Part 2 - VNC Scanner

Video Activity

Another vulnerability that can potentially be exploited is an unsecured VNC service. This vulnerability is particularly nasty since VNC essentially provides remote control of a host. In this video, Dean demonstrates the Metasploit VNC exploit scanner.


Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription
00:03
>> If you remember from our services [NOISE] we should recall that we had VNC running here. There it is. Any credentials which I've captured again will be shown here. These are from the Postgres shell that I reestablished earlier. As I was saying, it will put these in the database as they are captured and shows where they came from, what service that was running, and because I did the hashtag with Postgres, I also grab that. We see that it's an MD5 hash.

For VNC, we have a scanner for this. Let me do a search. For VNC, let's see how many things we get. We get quite a few. Let me do a search for scanner VNC. See if that works. There we go. Notice I don't need double-quotes. I can just use a slash because I know it's a scanner that I want and I remember that there's one for VNC. That gives me a nice little shortcut to be able to do in that format.

We're going to first try a non-detection scan that looks for a VNC configuration that has a blank password or hasn't had the password set. That would be a huge benefit for the pentester because a VNC connection is much like a remote desktop connection. Let's go ahead and specify this. We'll look at our options. Our host is already set. Remote port looks correct. Let's go ahead and run the exploit. It found protocol version 3,4 and it looks like it did not find a blank password, but it might have. That was worth checking.

Again, we're going for the list of services trying methodically to identify areas where we think we might be able to gain access to a system. We've already shown a couple of ways to get into the system, but we want to try some various options in order to fully explore our available exploits.