VNC
aka RealVNC, TightVNC, TigerVNC
Remote desktop on 5900. The password is capped at 8 chars and stored DES-encrypted with a fixed key, so a readable passwd file decrypts straight to plaintext.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5900 | tcp | VNC display :0 |
| 5901 | tcp | VNC display :1 |
| 5800 | tcp | VNC over HTTP (Java applet) |
Fingerprint
- nmap vnc-info reports the protocol and auth
- 5900+N maps to display :N
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.vnc/passwd | DES-encrypted VNC password (fixed key, reversible) | sensitive |
Default / weak creds
weak 8-char passwords; sometimes none
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2006-2369 | RealVNC 4.1.1 authentication bypass |
Exploitation primitives
- Connect with vncviewer once you have (or bypass) the password
- Decrypt a looted ~/.vnc/passwd to recover the plaintext password
- Brute force the 8-char password
Overview
VNC on 5900 is graphical remote access. Its password scheme is weak by design (8-char max, fixed-key DES), so a recovered passwd file is as good as plaintext.
Enumeration
Fingerprint it:
nmap -p5900 --script vnc-info,vnc-title <TARGET>
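The auth information nmap's vnc-info reports comes from the RFB handshake. As an added audit example (not part of this cheat-sheet), the parser below decodes the server's security-type message for both the 3.3 and 3.7+ handshake forms, names the offered types, and flags the two weak cases above: auth type None and the 8-char fixed-key DES scheme. The handshake bytes are constructed samples.

```python
"""Classify the auth a VNC server offers, from its RFB handshake bytes."""
import struct

# RFB security-type numbers from the RFB spec. Type 2 is the scheme this
# page describes: 8-char max, DES with a fixed key, cleartext session.
SECURITY_TYPES = {0: "failed", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD"}

def parse_server_version(banner: bytes) -> tuple:
    """Return (major, minor) from the 12-byte 'RFB xxx.yyy\\n' banner."""
    if len(banner) < 12 or banner[:4] != b"RFB " or banner[11:12] != b"\n":
        raise ValueError("not an RFB banner")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def parse_security_offer(version: tuple, payload: bytes) -> list:
    """Decode the server's security-type message.
    3.3: one big-endian u32 type (0 = refused). 3.7+: u8 count, then count
    u8 types; count 0 means the server refused and sent a reason string."""
    if version < (3, 7):
        (stype,) = struct.unpack("!I", payload[:4])
        if stype == 0:
            raise RuntimeError("server refused connection")
        return [stype]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        raise RuntimeError(payload[5:5 + reason_len].decode(errors="replace"))
    return list(payload[1:1 + count])

def assess(types: list) -> dict:
    """Map offered types to names and flag the weak cases the page warns about."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    findings = []
    if 1 in types:
        findings.append("offers None: no password required")
    if 2 in types:
        findings.append("offers VNC Authentication: 8-char fixed-key DES, cleartext session")
    return {"types": names, "findings": findings}

def audit(banner: bytes, offer: bytes) -> dict:
    """Run the whole check over a captured banner plus the security-type message."""
    return assess(parse_security_offer(parse_server_version(banner), offer))

if __name__ == "__main__":
    # Constructed sample: an RFB 3.8 server offering None (1) and VNC auth (2).
    print(audit(b"RFB 003.008\n", b"\x02\x01\x02"))
```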
Access
Connect with a viewer:
vncviewer <TARGET>:5900
Decrypt a looted password file (the file is one unpadded 8-byte DES block, so -nopad is needed or openssl reports "bad decrypt" and prints nothing):
echo -n <hex> | xxd -r -p | openssl enc -des-cbc -d -K e84ad660c4721ae0 -iv 0000000000000000 -nopad
Hardening
Tunnel VNC over SSH, set a strong password (or use a build without the 8-char cap), and restrict source IPs.