Wednesday, February 22, 2017

Scanning The Entire Internet: Unauthenticated VNC Servers

Want to scan the whole Internet and see what people are doing? Look no further: today I present a post on Virtual Network Computing (VNC) and how many people in the world set up VNC servers with no authentication. I will cover VNC, scanning the Internet, the RFB protocol, a Python script that takes screenshots, and interesting finds (the best for last) :-)

 

Virtual Network Computing (VNC)

Virtual Network Computing (VNC) is remote-desktop software that, once installed on a computer, allows that computer to be controlled from anywhere it is reachable over the network. A user connecting to a VNC server sees the screen and can move the mouse, click and type as if sitting in front of the machine. VNC uses the Remote Frame Buffer (RFB) protocol and by default listens on TCP port 5900 (display :0; display :N listens on port 5900+N).

Being able to access a home/work computer remotely has many benefits such as accessing files/data and being able to remotely work anywhere at any time. However, the security aspect of VNC must be taken into account or malicious actors will also be able to remotely access and control your computer.

VNC servers can be set up with a password to discourage attackers. Nevertheless, human error is unavoidable, and there are people who expose their computers as VNC servers without requiring any form of authentication. Even when a password is set, classic VNC Authentication is a DES challenge-response over an eight-character password with no transport encryption, so a server exposed directly to the Internet is a poor idea in any case; put it behind an SSH tunnel or VPN. This article will go into exploiting that human error: finding, accessing and documenting VNC servers that do not require authentication.

Scanning the Internet

This was done using the open-source tool masscan created by Robert David Graham. I used masscan to scan all IPv4 addresses on the Internet and create a list of IPs that had port 5900 open. DO NOT SCAN FROM YOUR HOUSE: your ISP will notice the massive amount of packets you are sending and shut you down. You can instead scan from a virtual private server (VPS) that you rent for a small fee. The terms of use for most VPS providers also prohibit Internet-wide scanning, and a scan of this size generates abuse complaints (some reactions are shown below), so expect the account to be suspended at some point. Masscan gives you an estimated time to completion; be quick and pull your scan results offline as soon as the scan completes (or better, pull down IPs as you scan) before your VPS shuts you down.

I won't disclose how I obtained my list, but my completed scan resulted in 3.4 million IP addresses with port 5900 open and took about 10 hours.


Here's how some people reacted to being scanned (they didn't like it).


 

pwnVNC

The script begins by prompting for the location of an IP list. The function get_security(TCP_IP) takes an IP address, connects to port 5900 over TCP, negotiates the version and security handshakes and sets a flag if unauthenticated access is possible. If the flag is set, vncsnapshot is invoked from the main section of the script to grab a screenshot. This repeats until every IP in the list that needs no password has been documented with a screenshot.

The latest copy of my code can be found here: https://github.com/justinbui/pwnVNC

Remote Frame Buffer (RFB) protocol

To truly understand pwnVNC.py, you have to understand how the RFB protocol performs the version handshake and the security handshake. Full documentation on the RFB protocol can be found here.

Protocol Version Handshake

To connect to a VNC server, the client (your computer) opens a TCP connection to port 5900. As soon as the connection is made, the server sends its RFB protocol version. This is sent as 12 bytes that can be read as a string of ASCII characters in the form 'RFB xxx.yyy\n', where xxx is the zero-padded major version, yyy the zero-padded minor version, and '\n' a newline character; the current version is 'RFB 003.008\n'. The client must then respond with 12 bytes in the same format giving the version it wants to speak. pwnVNC.py simply sends back the version it received, which completes the protocol version handshake. One caveat: some servers announce versions other than 3.3, 3.7 or 3.8 (Apple's screen sharing, for example, answers 'RFB 003.889\n'), and a client that echoes such a value blindly is committing to messages it has not implemented, so a more careful client answers with the highest version it actually supports.



Security Handshake

Once the client and server have agreed on a protocol version (3.7 or 3.8), the server sends a single byte giving the number of security types it supports, followed by one byte per security type. The values we care about are 1 (None, i.e. no authentication) and 2 (VNC Authentication, the DES challenge-response). A count of 0 means the server refused the connection; it is followed by a 4-byte length and an ASCII reason string (for example after too many failed logins from the same client). The client then replies with one byte naming the type it picks, and in RFB 3.8 the server answers with a 4-byte SecurityResult, 0 meaning OK. RFB 3.3 servers behave differently: the server alone chooses the type and sends it as a single 4-byte value (0x00000001 for None), and the client sends nothing back. When security type 1 is offered, pwnVNC sets snapshot_flag to True.


The red box shows what our script looks for before attempting to run vncsnapshot.
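The two handshakes described above, as an added example in Python 3 that is not the pwnVNC script itself. It covers the RFB 3.3 single-U32 case as well as the 3.7/3.8 type list, the zero-count refusal with its reason string, the 3.8 SecurityResult, and caps the echoed version at 3.8 instead of blindly repeating whatever the server announced. The function and variable names are mine, and the server byte streams in the demo at the bottom are constructed, not captured; probe() is the only part that talks to a real server.

```python
import io
import socket
import struct

# RFB security type numbers (RFB spec 7.1.2). Names and helpers below are this example's own.
SEC_INVALID = 0   # only valid as a refusal marker
SEC_NONE = 1      # no authentication: what the scan is looking for
SEC_VNC_AUTH = 2  # DES challenge-response on an 8-character password
SEC_NAMES = {SEC_NONE: "None", SEC_VNC_AUTH: "VNCAuth"}


def read_exact(rfile, n):
    """Read exactly n bytes, or raise if the server hangs up first (common on non-VNC port 5900)."""
    buf = b""
    while len(buf) < n:
        chunk = rfile.read(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def read_reason(rfile):
    """Refusal path: U32 length followed by an ASCII reason string."""
    (length,) = struct.unpack(">I", read_exact(rfile, 4))
    return read_exact(rfile, length).decode("ascii", "replace")


def parse_version(banner):
    """b'RFB 003.008\\n' -> (3, 8); anything else is not an RFB server."""
    if (len(banner) != 12 or not banner.startswith(b"RFB ")
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError("not an RFB banner: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def negotiate(rfile, wfile):
    """Run the ProtocolVersion and Security handshakes on an open connection.

    rfile/wfile are the read and write sides (a socket's makefile() pair, or
    BytesIO objects for offline use).  Returns a dict with the version spoken,
    the security types offered, whether type 1 (None) was accepted, and the
    server's reason string if it refused.
    """
    major, minor = parse_version(read_exact(rfile, 12))
    # Speak the server's version, but never above 3.8, the highest this code implements.
    if (major, minor) > (3, 8):
        major, minor = 3, 8
    wfile.write(b"RFB %03d.%03d\n" % (major, minor))
    wfile.flush()
    result = {"version": (major, minor), "types": [], "unauthenticated": False, "reason": None}

    if (major, minor) < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a U32; the client sends nothing.
        (sec,) = struct.unpack(">I", read_exact(rfile, 4))
        if sec == SEC_INVALID:
            result["reason"] = read_reason(rfile)
        else:
            result["types"] = [sec]
            result["unauthenticated"] = (sec == SEC_NONE)
        return result

    # RFB 3.7/3.8: U8 count, then that many U8 security types.
    count = read_exact(rfile, 1)[0]
    if count == 0:
        result["reason"] = read_reason(rfile)
        return result
    result["types"] = list(read_exact(rfile, count))
    if SEC_NONE not in result["types"]:
        return result  # password required: stop here, never attempt to authenticate
    wfile.write(bytes([SEC_NONE]))
    wfile.flush()
    if (major, minor) >= (3, 8):
        # 3.8 always follows the client's choice with a U32 SecurityResult; 0 is OK.
        (status,) = struct.unpack(">I", read_exact(rfile, 4))
        if status != 0:
            result["reason"] = read_reason(rfile)
            return result
    result["unauthenticated"] = True
    return result


def negotiate_bytes(server_bytes):
    """Run negotiate() over a constructed or captured server stream; returns (result, client bytes)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    return negotiate(rfile, wfile), wfile.getvalue()


def probe(host, port=5900, timeout=5.0):
    """Connect to a live server and report what its security handshake offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return negotiate(rfile, wfile)


if __name__ == "__main__":
    # Constructed server streams (not captures): a 3.8 server offering VNCAuth and None,
    # a 3.8 server offering only VNCAuth, a 3.3 server choosing None, and a 3.7 refusal.
    samples = {
        "3.8 open": b"RFB 003.008\n\x02\x02\x01\x00\x00\x00\x00",
        "3.8 password": b"RFB 003.008\n\x01\x02",
        "3.3 open": b"RFB 003.003\n\x00\x00\x00\x01",
        "3.7 refused": b"RFB 003.007\n\x00\x00\x00\x00\x1aToo many security failures",
    }
    for label, stream in samples.items():
        res, sent = negotiate_bytes(stream)
        print(label, res, "client sent", sent)
```

The code stops as soon as a server offers no type 1, so it never sends a password guess; a refusal reason such as "Too many security failures" is returned rather than retried, which is the polite thing to do against a server that is already rate-limiting you. Against a live host, `probe("192.0.2.10")` returns the same dict, and `result["unauthenticated"]` is the condition under which something like vncsnapshot would be run.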

Interesting Finds

I found many different operating systems, ranging from Windows to Linux to OS X. There were many Windows/Linux servers, people watching TV shows and even a mobile device/tablet. Unfortunately, there were also many industrial control systems (ICS), programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. I even found a server dealing with a bank's internal network.

Concluding Remarks

This analysis has been done before at Def Con 22 and by other people as well. I wanted to write my own method of automation as a learning exercise.

This was done for informational/educational purposes only. I did not, at any point in time, attempt to break into a system that had authentication. The program does not do anything malicious to the VNC servers it found without authentication. If you want an image taken down, please email me and I will remove it immediately.

I hope you learned something from this article whether it was some socket programming in python, the concept of VNC or details on the RFB protocol. Thanks for reading!

I will keep my code updated and it can be found here: https://github.com/justinbui/pwnVNC

Below are my references and tools that made all this possible. Big thank you to everyone who helped develop these open-source tools!
GitHub: masscan
GitHub: vncsnapshot
Documentation on the RFB protocol
https://0wned.it/2014/08/28/open-curtains-vnc-with-no-authentication/ (previous VNC scan by 0wned using Perl and nmap)
Mass Scanning the Internet: DEF CON 22
Scan the Internet & Screenshot All the Things

4 comments:

  1. Hi sir!
    I'm having the error "Missing parentheses in call to 'print'. Did you mean print("This program requires the user to have vncsnapshot downloaded and in the user's path. It can be cloned here: https://github.com/shamun/vncsnapshot\n")? "

    Kindly assist me how to get ip addresses and set the file path ?
    Thank you!

  3. Can you update this script to support multi-threading?
