5900 - VNC

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. VNC usually listens on port 5800, 5801, 5900 or 5901.

Enumeration

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth

Connect to VNC using Kali

vncviewer [-passwd passwd.txt] <IP>::5901

Nmap:

Script: vnc-info

Example Usage

nmap -p 5901 --script vnc-info 192.168.0.50

PORT    STATE SERVICE 
5900/tcp open  vnc 
| vnc-info: 
|   Protocol version: 3.889 
|   Security types: 
|     Mac OS X security type (30) 
|_    Mac OS X security type (35) 

Brute Force with Metasploit

use auxiliary/scanner/vnc/vnc_login

Decrypting VNC password

By default the VNC password is stored in: ~/.vnc/passwd. To decrypt it, build and run vncpwd against that file:

make
vncpwd <vnc password file>

Shodan

  • port:5900 RFB

If you have the VNC password file and its contents look encrypted (a few bytes that could be an encrypted password), it is probably ciphered with 3des. You can get the clear-text password using vncpwd:

https://github.com/jeroennijhof/vncpwd

You can do this because the fixed key used inside 3des to encrypt the plain-text VNC passwords was reversed years ago. For Windows you can also use this tool:

https://www.raymond.cc/blog/download/did/232/

I save the tool here also for ease of access: vncpwd.zip
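The fixed-key obfuscation described above, as an added Go example (not the page's or vncpwd's own code): it reproduces what vncpasswd writes to ~/.vnc/passwd and reverses it with Go's standard crypto/des, which is why that file has to be protected like a plaintext secret. The bit-reversed key bytes are the published fixed key; the sample password is constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Well-known fixed key that vncpasswd uses for every password file. VNC's
// d3des library numbers key bits the other way round, so for a standard DES
// implementation each byte of {23,82,107,6,35,78,88,7} is bit-reversed.
var vncKey = []byte{0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0}

// obfuscatePassword reproduces what vncpasswd writes to ~/.vnc/passwd: the
// password is zero-padded or cut to 8 bytes and DES-ECB encrypted with the key.
func obfuscatePassword(password string) ([]byte, error) {
	block, err := des.NewCipher(vncKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, des.BlockSize)
	copy(plain, password) // silently truncates longer passwords
	stored := make([]byte, des.BlockSize)
	block.Encrypt(stored, plain)
	return stored, nil
}

// recoverPassword is the reverse operation (what vncpwd does): decrypt the
// first 8-byte block with the same fixed key and strip the zero padding.
// A second block, if present, holds a view-only password and decrypts alike.
func recoverPassword(stored []byte) (string, error) {
	if len(stored) < des.BlockSize {
		return "", fmt.Errorf("passwd file too short: %d bytes", len(stored))
	}
	block, err := des.NewCipher(vncKey)
	if err != nil {
		return "", err
	}
	plain := make([]byte, des.BlockSize)
	block.Decrypt(plain, stored[:des.BlockSize])
	return string(bytes.TrimRight(plain, "\x00")), nil
}

func main() {
	// Constructed sample: the bytes a passwd file for "s3cret" would hold.
	stored, _ := obfuscatePassword("s3cret")
	fmt.Printf("stored bytes: %x\n", stored)
	pw, _ := recoverPassword(stored)
	fmt.Printf("recovered: %q\n", pw)
}
```

Because only the first eight characters survive the zero-padding step, a long VNC password gives no more protection than an eight-character one.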