Nmap Development mailing list archives
Re: smb-psexec.nse example -- remotely grabbing a vnc password
From: Ron <ron () skullsecurity net>
Date: Sat, 13 Mar 2010 00:51:19 -0600
Hey,

Very cool! If you send me the .lua (or excerpt the proper lines), and you don't mind, I can add it to one of my default configs (or perhaps create a new one for 'external' programs).

On Fri, 12 Mar 2010 16:14:41 -0800 rilian4 rilian4 <rilian4 () gmail com> wrote:
Using vncpwdump from Patrik Karlsson's website: http://www.cqure.net/wp/vncpwdump, I was able to generate the following results from Ron's smb-psexec.nse script against a Windows XP box running the free version of RealVNC.

Host script results:
| smb-psexec:
| Local VNC Password Dump
| -------------------------------------
| Password: mypass
|_ ERROR: Found no password for current user

Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds

This requires the .exe and a .dll to be uploaded to the target and administrative creds supplied to the nmap command. The results are accurate. The first password returned is the VNC password stored if VNC is running as a service. The ERROR line is generated when the .exe attempts to find a password set by the local user, which in the case of my box does not exist. You can manipulate the .lua to scan for either or both. This output is exactly the same as if you run the command locally on the XP box.

I have a .lua I wrote using Ron's default.lua as an example that generates the results above. Would anyone like the .lua posted here or to have a copy offlist? I would be happy to license it under the nmap license or whatever else is needed.

I thought up using this tool in combination with smb-psexec as a great test of the smb-psexec.nse script and it passed with flying colors. Great work Ron! I plan to keep on finding new and inventive ways to use smb-psexec.nse!! This is a humongously useful tool. Also a big thank you to Patrik Karlsson (who apparently has an array of nmap contributions as well!) for creating the vncpwdump tool!

Also of note: This tool can be used to set the service or user passwords as well as read them. Let me know if anyone wants more information on this.

-Aaron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86