Crack Or Decrypt Vnc Server Encrypted Password
PermalinkJoin GitHub today
- Vncpasswd - change password for VNC® authentication. The vncserver program runs vncpasswd if necessary the first time you start a VNC desktop. Or other encryption is used over the wire making it hard for anyone to crack the password.
- I don't remember my password for one of my servers. //Decrypts obfuscated passwords by Remmina - The GTK+ Remote Desktop Client //written by Michael Cochez. //'The encrypted password used for the connection. If re.findall(r'username=', i): r_username = i.split('=')[1][:-1] #~ print fo #~ print 'found', f password.
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upUse Aircrack-ng to create WPA handshake file for cracking with Hashcat. More: https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/.
Branch:master
3 contributors
| #!/usr/bin/env python2 |
| ''vncpasswd.py: Python implementation of vncpasswd, w/decryption abilities & extra features ;-)'' |
| __author__ ='James Cuzella' |
| __copyright__ ='Copyright 2012,2013, James Cuzella' |
| __credits__ = [ 'Yusuke Shinyama', 'Richard Outerbridge', 'Dan Hoey', 'Jim Gillogly', 'Phil Karn' ] |
| __license__ ='MIT' |
| __version__='0.0.2' |
| __maintainer__ ='James Cuzella' |
| import sys |
| import argparse |
| import platform |
| #from struct import pack, unpack |
| import d3des as d |
| if platform.system().startswith('Windows'): import WindowsRegistry as wreg |
| defsplit_len(seq, length): |
| return [seq[i:i+length] for i inrange(0, len(seq), length)] |
| defdo_crypt(password, decrypt): |
| passpadd = (password +'x00'*8)[:8] |
| strkey =''.join([ chr(x) for x in d.vnckey ]) |
| key = d.deskey(strkey, decrypt) |
| crypted = d.desfunc(passpadd, key) |
| return crypted |
| defdo_file_in(filename, inhex): |
| f =open(filename, 'r') |
| data = f.read() |
| f.close() |
| if ( inhex ): |
| data = data.strip() |
| data = unhex(data) |
| return data |
| defdo_file_out(filename, data, inhex): |
| f =open(filename, 'w') |
| if ( inhex ): |
| data = data.encode('hex') |
| f.write(data) |
| f.close() |
| defunhex(s): |
| '' |
| Decodes a string of hex characters |
| Return: This method returns an decoded version of the string. |
| If a hexidecimal string with odd length is passed, the last character is chopped off and the decoded version of this is returned. |
| Example: |
| >>> unhex('48656c6c6f20576f726c64') |
| 'Hello World' |
| >>> unhex('48656c6c6f20576f726c6') |
| WARN: Odd-length string . Chopping last char off... '48656c6c6f20576f726c' |
| 'Hello Worl' |
| >>> unhex('303132333435363738396162636465666768696a6b6c6d6e6f707172737475767778797a4142434445464748494a4b4c4d4e4f505152535455565758595a2122232425262728292a2b2c2d2e2f3a3b3c3d3e3f405b5c5d5e5f607b7c7d7e20090a0d0b0c') |
| '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!'#$%&'()*+,-./:;<=>?@[]^_`{ }~ tnrx0bx0c' |
| >>> unhex('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F') |
| 'x00x01x02x03x04x05x06x07x08tnx0bx0crx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1f' |
| >>> unhex('abcdefghijklmnop') |
| Traceback (most recent call last): |
| File '/usr/lib/python2.7/doctest.py', line 1289, in __run |
| compileflags, 1) in test.globs |
| File '<doctest __main__.unhex[2]>', line 1, in <module> |
| unhex('abcdefghijklmnop') |
| File './vncpasswd.py', line 51, in unhex |
| s = s.decode('hex') |
| File '/usr/lib/python2.7/encodings/hex_codec.py', line 42, in hex_decode |
| output = binascii.a2b_hex(input) |
| TypeError: Non-hexadecimal digit found |
| '' |
| try: |
| s = s.decode('hex') |
| exceptTypeErroras e: |
| if e.message 'Odd-length string': |
| print'WARN: %s . Chopping last char off... '%s''% ( e.message, s[:-1] ) |
| s = s[:-1].decode('hex') |
| else: |
| raise |
| return s |
| defrun_tests(verbose=False): |
| print'Running Unit Tests...' |
| import doctest |
| import __main__ |
