Nmap Development mailing list archives

Re: smb-psexec.nse example -- remotely grabbing a vnc password


From: Ron <ron () skullsecurity net>
Date: Sat, 13 Mar 2010 00:51:19 -0600

Hey,

Very cool! If you send me the .lua (or excerpt the proper lines), and you don't mind, I can add it to one of my default 
configs (or perhaps create a new one for 'external' programs). 

On Fri, 12 Mar 2010 16:14:41 -0800 rilian4 rilian4 <rilian4 () gmail com>
wrote:
Using vncpwdump from Patrik Karlsson's website:
http://www.cqure.net/wp/vncpwdump, I was able to generate the
following results from Ron's smb-psexec.nse script against a windows
xp box running the free version of RealVNC.

Host script results:
| smb-psexec:
|   Local VNC Password Dump
|     -------------------------------------
|     Password: mypass
|_    ERROR: Found no password for current user

Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds


This requires the .exe and a .dll to be uploaded to the target and
administrative creds supplied to the nmap command. The results are
accurate. The first password returned is the vnc password stored if
vnc is running as a service. The ERROR line is generated when
the .exe attempts to find a password set by the local user, which in
the case of my box does not exist. You can manipulate the .lua to
scan for either or both. This output is exactly the same as if you
run the command locally on the xp box.

I have a .lua I wrote using Ron's default.lua as an example that
generates the results above. Would anyone like the .lua posted here
or to have a copy offlist? I would be happy to license it under the
nmap license or whatever else is needed.

I thought up using this tool in combination with smb-psexec as a
great test of the smb-psexec.nse script and it passed with flying
colors. Great work Ron! I plan to keep on finding new and inventive
ways to use smb-psexec.nse!! This is a humongously useful tool. Also
a big thank you to Patrik Karlsson (who apparently has an array of
nmap contributions as well!) for creating the vncpwdump tool!

Also of note: This tool can be used to set the service or user
passwords as well as read them.
Let me know if anyone wants more information on this.

-Aaron
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86