Brute force VNC crack

Luis.F.Correia@seg-social.pt Luis.F.Correia "at" seg-social.pt
Thu, 17 Aug 2000 12:09:58 +0000


Cracking VNC passwords is as easy as going to the source code and analysing
VNCAUTH.C.

Then on a Windows machine you just go to the registry and patch it.

I have done it!

-----Original Message-----
From: Kenneth Foster [mailto:fosterk "at" aenigma.net]
Sent: Wednesday, 16 August 2000 22:54
To: vnc-list "at" uk.research.att.com
Subject: RE: Brute force VNC crack


Cool idea about the hex editor.  I didn't even think of that.

As far as generating a dictionary of possible passwords, that would require
about 10828567056280801 possible passwords in a dictionary.  That is a huge
file and would be very large in respect to hard drive space.  Not saying it
couldn't be done, but I wouldn't want to do it.


Ken


-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Ingecom - SERRE
Jean-Christophe
Sent: Wednesday, August 16, 2000 3:17 PM
To: vnc-list "at" uk.research.att.com
Subject: RE: Brute force VNC crack


"Kenneth Foster" <fosterk "at" aenigma.net> wrote:
>
> brute forcing of passwords will always work.  There are two ways to stop
> this.
>
> 1:      Use passwords that don't show up in dictionaries.  This may be more
> difficult to remember, but it makes it less likely to be cracked.  The code,
> as written, uses a dictionary attack.  Not quite what it says in the title
> of the crack.

Yes and no: in "hacker toolz" you'll find a lot of little programs for
generating a (huge) textfile with the complete list of possible
passwords based on your provided character set and min/max lengths --
then, using that textfile as the "dictionary" will actually perform the
brute-force attack.

This kind of attack tool often just provides support for an external
textfile, because it allows reuse of the wealth of available
dictionaries as well as a brute-force generated textfile, while being a
simple quick-n-dirty program...

> 2:      The other way to stop this is to change the encryption key used by your
> company and recompile your server and client tools.  By changing the key no
> password, even the correct one, from a non-company VNCviewer will work. At
> least from my testing.

As a note, since most people don't have VC++6 or time for recompiling
VNC, this can also be easily done, as always, by a mere hex-patch.

From the WinVNC source file "vncauth.c" we see that VNC's DES key is:
  unsigned char fixedkey[8] = {23,82,107,6,35,78,88,7};
which is, in hex:
  17 52 6B 06 23 4E 58 07

Using any hex-editor, one will find a unique occurrence of that hex
pattern in the WINVNC.EXE and VNCVIEWER.EXE binaries, and will be able
to hex-change it for a custom key w/o any recompilation.

--
JCS - Jean-Christophe SERRE - INGECOM France - +33 (0)1.48.34.12.34

Microsoft: the 51st State of America -- 52nd coming soon!
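An added audit check, not part of the thread or of the VNC sources: it parses the fixedkey initializer quoted above into bytes, confirms the hex shown, and scans a binary image for occurrences of that key, so an administrator can tell a stock build (stored passwords are effectively plaintext) from a custom-keyed one. The sample images below are constructed padding, not real WinVNC bytes.

```python
import re

# The fixed key exactly as the thread quotes it from WinVNC's vncauth.c.
VNCAUTH_C_LINE = "unsigned char fixedkey[8] = {23,82,107,6,35,78,88,7};"

def parse_c_byte_array(decl: str) -> bytes:
    """Turn a C initializer like 'unsigned char k[8] = {23,82,...};' into bytes."""
    m = re.search(r"\{([^}]*)\}", decl)
    if not m:
        raise ValueError("no initializer list found")
    values = [int(v.strip(), 0) for v in m.group(1).split(",") if v.strip()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("byte value out of range")
    return bytes(values)

DEFAULT_KEY = parse_c_byte_array(VNCAUTH_C_LINE)  # 17 52 6B 06 23 4E 58 07

def find_key_offsets(image: bytes, key: bytes = DEFAULT_KEY) -> list:
    """Return every offset at which `key` occurs in a binary image."""
    offsets, start = [], 0
    while (i := image.find(key, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets

def audit_vnc_image(image: bytes) -> dict:
    """Classify an image by how the well-known key appears in it.

    'default'  - the public key occurs once: passwords obfuscated with it are
                 recoverable by anyone who has read vncauth.c.
    'absent'   - no occurrence: a hex-patched or recompiled custom key (still
                 only obscurity, since that key also sits in the binary).
    'multiple' - the 'unique occurrence' assumption behind a hex-patch fails.
    """
    offsets = find_key_offsets(image)
    verdict = {0: "absent", 1: "default"}.get(len(offsets), "multiple")
    return {"verdict": verdict, "offsets": offsets,
            "key_hex": DEFAULT_KEY.hex(" ").upper()}

# Constructed sample images (not real WinVNC bytes): 32 bytes of padding each side.
PAD = b"MZ" + b"\x00" * 30
SAMPLE_STOCK = PAD + DEFAULT_KEY + PAD
SAMPLE_PATCHED = PAD + bytes(b ^ 0xA5 for b in DEFAULT_KEY) + PAD  # custom 8-byte key
SAMPLE_TWICE = SAMPLE_STOCK + DEFAULT_KEY

if __name__ == "__main__":
    for name, img in [("stock", SAMPLE_STOCK), ("patched", SAMPLE_PATCHED),
                      ("twice", SAMPLE_TWICE)]:
        print(name, audit_vnc_image(img))
```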
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------