[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VNC game



On Fri, 29 Nov 2002 rsmc@xxxxxx wrote:

>In it, we got to fake entries in the DNS server of the machines
>accessing one VNC server (inside the audited internal network), so I
>just wrote this little troyan to demonstrate how we could bypass the
>challenge - response mecanism imposed by VNC to protect password from
>being sniffed.

You haven't really bypassed it - you're acting as a passive
man-in-the-middle. It's not a trojan.

>	/* we must send VNC version number (from protocol) */
>	/* we also must read VNC version number (from protocol) */
>	/* we send the authentication method code to the client */
>	/* we connect to the real VNC server */
>	/* again, we read version number from the VNC server */
>	/* and we send ours */
>	/* we now read authenticarion method code from VNC server */
>	/* here is the challenge from server */
>	/* we send the challenge to the victim client */
>	/* we have the encrypted password from the client */

No, you have the challenge DES-encrypted by the password. Not the
password DES-encrypted by the challenge. See section 5.1.2 of
http://www.realvnc.com/docs/rfbproto.pdf.

>	/* we send the encrypted password to the VNC server */
>	/* we read the result from the authentication process */
>	/* at this point we should be authenticated */
>	/* place whatever code you want here */

I claim no particular expertise in crypto code, but I don't think
there's anything here which helps you learn the password. Of course,
you've hijacked the data stream, so you could read keystrokes, make
screengrabs etc.

The VNC site contains a page on wrapping up VNC inside SSH, for proper
secure tunnelling.


Cheers,

Phil