Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapDaniel MillerNMAP:VNC-TITLE.NSE
HistoryApr 01, 2016 - 10:29 p.m.

vnc-title NSE Script

2016-04-0122:29:40
Daniel Miller
nmap.org
83

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Tries to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or None authentication types. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication.

See also:

Script Arguments

creds.[service], creds.global

See the documentation for the creds library.

Example Usage

nmap -sV --script=vnc-title <target>

Script Output

| vnc-title:
|   name: LibVNCServer
|   geometry: 800 x 600
|_  color_depth: 24

Requires

local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vnc = require "vnc"

description = [[
Tries to log into a VNC server and get its desktop name. Uses credentials
discovered by vnc-brute, or None authentication types. If
<code>realvnc-auth-bypass</code> was run and returned VULNERABLE, this script
will use that vulnerability to bypass authentication.
]]

author = "Daniel Miller"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "discovery"}

---
-- @see vnc-brute.nse
-- @see realvnc-auth-bypass.nse
--
-- @output
-- | vnc-title:
-- |   name: LibVNCServer
-- |   geometry: 800 x 600
-- |_  color_depth: 24
--
-- @xmloutput
-- <elem key="name">QEMU (instance-00000002)</elem>
-- <elem key="geometry">1024 x 768</elem>
-- <elem key="color_depth">24</elem>

dependencies = {"vnc-brute", "realvnc-auth-bypass"}

portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")

local function fail(err) return stdnse.format_output(false, err) end

action = function(host, port)

  local v = vnc.VNC:new( host, port )
  local status, data
  local result = stdnse.output_table()

  status, data = v:connect()
  if ( not(status) ) then return fail(data) end

  status, data = v:handshake()
  if ( not(status) ) then return fail(data) end

  -- If this doesn't work, start over.
  status = false
  local reg = host.registry["realvnc-auth-bypass"]
  if reg and reg[port.number] then
    stdnse.debug1("Trying RealVNC Auth Bypass")
    -- Force None auth type and try to init to exploit
    v:sendSecType(vnc.VNC.sectypes.NONE)
    status, data = v:login_none()
    if status then
      status, data = v:client_init(true)
      if not status then
        stdnse.debug1("RealVNC Auth Bypass failed.")
      end
    end
    if not status then
      -- clean up and start over
      v:disconnect()
      status, data = v:connect()
      if not status then return fail(data) end
      status, data = v:handshake()
      if not status then return fail(data) end
      -- Be sure to let the regular login stuff have a try
      status = false
    end
  end
  if not status then
    local c = creds.Credentials:new(creds.ALL_DATA, host, port)
    local tried = 0
    for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
      tried = tried + 1
      stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
      status, data = v:login(cred.user, cred.pass)
      if status then
        break
      end
    end
    if tried < 1 then
      --worth trying a None-type login
      stdnse.debug1("Trying empty creds, for None security type")
      status, data = v:login("", "")
    end
    if not status then
      return fail(("Couldn't log in: %s"):format(data))
    end
    status, data = v:client_init(true)
  end
  if status then
    local out = stdnse.output_table()
    out.name = data.name
    out.geometry = ("%d x %d"):format(data.width, data.height)
    out.color_depth = data.depth
    return out
  end

end

Related

nmap 199
nmap
nmap
netbus-info NSE Script
2010-12-13 18:00:02
ajp-headers NSE Script
2012-05-07 18:49:22
bitcoin-info NSE Script
2011-11-09 18:56:16

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:VNC-TITLE.NSE
nmap199