| (failure_count, test_count) = doctest.testmod(None, None, None, verbose, True) |
| pass_count = test_count - failure_count |
| methods =dir(__main__) |
| ignore_methods = ['__builtins__', '__doc__', '__file__', '__name__', '__package__', '__warningregistry__', 'argparse', 'sys' ] |
| methods = [i for i in methods ifnot i in ignore_methods or ignore_methods.remove(i)] |
| print'%d tests in %s items.'% ( test_count, len(methods) ) |
| if failure_count >0: |
| print'%d out of %d tests failed'% (failure_count, test_count) |
| else: |
| print'%d passed and %d failed.'% ( pass_count, failure_count ) |
| print'Test passed.' |
| sys.exit(failure_count) |
| defmain(): |
| parser = argparse.ArgumentParser(description='Encrypt or Decrypt a VNC password') |
| parser.add_argument('-d', '--decrypt', dest='decrypt', action='store_true', default=False, |
| help='Decrypt an obfuscated password.') |
| parser.add_argument('-e', '--encrypt', dest='decrypt', action='store_false', default=False, |
| help='Encrypt a plaintext password. (default mode)') |
| parser.add_argument('-H', '--hex', dest='hex', action='store_true', default=False, |
| help='Assume input is in hex.') |
| parser.add_argument('-R', '--registry', dest='registry', action='store_true', default=False, |
| help='Input or Output to the windows registry.') |
| parser.add_argument('-f', '--file', dest='filename', |
| help='Input or Output to a specified file.') |
| parser.add_argument('passwd', nargs='?', |
| help='A password to encrypt') |
| parser.add_argument('-t', '--test', dest='test', action='store_true', default=False, |
| help='Run the unit tests for this program.') |
| args = parser.parse_args() |
| if (args.test): |
| run_tests() |
| if ( args.filename Noneand args.passwd Noneand (args.registry Falseornot platform.system().startswith('Windows')) ): |
| parser.error('Error: No password file or password passedn') |
| if ( args.registry and args.decrypt and platform.system().startswith('Windows')): |
| reg = get_realvnc_key() |
| ( args.passwd, key_type) = reg.getval('Password') |
| elifnot platform.system().startswith('Windows'): |
| print'Cannot read from Windows Registry on a %s system'% platform.system() |
| if ( args.passwd !=Noneand args.hex ): |
| args.passwd = unhex(args.passwd) |
| if ( args.filename !=Noneand args.decrypt ): |
| args.passwd = do_file_in(args.filename, args.hex) |
| # If the hex encoded passwd length is longer than 16 hex chars and divisible |
| # by 16, then we chop the passwd into blocks of 64 bits (16 hex chars) |
| # (1 hex char = 4 binary bits = 1 nibble) |
| hexpasswd = args.passwd.encode('hex') |
| if ( len(hexpasswd) >16and (len(hexpasswd) %16) 0 ): |
| print'INFO: Detected ciphertext > 64 bits... breaking into blocks to decrypt...' |
| splitstr = split_len(args.passwd.encode('hex'), 16) |
| print'INFO: Split blocks = %s'% splitstr |
| cryptedblocks = [] |
| for sblock in splitstr: |
| cryptedblocks.append( do_crypt(sblock.decode('hex'), args.decrypt) ) |
| #print '%016st%s' % ( sblock, cryptedblocks ) |
| crypted =''.join(cryptedblocks) |
| elif ( len(hexpasswd) <=16): |
| crypted = do_crypt(args.passwd, args.decrypt) |
| else: |
| if ( args.decrypt ): |
| print'WARN: Ciphertext length was not divisible by 8 (hex/16).' |
| print'Length: %d'%len(args.passwd) |
| print'Hex Length: %d'%len(hexpasswd) |
| crypted = do_crypt(args.passwd, args.decrypt) |
| if ( args.filename !=Noneandnot args.decrypt ): |
| do_file_out(args.filename, crypted, args.hex) |
| if ( args.registry andnot args.decrypt and platform.system().startswith('Windows')): |
| reg = get_realvnc_key() |
| reg.setval('Password', crypted, wreg.WindowsRegistry.REG_BINARY) |
| elifnot platform.system().startswith('Windows'): |
| print'Cannot write to Windows Registry on a %s system'% platform.system() |
| prefix = ('En','De')[args.decrypt True] |
| print'%scrypted Bin Pass= '%s''% ( prefix, crypted ) |
