Vulnerability Scanning
a major potential vulnerability. Metasploit's built-in VNC Authentication None scanner searches a range of IP addresses for VNC servers that do not have a password configured (that is, servers that support "None" authentication, meaning a blank password). Usually this scan turns up nothing of value, but a good penetration tester leaves no stone unturned when looking for ways to access a target system.
NOTE
Recent VNC servers do not allow blank passwords. To set one up in your lab for testing,
use older VNC servers such as RealVNC 4.1.1.
The VNC scanner, like most Metasploit auxiliary modules, is easy to configure and run. The only required configuration for vnc_none_auth is to supply it with an IP or a range of IPs to scan. Simply select the module, define your RHOSTS and, if desired, THREADS, and run it, as shown next:
msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(vnc_none_auth) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5900             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(vnc_none_auth) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(vnc_none_auth) > run

[*] 192.168.1.155:5900, VNC server protocol version : RFB 003.008
[*] 192.168.1.155:5900, VNC server security types supported : None
[*] 192.168.1.155:5900, VNC server security types includes None, free access!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_none_auth) >
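The three result lines above are the server's half of the RFB handshake: the ProtocolVersion banner followed by the list of security types it offers, where type 1 is "None". As an added example that is not from the book or from the Metasploit module, the Python below parses those two messages (including the older RFB 3.3 form, where the server sends a single type) so an administrator auditing their own VNC servers can check captured handshake bytes offline; all sample messages are constructed.

```python
import struct

# RFB security-type identifiers (RFC 6143 plus common extensions)
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple[int, int], msg: bytes) -> list[int]:
    """Return the security types the server offers in its handshake message."""
    if version < (3, 7):
        # RFB 3.3 (and anything older than 3.7): the server chooses one type
        # and sends it as a single U32; 0 means the connection was refused.
        (sectype,) = struct.unpack("!I", msg[:4])
        if sectype == 0:
            raise ValueError("server rejected the connection")
        return [sectype]
    # RFB 3.7 and 3.8: a U8 count followed by that many U8 type identifiers.
    count = msg[0]
    if count == 0:
        # Zero types signals failure; a U32 length and an ASCII reason follow.
        (reason_len,) = struct.unpack("!I", msg[1:5])
        raise ValueError(msg[5:5 + reason_len].decode("ascii", "replace"))
    return list(msg[1:1 + count])


def assess_handshake(banner: bytes, msg: bytes) -> dict:
    """Summarise a server handshake the way the scanner output above does."""
    version = parse_protocol_version(banner)
    types = parse_security_types(version, msg)
    return {
        "version": "RFB %03d.%03d" % version,
        "types": [SECURITY_TYPES.get(t, "Unknown(%d)" % t) for t in types],
        "none_auth": 1 in types,  # type 1 == None, i.e. no password required
    }


if __name__ == "__main__":
    # Constructed sample handshakes, not captured from any real server.
    samples = {"3.8, None only": (b"RFB 003.008\n", b"\x01\x01"),
               "3.8, VNC auth only": (b"RFB 003.008\n", b"\x01\x02"),
               "3.8, both offered": (b"RFB 003.008\n", b"\x02\x02\x01"),
               "3.3, None": (b"RFB 003.003\n", b"\x00\x00\x00\x01")}
    for label, (banner, msg) in samples.items():
        r = assess_handshake(banner, msg)
        flag = "free access!" if r["none_auth"] else "password required"
        print("%-20s %s %s -> %s" % (label, r["version"], r["types"], flag))
```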
If you get lucky and Metasploit finds a VNC server with no authentication, you can use Back|Track's vncviewer to connect to the target machine without a password, as shown in Figure 4-18.

Figure 4-18: Connecting to VNC with no authentication using vncviewer