vnc-pentesting
Best for Security penetration testersWorks with GitHubHigh risk
⌘source
- author
@wgpsec- language
- Python
★1.2kstars
199forks
Apr 22, 2026
✦overview.md
Key Features
- ·Methodology for VNC service penetration testing
- ·Covers service discovery, password cracking, and unauthenticated access
- ·Includes VNC password file decryption techniques
- ·Guides exploitation of known VNC vulnerabilities
- ·Provides a structured decision tree for testing phases
- ·Integrates with related skills for credential spraying and lateral movement
Use Cases
- →Testing the authentication strength of an exposed VNC service on ports 5800/5900/5901
- →Attempting to gain access to a VNC server configured without a password
- →Decrypting a recovered VNC password file to obtain plaintext credentials
- →Exploiting known vulnerabilities in specific VNC implementations like RealVNC or UltraVNC
Best for
- ✓Security penetration testers
- ✓Red team operators
- ✓Network vulnerability assessments
Not ideal for
- !General system administration
- !Legitimate remote desktop support
- !Non-security-related network scanning
FAQs
name
vnc-pentesting
description
VNC 服务(5900/5901 端口)渗透测试方法论。涵盖 VNC 服务发现、密码爆破、无认证访问、VNC 密码文件解密、已知漏洞利用。
当 Agent 扫描发现 5800/5900/5901 端口开放、需要测试 VNC 认证强度、尝试无认证访问、或解密 VNC 密码文件时,触发此 Skill。
metadata:{"tags":["vnc","远程桌面","5900端口","vncviewer"],"category":"exploit/network-service"}
VNC 渗透测试方法论 (5800/5900/5901)
相关 skill: 凭据爆破 ->
cred-spray; 横向移动 ->lateral-movement; RDP 渗透 ->rdp-pentesting
深入参考
- VNC 枚举、密码解密、已知漏洞详细命令 -> 读 references/vnc-techniques.md
整体决策树
发现 5800/5900/5901 端口开放
├─ Phase 1: 服务发现
│ ├─ Nmap 脚本扫描 -> 版本信息 / 认证绕过检测 / 标题获取
│ ├─ 确定 VNC 实现 (RealVNC / TightVNC / UltraVNC / TigerVNC / x11vnc)
│ └─ 端口映射:
│ ├─ 5800/5801 -> HTTP Web 客户端 (Java Applet)
│ └─ 5900/5901 -> VNC 协议原生端口 (display :0 / :1)
├─ Phase 2: 认证测试
│ ├─ 无认证访问检测 (Metasploit vnc_none_auth)
│ │ ├─ 无密码 -> 直接连接 vncviewer
│ │ └─ 需要密码 -> 进入爆破
│ ├─ 密码爆破 (hydra / medusa / ncrack)
│ └─ 默认密码尝试
├─ Phase 3: 密码文件解密
│ ├─ 目标文件: ~/.vnc/passwd (Linux) / 注册表 (Windows)
│ ├─ VNC 密码使用 3DES 固定密钥加密 (已被逆向)
│ └─ 工具: vncpwd / vncpasswd.py
├─ Phase 4: 已知漏洞
│ ├─ RealVNC 认证绕过
│ ├─ UltraVNC 缓冲区溢出
│ └─ 特定版本 CVE 检索
└─ Phase 5: 后渗透
├─ 截屏 / 键盘记录
├─ 文件传输 (UltraVNC)
└─ 反向 VNC 连接
Phase 1: 服务发现
1.1 Nmap 枚举
# VNC 脚本扫描: 信息获取 + 认证绕过检测 + 标题获取
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
1.2 端口与显示号关系
| 端口 | 用途 | 说明 |
|---|
$install
1-click copynpx skills add wgpsec/AboutSecurity --skill vnc-pentestingSafety assessment
★
Clarity score
How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
5/ 5
excellentVery clear and well structured, with almost no room for misunderstanding.
◎
Actionability score
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
5/ 5
very highHighly actionable with clear, concrete steps that an agent can follow directly.