pentesting-vnc

```bash
$ npx mdskill add xalgord/xalgorix/pentesting-vnc
```



---
name: pentesting-vnc
description: Testing VNC remote desktop services using the Remote Frame Buffer (RFB) protocol during authorized
  engagements. VNC commonly listens on 5900/5901 (and web clients on 5800/5801). Covers RFB fingerprinting, no-auth /
  RealVNC auth-bypass detection with nmap NSE and Metasploit, password brute force, decrypting the weak 3DES-stored
  ~/.vnc/passwd, and gaining graphical desktop control.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- vnc
- rfb
- remote-desktop
- brute-force
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting VNC (port 5900/5901)

## When to Use

- During authorized assessments when a VNC port is open (5800/5801 web, 5900/5901 RFB, or 5900+display)
- When testing for unauthenticated ("None" auth) VNC access to a desktop
- When testing for the RealVNC authentication bypass
- When you recover a `~/.vnc/passwd` file and need to decrypt the stored password
- When validating weak/default VNC passwords via brute force

## Quick Enumeration

```bash
# RFB version, auth types, and known bypasses
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
# vnc-info reports the RFB protocol version and supported security types
# vnc-title grabs the desktop title; realvnc-auth-bypass flags the bypass

# Check for "None" (no authentication) security type
msf> use auxiliary/scanner/vnc/vnc_none_auth

# Shodan-style discovery
# port:5900 RFB
```

## Critical: Checks Most Often Missed

1. **None / no authentication** — many VNC servers expose security type "None", granting full desktop control with zero credentials. Confirm with `vnc_none_auth` and connect directly.
2. **RealVNC auth bypass** — older RealVNC versions accept a null/insecure security type negotiation, bypassing the password entirely. Flagged by `realvnc-auth-bypass`.
3. **Weak 3DES-stored password** — `~/.vnc/passwd` stores the VNC password encrypted with a fixed 3DES key that was reverse-engineered long ago. If you can read the file, you can recover the cleartext with `vncpwd`.
4. **8-character password truncation** — VNC passwords are limited to 8 characters, making them weak against brute force; keep that limit in mind when supplying a wordlist.
5. **Web client (5800/5801)** — a Java/HTTP VNC client may be exposed separately from the RFB port and can leak version/host info.

How to CONFIRM: no-auth is confirmed when `auxiliary/scanner/vnc/vnc_none_auth` reports the host accepts the None type, or `vncviewer <IP>::5901` connects without prompting for a password. A bypass is confirmed when `realvnc-auth-bypass` returns VULNERABLE.
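As an added audit check (not part of the original skill), the Python script below performs only the RFB version exchange and reads the security types the server offers, which is the same evidence `vnc-info` and `vnc_none_auth` report; it stops before any authentication. The `probe()` helper, the type-name table and the sample byte strings are assumptions constructed for this example, following the RFB 3.3/3.7/3.8 handshake defined in RFC 6143.

```python
import socket
import struct

# Security-type numbers from RFC 6143 (1 = None, 2 = VNC Authentication)
# plus common vendor types; anything else is reported by number.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}
# Constructed samples: an RFB 3.8 offer of None (1) and VNC auth (2), and an
# RFB 3.3 server dictating VNC auth as a single big-endian u32.
SAMPLE_38_OFFER = b"\x02\x01\x02"
SAMPLE_33_OFFER = b"\x00\x00\x00\x02"

def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def parse_security_types(payload: bytes, minor: int) -> list:
    """Parse the security-type message the server sends after the version reply.
    RFB 3.3 sends one u32 chosen by the server; 3.7/3.8 send a u8 count and that
    many u8 types. Type 0 (3.3) or count 0 (3.7+) means the connection was
    refused and a length-prefixed reason string follows."""
    if minor < 7:
        types, rest = [struct.unpack(">I", payload[:4])[0]], payload[4:]
    else:
        n = payload[0]
        types, rest = list(payload[1:1 + n]), payload[1 + n:]
    if not types or types == [0]:
        rlen = struct.unpack(">I", rest[:4])[0]
        raise ConnectionError("refused: " + rest[4:4 + rlen].decode(errors="replace"))
    return types

def assess(types: list) -> dict:
    """Turn the offered types into an audit verdict."""
    return {
        "types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,                 # anyone can take over the desktop
        "legacy_vnc_auth_only": types == [2],  # only the 8-char DES challenge
    }

def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: version exchange, read the offer, then close; no login is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_version(s.recv(12))
        minor = minor if minor in (7, 8) else 3   # RFC 6143: treat others as 3.3
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))
        return assess(parse_security_types(s.recv(256), minor))
```

Run `probe("<IP>", 5901)` against a host you are authorized to test; `assess(parse_security_types(SAMPLE_38_OFFER, 8))` shows the `no_auth` verdict offline.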

## Workflow

### Step 1: Enumerate (RFB version, auth types, title)

```bash
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5901 <IP>
# Note the offered security types: 1 = None, 2 = VNC auth (DES challenge), etc.
```

### Step 2: Authenticate (no-auth, bypass, brute force)

```bash
# Test unauthenticated access
msf> use auxiliary/scanner/vnc/vnc_none_auth
msf> set rhosts <IP>
msf> run

# Connect (no password if None auth)
vncviewer <IP>::5901

# Brute force the VNC password (8-char limit; longer candidates are truncated)
msf> use auxiliary/scanner/vnc/vnc_login
hydra -P passwords.txt -s 5901 <IP> vnc

# Authenticate with a stored vncpasswd-format file (e.g. a recovered ~/.vnc/passwd),
# not a wordlist: -passwd takes the encrypted password file, it does not brute force
vncviewer -passwd passwd.txt <IP>::5901
```

### Step 3: Exploit / Extract (decrypt stored password)

```bash
# Recover cleartext from a stored ~/.vnc/passwd (3DES weak key)
git clone https://github.com/jeroennijhof/vncpwd
cd vncpwd && make
./vncpwd <vnc password file>
# The fixed 3DES key used to encrypt VNC passwords was reversed years ago,
# so any readable passwd file yields the cleartext password.
# Windows: use the equivalent vncpwd.exe tool.
```

### Step 4: Post-access (desktop control, pivot)

```bash
# Once connected you have full keyboard/mouse control of the desktop:
#  - read on-screen credentials, open terminals, browse the filesystem
#  - reuse recovered VNC password against other hosts/services (password reuse)
#  - leverage the desktop session to escalate or pivot deeper into the network
vncviewer <IP>::5901
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **VNC** | Virtual Network Computing; graphical desktop sharing |
| **RFB protocol** | Remote Frame Buffer; transmits screen updates and input events bidirectionally |
| **Security type** | Negotiated auth method: None (1), VNC auth (2), and vendor variants |
| **VNC auth** | DES challenge-response using the (8-char) VNC password |
| **~/.vnc/passwd** | Stores the VNC password encrypted with a fixed, reversed 3DES key |
| **Display number** | Maps to port 5900 + display (e.g. :1 -> 5901) |
| **RealVNC auth bypass** | Flaw allowing the password step to be skipped via type negotiation |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap** (vnc-* NSE) | RFB version, auth types, title, RealVNC bypass detection |
| **Metasploit vnc_none_auth** | Detect unauthenticated VNC access |
| **Metasploit vnc_login** | Brute-force VNC password |
| **vncviewer** | Connect to and control the remote desktop |
| **vncpwd** | Decrypt 3DES-stored VNC passwords from passwd files |
| **hydra** | Alternative VNC password brute force |

## Common Scenarios

### Scenario 1: Unauthenticated Desktop
`vnc_none_auth` reports the host accepts security type None. `vncviewer <IP>::5900` opens a full desktop session with no credentials, exposing on-screen data and a terminal.

### Scenario 2: Stored Password Recovery
A readable `~/.vnc/passwd` is pulled from a compromised host. `vncpwd passwd` recovers the cleartext, which is reused to access the host's VNC desktop and other servers.

### Scenario 3: RealVNC Bypass
`realvnc-auth-bypass` flags an old RealVNC server. The auth step is skipped during negotiation, granting unauthenticated control.

### Scenario 4: Weak Password Brute Force
An 8-character VNC password falls quickly to `vnc_login` with a common-password list, yielding desktop access.

## Output Format

```
## VNC Finding

**Service**: VNC (RFB)
**Severity**: <Critical|High|Medium>
**Host**: <IP>:5900/5901
**Auth Type**: <None | VNC auth | RealVNC bypass>

### Summary
<What was found: no-auth access, weak/cracked password, decrypted stored password, bypass>

### Evidence
- Command: <nmap / vncviewer / vncpwd>
- Output: <security type, connection success, recovered password (redacted)>

### Access Obtained
- Full graphical desktop control as the logged-in user
- <on-screen secrets / reused credentials, if any>

### Recommendation
1. Require strong authentication; never expose security type "None"
2. Patch RealVNC/UltraVNC to remove known auth-bypass flaws
3. Tunnel VNC over SSH/VPN; do not expose 5900/5901 to untrusted networks
4. Restrict access by source IP and enable encryption where supported
5. Rotate VNC passwords and avoid reuse across hosts
```
