Penetration Testing mailing list archives

Re: [PEN-TEST] Decrypting VNC passwords - Tool required


From: "Hyde, Mark (GEO)" <Mark.Hyde () COMPAQ COM>
Date: Thu, 24 Aug 2000 09:51:07 +0200

Loki,

These passwords are stored in an encrypted form in the registry. The tools
discussed decrypt the password. It is not a brute force.

If you have remote registry access then you may be able to retrieve the
password.

Taking a typical VNC implementation scenario - ie Admins use VNC on
workstations - to support user problems and on servers - for remote admin. A
workstation user would have very little difficulty in getting hold of the VNC
password in his local registry and decrypting it. There is a very good chance
that the same password is used for all workstations & servers on the net and
so you are potentially putting the keys to the domain on every workstation.

From a penetration point of view it would be much simpler to attack a
workstation (with less chance of being detected), then move to the servers.

If I have time I would like to check if the VNC password goes in clear over
the net. If so then the workstation user would just have to ask for admin to
provide remote support and then sniff the session and not bother about
decrypting. But I'm sure someone has already checked this...

Mark
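The reuse problem Mark describes above can be checked without decrypting anything. Because the stored value is produced deterministically (fixed key, no per-host salt, as the Securiteam advisory cited later in this thread describes), two hosts that store the same bytes have the same VNC password. The following script is an added example, not code from this thread or from any VNC project; it assumes an authorised administrator has already collected an inventory of the stored values (for instance via remote registry reads) as a mapping of hostname to the hex of the stored 8-byte value, and the inventory data itself is constructed.

```python
"""Flag VNC password reuse across hosts from an inventory of stored values.

Added example (not from the mailing-list thread). Assumes an inventory
collected by an authorised admin: hostname -> hex of the stored 8-byte
value. Equal stored values imply equal passwords because the storage
scheme is deterministic, so reuse is visible with no decryption at all.
"""
from collections import defaultdict

# Constructed sample inventory (made-up hostnames and made-up stored values).
SAMPLE_INVENTORY = {
    "ws01": "2a4f1c9e7b3d0a55",
    "ws02": "2a4f1c9e7b3d0a55",
    "ws03": "9c0d3e7f11a2b4c6",
    "srv-dc1": "2a4f1c9e7b3d0a55",
    "srv-file": "77ee55ff00112233",
}

# Hosts whose VNC password should never be shared with workstations.
SAMPLE_SERVERS = {"srv-dc1", "srv-file"}


def normalize(value: str) -> bytes:
    """Parse a hex string into bytes and reject anything that is not 8 bytes
    (assumption: the stored value is a single 8-byte block)."""
    raw = bytes.fromhex(value.strip())
    if len(raw) != 8:
        raise ValueError(f"expected an 8-byte stored value, got {len(raw)} bytes")
    return raw


def group_by_stored_value(inventory):
    """Map each distinct stored value to the sorted list of hosts using it."""
    groups = defaultdict(list)
    for host, value in inventory.items():
        groups[normalize(value)].append(host)
    return {value: sorted(hosts) for value, hosts in groups.items()}


def find_reuse(inventory, servers=frozenset()):
    """Return [(hosts, touches_server), ...] for every stored value shared by
    more than one host, sorted by host list. touches_server is True when a
    workstation shares its password with at least one host in `servers`,
    which is the 'keys to the domain on every workstation' case."""
    findings = []
    for hosts in group_by_stored_value(inventory).values():
        if len(hosts) > 1:
            touches_server = any(h in servers for h in hosts) and any(
                h not in servers for h in hosts
            )
            findings.append((hosts, touches_server))
    findings.sort()
    return findings


def report(inventory, servers=frozenset()):
    """Human-readable summary of the reuse findings."""
    lines = []
    for hosts, touches_server in find_reuse(inventory, servers):
        severity = "HIGH (shared with a server)" if touches_server else "medium"
        lines.append(f"{severity}: same VNC password on {', '.join(hosts)}")
    return "\n".join(lines) if lines else "no shared VNC passwords found"


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, SAMPLE_SERVERS))
```

The point of the design is that the check compares ciphertext only: a deterministic, unsalted scheme leaks equality across hosts, which is exactly what lets a defender spot a password shared between workstations and servers, and exactly why such a scheme should be treated as reversible obfuscation rather than protection.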

-----Original Message-----
From: Loki [mailto:loki.loa () SUBDIMENSION COM]
Sent: Wednesday, August 23, 2000 3:58 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Decrypting VNC passwords - Tool required


Is there a method of retrieving those same VNC passwords remotely? Or are we
just talking about a simple brute-force?


----------------------------------------------------------------------
Loki [LoA]
loki.loa () subdimension com

"A verse from Saint Paul stays with me. It is perhaps the strangest
passage in the Bible in which he writes: Even now in Heaven there were
angels carrying savage weapons."

----------------------------------------------------------------------
PGP Key fingerprint =  67 1D 12 BE 61 D6 63 B2  6A 8C F8 A1 80 88 1B 4
[jbrill () nasa gov]# ./crack /etc/passwd > passwd.cr
[jbrill () nasa gov]# su - root
[root () nasa gov]#
----------------------------------------------------------------------


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Batten, Gerald
Sent: Tuesday, August 22, 2000 8:00 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Decrypting VNC passwords - Tool required


There's a tool called vnccrack.  You can find a copy of it here:
http://www.phenoelit.de/  If you give it the encrypted password, it will
decrypt it for you as well.  I find this useful when customers ask me if
VNC is safe to use as an administration tool.

Gerald Batten
Security Consultant
EXOCOM

*Note: views expressed in this communication are not those of my employer's.

*Note2: They're not necessarily mine either.

-----Original Message-----
From: erica bernt [mailto:erica_bbb () YAHOO COM]
Sent: Monday, August 21, 2000 5:37 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Decrypting VNC passwords - Tool required


Hi Everyone,

I was doing an audit of some systems and managed to
penetrate into the NT domain. I see that VNC is
installed and so I picked up the DES encrypted
password from the registry. As per :

http://www.securiteam.com/securitynews/VNC_3_3_2_R6_uses_a_weak_password_protection_mechanism.html

My specific question to you is what tool would you
recommend to decrypt this password? And are there any
other ways to attack VNC?

On a more general level, what are the most formidable
remote management tools out there that you
have the most difficulty detecting and penetrating?

regards Erica


__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/


