Physical attacks
Mobile Apps Pentesting
Pentesting

5800,5801,5900,5901 - Pentesting VNC

Basic Information

In computing, Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network. From wikipedia.

VNC usually uses ports 5800 or 5801 or 5900 or 5901.

PORT STATE SERVICE
5900/tcp open vnc

Enumeration

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth

Connect to vnc using Kali

vncviewer [-passwd passwd.txt] <IP>::5901

Decrypting VNC password

Default password is stored in: ~/.vnc/passwd

If you have the VNC password and it looks encrypted (a bunch of bytes). It is probably ciphered with 3des. You can get the clear text password using https://github.com/jeroennijhof/vncpwd

make
vncpwd <vnc password file>

You can do this because the password used inside 3des to encrypt the plan-text VNC passwords was reversed years ago.