elslomon

RealVNC Authentication Bypass Scanner: A Tool to Test and Exploit RealVNC Servers



See the documentation for the vulns library.

Example Usage

    nmap -sV --script=realvnc-auth-bypass

Script Output

    PORT     STATE SERVICE VERSION
    5900/tcp open  vnc     VNC (protocol 3.8)
    realvnc-auth-bypass:
      VULNERABLE:
      RealVNC 4.1.0 - 4.1.1 Authentication Bypass
        State: VULNERABLE
        IDs: CVE:CVE-2006-2369
        Risk factor: High CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
          RealVNC 4.1.1, and other products that use RealVNC such as
          AdderLink IP and Cisco CallManager, allows remote attackers to
          bypass authentication via a request in which the client specifies
          an insecure security type such as "Type 1 - None", which is
          accepted even if it is not offered by the server.
        Disclosure date: 2006-05-08
        References:
          -flaw-in-realvnc-411/_
          -bin/cvename.cgi?name=CVE-2006-2369

Requires: nmap, shortport, vulns

Author: Brandon Enright
License: Same as Nmap--See -legal.html


In the previous section, we captured the challenge and the response from the VNC authentication exchange. To connect to the service, however, we need a password that we can enter, so we will recover the password from the captured challenge and response. This task requires a tool called vncrack_s. We downloaded it to our Kali machine with wget. Because it comes as a compressed file, we decompressed it with gunzip. Finally, we gave the tool execute permission so that it can be run.



