# VNC (Virtual Network Computing) Pentesting

VNC is a graphical desktop sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer. The default ports are 5800, 5801, 5900 and 5901.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
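# Report the RFB protocol version and the security types the server offers
nmap --script vnc-info -p 5900 <target-ip>
# RealVNC authentication bypass (CVE-2006-2369)
nmap --script realvnc-auth-bypass -p 5900 <target-ip>

# Metasploit: find servers that accept the "None" security type (no password)
msf> use auxiliary/scanner/vnc/vnc_none_auth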
```

#### Brute Force Credentials <a href="#brute-force-credentials" id="brute-force-credentials"></a>

The VNC server does not use a username, only a password.

```
hydra -P passwords.txt vnc://<target-ip>
hydra -P passwords.txt <target-ip> vnc
```

### Connect <a href="#connect" id="connect"></a>

#### Using Remmina <a href="#using-remmina" id="using-remmina"></a>

```
remmina
remmina -c vnc://<target-ip>
remmina -c vnc://username@vulnerable.com
remmina -c vnc://vulnerable.com?VncUsername=username
remmina -c vnc://username:password@vulnerable.com
remmina -c vnc://vulnerable.com?VncUsername=username\&VncPassword=password
```

#### Using VNC Viewer <a href="#using-vnc-viewer" id="using-vnc-viewer"></a>

If we don’t have `vncviewer`, install it first:

```
sudo apt install tigervnc-viewer
```

Then run the following command to connect:

```
vncviewer 10.0.0.1:5901
# with a password file (TigerVNC expects the obfuscated format written by vncpasswd, not plain text)
vncviewer -passwd ./passwd.txt 10.0.0.1:5901
```
