Vulnerability Development mailing list archives
Re: VNC game
From: Philip Rowlands <phr () doc ic ac uk>
Date: Mon, 2 Dec 2002 01:40:11 +0000 (GMT)
On Fri, 29 Nov 2002 rsmc () tid es wrote:
> In it, we got to fake entries in the DNS server of the machines accessing one VNC server (inside the audited internal network), so I just wrote this little trojan to demonstrate how we could bypass the challenge-response mechanism imposed by VNC to protect the password from being sniffed.
You haven't really bypassed it - you're acting as a passive man-in-the-middle. It's not a trojan.
> /* we must send VNC version number (from protocol) */
> /* we also must read VNC version number (from protocol) */
> /* we send the authentication method code to the client */
> /* we connect to the real VNC server */
> /* again, we read version number from the VNC server */
> /* and we send ours */
> /* we now read authentication method code from VNC server */
> /* here is the challenge from server */
> /* we send the challenge to the victim client */
> /* we have the encrypted password from the client */
No, you have the challenge DES-encrypted by the password. Not the password DES-encrypted by the challenge. See section 5.1.2 of http://www.realvnc.com/docs/rfbproto.pdf.
> /* we send the encrypted password to the VNC server */
> /* we read the result from the authentication process */
> /* at this point we should be authenticated */
> /* place whatever code you want here */
I claim no particular expertise in crypto code, but I don't think there's anything here which helps you learn the password. Of course, you've hijacked the data stream, so you could read keystrokes, make screengrabs etc. The VNC site contains a page on wrapping up VNC inside SSH, for proper secure tunnelling.

Cheers,
Phil
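The point Phil makes about section 5.1.2 of the RFB protocol can be checked in code: the client never sends the password, it sends the server's 16-byte random challenge DES-encrypted under a key derived from the password, and the server recomputes the same thing to verify. The following Go program is an added illustration written for this archive page; it is neither rsmc's relay code nor VNC's own implementation. It assumes the RFB 3.3 "VNC authentication" rules (password truncated or NUL-padded to 8 bytes, each key byte bit-mirrored because VNC's d3des reads keys in reversed bit order, challenge encrypted as two DES-ECB blocks) and uses only Go's standard library.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

// vncKey builds the 8-byte DES key VNC derives from a password:
// the password is truncated or NUL-padded to 8 bytes, and the bit
// order of every byte is mirrored (VNC's d3des quirk), so a standard
// DES implementation needs the reversal done explicitly.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copies at most 8 bytes; shorter passwords stay NUL-padded
	for i := range key {
		key[i] = bits.Reverse8(key[i])
	}
	return key
}

// VNCAuthResponse is what the client returns: the 16-byte challenge
// encrypted block by block with DES-ECB under the password-derived key.
// The password itself never leaves the client.
func VNCAuthResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// NewChallenge is the server side: 16 random bytes, fresh per connection.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// VerifyVNCAuth is the server's check: recompute the expected response
// from its own copy of the password and compare in constant time.
func VerifyVNCAuth(password string, challenge, response []byte) bool {
	expected, err := VNCAuthResponse(password, challenge)
	if err != nil || len(response) != 16 {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// "secret" is a constructed sample password for this demonstration.
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	resp, _ := VNCAuthResponse("secret", challenge)
	fmt.Printf("challenge: %x\nresponse:  %x\n", challenge, resp)
	fmt.Println("server accepts:", VerifyVNCAuth("secret", challenge, resp))

	// A response recorded from one session is bound to that session's
	// challenge, so it is useless against a fresh one.
	fresh, _ := NewChallenge()
	fmt.Println("replayed against a new challenge:", VerifyVNCAuth("secret", fresh, resp))
}
```

What an observer in the middle of the connection sees is exactly the pair (challenge, response), which is why forwarding it works for that one session and why nothing in the exchange hands over the password in the clear. The design's real limitation, as Phil notes, is that the data stream after authentication is unprotected, which is what the SSH tunnel addresses.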
Current thread:
- VNC game rsmc (Dec 01)
- Re: VNC game Philip Rowlands (Dec 02)