I've installed UltraVNC on a Windows box and played with the "DMS" plugin.
Cf. http://doc.uvnc.com/features/encryption.html

Obviously, it enciphers the whole connection and breaks the standard VNC
protocol. Connecting to it, you get 12 apparently random bytes. The bytes are
always the same until you change the RC4 server key.

I tried to change the key and did some experiments with this little script.
I think that we could detect this with a good probability.
Any thoughts?

-----------------------------------------------------------------------------
include("dump.inc");

# Grab whatever the service on the VNC port sends first
s = open_sock_tcp(5900);
if (!s) exit(0);
r = recv(socket: s, length: 1024);
dump(ddata: r, dtitle: "UltraVNC");
if (strlen(r) != 12) exit(0);

# total = number of set bits in the banner,
# n[j]  = number of bytes that have bit j set
total = 0;
n = make_list(0, 0, 0, 0, 0, 0, 0, 0);
for (i = 0; i < 12; i ++)
{
  z = ord(r[i]);
  for (j = 0; j < 8; j ++)
    if (z & (1 << j))
    {
      total ++;
      n[j] ++;
    }
}

for (i = 0; i < 8; i ++)
  display('n[',i, '] = ', n[i], ' / 12\n');
display('total = ', total, ' / 96\n');
-----------------------------------------------------------------------------

$ nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: ba ab dd f3 0b 01 db a4 24 e3 6f c8    ........$.o.
n[0] = 8 / 12
n[1] = 7 / 12
n[2] = 4 / 12
n[3] = 7 / 12
n[4] = 4 / 12
n[5] = 7 / 12
n[6] = 6 / 12
n[7] = 8 / 12
total = 51 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: e0 99 65 59 71 38 87 a8 54 ef 5d 08    ..eYq8..T.].
n[0] = 7 / 12
n[1] = 2 / 12
n[2] = 5 / 12
n[3] = 7 / 12
n[4] = 6 / 12
n[5] = 6 / 12
n[6] = 7 / 12
n[7] = 5 / 12
total = 45 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 42 1f 4d b6 0d 2c 4d bc 20 cd 58 66    B.M..,M. .Xf
n[0] = 5 / 12
n[1] = 4 / 12
n[2] = 9 / 12
n[3] = 8 / 12
n[4] = 4 / 12
n[5] = 5 / 12
n[6] = 6 / 12
n[7] = 3 / 12
total = 44 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: e6 0b 7c 64 7e 7b 1f f7 09 7f 38 87    ..|d~{....8.
n[0] = 7 / 12
n[1] = 8 / 12
n[2] = 8 / 12
n[3] = 8 / 12
n[4] = 7 / 12
n[5] = 8 / 12
n[6] = 7 / 12
n[7] = 3 / 12
total = 56 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: bf d3 5c 89 9c 1b 97 93 3b 11 f9 56    ..\.....;..V
n[0] = 9 / 12
n[1] = 7 / 12
n[2] = 5 / 12
n[3] = 7 / 12
n[4] = 11 / 12
n[5] = 3 / 12
n[6] = 4 / 12
n[7] = 7 / 12
total = 53 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 23 20 0a 3b f2 49 9d dc e9 38 3f 22    # .;.I...8?"
n[0] = 6 / 12
n[1] = 6 / 12
n[2] = 3 / 12
n[3] = 8 / 12
n[4] = 6 / 12
n[5] = 8 / 12
n[6] = 4 / 12
n[7] = 4 / 12
total = 45 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 2a ac fd 7e 7b 79 96 07 5d ed 56 45    *..~{y..].VE
n[0] = 7 / 12
n[1] = 6 / 12
n[2] = 9 / 12
n[3] = 8 / 12
n[4] = 7 / 12
n[5] = 7 / 12
n[6] = 8 / 12
n[7] = 4 / 12
total = 56 / 96
$

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Sat Jul 23 2005 - 05:11:27 PDT
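
An added example, not part of the original post or of any Nessus plugin: the bit tally from the NASL script, written in Python and turned into a banner classifier. The standard 12-byte RFB greeting pattern, the tolerance of k = 3 standard deviations and the returned labels are assumptions of this example; the three sample banners are the first three dumps shown in the post.

```python
import math
import re

# Standard RFB ProtocolVersion greeting: 12 bytes such as b"RFB 003.008\n"
RFB_BANNER = re.compile(rb"RFB \d{3}\.\d{3}\n")
BANNER_LEN = 12

# First three banners dumped in the post (one per RC4 server key)
POST_SAMPLES = [bytes.fromhex(h) for h in (
    "ba ab dd f3 0b 01 db a4 24 e3 6f c8",
    "e0 99 65 59 71 38 87 a8 54 ef 5d 08",
    "42 1f 4d b6 0d 2c 4d bc 20 cd 58 66",
)]


def bit_counts(data):
    """n[j] = number of bytes with bit j set (same tally as the NASL script)."""
    return [sum((b >> j) & 1 for b in data) for j in range(8)]


def classify_banner(data, k=3.0):
    """Classify the first bytes sent by a service on the VNC port.

    k is an assumed tolerance in standard deviations, not a tuned value.
    """
    if RFB_BANNER.fullmatch(data):
        return "rfb-cleartext"
    if len(data) != BANNER_LEN:
        return "unknown"
    n = bit_counts(data)
    total = sum(n)
    bits = 8 * BANNER_LEN
    # Uniform random bits: total ~ Binomial(96, 0.5), mean 48, sd about 4.9
    mean, sd = bits / 2, math.sqrt(bits) / 2
    # 7-bit ASCII text never sets bit 7; random bytes set it half the time
    if n[7] == 0 or abs(total - mean) > k * sd:
        return "unknown"
    return "possibly-encrypted"


if __name__ == "__main__":
    for banner in POST_SAMPLES + [b"RFB 003.008\n", b"SSH-2.0-Open"]:
        print(banner.hex(" "), sum(bit_counts(banner)), classify_banner(banner))
```

Twelve bytes is a small sample, so "possibly-encrypted" is a hint to combine with other evidence (port, repeatability of the banner across connections), not a positive identification.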