Server : Apache/2.4.41 (Ubuntu) System : Linux absol.cf 5.4.0-198-generic #218-Ubuntu SMP Fri Sep 27 20:18:53 UTC 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.33 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, Directory : /usr/share/nmap/scripts/
Upload File :
Current File : //usr/share/nmap/scripts/vnc-title.nse
local creds = require "creds"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vnc = require "vnc"
description = [[
Tries to log into a VNC server and get its desktop name. Uses credentials
discovered by vnc-brute, or None authentication types. If
<code>realvnc-auth-bypass</code> was run and returned VULNERABLE, this script
will use that vulnerability to bypass authentication.
]]
author = "Daniel Miller"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "discovery"}
---
-- @see vnc-brute.nse
-- @see realvnc-auth-bypass.nse
--
-- @output
-- | vnc-title:
-- | name: LibVNCServer
-- | geometry: 800 x 600
-- |_ color_depth: 24
--
-- @xmloutput
-- <elem key="name">QEMU (instance-00000002)</elem>
-- <elem key="geometry">1024 x 768</elem>
-- <elem key="color_depth">24</elem>
dependencies = {"vnc-brute", "realvnc-auth-bypass"}
portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")
local function fail(err) return stdnse.format_output(false, err) end
action = function(host, port)
local v = vnc.VNC:new( host, port )
local status, data
local result = stdnse.output_table()
status, data = v:connect()
if ( not(status) ) then return fail(data) end
status, data = v:handshake()
if ( not(status) ) then return fail(data) end
-- If this doesn't work, start over.
status = false
local reg = host.registry["realvnc-auth-bypass"]
if reg and reg[port.number] then
stdnse.debug1("Trying RealVNC Auth Bypass")
-- Force None auth type and try to init to exploit
v:sendSecType(vnc.VNC.sectypes.NONE)
status, data = v:login_none()
if status then
status, data = v:client_init(true)
if not status then
stdnse.debug1("RealVNC Auth Bypass failed.")
end
end
if not status then
-- clean up and start over
v:disconnect()
status, data = v:connect()
if not status then return fail(data) end
status, data = v:handshake()
if not status then return fail(data) end
-- Be sure to let the regular login stuff have a try
status = false
end
end
if not status then
local c = creds.Credentials:new(creds.ALL_DATA, host, port)
local tried = 0
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
tried = tried + 1
stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
status, data = v:login(cred.user, cred.pass)
if status then
break
end
end
if tried < 1 then
--worth trying a None-type login
stdnse.debug1("Trying empty creds, for None security type")
status, data = v:login("", "")
end
if not status then
return fail(("Couldn't log in: %s"):format(data))
end
status, data = v:client_init(true)
end
if status then
local out = stdnse.output_table()
out.name = data.name
out.geometry = ("%d x %d"):format(data.width, data.height)
out.color_depth = data.depth
return out
end
end
Server : Apache/2.4.41 (Ubuntu)