VNC




Virtual Network Computing (VNC) was written by AT&T Laboratories to allow a user complete control of a computer remotely. The control offered by VNC mimics how control would occur if the user were sitting at the console. The tool attempts to be operating-system independent both for the client and server. This software runs on most flavors of Unix and Windows, and the source code can be downloaded at http://www.uk.research.att.com/vnc/.

VNC is packaged as a client and a server. The server resides on the machine you wish to control. The client will be installed on the machine that will be the controller. Therefore, you will install the client on your “attacker” machine, and the server will be installed on the “victim” machine. Additionally, the need for the proprietary client program may be eliminated in some circumstances because VNC also provides a web server. This means the server can be controlled with a standard web browser.

Implementation

If the target is a Windows machine, it can be compromised in several different ways. The easiest and most famous method is for the attacker to send an e-mail with an attachment that is VNC in disguise. For this discussion, assume that this is the method of compromise. VNC is used in this case instead of some of the other backdoors because most virus detectors cannot detect it.

The VNC must be installed and configured on the attacker’s platform before it can infect the victim server. VNC’s setup program is similar to most software that runs on the Windows operating system. A simple setup wizard takes you through the process.

Assuming you’re the attacker, after VNC has been installed, you can run the VNC server so that it may be initially configured. In the Current User Properties dialog box, accessed by the VNC “app mode” program found in the Start | Programs | VNC folder, set up the configuration options as shown in the following illustration:

Note that VNC, like the X Window System, works in terms of display numbers. In this case, a display number of 0 (zero) makes VNC listen on port 5800 for the web server and port 5900 for the proprietary VNC server. The importance of these ports is clear in the next screenshot, in which the attacker, using FreeBSD, connects to the machine on which VNC has been installed. The attacker uses a web browser to connect to port 5800 at the IP address of the VNC machine. This opens a web page that prompts the user for a password to enter the system:

[Screenshot: the VNC web server's password prompt, reached by browsing to port 5800]

After the correct password has been supplied, the system desktop is available to the attacker in the web browser. The following screenshot is a DOS prompt window viewed through a VNC session. Notice that everything looks exactly the same as it would if you were sitting in front of the console. In the screenshot, we see the attacker’s session inside the web browser. She has opened a command prompt and is in the process of downloading a root kit. Remember, if an administrator were sitting at the console, all of this activity would be visible on the screen.

[Screenshot: the attacker's VNC session inside a web browser, with a command prompt open]

So far, we have seen that the desktop of a victim machine can be controlled through a web browser. The proprietary VNC viewer tool allows the victim’s desktop to be displayed outside a web browser. This viewer uses TCP port 5900 instead of 5800, as we have used in the previous screenshots.

Most security administrators should be blocking TCP port 5900 from entering their networks. Because TCP port 80 is the least regulated port by many administrators, it would be to an attacker’s advantage to have VNC listen on port 80 instead of 5900 for connections. Using some high-school math skills, any attacker can accomplish this. Recall that the Current User Properties dialog box, which set up the VNC server, asked for the display number to listen on. By default, this is set as display 0, or port 5900. We know that 65,535 ports are available for the Transmission Control Protocol (TCP). Therefore, TCP port 65536 is also TCP port 0, because the values wrap around the valid range. If we subtract 5900 from 65,536, we get 59,636. If we add 80 to this result (for port 80), we get 59,716. Entering 59716 as the display number in the Current User Properties box therefore forces the VNC server to listen on port 80 on the victim machine:

After running the netstat -an command to display the open ports, we’d see that port 80 is now open.

There is one problem with this situation, however. If we connect to the victim over display 59716, the VNC viewer returns an error. This also happens when we do the same for the VNC web server on TCP port 59616. Therefore, we must use a data redirector on our local machine to listen on port 5900 and forward the traffic to the victim on TCP port 80. This can be accomplished using a datapipe. (For a complete description of how to use a datapipe, see Chapter 15.) After a datapipe has been started with those parameters, the vncviewer application is pointed at our local machine. The result is that the traffic is redirected from our local machine and forwarded to the victim machine on port 80, thereby evading the firewall in place!
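As an added defender-side check (not code from the book), the following Python script reproduces the 16-bit wrap-around that maps a display number to the ports VNC actually binds, pulls LISTENING ports out of `netstat -an` output, and identifies a VNC listener on any port by the RFB greeting the server sends first. The netstat text and the hostname are constructed sample values.

```python
import re
import socket
from typing import Optional

VNC_BASE_PORT = 5900   # display 0 -> 5900 (RFB protocol), 5800 (built-in web server)
HTTP_BASE_PORT = 5800
RFB_GREETING = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
# One Windows "netstat -an" line: proto, local addr:port, foreign addr:port, state
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def display_to_ports(display: int) -> tuple[int, int]:
    """Ports a VNC server configured for `display` actually listens on.
    Port numbers are 16 bits wide, so the sum wraps modulo 65536; this is
    the arithmetic that parks the RFB listener on port 80 for display 59716."""
    return (VNC_BASE_PORT + display) & 0xFFFF, (HTTP_BASE_PORT + display) & 0xFFFF


def listening_ports(netstat_output: str) -> list[int]:
    """Extract local TCP ports in LISTENING state from `netstat -an` text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def classify_greeting(data: bytes) -> Optional[str]:
    """An RFB server speaks first, sending 'RFB xxx.yyy\\n' before the client
    says anything, so the greeting identifies VNC regardless of port."""
    m = RFB_GREETING.match(data)
    return f"RFB {int(m.group(1))}.{int(m.group(2))}" if m else None


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Live check: connect, read the first 12 bytes and classify them."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return classify_greeting(s.recv(12))
    except OSError:
        return None


# Constructed sample in the shape of `netstat -an` on a Windows host
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:80       0.0.0.0:0     LISTENING
  TCP    0.0.0.0:135      0.0.0.0:0     LISTENING
  TCP    10.0.0.5:1043    10.0.0.9:21   ESTABLISHED
"""

if __name__ == "__main__":
    for port in listening_ports(SAMPLE_NETSTAT):
        print(port, probe("127.0.0.1", port))   # hostname is a placeholder
```

A listener that answers with an RFB greeting on port 80 is VNC, whatever the port suggests; a web-server-only firewall rule does not distinguish the two.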

The following screenshot is a DOS prompt window viewed through a VNC session. Notice that everything looks exactly the same as if you were sitting in front of the console. The web browser has been cropped.

[Screenshot: a command prompt viewed through the VNC viewer session]

Now let’s discuss a few more caveats to using VNC as a backdoor into the network. The first concerns how VNC stores session information, such as the initial password, in the registry. If we are to move the server we created on our local attacker’s machine to the victim machine, this information must be present in the remote registry. Therefore, we must export the registry values found on the local machine so that they can be added to the victim machine. This can be accomplished in Windows using the system utility regedit and choosing File | Export to save the values to a text file. The following are the results viewed within the Registry Editor.

[Screenshot: the VNC registry values viewed in the Registry Editor]

If you are even a little knowledgeable about how to create batch files, installation of the VNC server on a victim machine can be relatively simple. Create a batch file similar to that shown in the next screenshot. When the victim runs this batch file, it will add the appropriate values to the registry and download, via FTP, the VNC server from your drop site to the victim machine. Of course, a myriad of other ways can be used to get the VNC executables on the victim machine, but this is one of our favorites. You could also use the popular exe binding programs that are available or one of many other intricate methods.

[Screenshot: a batch file that adds the registry values and fetches the VNC server via FTP]

The other item to address to enable the VNC server to run stealthily is to remove the system tray icon shown in the lower-right corner of the desktop screen when it is executed. Removal of this item is beyond the scope of this book, but it is important to note that the source code for performing such tasks is freely available. Therefore, a resourceful programmer with limited skills should be able to remove this icon from the victim’s desktop.

If we choose to use the VNC server on a Unix machine, it is not as complicated as the Windows method. This program may be run by anyone, not just a root user. The source code must be downloaded and compiled for a Unix-like operating system. After it is compiled, running vncserver starts the server. Of course, the attacker will need access to a prompt at the victim machine to do this. When vncserver is executed, the attacker is prompted for a password and the next available display is assigned to his session. The display VNC uses in Unix works in basically the same way it works in Windows.

First, as in Windows, the attacker can access the victim machine by using a web browser. Remember that when you run vncserver, you will be given a "display number." Add this display number to 5800 and connect to the resulting port on the victim machine in the same manner as the Windows method. When we ran vncserver on our victim machine, we were told that the display number was 3, so we connected to port 5803 on the victim machine:

[Screenshot: connecting to the Unix vncserver web interface on port 5803]

The victim desktop that we control with VNC will look significantly different from Windows because a pseudo X server is started within vncserver. An example of a victim machine is shown in the next screenshot:

[Screenshot: a Unix victim desktop served by vncserver]

After you have access to VNC on one of the machines in the victim network, you have come a long way toward compromising the other machines if no firewalls are in place between the internal machines (as in the case study later in this chapter). This allows you to control (and send data from) the machine you’ve compromised.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189