| print'%scrypted Hex Pass= '%s''% ( prefix, crypted.encode('hex') ) |
| defget_realvnc_key(): |
| reg =None |
| for k in ['vncserver', 'WinVNC4',]: |
| try: |
| reg = wreg.WindowsRegistry('RealVNC', k) |
| break |
| exceptWindowsErroras e: |
| if'The system cannot find the file specified'instr(e): |
| pass |
| else: |
| raise e |
| return reg |
| if__name__'__main__': |
| main() |
Copy lines Copy permalink
Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upHave a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vnc Server Download
Comments
commented Feb 22, 2018
Not documented anywhere in the FAQ; TigerVNC passwords (and likely its authentication methods) are entirely insecure.
Passwords should be stored, at minimum, as a one-way hash that cannot be decrypted. They do not need to be decryptable for any practical purpose. Anyone can brute force an 8 character password, even without gaining momentary access to the local system. |
commented Feb 22, 2018
That would be nice, but the protocol unfortunately requires the password to be known to the server so we cannot hash it. So any improvements here would require a protocol extension, and getting that widely deployed among other VNC implementations. As for warning about the length, we already have #370 for that. So I'm afraid I'll close this as a duplicate, unless you have something more tangible to suggest for changing the authentication. |
commented Feb 22, 2018 • edited
edited
If the security of TigerVNC cannot be improved because it must be backwards compatible with intrinsically insecure VNC protocols of 20 years ago, then that should be documented on the head of every article on the website in bold red lettering. I was unable to find any overt or easy to find mentions about the weaknesses mentioned above: DES, 8 character max, stored insecurely where malware regularly scrape passwords. Does TigerVNC even thwart high-speed brute force password tries and failure attempts? Similarly, TigerVNC as a project needs to decide whether it wants to stick to being an obsolete backwards compatible program, or a modern and secure program, in a formal statement and liability waiver. There is clearly not enough urgency to discourage people from using TigerVNC. The site requires a statement that implores people to stop using this software, toot sweet. |
commented Feb 22, 2018
OK, seriously... This is an open source project, and as the saying goes'free as in speech, not beer'. If this subject is of such vital importanceto you then why not jump in and help instead of making snarky comments? …On Thu, Feb 22, 2018 at 2:27 PM, a-raccoon ***@***.***> wrote: If the security of TigerZNC cannot be improved because it must be backwards compatable with intrinsically insecure ZNC protocols of 20 years ago, then that should be documented on the head of every article on the website in bold red lettering. I was unable to find any overt or easy to find mentions about the weaknesses mentioned above: DES, 8 character max, stored insecurely where malware regularly scrape passwords. Does TigerZNC even thwart high-speed brute force password tries and failure attempts? Similarly, TigerZNC as a project needs to decide whether it wants to stick to being an obsolete backwards compatible program, or a modern and secure program, in a formal statement and liability waiver. There is clearly not enough urgency to discourage people from using TigerZNC. The site requires a statement that implores people to stop using this software, toot sweet. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#601 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHnWbcjyA_ZUN0celDwuQ-Mmj2NEROmIks5tXb-vgaJpZM4SO9h9> . |
commented Feb 22, 2018 • edited
edited
My remarks are anything but snarky. You also mistaken users who submit feedback, bug reports and security advisories as 'programmers who need to fix it for themselves or shut up.' This is not the case. |