在本文中将描述了一个小的python脚本,该脚本可用于确定VNC服务器上使用的身份验证类型。它使用Scapy数据包处理程序来执行所有网络数据传输和检索。该程序可能并不完美,但是经过有限的测试,它似乎可以正常运行。为了了解程序的工作原理,我需要解释VNC客户端如何与VNC服务器交互。RFB协议用于建立与服务器的连接。默认情况下,它运行在TCP端口5900上。我将Scapy导入python程序,并将IP地址和端口号保存到变量IpAddress和port中。
from scapy.all import *
IpAddress = '192.168.1.13'
port = 5900
在执行脚本之前运行以下命令很重要。这样可以完成TCP握手。
iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP
第一步是执行与端口5900的TCP握手。我已将TCP SYN数据包的超时值设置为2秒。如果VNC服务器未使用SYNACK进行响应,则可以防止代码无限循环地运行。
如果服务器确实响应了SYNACK,则SYNACK数据包将存储在synack变量中。
syn = IP(dst=IpAddress)/TCP(dport=port, flags='S')
synack = sr1(syn, timeout=2)
然后,我用ACK完成TCP握手,并将其发送到VNC服务器。
ack = IP(dst=IpAddress)/TCP(dport=port, flags='A', seq=1, ack=synack.seq + 1)
send(ack)
现在,TCP握手已完成,VNC服务器应使用协议版本消息进行响应。这是一条消息,告诉客户端服务器支持的版本号。此消息需要被捕获。为此,我然后在接口上运行嗅探器,检查从VNC服务器IP地址传入的所有数据。
filter = 'host ' + IpAddress
vnc = sniff(filter=filter, count=1,timeout=2, prn=vncCheck)
所有与过滤器匹配的数据都将发送到vncCheck函数以进行进一步处理。此功能的第一步是验证它收到的数据包确实是协议版本消息。可以在此处查看协议消息的示例:
所有协议版本数据包的格式均为“ RFB xxx.yyy \ n”。xxx和yyy是协议版本号。因此,确定数据包是否为协议版本消息的最佳方法是简单地检查数据包有效载荷是否包含字符串“ RFB”。
if 'RFB' in packet.load:
收到协议版本消息时。然后,客户端发送客户端协议版本。这将通知服务器客户端支持的协议版本并将用于通信。在我的情况下,我创建了客户端协议版本数据包,其版本有效载荷为“ RFB 003.003 \ n”。
clientVersion = IP(dst=IpAddress)/TCP(dport=port, flags='AP', seq=1, ack=packet.seq + 1)/'RFB 003.003\n'
然后将客户端协议版本发送到VNC服务器。从VNC服务器返回的响应将保存到supportedtypesPacket变量中。此响应以十六进制值的形式包含服务器使用的身份验证类型。例如,从以下屏幕截图中,您可以看到此屏幕截图底部突出显示的安全类型响应00 00 00 02
VNC服务器使用的身份验证类型由最后一个字节定义。在这种情况下,值为02。程序然后提取该字节并将其存储在变量authenticationType中。
authenticationType = str(ord(supportedtypesPacket.load[2])) + str(ord(supportedtypesPacket.load[3]))
authenticationType = int(authenticationType)
最后,使用简单的IF语句将值与匹配的身份验证类型进行比较。
if authenticationType == 00:
print IpAddress + ' uses an Invalid Authentication type of ' + str(authenticationType)
elif authenticationType == 01:
print IpAddress + ' uses No Authentication'
elif authenticationType == 02:
print IpAddress + ' uses VNC Authentication'
elif authenticationType == 05:
print IpAddress + ' uses RA2 Authentication'
elif authenticationType == 06:
print IpAddress + ' uses RA2ne Authentication'
elif authenticationType == 16:
print IpAddress + ' uses Tight Authentication'
elif authenticationType == 17:
print IpAddress + ' uses Ultra Authentication'
elif authenticationType == 18:
print IpAddress + ' uses TLS Authentication'
elif authenticationType == 19:
print IpAddress + ' uses VeNCrypt Authentication'
elif authenticationType == 20:
print IpAddress + ' uses GTK-VNC SASL Authentication'
elif authenticationType == 21:
print IpAddress + ' uses MD5 Hash Authentication'
elif authenticationType == 22:
print IpAddress + ' uses Colin Dean XVP Authentication'
else:
print IpAddress + ' uses an Unknown Authentication type of: ' + str(authenticationType)
为了完整起见,您可以在下面找到包含缩进和注释的完整代码。
from scapy.all import *
#Must run the following command before executing this script. Allows for the TCP handshake to take place.
#iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
#IP and Port of the VNC server
IpAddress = '192.168.1.13'
port = 5900
#Function which is executed on each packet.
def vncCheck(packet):
#Checks that the packet is a server protocol version response. (Should contain 'RFB' if it is.
if packet.haslayer('Raw'):
if 'RFB' in packet.load:
#Creates and sends a clientVersion response. The security type response from the VNC server is saved in the
#Variable supportedtypesPacket
clientVersion = IP(dst=IpAddress)/TCP(dport=port, flags='AP', seq=1, ack=packet.seq + 1)/'RFB 003.003\n'
supportedtypesPacket = sr1(clientVersion)
#Extract the HEX value from the security type response.
authenticationType = str(ord(supportedtypesPacket.load[2])) + str(ord(supportedtypesPacket.load[3]))
authenticationType = int(authenticationType)
#Match the value with the correct authentication type.
print IpAddress + ' Uses an Authentication type of : ' + str(authenticationType)
if authenticationType == 00:
print IpAddress + ' uses an Invalid Authentication type of ' + str(authenticationType)
elif authenticationType == 01:
print IpAddress + ' uses No Authentication'
elif authenticationType == 02:
print IpAddress + ' uses VNC Authentication'
elif authenticationType == 05:
print IpAddress + ' uses RA2 Authentication'
elif authenticationType == 06:
print IpAddress + ' uses RA2ne Authentication'
elif authenticationType == 16:
print IpAddress + ' uses Tight Authentication'
elif authenticationType == 17:
print IpAddress + ' uses Ultra Authentication'
elif authenticationType == 18:
print IpAddress + ' uses TLS Authentication'
elif authenticationType == 19:
print IpAddress + ' uses VeNCrypt Authentication'
elif authenticationType == 20:
print IpAddress + ' uses GTK-VNC SASL Authentication'
elif authenticationType == 21:
print IpAddress + ' uses MD5 Hash Authentication'
elif authenticationType == 22:
print IpAddress + ' uses Colin Dean XVP Authentication'
else:
print IpAddress + ' uses an Unknown Authentication type of: ' + str(authenticationType)
#Creates and sends a TCP SYN packet to the VNC server. (Step 1 of the TCP handshake)
syn = IP(dst=IpAddress)/TCP(dport=port, flags='S')
synack = sr1(syn, timeout=2)
#Creates and sends an ACK packet is response to the servers SYNACK. (Step 3 of the TCP handshake)
ack = IP(dst=IpAddress)/TCP(dport=port, flags='A', seq=1, ack=synack.seq + 1)
send(ack)
#Sniffs incoming network data after the initial TCP handshake. Sends the packets to the vncCheck function.
filter = 'host ' + IpAddress
vnc = sniff(filter=filter, count=1,timeout=2, prn=vncCheck)
关注:Hunter网络安全 获取更多资讯
网站:bbs.kylzrv.com
CTF团队:Hunter网络安全
文章:Xtrato
排版:Hunter-匿名者
转载:https://blog.csdn.net/qq_25879801/article/details/110562083
查看评论