
detecting UltraVNC with DMS plugin (RC4 encryption)
I've installed UltraVNC on a Windows box and played with the "DMS"
plugin. Cf. http://doc.uvnc.com/features/encryption.html
Obviously, it enciphers the whole connection and breaks the standard
VNC protocol.
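Connecting to it, you get 12 apparently random bytes (the same length as
the plain-text RFB ProtocolVersion greeting, "RFB xxx.yyy\n", so length
alone does not tell the two apart). The bytes are always the same until
you change the RC4 server key.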

I tried to change the key and did some experiments with this little
script. I think that we could detect this with a good probability.

Any thoughts?

-----------------------------------------------------------------------------

include("dump.inc");
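# Experiment: read the greeting sent on the VNC port and count how often each
# bit position (0..7) is set across its 12 bytes, to judge whether the data
# looks enciphered rather than like a plain-text RFB banner.
#
# NOTE(review): the post reports that the 12 bytes stay constant until the
# RC4 server key is changed. That suggests the keystream is not randomised
# per connection -- worth confirming and mentioning in any plugin report.
port = 5900;

s = open_sock_tcp(port);
if (!s) exit(0);        # port closed or filtered: nothing to measure

r = recv(socket: s, length: 1024);
close(s);               # the greeting is all we need; do not leak the socket

dump(ddata: r, dtitle: "UltraVNC");

if (strlen(r) != 12) exit(0);

# A standard server also greets with exactly 12 bytes ("RFB xxx.yyy\n"),
# so rule that out before treating the bytes as ciphertext.
if (substr(r, 0, 3) == "RFB ")
{
  display('plain RFB greeting, not enciphered\n');
  exit(0);
}

# Initialise the counters explicitly so that a bit position that is never
# set is reported as 0 instead of an empty value.
total = 0;
n = make_list(0, 0, 0, 0, 0, 0, 0, 0);

for (i = 0; i < 12; i ++)
{
  z = ord(r[i]);
  for (j = 0; j < 8; j ++)
  {
    if (z & (1 << j))
    {
      total ++;
      n[j] ++;
    }
  }
}

# Reading the numbers: pure ASCII text never sets bit 7, so n[7] = 0 points
# to plain text. With only 96 bits the sample is small: totals anywhere from
# roughly 38 to 58 are consistent with random data, so treat the result as a
# hint to combine with other checks, not as proof.
for (i = 0; i < 8; i ++)
  display('n[', i, '] = ', n[i], ' / 12\n');

display('total = ', total, ' / 96\n');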
-----------------------------------------------------------------------------

$ nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: ba ab dd f3 0b 01 db a4 24 e3 6f c8 ........$.o.

n[0] = 8 / 12
n[1] = 7 / 12
n[2] = 4 / 12
n[3] = 7 / 12
n[4] = 4 / 12
n[5] = 7 / 12
n[6] = 6 / 12
n[7] = 8 / 12
total = 51 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: e0 99 65 59 71 38 87 a8 54 ef 5d 08 ..eYq8..T.].

n[0] = 7 / 12
n[1] = 2 / 12
n[2] = 5 / 12
n[3] = 7 / 12
n[4] = 6 / 12
n[5] = 6 / 12
n[6] = 7 / 12
n[7] = 5 / 12
total = 45 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 42 1f 4d b6 0d 2c 4d bc 20 cd 58 66 B.M..,M. .Xf

n[0] = 5 / 12
n[1] = 4 / 12
n[2] = 9 / 12
n[3] = 8 / 12
n[4] = 4 / 12
n[5] = 5 / 12
n[6] = 6 / 12
n[7] = 3 / 12
total = 44 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: e6 0b 7c 64 7e 7b 1f f7 09 7f 38 87 ..|d~{....8.

n[0] = 7 / 12
n[1] = 8 / 12
n[2] = 8 / 12
n[3] = 8 / 12
n[4] = 7 / 12
n[5] = 8 / 12
n[6] = 7 / 12
n[7] = 3 / 12
total = 56 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: bf d3 5c 89 9c 1b 97 93 3b 11 f9 56 ..\.....;..V

n[0] = 9 / 12
n[1] = 7 / 12
n[2] = 5 / 12
n[3] = 7 / 12
n[4] = 11 / 12
n[5] = 3 / 12
n[6] = 4 / 12
n[7] = 7 / 12
total = 53 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 23 20 0a 3b f2 49 9d dc e9 38 3f 22 # .;.I...8?"

n[0] = 6 / 12
n[1] = 6 / 12
n[2] = 3 / 12
n[3] = 8 / 12
n[4] = 6 / 12
n[5] = 8 / 12
n[6] = 4 / 12
n[7] = 4 / 12
total = 45 / 96
$ !!
nasl /tmp/ec.nasl -t 10.10.10.10
:::UltraVNC
00: 2a ac fd 7e 7b 79 96 07 5d ed 56 45 *..~{y..].VE

n[0] = 7 / 12
n[1] = 6 / 12
n[2] = 9 / 12
n[3] = 8 / 12
n[4] = 7 / 12
n[5] = 7 / 12
n[6] = 8 / 12
n[7] = 4 / 12
total = 56 / 96
$