5800,5801,5900,5901 - Pentesting VNC
👉 Overview
👀 What ?
Pentesting VNC (Virtual Network Computing) refers to testing the security of VNC services on ports 5800, 5801, 5900 and 5901. VNC is a graphical desktop-sharing system, built on the RFB (Remote Framebuffer) protocol, that allows remote control of another computer. By convention a VNC server for display N listens on TCP 5900+N for the RFB service and on 5800+N for the legacy browser-based (Java applet or HTML) viewer, so 5900 and 5901 are displays :0 and :1 and 5800 and 5801 are their browser front-ends. Servers can be configured to listen elsewhere, so treat these four ports as the starting point rather than the full list.
🧐 Why ?
Pentesting VNC is essential because VNC services, if not properly secured, can allow unauthorized users to gain control of a system. VNC is often used in corporate environments, making it a prime target for attackers. Understanding how to test these services and patch any vulnerabilities is critical for maintaining a secure network.
⛏️ How ?
Pentesting VNC involves several steps. First, identify the VNC services running on the network, typically with Nmap using service detection so that VNC on a non-default port is still recognised. Next, connect to each service with a VNC client and note which authentication the server offers: some servers accept connections with no password at all. If a password is required, try common defaults or a wordlist with a tool like Hydra, bearing in mind that classic VNC authentication only uses the first 8 characters of the password and that many servers throttle or temporarily blacklist a client after a handful of failures. If you gain access, assess the level of control you have: whether it is an unattended desktop session, which user it runs as, and what that user can reach. Finally, document your findings and fix what you found: require authentication, prefer an encrypted transport (VeNCrypt/TLS or an SSH tunnel) over plain RFB, and restrict the ports to trusted networks.
⏳ When ?
Pentesting VNC should be conducted regularly, especially after any changes to network infrastructure or VNC configurations. It is also recommended to perform ad-hoc tests in response to new vulnerabilities identified in VNC software.
⚙️ Technical Explanations
Virtual Network Computing (VNC) runs on the RFB (Remote Framebuffer) protocol. The client, also known as the 'viewer', sends keyboard and mouse events to the host, known as the 'server', and the server sends framebuffer (screen) updates back. A session starts with a version handshake, after which the server lists the security types it accepts: 'None' means no password is needed at all, while 'VNC Authentication' is a 16-byte challenge that the client encrypts with DES using the password (truncated to 8 characters) as the key. Plain RFB does not encrypt the session itself, so keystrokes and screen contents cross the network in the clear unless a TLS-based type such as VeNCrypt or an SSH tunnel is used. This traffic uses specific ports, typically 5800/5801 for web access and 5900/5901 for the VNC service itself.
If these ports are left open and unsecured, they can be exploited by attackers looking for unauthorized access to a system. It is because of this potential vulnerability that penetration testing or 'pentesting' these services becomes crucial.
Pentesting involves testing for common vulnerabilities, such as weak or default passwords, unpatched software, or misconfigured access controls. Various tools, such as Nmap, Hydra, and Metasploit, can be used to identify and exploit these vulnerabilities.
Nmap is a network mapper tool that can discover hosts and services on a computer network. It does this by sending packets and analyzing the responses. Nmap is typically used to find open ports and identify the services running on those ports.
Hydra is a password cracking tool. It can perform rapid dictionary attacks against more than 50 protocols, including FTP, HTTP, and VNC. It's often used to test the strength of passwords and can identify weak passwords that could be vulnerable to a brute force attack.
Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. It provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing.
Regular pentesting is recommended, especially after any changes to network infrastructure or VNC configurations. Ad-hoc tests should also be performed in response to new vulnerabilities identified in VNC software.
Let's consider an educational example to understand how to pentest VNC services using the tools mentioned: Nmap, Hydra, and Metasploit.
- Identifying VNC Services with Nmap: First, we need to identify whether any VNC services are running on the network and which ports they are using. The following command scans the target IP (192.168.1.1 in this example) for open ports in the range 5800-5901 and asks Nmap to fingerprint the service behind each one, which also reports the RFB version the server announces:

```
nmap -sV -p 5800-5901 192.168.1.1
```

The output will indicate if any of these ports are open and which VNC implementation is listening. Nmap's vnc-info NSE script (added with --script vnc-info) additionally lists the security types the server offers, which tells you straight away whether a password is required at all.
- Cracking VNC Password with Hydra: Suppose we found a VNC service running on port 5900 that offers VNC Authentication. We can use Hydra to try a wordlist against it. Assume we have a file passwords.txt containing a list of possible passwords. The following command attempts to crack the VNC password:

```
hydra -s 5900 -P passwords.txt -t 1 -v -V 192.168.1.1 vnc
```

Here, -s specifies the port, -P the path to the password file, -v and -V make Hydra verbose and print every attempt, -t 1 limits Hydra to a single parallel connection, and vnc is the service to attack. Two caveats apply. Classic VNC authentication has no username, so no -l or -L option is needed; note that -u in Hydra means 'loop over users before passwords', not SSL (that is -S), and does nothing useful here. VNC also only uses the first 8 characters of the password, so trim and deduplicate the wordlist to 8-character prefixes, and keep the task count low, because many servers blacklist a client after a few failed attempts (TigerVNC, for example, defaults to five).
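The RFB handshake described under Technical Explanations, and the password limits that matter for the Hydra step, as an added Python example that is not part of the original page. It speaks just enough RFB to learn which security types a server offers (stopping before any password is sent), derives the DES key exactly as VNC Authentication does, and collapses a wordlist to the guesses VNC can actually distinguish. The FakeSocket class and the server transcripts are constructed for offline use, the security-type table is only a subset of the registry, and pointing probe() at a live host with socket.create_connection is assumed to work against any 3.x server.

```python
import struct

# Subset of the RFB security-type registry (RFC 6143 section 7.1.2 plus IANA additions).
# Type 1 hands over the desktop with no password; type 2 is the 8-character DES
# challenge-response that Hydra and Metasploit's vnc_login attack.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}

def recv_exact(sock, n):
    """Read exactly n bytes; RFB handshake fields are fixed-width, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return buf

def parse_version(banner):
    """b'RFB 003.008\\n' -> (3, 8); raises on anything that is not an RFB banner."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB server banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def probe(sock):
    """Run the RFB version and security-type handshake; report what the server offers.
    Works on anything with recv()/sendall(). No password is ever sent."""
    major, minor = parse_version(recv_exact(sock, 12))
    if major != 3:
        raise ValueError("unsupported RFB major version %d" % major)
    result = {"version": "%d.%d" % (major, minor), "refused": None}
    if minor < 7:
        # 3.3: the server picks the type itself and sends it as a big-endian u32.
        sock.sendall(b"RFB 003.003\n")
        offered = list(struct.unpack(">I", recv_exact(sock, 4)))
    else:
        # 3.7/3.8: u8 count, then that many u8 types. Count 0 means the server refused
        # and follows with a u32 length plus a reason string (e.g. too many failures).
        sock.sendall(b"RFB 003.008\n")
        count = recv_exact(sock, 1)[0]
        offered = []
        if count == 0:
            (reason_len,) = struct.unpack(">I", recv_exact(sock, 4))
            result["refused"] = recv_exact(sock, reason_len).decode("latin-1", "replace")
        else:
            offered = list(recv_exact(sock, count))
    result["security_types"] = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in offered]
    result["no_auth"] = 1 in offered
    result["vnc_auth"] = 2 in offered
    return result

def vnc_des_key(password):
    """Derive the 8-byte DES key VNC Authentication uses: the password is cut to 8 bytes
    (the rest is silently ignored), NUL-padded, and every byte is bit-reversed, because
    VNC feeds DES its key in mirrored bit order (a quirk every viewer reproduces)."""
    raw = password.encode("latin-1")[:8].ljust(8, b"\0")
    return bytes(int("{:08b}".format(b)[::-1], 2) for b in raw)

def effective_wordlist(words):
    """Collapse a wordlist to the guesses VNC can tell apart: only the first 8 bytes
    matter, so 'password' and 'password123' are one guess and one counted attempt."""
    seen, out = set(), []
    for w in words:
        key = w[:8]
        if key and key not in seen:
            seen.add(key)
            out.append(key)
    return out

class FakeSocket:
    """Constructed stand-in for a VNC server: replays canned bytes, records what we send."""
    def __init__(self, canned):
        self._buf, self.sent = canned, b""
    def recv(self, n):
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk
    def sendall(self, data):
        self.sent += data

# Constructed server transcripts (not captures from any real host).
NO_AUTH_SERVER = b"RFB 003.008\n" + bytes([1, 1])          # offers only "None"
VNC_AUTH_SERVER = b"RFB 003.008\n" + bytes([2, 2, 19])     # offers VNC auth or VeNCrypt
LEGACY_SERVER = b"RFB 003.003\n" + struct.pack(">I", 2)    # 3.3 server forcing VNC auth
REASON = b"Too many security failures"
REFUSING_SERVER = b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", len(REASON)) + REASON

if __name__ == "__main__":
    # Live use: probe(socket.create_connection((host, 5900), timeout=5)) from the socket module.
    for name, canned in [("no-auth", NO_AUTH_SERVER), ("vnc-auth", VNC_AUTH_SERVER),
                         ("legacy", LEGACY_SERVER), ("refusing", REFUSING_SERVER)]:
        print(name, probe(FakeSocket(canned)))
    print(vnc_des_key("password").hex(), effective_wordlist(["password", "password123", "admin"]))
```

Two details are worth noticing in the output. A server that offers type 1 needs no cracking at all, which is why the handshake is checked before any wordlist is loaded. And because vnc_des_key("password") equals vnc_des_key("password123"), every entry past the first 8 characters of a wordlist is a wasted attempt that a blacklisting server will still count, which is the reason for trimming the list and for Hydra's -t 1.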
- Checking Authentication with Metasploit: Metasploit's VNC modules for this stage are auxiliary scanners rather than exploits: vnc_none_auth reports servers that accept connections without any password, and vnc_login runs the same password-guessing attack as Hydra. First, start Metasploit:

```
msfconsole
```

Then load the vnc_login module:

```
use auxiliary/scanner/vnc/vnc_login
```

Next, set the RHOSTS (target host), RPORT (target port) and the password list:

```
set RHOSTS 192.168.1.1
set RPORT 5900
set PASS_FILE passwords.txt
```

Finally, run the module:

```
run
```

The module reports any password the server accepts; with a valid password you can then connect with an ordinary VNC viewer and assess what the session gives you. Remember, this process should only be used for educational purposes and conducted on networks where you have permission to do so.