Author Topic: VNC Password Sniffing  (Read 12257 times)
hades_a
« on: September 15, 2009, 10:42:00 PM »

Hi All,

I need some advice please.

I have conducted a vulnerability assessment on a client's external network and have discovered an open VNC port (both client and web) which one can connect to from any IP on the Internet.

I know that the vulnerability related to VNC is that you can sniff the credentials as they are by default sent in open text (the client is not tunnelling this through SSH).

As far as I know, to sniff the password you would need to either have access to a router between two connections or else interpose yourself in a 'man-in-the-middle'. You would also be able to sniff the traffic if you were plugged into a hub (or switch with promiscuity set accordingly) with either of the end points.

Taking these scenarios into account, it would be highly unlikely that the password could be sniffed if these vectors were suitably protected. Am I missing something here which makes the risk of password sniffing very likely to occur?

The client does not need to comply with SOX, so I cannot use that as leverage in getting him to close this down. I can only plead to his common sense.

Any advice or insight would be much appreciated.

Thanks

Chris

MCSE 2003:Security, Security+, MCITP:EA
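The exposure asked about above can be confirmed from the server side of the RFB handshake alone, without any credentials: the server announces which security types it accepts, and a server that offers only "None" (1) or "VNC Authentication" (2) protects the login with nothing more than a DES challenge/response that a capture lets an attacker crack offline, whereas TLS (18) or VeNCrypt (19) wrap the exchange in TLS. The parser below is an added example, not code from this thread or from any VNC project; the sample captures are constructed and the type-code labels come from the RFB protocol specification.

```python
import struct

# RFB security-type codes from the RFB protocol spec (the ones this parser labels).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    16: "Tight", 18: "TLS", 19: "VeNCrypt",
}
ENCRYPTED_TYPES = {18, 19}  # these wrap the session (and the auth exchange) in TLS


def parse_server_security(data: bytes) -> dict:
    """Parse the server->client bytes of an RFB handshake: the 12-byte
    version greeting followed by the security-type offer. Returns the
    protocol version and the list of security types the server accepts."""
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB server greeting")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates a single u32 security type.
        (sec_type,) = struct.unpack(">I", body[:4])
        types = [sec_type]
    else:
        # RFB 3.7+: u8 count followed by that many u8 type codes.
        count = body[0]
        if count == 0:
            raise ValueError("server refused the connection (no security types)")
        types = list(body[1:1 + count])
    return {"version": f"{major}.{minor}", "types": types}


def assess(data: bytes) -> dict:
    """Turn the parsed offer into an assessment finding: a server that
    offers no TLS-based type leaves the authentication exchange sniffable."""
    parsed = parse_server_security(data)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in parsed["types"]]
    offers_encryption = any(t in ENCRYPTED_TYPES for t in parsed["types"])
    return {
        "version": parsed["version"],
        "security_types": names,
        "offers_encryption": offers_encryption,
        "sniffable_auth": not offers_encryption,
    }


# Constructed sample captures (not taken from any real host).
LEGACY_SERVER = b"RFB 003.008\n" + bytes([1, 2])        # offers VNC Authentication only
TLS_SERVER = b"RFB 003.008\n" + bytes([2, 19, 2])       # offers VeNCrypt and VNC Authentication
OLD_33_SERVER = b"RFB 003.003\n" + struct.pack(">I", 2)  # RFB 3.3 server, VNC Authentication

if __name__ == "__main__":
    for name, blob in [("legacy", LEGACY_SERVER), ("tls", TLS_SERVER), ("3.3", OLD_33_SERVER)]:
        print(name, assess(blob))
```

Offering VeNCrypt only means the server can negotiate TLS; whether a given session actually uses it depends on the client's choice, so a finding of "offers_encryption" should be read as "can be fixed by configuration", not "is encrypted".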
Jhaddix
« Reply #1 on: September 16, 2009, 03:38:15 AM »

In reporting, voice your finding and give them a link to audit their VNC passwords; among others, you can use an oldie but goodie:

VNCPwdump

VNCPwdump can be used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways.

It supports dumping and decrypting the password by:
- Dumping the current users registry key
- Retrieving it from an NTUSER.DAT file
- Decrypting a command line supplied encrypted password
- Injecting the VNC process and dumping the owner's password

CHANGES 1.0.5
- Support for RealVNC 4
- Command line encryption of plaintext password
- Set service and user passwords

CHANGES 1.0.6
- Minor bugfixes
- Support for Windows NT 4

Ketchup
« Reply #2 on: September 16, 2009, 07:24:43 AM »

I've always believed that security is only as strong as your weakest link. How is the physical security? What about wireless? If either of those is lacking, it's an entry point to the LAN and you can then sniff whatever you want. There could be unsecured machines on the LAN that an attacker can compromise and use to sniff passwords. There are often HVAC, voice mail and key card access control machines running very unsecured versions of Windows that are very easily compromised. When you are explaining your findings, you can try to paint a picture where your VNC issue is just one of the steps on a footpath to a compromised network.

I also usually mention some of the historical vulnerabilities that have existed in VNC, like the authentication bypass one. I have found that this is pretty good leverage.

Jason, I hadn't seen that tool before. Thanks!

~~~~~~~~~~~~~~
Ketchup
Dengar13
« Reply #3 on: September 16, 2009, 07:37:15 AM »

Yes, thanks for the information on that tool. I haven't seen it either. Very good advice from the previous two posters.

A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
hades_a
« Reply #4 on: September 17, 2009, 12:33:23 AM »

Thank you for the advice.

Much appreciated!

MCSE 2003:Security, Security+, MCITP:EA
SynJunkie
« Reply #5 on: September 19, 2009, 04:47:10 AM »

Cain is also an excellent tool for compromising VNC.

It can either pull the passwords from the registry:

http://www.wonderhowto.com/how-to/video/how-to-decode-vnc-passwords-with-cain-160725/
Or sniff them off the wire and bruteforce them:

http://www.youtube.com/watch?v=-8SOVQXD3mg

Hope this helps.

Syn

----------------------------------
http://synjunkie.blogspot.com