Hacktricks-skills vnc-pentest

VNC (Virtual Network Computing) pentesting and exploitation. Use this skill whenever the user mentions VNC, remote desktop, ports 5800/5801/5900/5901, RFB protocol, vncviewer, or needs to enumerate/connect to/attack VNC services. Also trigger for VNC password decryption, brute force attacks, or Shodan queries for VNC services.

Install

Clone the upstream repo:

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-vnc/SKILL.MD

Source content

VNC Pentesting

A skill for enumerating, connecting to, and exploiting VNC (Virtual Network Computing) services during penetration testing.

When to Use This Skill

Use this skill when:

  • You discover VNC services on ports 5800, 5801, 5900, or 5901
  • You need to enumerate VNC configurations and vulnerabilities
  • You want to connect to a VNC server for remote desktop access
  • You have a VNC password file that needs decryption
  • You're performing brute force attacks against VNC authentication
  • You need to search for exposed VNC services using Shodan

Basic Information

Virtual Network Computing (VNC) is a graphical desktop-sharing system using the Remote Frame Buffer (RFB) protocol. It enables remote control by transmitting keyboard and mouse events bidirectionally.

Common VNC ports:

  • 5800/tcp - VNC with HTTP tunneling
  • 5801/tcp - VNC with HTTP tunneling (display :1)
  • 5900/tcp - Standard VNC (display :0)
  • 5901/tcp - Standard VNC (display :1)

Enumeration

Nmap Scanning

Run comprehensive VNC enumeration with Nmap:

# Basic service detection
nmap -sV -p 5900 <TARGET_IP>

# Advanced VNC enumeration with scripts
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>

# Full enumeration with version detection (quote the glob so the shell does not expand it)
nmap -sV -sC --script "vnc-*" -p 5800,5801,5900,5901 <TARGET_IP>

Metasploit Scanner

Use Metasploit's VNC scanner to find instances without authentication:

msfconsole
use auxiliary/scanner/vnc/vnc_none_auth
set RHOSTS <TARGET_IP>
set RPORT 5900
run
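What vnc_none_auth and nmap's vnc-info actually check is the security-type list the server offers during the RFB handshake. The following is an added example, not code from the HackTricks skill: it parses constructed server handshake bytes offline and classifies the listener for an audit report, so a defender can recognise a no-auth VNC service and prioritise remediation.

```python
# Added example: parse the RFB handshake a VNC server sends and flag weak
# authentication offers. All input bytes below are constructed samples.
import re
import struct

# Security type numbers from the RFB 3.7/3.8 specification.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
    6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}

def parse_server_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion message."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB ProtocolVersion banner")
    return int(m.group(1)), int(m.group(2))

def parse_security_types(major: int, minor: int, data: bytes) -> list[int]:
    """Parse the server's security-type message sent after the version exchange.
    RFB 3.3: one U32 type (0 = refused). RFB 3.7+: U8 count then count U8 types;
    a count of 0 means refused, followed by U32 reason length and reason text."""
    if (major, minor) < (3, 7):
        (sec_type,) = struct.unpack(">I", data[:4])
        if sec_type == 0:
            raise ConnectionError("server refused connection")
        return [sec_type]
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode(errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])

def assess(banner: bytes, sec_msg: bytes) -> dict:
    """CRITICAL if 'None' is offered (anyone reaching the port gets the desktop),
    WEAK if only password-based VNC Authentication is offered, otherwise OK."""
    major, minor = parse_server_version(banner)
    types = parse_security_types(major, minor, sec_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        severity = "CRITICAL"
    elif types and all(t == 2 for t in types):
        severity = "WEAK"
    else:
        severity = "OK"
    return {"version": f"{major}.{minor}", "security_types": names, "severity": severity}

if __name__ == "__main__":
    # Constructed sample: an RFB 3.8 server offering None and VNC Authentication.
    print(assess(b"RFB 003.008\n", bytes([2, 1, 2])))
```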

Shodan Search

Find exposed VNC services on the internet:

# Search for VNC on port 5900
shodan search "port:5900 RFB"

# Search for VNC with no authentication
shodan search "port:5900 RFB" "no authentication"

Connection

Using vncviewer (Kali Linux)

Connect to a VNC server:

# Basic connection
vncviewer <IP>::5901

# Connection with password file
vncviewer -passwd passwd.txt <IP>::5901

# Connection with display number
vncviewer <IP>:1

Note: Use :: for port specification (e.g., 192.168.1.100::5901) and : for display number (e.g., 192.168.1.100:1).

Password Decryption

VNC passwords are encrypted using a weak 3DES cipher. If you obtain a VNC password file, you can decrypt it.

Linux/macOS

The default VNC password file location is ~/.vnc/passwd.

Use the vncpwd tool to decrypt:

# Clone and build the tool
git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd
make

# Decrypt the password
./vncpwd <path-to-password-file>

Windows

Use the VNC Password Decryptor tool available at:

Brute Force Attacks

If authentication is required, attempt brute force attacks:

# Using nmap
nmap -sV --script vnc-brute -p 5900 <TARGET_IP>

# Using metasploit (the VNC login scanner lives under auxiliary/scanner/vnc/)
msfconsole
use auxiliary/scanner/vnc/vnc_login
set RHOSTS <TARGET_IP>
set RPORT 5900
# Classic VNC authentication is password-only; USER_FILE only matters for servers that take usernames
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt
run

Common VNC Passwords to Try

Default or weak passwords often include:

  • password, admin, root, vnc, 123456
  • guest, test, demo, vncviewer
  • Empty password (no authentication)

Security Considerations

  • VNC with no authentication is a critical vulnerability
  • VNC passwords are weakly encrypted and easily cracked
  • Exposed VNC services on the internet are common attack vectors
  • Always check for authentication bypass vulnerabilities
  • Consider using SSH tunneling for secure VNC access

Workflow Summary

  1. Discover - Identify VNC services via port scanning (5800, 5801, 5900, 5901)
  2. Enumerate - Use Nmap scripts and Metasploit to gather information
  3. Test Authentication - Check for no-auth or weak authentication
  4. Connect - Use vncviewer to establish remote desktop session
  5. Decrypt - If you have password files, decrypt them using vncpwd
  6. Brute Force - If needed, attempt credential attacks

Tips

  • Always try connecting without a password first (many VNC servers have no auth)
  • The :: syntax in vncviewer specifies the port, : specifies the display
  • VNC password files are typically 16 bytes when encrypted
  • Use nmap --script vnc-info to get version and configuration details
  • Check for RealVNC authentication bypass vulnerabilities