Chapter 4

If you think a VNC scan is likely to be a waste of time and that you’ll never find systems with open VNC servers enabled, think again. During a large penetration test, which included thousands of systems, one of the authors noticed that one of those systems had an open VNC server.

While the author was in the system documenting his finding, he noticed activity on the system. This was overnight on a system that was unlikely to have an authorized user on it. While not always considered a best practice, the author pretended to be another unauthorized intruder and engaged the intruder in conversation via Notepad. The intruder was not very bright and told the author that he was scanning large blocks of systems for open VNC servers. Here is a segment of the conversation:

Author: You in the us? or out of country? I know some people in denmark.

Attacker: I’m from Norway actually, hehe, I have relatives in Denmark.

Author: You hang in any boards? like I used to like some but they have been going away

Attacker: I mostly hang in some programming boards, but not much else. Have you been into hacking for a long time or what? What’s your age btw? I’m 22.

Author: I have been on this for like fun for around a year or so. Still in school. 16. Just something to do.

Attacker: Haven’t been there. I too mostly do this for fun, just trying to see what I can do, test my skills. I wrote the “VNC finder” myself btw, I have found a lot of servers, but this is the only one where I could actually have some fun

Author: Thats cool. you can put it in that pastebin site from irc. That lets you anon post I have not done purebasic before. just python and perl

Attacker: Let me see, I’ll look for that pastebin site and upload it, just give me some minutes, I’ll be around.

The attacker then gave the author a link to a pastebin page with the full source for the custom VNC scanner he was using.

Scanning for Open X11 Servers

Metasploit’s built-in open_x11 scanner is similar to the vnc_auth scanner, in that it scours a range of hosts for X11 servers that allow users to connect without authentication. Although X11 servers aren’t widely used today, lots
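What the open_x11 module actually tests is whether an X server answers a connection-setup request that carries no authorization data with a Success reply. The following is an added example written for this page, not Metasploit’s own code: it builds that request, parses the three reply types defined by the X11 protocol (Failed, Success, Authenticate), and classifies constructed sample replies; check_x11_open is a hypothetical helper that an administrator can run against a display on a host they manage to confirm that access control is enforced.

```python
import socket
import struct

X11_BASE_PORT = 6000  # display :n listens on TCP 6000 + n


def build_setup_request() -> bytes:
    """X11 connection-setup request with no authorization data (little-endian):
    byte order 'l', pad, major 11, minor 0, auth-name len 0, auth-data len 0, 2 pad."""
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(reply: bytes) -> dict:
    """Classify the reply by its first byte: 0 Failed, 1 Success, 2 Authenticate.
    Success means the server accepted a client that presented no credentials."""
    if len(reply) < 8:
        raise ValueError("X11 setup reply shorter than its 8-byte fixed header")
    status = reply[0]
    if status == 1:
        major, minor = struct.unpack_from("<HH", reply, 2)
        return {"status": "success", "open": True, "protocol": f"{major}.{minor}"}
    if status == 0:
        reason_len = reply[1]  # byte 1: reason length in bytes
        major, minor = struct.unpack_from("<HH", reply, 2)
        reason = reply[8:8 + reason_len].decode("latin-1", "replace")
        return {"status": "failed", "open": False, "protocol": f"{major}.{minor}", "reason": reason}
    if status == 2:
        units = struct.unpack_from("<H", reply, 6)[0]  # bytes 6-7: reason length in 4-byte units
        reason = reply[8:8 + 4 * units].decode("latin-1", "replace").rstrip("\x00")
        return {"status": "authenticate", "open": False, "reason": reason}
    raise ValueError(f"unknown X11 setup status byte {status}")


def check_x11_open(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Hypothetical helper: send the unauthenticated request to one display on a host
    you administer and classify the answer."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_setup_request())
        return parse_setup_reply(sock.recv(4096))


# Constructed sample replies (not captured from a real server), one per outcome.
SAMPLE_SUCCESS = b"\x01\x00" + struct.pack("<HHH", 11, 0, 0)
_FAIL = b"Authentication rejected"  # 23 bytes, padded to 24 = 6 units
SAMPLE_FAILED = bytes([0, len(_FAIL)]) + struct.pack("<HHH", 11, 0, 6) + _FAIL + b"\x00"
_AUTH = b"MIT-MAGIC-COOKIE-1 required"  # 27 bytes, padded to 28 = 7 units
SAMPLE_AUTHENTICATE = b"\x02" + b"\x00" * 5 + struct.pack("<H", 7) + _AUTH + b"\x00"
```

A display that returns "success" here is reachable by any client on the network; one that returns "failed" or "authenticate" is enforcing xhost or MIT-MAGIC-COOKIE-1 access control.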