Feb. 27, 2011, 10:57 a.m.
posted by newmy
Virtual Network Computing (VNC) was written at AT&T Laboratories Cambridge (originally the Olivetti Research Laboratory) to give a user complete control of a computer remotely. The control VNC offers mimics what the user would have if sitting at the console. The tool aims to be operating-system independent for both client and server: it runs on most flavors of Unix and Windows, and the source code can be downloaded at http://realvnc.com/.
VNC is packaged as a client and a server. The server resides on the machine you wish to control; the client is installed on the machine that will do the controlling. Therefore, you install the client on your "attacker" machine and the server on the "victim" machine. In some circumstances the proprietary client can be dispensed with altogether, because the VNC server also includes a small web server. That web server hands out a Java applet viewer, so the server can be controlled from a standard web browser (one with a Java plug-in).
If the target is a Windows machine, it can be compromised in several ways. The easiest and most famous is for the attacker to send an e-mail with an attachment that is VNC in disguise; for this discussion, assume that is the method of compromise. VNC is used here instead of other backdoors because, at least when this was written, most virus scanners did not treat VNC as malicious: after all, it is a legitimate remote administration tool. Do not count on that today, since many engines now flag silent or unattended VNC installs as "RemoteAdmin" or potentially unwanted software.
VNC must be installed and configured on the attacker's own machine before it can be planted on the victim. VNC's setup program is like that of most Windows software: a simple wizard takes you through the process.
Assuming you're the attacker, run the VNC server once after installation to configure it. In the Current User Properties dialog box, accessed through the VNC "app mode" program in the Start | Programs | RealVNC folder, set the configuration options as shown in the following illustration:
Note that VNC, like the X Window System, identifies servers by display number. Display 0 (zero) makes VNC listen on TCP port 5800 for the web server and TCP port 5900 for the native VNC protocol; in general, display N uses ports 5800 + N and 5900 + N, so a server on display 1 would put its web server on 5801. The importance of these ports is clear in the next screenshot, as the attacker connects to the machine on which VNC Server has been installed: she points a web browser at port 5800 on the VNC machine's IP address. This opens a web page that prompts for a password to enter the system:
After the correct password has been supplied, the victim's desktop is available to the attacker inside the web browser. In the screenshot, she has opened a command prompt and is in the process of downloading a rootkit. Notice that everything looks exactly as it would from the console. Remember that if an administrator were sitting at the console, all of this activity would be visible on the screen.
So far, we have seen that the desktop of a victim machine can be controlled through a web browser. The native VNC viewer displays the victim's desktop outside a browser; it speaks the VNC protocol directly to TCP port 5900 rather than to the web server's port 5800 used in the previous screenshots.
Most perimeter firewalls should already block inbound TCP ports 5800 and 5900. Because TCP port 80 is the port many administrators regulate least, it is to an attacker's advantage to have VNC listen on port 80 instead of 5900. The display arithmetic above is only a convention; the listening port is simply a configuration setting, so any attacker can move it, and if VNC is truly being used as a backdoor, it may be set to any TCP port not already in use. The caveat for defenders is that the port number tells you nothing: a VNC server still announces itself with its "RFB 003.xxx" protocol-version banner the moment a client connects, so a server on port 80 is identifiable by anyone who looks at the traffic rather than the port.
The following screenshot is a DOS prompt window viewed through a VNC session. Notice that everything looks exactly the same as if you were sitting in front of the console. The web browser has been cropped.
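To make the preceding point concrete, here is an added example (not part of the original post) that identifies VNC servers by their RFB ProtocolVersion banner rather than by port number, so a server relocated to port 80 shows up just the same. The banners used in the test are constructed; the target address and candidate port list in the usage block are assumptions.

```python
"""Identify VNC listeners by their RFB handshake, whatever port they use."""
import re
import socket

# An RFB server sends a 12-byte ProtocolVersion message ("RFB xxx.yyy\n")
# immediately after the TCP connection is accepted, before any authentication.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_banner(data: bytes):
    """Return (major, minor) if `data` starts with an RFB ProtocolVersion message, else None."""
    m = RFB_BANNER.match(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None


def vnc_ports_for_display(display: int) -> dict:
    """Conventional ports for display N: RFB on 5900+N, built-in HTTP viewer on 5800+N."""
    return {"rfb": 5900 + display, "http": 5800 + display}


def probe(host: str, port: int, timeout: float = 3.0):
    """Connect, read up to 12 bytes, and return the parsed RFB version or None."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, unreachable, or a silent service that timed out
        return None
    return parse_rfb_banner(data)


def scan(host: str, ports) -> dict:
    """Return {port: (major, minor)} for every port on `host` that speaks RFB."""
    found = {}
    for port in ports:
        version = probe(host, port)
        if version is not None:
            found[port] = version
    return found


if __name__ == "__main__":
    # Assumed target and port list: the conventional RFB ports for displays
    # 0-9 plus the web ports a relocated server would most likely hide behind.
    candidates = [80, 443, 8080] + [vnc_ports_for_display(n)["rfb"] for n in range(10)]
    print(scan("192.0.2.10", candidates))
```

The same banner is what an IDS signature or a passive flow-inspection rule should key on; matching on destination port 5900 alone misses exactly the relocated server this section describes.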
Now let's discuss a few more caveats to using VNC as a backdoor into the network. The first concerns how VNC stores its settings, including the password, in the registry. To move the server we configured on the attacker's machine to the victim, this information must be present in the victim's registry, so we copy out the registry values from the local machine and make them available there. In Windows, open regedit, select the key, and choose File | Export to save the values to a text file. Note that the "Password" value is not a hash: it is the password encrypted with DES under a fixed key that ships in the VNC source. That is exactly why the blob can simply be copied to another machine, and also why anyone who can read that registry value can recover the cleartext password. The text file will contain something like this:
Those who prefer command-line tools can use the reg command:
C:\>reg export HKCU\Software\RealVNC\WinVNC4 vnc.txt
The operation completed successfully.

C:\>type vnc.txt
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\RealVNC\WinVNC4]
"Password"=hex:15,0a,44,88,72,71,ba,90
The following are the results viewed within the Registry Editor.
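As an added example (not from the original post), the following Python parses a .reg export in the format shown above and summarizes the WinVNC4 settings that matter when moving or hunting for a planted server: the obfuscated password blob and any non-default ports. The sample export is constructed; the PortNumber and HttpPortNumber value names are assumptions standing in for whatever port settings the server writes, and the parser itself is generic .reg handling (key headers, string, dword and hex values, including hex lists wrapped across lines with a trailing backslash).

```python
"""Parse a `reg export` (.reg) file and report RealVNC server settings of interest."""
import re

# Constructed sample in the "Windows Registry Editor Version 5.00" format.
# PortNumber/HttpPortNumber are assumed names for the server's port settings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\RealVNC\WinVNC4]
"Password"=hex:15,0a,44,88,72,71,ba,90
"PortNumber"=dword:00000050
"HttpPortNumber"=dword:000016a8
"QueryConnect"=dword:00000000
"Hosts"="+"
'''

DEFAULT_RFB_PORT, DEFAULT_HTTP_PORT = 5900, 5800
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(value: str):
    """Turn a .reg value literal into str, int or bytes."""
    v = value.strip()
    if v.startswith('"') and v.endswith('"'):
        return v[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"^hex(?:\([0-9a-fA-F]+\))?:(.*)$", v, re.I)
    if m:  # hex: and typed hex(n): byte lists, e.g. the Password blob
        return bytes(int(b, 16) for b in m.group(1).replace(",", " ").split())
    return v


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current, name, buf = {}, None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:          # continuation of a wrapped value
            buf += line
        else:
            if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                keys.setdefault(current, {})
                continue
            m = VALUE_LINE.match(line)
            if not m or current is None:
                continue
            name = m.group(1) if m.group(1) is not None else "@"
            buf = m.group(2)
        if buf.endswith("\\"):        # more bytes follow on the next line
            buf = buf[:-1]
            continue
        keys[current][name] = _decode_value(buf)
        name, buf = None, ""
    return keys


def vnc_findings(keys: dict) -> list:
    """List (key, finding, detail) tuples for every WinVNC4 key in the export."""
    out = []
    for path, values in keys.items():
        if not path.lower().endswith(r"\realvnc\winvnc4"):
            continue
        pw = values.get("Password")
        if isinstance(pw, (bytes, bytearray)):
            # DES of the password under VNC's fixed key, not a hash: reusable as-is.
            out.append((path, "password set", pw.hex()))
        port = values.get("PortNumber", DEFAULT_RFB_PORT)
        if port != DEFAULT_RFB_PORT:
            out.append((path, "non-default RFB port", port))
        http = values.get("HttpPortNumber", DEFAULT_HTTP_PORT)
        if http != DEFAULT_HTTP_PORT:
            out.append((path, "non-default HTTP port", http))
    return out


if __name__ == "__main__":
    for finding in vnc_findings(parse_reg_export(SAMPLE_REG)):
        print(*finding)
```

Run against a real export (reg export HKCU\Software\RealVNC\WinVNC4 vnc.txt, and the HKLM copy for a service-mode install), the same function tells an incident responder whether a server has been moved off 5900 and gives them the password blob to carry into further analysis.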
If you know even a little about batch files, installing the VNC server on a victim machine is relatively simple. Create a batch file similar to the one in the next screenshot. When the victim runs it, it adds the appropriate values to the registry (importing the exported file does this) and downloads the VNC server executables from your drop site via FTP. A myriad of other ways can be used to get the VNC executables onto the victim machine, but this is one of our favorites. You could also use one of the popular exe-binding programs or one of many other, more intricate methods.
The other item to address for the VNC server to run stealthily is the system tray icon that appears in the lower-right corner of the desktop while the server is running. Removing it is beyond the scope of this book, but the VNC source code is freely available, so a resourceful programmer with even limited skills should be able to build a server that never shows the icon on the victim's desktop.
Using the VNC server on a Unix machine is less complicated than the Windows method, and the program can be run by any user, not just root. Download and compile the source (or install the distribution's package); once built, running vncserver starts the server. Of course, the attacker needs a shell on the victim machine to do this. The first time vncserver runs it prompts for a password (stored in ~/.vnc/passwd, obfuscated with the same fixed key as on Windows), and the next available display number is assigned to the session. Displays work in Unix basically as they do in Windows.
Remember that Unix systems restrict binding to port numbers below 1024. A non-root user can open a listener on TCP port 5800 but is prevented from opening one on TCP port 80, so the "VNC on port 80" trick above needs root here. (On Linux the restriction can be relaxed with CAP_NET_BIND_SERVICE or the net.ipv4.ip_unprivileged_port_start sysctl, but it holds by default.)
First, as in Windows, the attacker can reach the victim machine with a web browser. When you run vncserver, it reports a display number; add that number to 5800 and connect to the resulting port on the victim, as in the Windows method. When the authors ran vncserver on our victim machine, we were told that the display number was 3, so we connected to port 5803 on the victim machine:
The desktop we control through VNC will look significantly different from Windows, because vncserver starts Xvnc, a virtual X server with no physical display, rather than sharing the console. This also means that, unlike the Windows case, the attacker's session is not shown on the victim's physical screen. An example of a victim machine is shown here:
Once you have VNC access to one machine on the victim's network, you are a long way toward compromising the others if no firewalls sit between the internal machines (as is the case in the case study later in this chapter): you can fully control the compromised machine and move data out from it.