Vulnerability Scanning

53

a major potential vulnerability. Metasploit’s built-in VNC Authentication 
None scanner searches a range of IP addresses for VNC servers that do not 
have a password configured (that support “None” authentication, meaning a 
blank password). Usually, this scan will turn up nothing of value, but a good 
penetration tester leaves no stone unturned when looking for ways access a 
target system.

NOTE

Recent VNC servers do not allow blank passwords. To set one up in your lab for testing, 
use older VNC servers such as RealVNC 4.1.1.

The VNC scanner, like most Metasploit auxiliary modules, is easy to con-

figure and run. The only required configuration for 

vnc_none_auth

 is to supply 

it with an IP or a range of IPs to scan. Simply select the module, define your 

RHOSTS

 and 

THREADS

, if desired, and run it, as shown next:

msf > 

use auxiliary/scanner/vnc/vnc_none_auth

msf auxiliary(vnc_none_auth) > 

show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5900             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(vnc_none_auth) > 

set RHOSTS 192.168.1.155

RHOSTS => 192.168.1.155
msf auxiliary(vnc_none_auth) > 

run

[*] 192.168.1.155:5900, VNC server protocol version : RFB 003.008
[*] 192.168.1.155:5900, VNC server security types supported : None

 [*] 192.168.1.155:5900, VNC server security types includes None, free access!

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_none_auth) >

If you get lucky and Metasploit finds a VNC server with no authentica-

tion  , you can use Back|Track’s 

vncviewer

 to connect to the target machine 

without a password, as shown in Figure 4-18.

Figure 4-18: Connecting to VNC with no authentication using 

vncviewer