VNC
Port: 5900
Enumeration
nmap -p 5900 --script="*vnc*" <IP>
Connect to a VNC service
Requires valid credentials
When setting a VNC password, the password is obfuscated and saved as a file on the server. Instead of directly entering the password, the obfuscated password file can be included using the passwd option.
Connecting to VNC using Port-forward:
Decrypting Passwords
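VNC uses a hardcoded DES key to store credentials, and the same key is used across multiple product lines. Because the key is fixed, the stored value is obfuscated rather than protected: anyone who can read it can recover the password.
Reference: https://github.com/frizb/PasswordDecrypts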
Product: RealVNC
  Location: HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
  Value: Password
Product: TightVNC
  Location: HKEY_CURRENT_USER\Software\TightVNC\Server
  Location: HKLM\SOFTWARE\TightVNC\Server\
  Location: tightvnc.ini
  Location: vnc_viewer.ini
  Value: Password or PasswordViewOnly
Product: TigerVNC
  Location: HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
  Value: Password
Product: UltraVNC
  Location: C:\Program Files\UltraVNC\ultravnc.ini
  Value: passwd or passwd2
-d: decrypt
-f: file
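An added example (not from the original page or the referenced repository): a Python audit helper that scans INI text for the stored-password value names listed above and reports where they occur without printing the values, so the password can be rotated and read access to the file tightened. The function name, report fields and sample INI contents are assumptions constructed for illustration.

```python
import configparser
import re

# Value names taken from the locations listed above; each holds a password
# obfuscated with the fixed DES key, so read access equals password access.
PASSWORD_KEYS = {"password", "passwordviewonly", "passwd", "passwd2"}
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def find_stored_vnc_passwords(ini_text, source="<inline>"):
    """Return one finding per stored VNC password value, never the value itself."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case for the report
    try:
        parser.read_string(ini_text, source=source)
    except configparser.MissingSectionHeaderError:
        # Some INI files start with bare key=value lines; wrap them in a section.
        parser.read_string("[_no_section_]\n" + ini_text, source=source)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if key.lower() not in PASSWORD_KEYS or not value:
                continue  # unrelated setting, or no password stored
            is_hex = bool(HEX_RE.match(value))
            findings.append({
                "source": source,
                "section": section,
                "key": key,
                "encoding": "hex" if is_hex else "other",
                "stored_bytes": len(value) // 2 if is_hex else None,
                "view_only": key.lower() == "passwordviewonly",
            })
    return findings

# Constructed sample input (hypothetical file contents, not real credentials).
SAMPLE_ULTRAVNC_INI = "[ultravnc]\npasswd=0011223344556677\npasswd2=\n[admin]\nUseRegistry=0\n"
SAMPLE_TIGHTVNC_INI = "Password=0011223344556677\nPasswordViewOnly=8899aabbccddeeff\n"

if __name__ == "__main__":
    samples = [("ultravnc.ini", SAMPLE_ULTRAVNC_INI), ("tightvnc.ini", SAMPLE_TIGHTVNC_INI)]
    for name, text in samples:
        for finding in find_stored_vnc_passwords(text, source=name):
            print(finding)
```
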