Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: vnc


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Aug 2010 22:24:47 -0600

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
> o VNC
> - A smallish library that supports listing supported security types and authentication using the "VNC Authentication" security type (vnc.lua)
> - The following scripts make use of it:
>    x vnc-brute - performs password guessing against VNC based servers
>    x vnc-info - lists the supported security types for each VNC server

These look good to me. Here are my results.

This is TightVNC on Windows.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p 5900

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:25 MDT
Nmap scan report for 192.168.0.190
Host is up (0.00033s latency).
PORT     STATE SERVICE
5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 10 guesses in 1 seconds, average tps: 10
|
|_  ERROR: Too many retries, aborted ...

This is screen sharing on Mac OS X.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p 5900 -Pn

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:41 MDT
Nmap scan report for 192.168.0.190
Host is up (0.00058s latency).
PORT     STATE SERVICE
5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.889
|   Security types:
|     Mac OS X security type (30)
|     VNC Authentication
|_    Mac OS X security type (35)
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Perfomed 5010 guesses in 11 seconds, average tps: 455

This is against the remote desktop in GNOME 2.22.3, with no password set.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.2 -p 5900 -Pn -d

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 22:05 MDT
Nmap scan report for 192.168.0.2
Host is up, received user-set (0.00052s latency).
Scanned at 2010-08-11 22:05:49 MDT for 49s
PORT     STATE SERVICE REASON
5900/tcp open  vnc     syn-ack
| vnc-info:
|_  ERROR: ERROR: VNC:handshake failed to recevive protocol version
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 10 guesses in 37 seconds, average tps: 0
|
|_  ERROR: Too many retries, aborted ...

I couldn't get any output against GNOME unless I used the -d option. If
I run vnc-info by itself, I get

5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.7
|   Security types:
|     TLS
|     None
|_  WARNING: Server does not require authentication

Running vnc-brute by itself has no change. Setting a password doesn't
help either. I attached packet captures of running each script
individually and together.

I think the library and scripts look good enough to do further debugging
under revision control. Please commit them.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
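The security-type listing that vnc-info prints above is read straight from the server's RFB handshake. As an added example (not code from vnc.lua or from this thread), here is a Python parser for that server-side handshake, run over constructed byte strings modelled on the TightVNC and GNOME results; the names for types 1, 2, 16 and 18 are the standard RFB registrations, 30 and 35 are the Apple types as labelled above, and an empty stream produces the same "failed to receive protocol version" condition seen against GNOME.

```python
import struct

# Registered RFB security type numbers (1, 2, 16, 18 are standard RFB
# registrations; 30 and 35 are the Apple types vnc-info labelled above).
SECURITY_TYPES = {
    1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS",
    30: "Mac OS X security type (30)", 35: "Mac OS X security type (35)",
}

def parse_server_handshake(data: bytes) -> dict:
    """Parse the first bytes a VNC server sends: the 12-byte ProtocolVersion
    ("RFB xxx.yyy\\n") followed by its security-type offer."""
    if len(data) < 12 or not data.startswith(b"RFB "):
        # Same failure vnc-info reported against GNOME: no version string arrived.
        raise ValueError("handshake failed to receive protocol version")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a big-endian u32;
        # 0 means the connection failed and a u32 length + reason string follows.
        if len(body) < 4:
            raise ValueError("truncated security-type field")
        (chosen,) = struct.unpack(">I", body[:4])
        if chosen == 0:
            (rlen,) = struct.unpack(">I", body[4:8])
            raise ValueError("server refused: " + body[8:8 + rlen].decode("ascii", "replace"))
        types = [chosen]
    else:
        # RFB 3.7/3.8: u8 count, then one u8 per offered type; count 0 is a
        # refusal followed by a u32 length and an ASCII reason string.
        if not body:
            raise ValueError("truncated security-type list")
        count = body[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", body[1:5])
            raise ValueError("server refused: " + body[5:5 + rlen].decode("ascii", "replace"))
        types = list(body[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
    names = [SECURITY_TYPES.get(t, f"Unknown security type ({t})") for t in types]
    # no_auth mirrors vnc-info's WARNING: type 1 ("None") means no authentication.
    return {"version": f"{major}.{minor}", "security_types": names, "no_auth": 1 in types}

# Constructed server responses modelled on the scan results above.
TIGHTVNC_WINDOWS = b"RFB 003.008\n" + bytes([2, 2, 16])
GNOME_NO_PASSWORD = b"RFB 003.007\n" + bytes([2, 18, 1])
OLD_RFB33_SERVER = b"RFB 003.003\n" + struct.pack(">I", 2)

if __name__ == "__main__":
    for sample in (TIGHTVNC_WINDOWS, GNOME_NO_PASSWORD, OLD_RFB33_SERVER, b""):
        try:
            print(parse_server_handshake(sample))
        except ValueError as e:
            print("ERROR:", e)
```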