13 Mar, 2023

Virtual Network Computing (VNC)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

VNC stands for Virtual Network Computing. It is a graphical desktop-sharing system that allows remote control of another computer. The VNC protocol is a remote desktop sharing protocol that enables users to control a computer desktop remotely. The protocol works by transmitting keyboard and mouse events from the local machine to the remote machine and transmitting the graphical screen updates back to the local machine. This allows a user to remotely access and control another computer, as if they were sitting in front of it. The VNC protocol is commonly used in IT support and remote working scenarios.

VNC common ports

Port 5900: This is the default port used by the VNC server. It allows remote users to access and control the server’s desktop.

Port 5901: If multiple instances of the VNC server are running on the same machine, the port number is incremented for each additional instance. Port 5901 is used for the second instance of the server, port 5902 for the third instance, and so on.

Port 5800: This is the default port used by the VNC web server. It allows users to access and control the server’s desktop using a web browser.

Port 5801: If multiple instances of the VNC web server are running on the same machine, the port number is incremented for each additional instance. Port 5801 is used for the second instance of the web server, port 5802 for the third instance, and so on.

Standard commands from unauthorized users

Running commands or scripts. Unauthorized users may try to run commands or scripts on the server to gain access to sensitive data or perform malicious activities.

Installing malware. An unauthorized user may attempt to install malware on the server using the VNC connection. This malware could be used to steal data, launch denial-of-service attacks, or take control of the system.

Modifying system settings. Unauthorized users may try to modify system settings on the server to disable security features, grant themselves higher privileges, or otherwise gain control of the system.

Creating or deleting files. An unauthorized user may attempt to create or delete files on the server, potentially causing data loss or system instability.

Monitoring or recording activity. An unauthorized user may attempt to use VNC to monitor or record the activities of users on the server, potentially violating their privacy or stealing sensitive data.

Tools for using protocol VNC

Manual Tools:

  • TightVNC: is a free remote control software package that allows you to remotely control another computer’s desktop over a network. It includes a viewer, a server, and a Java viewer. TightVNC is easy to use and highly configurable.

  • RealVNC: is a popular VNC client/server software package that is available for a variety of operating systems. It supports encryption, file transfer, and chat features, among other things. RealVNC is also highly configurable and easy to use.

  • UltraVNC: is a free remote control software package that allows you to remotely control another computer’s desktop over a network. It includes a viewer, a server, and a Java viewer. UltraVNC also supports encryption and file transfer.

  • TigerVNC: is a high-performance VNC client/server software package that is available for a variety of operating systems. It is designed to provide fast, reliable remote desktop access, and supports encryption and compression.

  • x11vnc: is a VNC server program that allows you to view and control a remote X Windows desktop from your local computer. It supports encryption and SSL/TLS connections.

  • vncviewer: is a command-line tool that allows you to connect to a VNC server and view its desktop. It is included with most VNC software packages and is highly configurable.

  • Remmina: is a remote desktop client that supports a variety of protocols, including VNC. It includes features such as tabbed connections, SSH tunneling, and plugin support.

  • KRDC: is a remote desktop client for KDE that supports VNC, RDP, SSH, and other protocols. It includes features such as multiple connection profiles, remote file browsing, and tabbed connections.

  • Tigervnc-java: is a Java-based VNC viewer that supports encryption and SSL/TLS connections. It is designed to be easy to use and highly configurable.

  • Chicken of the VNC: is a VNC client for Mac OS X that supports encryption, mouse and keyboard scaling, and other features. It is easy to use and highly configurable.

Automated Tools:

  • Metasploit Framework: is a popular penetration testing tool that includes a module for exploiting VNC servers. It can be used to test the security of VNC servers and to gain unauthorized access to remote systems.

  • Nmap: is a powerful network scanning tool that can be used to discover VNC servers on a network. It can also be used to test the security of VNC servers by performing port scans and vulnerability scans.

  • vncrack: is a password cracking tool for VNC servers. It uses brute-force techniques to crack weak passwords and gain unauthorized access to remote systems.

  • Hydra: is a popular password cracking tool that can be used to crack VNC server passwords. It supports a wide range of protocols and can be highly effective in cracking weak passwords.

  • Medusa: is another password cracking tool that can be used to crack VNC server passwords. It is highly configurable and can be used to perform brute-force attacks, dictionary attacks, and other types of attacks.

Last five known CVE for VNC

CVE-2019-1895 – A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device. The vulnerability is due to an insufficient authentication mechanism used to establish a VNC session. An attacker could exploit this vulnerability by intercepting an administrator VNC session request prior to login. A successful exploit could allow the attacker to watch the administrator console session or interact with it, allowing admin access to the affected device.

CVE-2014-8240 – Integer overflow in TigerVNC allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to screen size handling, which triggers a heap-based buffer overflow, a similar issue to CVE-2014-6051.

CVE-2014-6055 – Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.

CVE-2014-6051 – Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.

CVE-2012-4115 – The fabric-interconnect component in Cisco Unified Computing System (UCS) does not encrypt KVM virtual-media data, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or modify this traffic by inserting packets into the client-server data stream, aka Bug ID CSCtr72964.

Useful information

VNC consists of two components: a server and a viewer. The server component is installed on the computer that is being remotely controlled, while the viewer component is installed on the computer that is doing the controlling. Once the server and viewer are set up and connected over the network, the viewer can see and control the desktop of the remote computer as if it were physically sitting in front of it.

VNC uses a remote framebuffer (RFB) protocol to transmit desktop images and user input over the network. The protocol is designed to be platform-independent and supports a wide range of operating systems, including Windows, Mac OS X, Linux, and Unix.

