Tue Sep 16 22:05:01 2003
Scott C. Best wrote:
> First, when you press "Send"
> on a web-browser form, all of the data in that form is sent at
> once, in well-delineated form, making the data relatively easy to
> identify. In a VNC session, by comparison, every *character* is
> sent as soon as you type it, along with other RFB info to update
> the visuals. That will make intercepting the data fundamentally
> more difficult as it is "spread" across so many more packets, and
> mixed in with so much other data.

Yes, it's encoded, it's compressed, it's scattered and it's mixed with lots
of other data, but _that_does_not_matter_. Reassembling the scattered packets
of a TCP session isn't difficult. Every operating system has the code to do
that, and lots of monitoring programs too, and TCP is documented in case you
really want to write it yourself. Decompressing and decoding the data stream
isn't difficult either. VNC knows how to do it. The source code is free, and
so is the RFB documentation.

If I wanted to sniff other people's VNC traffic I'd first try to find an
existing program to do this. If I couldn't find one I would:

1: use one of the existing programs that can intercept TCP sessions. Maybe
I'd have to teach it how to recognize the RFB protocol. That's no big problem.
2: feed the keystrokes to a small program that would write them to a log
file. If I needed a translation table I could get one from any VNC server.
3: feed the screen updates to one of those VNC viewers that can record them
as a video file.
4: feed the image data to one of the existing programs that perform character
recognition on screenshots, and log the character data.

Once this was done I could automatically record all VNC sessions on every
network link I could get access to, and then I could scan the text logs for
interesting tokens such as "Password" or whatever I'd be looking for.

I'd be surprised if no one has done this already, and maybe even put the
pieces together into a convenient program, but if not, it's probably just a
matter of time.

On the Internet, either you have encryption, or you have *no* security.