Chapter 4
If you think a VNC scan is likely to be a waste of time and that you’ll never find systems with open VNC servers enabled, think again. During a large penetration test, which included thousands of systems, one of the authors noticed that one of those systems had an open VNC server.

While the author was in the system documenting his finding, he noticed activity on the system. This was overnight on a system that was unlikely to have an authorized user on it. While not always considered a best practice, the author pretended to be another unauthorized intruder and engaged the intruder in conversation via Notepad. The intruder was not very bright and told the author that he was scanning large blocks of systems for open VNC servers. Here is a segment of the conversation:
Author: You in the us? or out of country? I know some people in denmark.

Attacker: I’m from Norway actually, hehe, I have relatives in Denmark.

Author: You hang in any boards? like I used to like some but they have been going away

Attacker: I mostly hang in some programming boards, but not much else. Have you been into hacking for a long time or what? What’s your age btw? I’m 22.

Author: I have been on this for like fun for around a year or so. Still in school. 16. Just something to do.

Attacker: Haven’t been there. I too mostly do this for fun, just trying to see what I can do, test my skills. I wrote the “VNC finder” myself btw, I have found a lot of servers, but this is the only one where I could actually have some fun

Author: Wow. What did you write it in? Can I dl it? Do you have a handle?

Attacker: It’s written in a language called PureBasic, but it’s kinda not ready for release yet, it’s only for my own use. But maybe I can share it anyway, I could upload the code somewhere and let you compile it. That is if you can find some PureBasic compiler on some warez site :P

Author: Thats cool. you can put it in that pastebin site from irc. That lets you anon post I have not done purebasic before. just python and perl

Attacker: Let me see, I’ll look for that pastebin site and upload it, just give me some minutes, I’ll be around.
The attacker then gave the author a link to a pastebin page with the full source for the custom VNC scanner he was using.
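The anecdote above turns on a VNC server that accepted a connection without asking for a password, which is the condition the vnc_auth module tests; the open_x11 module covered in the next section tests the analogous condition for X11. The following is an added example, not code from the book or from Metasploit, for checking that condition on hosts you administer. It parses the security-type message an RFB (VNC) server sends after the version exchange and the X11 connection-setup reply, classifying each as accepting unauthenticated clients or not. The sample messages are constructed here from the published RFB and X11 wire formats, and the `audit_vnc` and `audit_x11` helper names are my own.

```python
"""Audit helpers: does a VNC (RFB) server offer the 'None' security type,
and does an X11 server answer an authorization-free setup request with
Success?  Added example for hosts you administer; not code from the book
or from Metasploit.  Sample byte strings are constructed from the RFB and
X11 protocol specifications."""
import socket
import struct

# RFB security types registered in the RFB spec (subset).
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                      18: "TLS", 19: "VeNCrypt"}
SEC_NONE = 1


def parse_rfb_security(data: bytes, version: str = "RFB 003.008\n") -> dict:
    """Interpret the security message that follows the RFB version exchange.
    A 3.3 server sends one big-endian CARD32 type (0 = connection failed);
    3.7+ servers send a count byte followed by that many type bytes
    (count 0 = connection failed)."""
    minor = int(version[8:11])            # "RFB 003.008\n" -> 8
    if minor < 7:
        (t,) = struct.unpack(">I", data[:4])
        types = [] if t == 0 else [t]
    else:
        types = list(data[1:1 + data[0]])
    return {
        "unauthenticated": SEC_NONE in types,   # server will accept with no password
        "types": [RFB_SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
    }


def build_x11_setup(auth_name: bytes = b"", auth_data: bytes = b"") -> bytes:
    """X11 client connection-setup request, little-endian ('l'), protocol
    11.0.  Empty name/data is what a client with no cookie sends."""
    def pad4(b: bytes) -> bytes:
        return b + b"\0" * ((4 - len(b) % 4) % 4)
    header = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return header + pad4(auth_name) + pad4(auth_data)


def parse_x11_setup_reply(data: bytes) -> dict:
    """Classify the server's setup reply.  Status 1 (Success) to a request
    carrying no authorization means access control is off.  Status 0
    (Failed) carries a reason such as 'No protocol specified'; status 2
    (Authenticate) asks for further authorization data."""
    status = data[0]
    if status == 1:
        vendor_len = struct.unpack("<H", data[24:26])[0]
        vendor = data[40:40 + vendor_len].decode(errors="replace")
        return {"unauthenticated": True, "status": "success", "detail": vendor}
    if status == 0:
        reason = data[8:8 + data[1]].decode(errors="replace")
        return {"unauthenticated": False, "status": "failed", "detail": reason}
    if status == 2:
        extra = struct.unpack("<H", data[6:8])[0] * 4
        reason = data[8:8 + extra].rstrip(b"\0").decode(errors="replace")
        return {"unauthenticated": False, "status": "authenticate", "detail": reason}
    raise ValueError(f"unexpected X11 setup status byte {status}")


def audit_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Complete the RFB version exchange with one host and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        server_version = s.recv(12)
        s.sendall(server_version)      # accept whatever version the server offers
        return parse_rfb_security(s.recv(256), server_version.decode(errors="replace"))


def audit_x11(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Send an authorization-free setup request to display :N (TCP 6000+N)."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
        s.sendall(build_x11_setup())
        return parse_x11_setup_reply(s.recv(4096))


# --- constructed sample messages (only the fields the parsers read matter) ---
SAMPLE_RFB_OPEN = bytes([2, SEC_NONE, 2])     # 3.8 server offering None + VNC Auth
SAMPLE_RFB_AUTH = bytes([1, 2])               # 3.8 server: VNC Authentication only
SAMPLE_RFB_33_OPEN = struct.pack(">I", 1)     # 3.3 server: security type None

_vendor = b"The X.Org Foundation"
SAMPLE_X11_OPEN = (struct.pack("<BxHHH", 1, 11, 0, 11)            # status, major, minor, extra len
                   + struct.pack("<IIII", 12004000, 0x400000, 0x3FFFFF, 256)
                   + struct.pack("<HHBBBBBBBB", len(_vendor), 65535, 1, 7, 0, 0, 32, 32, 8, 255)
                   + b"\0" * 4 + _vendor)                            # vendor string at offset 40
_reason = b"No protocol specified"
SAMPLE_X11_DENIED = struct.pack("<BBHHH", 0, len(_reason), 11, 0, 6) + _reason + b"\0" * 3
SAMPLE_X11_AUTHENTICATE = struct.pack("<B5xH", 2, 4) + b"Auth required" + b"\0" * 3

if __name__ == "__main__":
    for label, msg in [("rfb open", SAMPLE_RFB_OPEN), ("rfb auth", SAMPLE_RFB_AUTH)]:
        print(label, parse_rfb_security(msg))
    for label, msg in [("x11 open", SAMPLE_X11_OPEN), ("x11 denied", SAMPLE_X11_DENIED)]:
        print(label, parse_x11_setup_reply(msg))
```

Run the module as-is to see the constructed samples classified; point `audit_vnc` or `audit_x11` at a host you are responsible for to check a live listener. A "None" security type or an X11 Success reply to an empty authorization is the finding to fix (require VNC authentication, and start the X server with `-nolisten tcp` or keep `xhost` access control enabled).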
Scanning for Open X11 Servers
Metasploit’s built-in open_x11 scanner is similar to the vnc_auth scanner, in that it scours a range of hosts for X11 servers that allow users to connect without authentication. Although X11 servers aren’t widely used today, lots