Rich Smith

Rich Smith
Rich Smith (Miami, FL) joined Immunity in October 2008 to lead R&D for CANVAS, Immunity’s flagship product. Prior to joining Immunity, Rich has 5 years experience as a principal security researcher with HP Labs leading the Research In Offensive Technology and Threats (RiOTT). Rich has spoken at numerous international conferences,both public and private, and participated in both industry and EU sponsored infosec groups. Rich’s most recent public research was in the area of permanent denial of service (PDOS) attacks against embedded systems, which he presented publicly in Singapore(SyScan), Taiwan(SyScan) and London (EUSecWest). Rich’s technical expertise includes extensive toolset and exploit development in python, and experience with both network, desktop and embedded system security.

Topic: VAASeline: VNC Attack Automation Suite

During network enumerations and pentests VNC servers are commonly found on otherwise-secured systems. VNC servers can often be the subjects of weak or blank passwords due to their presence as part of an organisation’s ‘Shadow IT’ infrastructure, thus not conforming to password or authentication policies.

For these reasons, it was deemed preferable to have a generic method by which VNC systems could have artitrary command executionscripted against them in an automated manner as part of a penetration test or vulnerability scan using only the Remote Frame Buffer (RFB) protocol on which VNC is built. While a seemingly simple task, due to the design of the RFB protocol, it quickly becomes complex and you are left thinking ‘it shouldn’t be this hard …. should it?’ The reason for this from a programatic perspective is the blind nature of the protocol: mouse and keyboard events input, framebuffer updates output. This makes input vectors very limited and outcome of supplied input essentially invisible to scripts as it is manifested as visual screen updates only.

The presentation discusses a generic method by which arbitrary commands can be executed on a VNC server only through the use of standard RFB protocol packet types, albeit through the inventive misuse of them.

In brief, a multistep technique to use the clipboard of the target VNC server along with an uploaded VBScript clipboard monitor and the Client/ServerCutText RFB packet types as a crude RPC interface over which a custom but extensible ASCII protocol has been implemented to allow arbitrary, stateful actions to be taken on Win32 VNC servers using only the RFB protocol.

A library written in python to allow the technique to be easily used has be written and will be released under the LGPL license, along with the presentation. In addition a number of other VNC attack tools based on the same library will also be released, including:

  • Passive Clipboard Sniff: This allows the contents of the clipboards from both a VNC client and server to be grabbed off the wire by an attacker.
  • Active Clipboard Sniff: This allows the clipboard of a targeted VNC system to be monitored by a n attacker who is able to authenticate to a VNC server.
  • VNC Auto Auth: This allows a VNC server utilising password authentication to have its password enumerated by either dictionary or brute force attacks.
These tools help an attacker to get into a position whereby he is able to use the VNC RPC technique to take arbitrary scriptable actions on a target.

These tools can be easily scripted together to provide an entirely automated VNC server enumeration, password discovery and attacker action across an entire network as part of a penetration test. Demonstrations of the tools, libraries and techniques will be shown in the presentation. Finally the techniques should be generally applicable to the Remote Desktop Protocol also, although a library to support this is not ready for release at this time.

Presentation outline:

  • 1.A discussion of the problem, why do we want a way to take automatic actions against a VNC server ?
  • Why is this problem hard ? It should be easy right.
  • A discussion of the RFB protocol to answer the question above. Many people will be familiar with VNC but not with the protocol that sits below it.
  • First steps toward a solution, how can we script keystrokes and use the CutText packets?
  • Explaining why using key stroke emulation is part of the solution but not all of it due to unreliability and the need for not blind, stateful command execution.
  • Introduce the vbscript clipboard monitor that will allow us to use the targets clipboard and the RFB Client/ServerCutText Packets as an IO channel over which we can construct our protocol.
  • Discussion of design and implementation of the ASCII protocol and how the vbscript can be customised to support almost any action desired.
  • Demonstration of the final all in one working solution allowing automated actions to be taken on VNC systems.
  • Discussion of the python library that make the solution easy and accessible.
  • Discussion and demonstration of the other tools being released alongside the library which aid in the automation of the discussed VNC attack (PassiveVNCSniff, ActiveVNCSniff, VNCAutoAuth).
  • Discussion of future possibilities and the potential for using the same techniques against the Remote Desktop Protocol (RDP) supported by default on Microsoft Windows.
  • Questions.

What will attendees gain:

  • A detailed insight into the protocol which sits beneath the VNC solution that they will all likely be familiar with.
  • A case study with which to understand the build up of an attack based solution from initial goals, through problematic first steps to full blown working solution, and the creation of a generic and extensible library upon which the desired functionality can be based.
  • A further proof point that Shadow IT across a companies infrastructure can be the small chink in the armor need to leverage full blown arbitrary code execution.
  • A fully working VNC automation library with which they can script their own vulnerability scans.