VNC is often used in business and educational settings, where it allows IT administrators and teachers to remotely access and control computers in different locations. It is also popular with individuals who want to remotely access their home computers while on the go.

One of the benefits of VNC is that it can be configured to use encryption and other security features to protect against unauthorized access. However, it is important to ensure that VNC servers are properly secured and that strong passwords are used to prevent unauthorized access.

There are many VNC software packages available, both free and commercial. Some of the most popular include TightVNC, RealVNC, UltraVNC, and TigerVNC. In addition to these, there are also many VNC viewer and server applications available for mobile devices, making it easy to remotely access and control desktops from smartphones and tablets.

Known banners

  • RFB 003.003 – This is the banner that is sent by a VNC server that uses the RFB protocol version 3.3.

  • RFB 003.007 – This is the banner that is sent by a VNC server that uses the RFB protocol version 3.7.

  • RFB 003.008 – This is the banner that is sent by a VNC server that uses the RFB protocol version 3.8.

  • VNC Desktop – This banner is often displayed by VNC servers when a connection is established, indicating that the remote desktop is being accessed.

  • RealVNC – This is the banner that is sent by RealVNC servers, which are a popular implementation of the VNC protocol.

  • TightVNC – This is the banner that is sent by TightVNC servers, another popular implementation of the VNC protocol.

  • UltraVNC – This is the banner that is sent by UltraVNC servers, another commonly used VNC implementation.

  • TigerVNC – This is the banner that is sent by TigerVNC servers, which is an open-source implementation of the VNC protocol.

  • x11vnc – This is the banner that is sent by x11vnc servers, which allows users to remotely access and control X11 desktops over VNC.

  • TurboVNC – This is the banner that is sent by TurboVNC servers, which is a high-performance implementation of the VNC protocol.

Books for studies Virtual Network Computing

Virtual Network Computing A Complete Guide – 2020 Edition by Gerardus Blokdyk: This book provides a comprehensive guide to VNC, covering topics such as VNC architecture, configuration, security, troubleshooting, and more. It is a useful resource for anyone looking to learn about VNC, from beginners to experienced users.

Virtual Network Computing The Complete Guide to Understanding VNC by Joseph Kraynak: This book covers the basics of VNC, including installation, configuration, and remote access. It also includes information on advanced topics such as multiple users and encryption.

Real VNC: Real Virtual Network Computing by Bernd Schemmer: This book provides an overview of RealVNC, a popular VNC implementation. It covers topics such as installation, configuration, and advanced features like file transfer and printing.

Virtual Network Computing via Thin Client-Server Architecture: A Practical Guide by Tariq Aziz and Sajid Iqbal: This book explores how VNC can be used in thin client-server architectures. It covers topics such as installation, configuration, and optimization for high-performance environments.

VNC Tips and Tricks by David McAllister: This book provides tips and tricks for using VNC, including how to optimize performance, troubleshoot common issues, and secure remote connections.

List of Payload for VNC

  • Reverse shell payload – This payload is used to establish a reverse shell on the VNC server, giving the attacker remote access to the server.

  • Keylogger payload – This payload is used to capture keystrokes on the VNC server, allowing the attacker to steal passwords and other sensitive information.

  • Screen capture payload – This payload is used to capture screenshots of the VNC server’s desktop, allowing the attacker to view sensitive information that is displayed on the screen.

  • File upload/download payload – This payload is used to upload or download files from the VNC server, allowing the attacker to steal or exfiltrate sensitive data.

  • Webcam/mic capture payload – This payload is used to capture video and audio from the VNC server’s webcam and microphone, allowing the attacker to spy on the server’s surroundings.

  • Password cracking payload – This payload is used to crack passwords on the VNC server, allowing the attacker to gain access to the server.

  • Remote code execution payload – This payload is used to execute arbitrary code on the VNC server, allowing the attacker to gain full control of the server.

  • Denial of service (DoS) payload – This payload is used to flood the VNC server with traffic, causing it to become unresponsive or crash.

Mitigation

  1. Use strong authentication: VNC servers should be configured to require strong passwords and/or multi-factor authentication (MFA) to prevent unauthorized access.

  2. Limit network exposure: VNC servers should not be exposed to the public internet and should only be accessible from trusted networks or via a virtual private network (VPN).

  3. Disable unused features: Unused VNC server features, such as file transfer or remote printing, should be disabled to reduce attack surface.

  4. Keep software up-to-date: Regularly update VNC server software to ensure that any known vulnerabilities are patched.

  5. Monitor for unusual activity: Monitor VNC server logs and network traffic for unusual activity that may indicate a compromise.

  6. Use encryption: Enable encryption for VNC connections to prevent eavesdropping and man-in-the-middle attacks.

  7. Use firewall rules: Configure firewall rules to only allow access to the VNC server from authorized IP addresses and networks.

  8. Use strong encryption algorithms: Choose strong encryption algorithms, such as AES or 3DES, for VNC connections.

  9. Enforce access control policies: Configure VNC server access control policies to limit access to authorized users and groups.

Conclusion

Virtual Network Computing (VNC) is a powerful tool for remote desktop access that enables users to control another computer’s screen, keyboard, and mouse as if they were physically present. However, VNC also poses security risks, and adversaries can abuse it to perform malicious actions such as opening documents, downloading files, and running arbitrary commands. To mitigate these risks, it is important to follow best practices such as requiring strong authentication on the server, restricting access to VNC servers to your VPN, minimizing the number of individuals who have administrative access, and enforcing lockout policies after unsuccessful login attempts. By following these practices, organizations can use VNC securely and ensure that adversaries cannot abuse it to perform malicious actions.

Other Services

Ready to secure?

Let's get in touch