Rich Smith (Miami, FL) joined Immunity in October 2008 to lead R&D for CANVAS, Immunity’s flagship product. Prior to joining Immunity, Rich has 5 years experience as a principal security researcher with HP Labs leading the Research In Offensive Technology and Threats (RiOTT). Rich has spoken at numerous international conferences,both public and private, and participated in both industry and EU sponsored infosec groups. Rich’s most recent public research was in the area of permanent denial of service (PDOS) attacks against embedded systems, which he presented publicly in Singapore(SyScan), Taiwan(SyScan) and London (EUSecWest). Rich’s technical expertise includes extensive toolset and exploit development in python, and experience with both network, desktop and embedded system security.
Topic: VAASeline: VNC Attack Automation Suite
During network enumerations and pentests VNC servers are commonly found on otherwise-secured systems. VNC servers can often be the subjects of weak or blank passwords due to their presence as part of an organisation’s ‘Shadow IT’ infrastructure, thus not conforming to password or authentication policies.
For these reasons, it was deemed preferable to have a generic method by which VNC systems could have artitrary command executionscripted against them in an automated manner as part of a penetration test or vulnerability scan using only the Remote Frame Buffer (RFB) protocol on which VNC is built. While a seemingly simple task, due to the design of the RFB protocol, it quickly becomes complex and you are left thinking ‘it shouldn’t be this hard …. should it?’ The reason for this from a programatic perspective is the blind nature of the protocol: mouse and keyboard events input, framebuffer updates output. This makes input vectors very limited and outcome of supplied input essentially invisible to scripts as it is manifested as visual screen updates only.
The presentation discusses a generic method by which arbitrary commands can be executed on a VNC server only through the use of standard RFB protocol packet types, albeit through the inventive misuse of them.
In brief, a multistep technique to use the clipboard of the target VNC server along with an uploaded VBScript clipboard monitor and the Client/ServerCutText RFB packet types as a crude RPC interface over which a custom but extensible ASCII protocol has been implemented to allow arbitrary, stateful actions to be taken on Win32 VNC servers using only the RFB protocol.
A library written in python to allow the technique to be easily used has be written and will be released under the LGPL license, along with the presentation. In addition a number of other VNC attack tools based on the same library will also be released, including:
These tools can be easily scripted together to provide an entirely automated VNC server enumeration, password discovery and attacker action across an entire network as part of a penetration test. Demonstrations of the tools, libraries and techniques will be shown in the presentation. Finally the techniques should be generally applicable to the Remote Desktop Protocol also, although a library to support this is not ready for release at this time.
What will attendees gain: