VNC (Virtual Network Computing) Pentesting

VNC is a graphical desktop sharing system that uses the Remote Frame Buffer protocol to remotely control another computer. Default ports are 5800, 5801, 5900, 5901.

Enumeration

nmap --script vnc-info -p 5900 <target-ip>
# RealVNC authentication bypass (CVE-2006-2369)
nmap --script realvnc-auth-bypass -p 5900 <target-ip>

msf> use auxiliary/scanner/vnc/vnc_none_auth
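
What these checks read is the server's opening RFB handshake, where security type 1 ("None") means no password is required. The parser below is an added example, not part of the original page, for auditing handshake bytes recorded from hosts you administer; the function name `parse_rfb_handshake` and the sample bytes are constructed for illustration, and it assumes the client echoed the server's protocol version.

```python
import struct

# Security-type codes from the RFB registry (RFC 6143); others show as unknown.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}

def parse_rfb_handshake(version_msg: bytes, security_msg: bytes) -> dict:
    """Parse a server's ProtocolVersion and security-type messages.

    Assumes the client echoed the server's version, so that version decides
    the layout of security_msg.
    """
    # ProtocolVersion is exactly 12 bytes: b"RFB xxx.yyy\n"
    if (len(version_msg) != 12 or version_msg[:4] != b"RFB "
            or version_msg[7:8] != b"." or version_msg[11:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(version_msg[4:7]), int(version_msg[8:11])
    if (major, minor) < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a U32.
        if len(security_msg) < 4:
            raise ValueError("truncated security-type message")
        (chosen,) = struct.unpack(">I", security_msg[:4])
        codes, rest = ([chosen] if chosen else []), security_msg[4:]
    else:
        # RFB 3.7 and later: U8 count, then that many U8 type codes.
        if not security_msg or len(security_msg) < 1 + security_msg[0]:
            raise ValueError("truncated security-type list")
        count = security_msg[0]
        codes, rest = list(security_msg[1:1 + count]), security_msg[1 + count:]
    error = None
    if not codes:
        # Zero types (or type 0) means failure: U32 length + reason string.
        error = "connection refused, no reason given"
        if len(rest) >= 4:
            (n,) = struct.unpack(">I", rest[:4])
            error = rest[4:4 + n].decode("latin-1")
    return {
        "version": f"{major}.{minor}",
        "types": [SECURITY_TYPES.get(c, f"unknown({c})") for c in codes],
        "none_auth_offered": 1 in codes,  # the finding to fix: no password
        "error": error,
    }

if __name__ == "__main__":
    # Constructed handshake bytes, not captured from any real host.
    print(parse_rfb_handshake(b"RFB 003.008\n", b"\x02\x01\x02"))
    print(parse_rfb_handshake(b"RFB 003.003\n", b"\x00\x00\x00\x02"))
```

A result with `none_auth_offered` set to true marks a server that should be reconfigured to require authentication or be taken off the network.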

Brute Force Credentials

The VNC server does not use a username, only a password.

hydra -P passwords.txt vnc://<target-ip>
hydra -P passwords.txt <target-ip> vnc

Connect

remmina
remmina -c vnc://<target-ip>
remmina -c vnc://username@vulnerable.com
remmina -c vnc://vulnerable.com?VncUsername=username
remmina -c vnc://username:password@vulnerable.com
remmina -c vnc://vulnerable.com?VncUsername=username\&VncPassword=password