Vulnerability Development mailing list archives

Re: VNC game


From: Philip Rowlands <phr () doc ic ac uk>
Date: Mon, 2 Dec 2002 01:40:11 +0000 (GMT)

On Fri, 29 Nov 2002 rsmc () tid es wrote:

> In it, we got to fake entries in the DNS server of the machines
> accessing one VNC server (inside the audited internal network), so I
> just wrote this little trojan to demonstrate how we could bypass the
> challenge-response mechanism imposed by VNC to protect the password from
> being sniffed.

You haven't really bypassed it - you're acting as a passive
man-in-the-middle. It's not a trojan.

>       /* we must send VNC version number (from protocol) */
>       /* we also must read VNC version number (from protocol) */
>       /* we send the authentication method code to the client */
>       /* we connect to the real VNC server */
>       /* again, we read version number from the VNC server */
>       /* and we send ours */
>       /* we now read authentication method code from VNC server */
>       /* here is the challenge from server */
>       /* we send the challenge to the victim client */
>       /* we have the encrypted password from the client */

No, you have the challenge DES-encrypted by the password. Not the
password DES-encrypted by the challenge. See section 5.1.2 of
http://www.realvnc.com/docs/rfbproto.pdf.

>       /* we send the encrypted password to the VNC server */
>       /* we read the result from the authentication process */
>       /* at this point we should be authenticated */
>       /* place whatever code you want here */

I claim no particular expertise in crypto code, but I don't think
there's anything here which helps you learn the password. Of course,
you've hijacked the data stream, so you could read keystrokes, make
screengrabs etc.

The VNC site contains a page on wrapping up VNC inside SSH, for proper
secure tunnelling.


Cheers,

Phil
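The exchange the two messages above argue about, as an added example that is not code from either poster: a model of RFB 3.3 VNC authentication (security type 2) with the password-derived DES key (password truncated or zero-padded to 8 bytes, bit order of each byte reversed, the quirk every compatible client reproduces), the client's response computed as DES-ECB of the 16-byte challenge under that key, the server's check, and a `relay` function that does what rsmc's program does: forward the challenge one way and the response the other. Everything the relay touches is recorded in a transcript so it can be checked that the password itself never crosses it. The password "s3cret" and the 16-byte sample challenge are constructed for the example; the version-string exchange is omitted since it carries no secret.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const (
	secTypeVNCAuth = 2 // RFB 3.3 security type: VNC authentication
	authOK         = 0
	authFailed     = 1
)

// vncKey derives the 8-byte DES key from a VNC password: the password is
// truncated or zero-padded to 8 bytes and the bit order inside each byte
// is reversed (a quirk of the original VNC DES code that clients reproduce).
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // at most 8 bytes are copied; the rest stay zero
	for i, b := range key {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | b&1
			b >>= 1
		}
		key[i] = r
	}
	return key
}

// vncResponse is the client's side: the 16-byte challenge DES-ECB encrypted
// under the password-derived key, one 8-byte block at a time. The password
// is the key and the challenge is the plaintext, which is Phil's point.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// vncServer knows the configured password and verifies a response the way a
// real server does: recompute the expected response and compare.
type vncServer struct{ password string }

func (s vncServer) newChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

func (s vncServer) verify(challenge, response []byte) bool {
	expected, err := vncResponse(s.password, challenge)
	return err == nil && bytes.Equal(expected, response)
}

// relay models the quoted program as a passive man in the middle: it passes
// the security type and challenge from server to client and the client's
// response back to the server, recording every message it forwards.
func relay(server vncServer, challenge []byte, clientPassword string) (transcript [][]byte, authenticated bool, err error) {
	secType := make([]byte, 4)
	binary.BigEndian.PutUint32(secType, secTypeVNCAuth)
	transcript = append(transcript, secType, challenge) // server -> client

	response, err := vncResponse(clientPassword, challenge) // client computes
	if err != nil {
		return nil, false, err
	}
	transcript = append(transcript, response) // client -> server

	result := make([]byte, 4)
	if server.verify(challenge, response) {
		binary.BigEndian.PutUint32(result, authOK)
		authenticated = true
	} else {
		binary.BigEndian.PutUint32(result, authFailed)
	}
	transcript = append(transcript, result) // server -> client
	return transcript, authenticated, nil
}

// transcriptContains reports whether needle appears in any relayed message.
func transcriptContains(transcript [][]byte, needle string) bool {
	for _, m := range transcript {
		if bytes.Contains(m, []byte(needle)) {
			return true
		}
	}
	return false
}

func main() {
	srv := vncServer{password: "s3cret"} // constructed sample password
	challenge, err := srv.newChallenge()
	if err != nil {
		panic(err)
	}
	tr, ok, err := relay(srv, challenge, "s3cret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("authenticated=%v relayed=%d password seen by relay=%v\n",
		ok, len(tr), transcriptContains(tr, "s3cret"))
}
```

Running it shows the relay authenticating with four forwarded messages and the password appearing in none of them, which is what the reply above says: the relay sits on the session and can hijack it, but the bytes it sees are the challenge and the challenge encrypted under the password, not the password. Note also that `verify` needs only a challenge, a response and a candidate password, so a captured pair is worth protecting; that is one reason for the SSH tunnelling Phil points to.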

