
Optionally brute force usernames for VNC

This commit is contained in:
dmiller
2017-03-15 20:31:24 +00:00
parent d244738246
commit e973ad72f5
2 changed files with 11 additions and 4 deletions


@@ -380,6 +380,7 @@ VNC = {
end,
login_aten = function(self, username, password)
username = username or ""
self.socket:send(username .. ("\0"):rep(24 - #username) .. password .. ("\0"):rep(24 - #password))
return self:check_auth_result()
end,
@@ -649,6 +650,7 @@ VNC = {
end,
login_plain = function(self, username, password)
username = username or ""
local status = self.socket:send(bin.pack(">IIAA", #username, #password, username, password))
if not status then
return false, "Failed to send plain auth"
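Review bot: In the login_aten hunk, the new `username = username or ""` default covers the nil case but leaves the 24-byte fixed-width fields unbounded: `("\0"):rep(24 - #username)` yields an empty string for any negative count, so a username or password longer than 24 bytes produces an over-long, misaligned message rather than a padded one, and the server's response will presumably not be a meaningful auth result. Since this path is now fed from a user-supplied username list, I would reject oversized input before the send, e.g. `if #username > 24 or #password > 24 then return false, "ATEN credentials must be at most 24 bytes" end`. Note that password is still not defaulted, so a nil password would raise on `#password`; if callers can pass nil there, the same `or ""` treatment applies. The login_plain hunk is cut off at the end of this section, so its send/receive handling was not reviewed.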


@@ -11,6 +11,10 @@ Performs brute force password auditing against VNC servers.
---
-- @see realvnc-auth-bypass.nse
--
-- @args vnc-brute.bruteusers If set, allows the script to iterate over
-- usernames for auth types that require it (plain,
-- SASL (not supported), and ATEN) Default: false,
-- since most VNC auth types are password-only.
-- @usage
-- nmap --script vnc-brute -p 5900 <host>
--
@@ -20,7 +24,7 @@ Performs brute force password auditing against VNC servers.
-- | vnc-brute:
-- | Accounts
-- |_ 123456 => Valid credentials
--
-- Summary
-- -------
-- x The Driver class contains the driver implementation used by the brute
@@ -86,10 +90,10 @@ Driver =
return false, err
end
status, data = self.vnc:login( nil, password )
status, data = self.vnc:login( username, password )
if ( status ) then
return true, creds.Account:new("", password, creds.State.VALID)
return true, creds.Account:new(username, password, creds.State.VALID)
elseif ( not( data:match("Authentication failed") ) ) then
local err = brute.Error:new( data )
-- This might be temporary, set the retry flag
@@ -141,12 +145,13 @@ Driver =
action = function(host, port)
local bruteusers = stdnse.get_script_args(SCRIPT_NAME .. ".bruteusers")
local status, result
local engine = brute.Engine:new(Driver, host, port )
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
engine.options:setOption( "passonly", true )
engine.options:setOption( "passonly", not bruteusers )
status, result = engine:start()