New script vnc-title

2025-12-09 22:21:29 +00:00 · 2016-04-01 22:29:40 +00:00
parent 3af66a0445
commit 41de3b1d60
3 changed files with 76 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added vnc-title for logging in to VNC servers and grabbing the desktop
+  title, geometry, and color depth. [Daniel Miller]
+
 o [NSE] More VNC updates: Support for VeNCrypt auth type, output of
  authentication sub-types in vnc-info, and all zero-authentication types are
  recognized and reported. [Daniel Miller]
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -513,6 +513,7 @@ Entry { filename = "versant-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "vnc-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "vnc-info.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "vnc-title.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "voldemort-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "vuze-dht-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "wdb-version.nse", categories = { "default", "discovery", "version", "vuln", } }
--- a/scripts/vnc-title.nse
+++ b/scripts/vnc-title.nse
@@ -0,0 +1,72 @@
+local creds = require "creds"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local vnc = require "vnc"
+
+description = [[
+Tries to log into a VNC server and get its desktop name. Uses credentials
+discovered by vnc-brute, or None authentication types.
+]]
+
+author = "Daniel Miller"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "discovery"}
+
+---
+-- @output
+-- | vnc-title:
+-- |   name: LibVNCServer
+-- |   geometry: 800 x 600
+-- |_  color_depth: 24
+--
+-- @xmloutput
+-- <elem key="name">QEMU (instance-00000002)</elem>
+-- <elem key="geometry">1024 x 768</elem>
+-- <elem key="color_depth">24</elem>
+
+dependencies = {"vnc-brute"}
+
+portrule = shortport.port_or_service( {5900, 5901, 5902} , "vnc", "tcp", "open")
+
+local function fail(err) return stdnse.format_output(false, err) end
+
+action = function(host, port)
+
+  local v = vnc.VNC:new( host, port )
+  local status, data
+  local result = stdnse.output_table()
+
+  status, data = v:connect()
+  if ( not(status) ) then return fail(data) end
+
+  status, data = v:handshake()
+  if ( not(status) ) then return fail(data) end
+
+  local c = creds.Credentials:new(creds.ALL_DATA, host, port)
+  local tried = 0
+  for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
+    tried = tried + 1
+    stdnse.debug1("Trying creds: %s:%s", cred.user, cred.pass)
+    status, data = v:login(cred.user, cred.pass)
+    if status then
+      break
+    end
+  end
+  if tried < 1 then
+    --worth trying a None-type login
+    stdnse.debug1("Trying empty creds, for None security type")
+    status, data = v:login("", "")
+  end
+  if not status then
+    return fail(("Couldn't log in: %s"):format(data))
+  end
+  status, data = v:client_init(true)
+  if status then
+    local out = stdnse.output_table()
+    out.name = data.name
+    out.geometry = ("%d x %d"):format(data.width, data.height)
+    out.color_depth = data.depth
+    return out
+  end
+
+end