Brute force VNC crack

Walden H. Leverich WaldenL "at" TechSoftInc.com
Thu, 17 Aug 2000 14:29:51 +0000


Ken,

I'm not sure changing the encryption key would prevent brute-force attempts.
Think of it this way:

Using the "modified" version of VNC I tell VNC that my password is 'george'
and this gets encrypted to 'gracie' (I know it would be a mess of hex, but
this is easier) Your argument says that when I attempt to encrypt 'george'
on the standard VNC viewer I won't get 'gracie' and as such I won't be able
to issue the correct response to the challenge, and you are correct.
However, this is a brute force attempt and at some point I am going to
encrypt 'oldtimer' and that will be encrypted to 'gracie' and then I will be
able to answer the server's challenge. 

Now I think your password is 'oldtimer' and your password is 'george' but it
doesn't really matter because I have access to your machine anyway.

-Walden

-----Original Message-----
From: Kenneth Foster [mailto:fosterk "at" aenigma.net]
Sent: Tuesday, August 15, 2000 5:27 PM
To: vnc-list "at" uk.research.att.com
Subject: RE: Brute force VNC crack


brute forcing of passwords will always work.  There are two ways to do stop
this.

1:	Use passwords that don't show up in dictionaries.  This may be more
difficult to remember, but it makes it less likely to be cracked.  The code,
as written, uses a dictionary attack.  Not quite what it says in the title
of the crack.

2:	The other way to stop this is to change the encryption key used by
your
company and recompile your server and client tools.  By changing the key no
password, even the correct one, from a non-company VNCviewer will work. At
least from my testing.


Ken Foster

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Ernie Oporto
Sent: Tuesday, August 15, 2000 4:59 PM
To: vnc-list "at" uk.research.att.com
Subject: Brute force VNC crack


Has anyone seen this before?  Is this still true?

http://www.securiteam.com/tools/Brute_forcing_VNC_passwords.html
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------