On Fri, 29 Nov 2002 rsmcat_private wrote:

> In it, we got to fake entries in the DNS server of the machines
> accessing one VNC server (inside the audited internal network), so I
> just wrote this little trojan to demonstrate how we could bypass the
> challenge-response mechanism imposed by VNC to protect the password from
> being sniffed.

You haven't really bypassed it - you're acting as a passive man-in-the-middle. It's not a trojan.

> /* we must send VNC version number (from protocol) */
> /* we also must read VNC version number (from protocol) */
> /* we send the authentication method code to the client */
> /* we connect to the real VNC server */
> /* again, we read version number from the VNC server */
> /* and we send ours */
> /* we now read authentication method code from VNC server */
> /* here is the challenge from server */
> /* we send the challenge to the victim client */
> /* we have the encrypted password from the client */

No, you have the challenge DES-encrypted by the password. Not the password DES-encrypted by the challenge. See section 5.1.2 of http://www.realvnc.com/docs/rfbproto.pdf.

> /* we send the encrypted password to the VNC server */
> /* we read the result from the authentication process */
> /* at this point we should be authenticated */
> /* place whatever code you want here */

I claim no particular expertise in crypto code, but I don't think there's anything here which helps you learn the password. Of course, you've hijacked the data stream, so you could read keystrokes, make screengrabs etc.

The VNC site contains a page on wrapping up VNC inside SSH, for proper secure tunnelling.

Cheers,
Phil
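The handshake the two messages above argue about, simulated in-memory as an added example (this is editor-written Go, not rsmcat's C program or any VNC project's code). It models the RFB 3.3 exchange the quoted comments walk through: version strings both ways, the authentication type, the 16-byte challenge, the client's response and the result word, with a passive relay recording each message as it forwards it. The `Server`, `Client`, `Relay` and `Capture` names are the example's own. The key derivation in `vncDESKey` (password cut or zero-padded to 8 bytes, bit order of each byte reversed) is an assumption taken from the classic VNC implementation and is not something the thread states; the protocol point Phil makes does not depend on it. The response is computed as DES keyed by the password over the challenge, which is the direction Phil corrects.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// RFB 3.3 protocol values (rfbproto section 5.1).
const (
	rfbVersion = "RFB 003.003\n"
	authVNC    = uint32(2) // VNC authentication: 16-byte challenge, DES response
	authOK     = uint32(0)
	authFailed = uint32(1)
)

// vncDESKey derives the DES key from a VNC password. Assumption, following the
// classic VNC implementation: truncate or zero-pad the password to 8 bytes and
// reverse the bit order of every byte before using it as the DES key.
func vncDESKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password)
	for i, b := range key {
		var r byte
		for j := uint(0); j < 8; j++ {
			r = r<<1 | (b>>j)&1
		}
		key[i] = r
	}
	return key
}

// vncResponse is what the client sends: the 16-byte challenge DES-encrypted
// (ECB, two 8-byte blocks) under the password-derived key. The password is the
// key and the challenge is the plaintext, not the other way round.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncDESKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// Server is the real VNC server; Client is the victim that was pointed at the relay.
type Server struct{ password string }
type Client struct{ password string }

func (s *Server) NewChallenge() ([]byte, error) {
	ch := make([]byte, 16)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify recomputes the expected response from the stored password.
func (s *Server) Verify(challenge, response []byte) uint32 {
	expected, err := vncResponse(s.password, challenge)
	if err != nil || !bytes.Equal(expected, response) {
		return authFailed
	}
	return authOK
}

func (c *Client) Answer(challenge []byte) ([]byte, error) {
	return vncResponse(c.password, challenge)
}

// Capture is everything the relay sees on the wire during the handshake.
type Capture struct {
	ServerVersion, ClientVersion string
	AuthType                     uint32
	Challenge, Response          []byte
	Result                       uint32
}

// Relay forwards every handshake message unchanged and records it, which is
// all the quoted program does: a passive man-in-the-middle, not a bypass.
func Relay(c *Client, s *Server) (Capture, error) {
	var rec Capture
	rec.ServerVersion = rfbVersion // server -> relay -> client
	rec.ClientVersion = rfbVersion // client -> relay -> server
	rec.AuthType = authVNC         // server -> relay -> client
	ch, err := s.NewChallenge()    // server -> relay -> client
	if err != nil {
		return rec, err
	}
	rec.Challenge = ch
	resp, err := c.Answer(ch) // client -> relay -> server
	if err != nil {
		return rec, err
	}
	rec.Response = resp
	rec.Result = s.Verify(ch, resp) // server -> relay -> client
	return rec, nil
}

// PasswordOnWire reports whether the captured handshake bytes contain the
// password itself; the relay only ever holds DES_password(challenge).
func PasswordOnWire(rec Capture, password string) bool {
	wire := append(append([]byte{}, rec.Challenge...), rec.Response...)
	return bytes.Contains(wire, []byte(password))
}

func main() {
	srv := &Server{password: "s3cret"} // constructed sample password
	rec, err := Relay(&Client{password: "s3cret"}, srv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("auth type %d, result %d\n", rec.AuthType, rec.Result)
	fmt.Printf("challenge %s\nresponse  %s\n", hex.EncodeToString(rec.Challenge), hex.EncodeToString(rec.Response))
	fmt.Printf("password visible on wire: %v\n", PasswordOnWire(rec, "s3cret"))
}
```

Running it shows the relay ends the handshake with result 0 (authenticated, so the data stream is hijacked as Phil says) while holding only the challenge and DES_password(challenge); the response is the plaintext challenge under a key derived from the password, so nothing in the capture is the password DES-encrypted by the challenge. A wrong client password makes `Verify` return 1 because the server recomputes the response from its own copy of the password.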
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 00:01:16 PST