VNC Enumeration
Overview
VNC (Virtual Network Computing) runs on TCP 5900+ by default (5900 for display :0, 5901 for :1, etc.). Enumeration targets version detection, authentication method identification, and unauthenticated access checks. VNC is frequently deployed with no authentication, weak passwords, or default configurations — especially on development servers, kiosks, and embedded systems.
ATT&CK Mapping
- Tactic: TA0043 - Reconnaissance
- Technique: T1595 - Active Scanning
Prerequisites
- Network access to the target VNC ports (5900-5910 by default; 5800 as well if the HTTP viewer is enabled)
- Nmap or VNC client installed
Enumeration Techniques
Service Detection
# Nmap
# https://nmap.org/
nmap -sV -p 5900-5910 <target>
Expected output:
5900/tcp open vnc VNC (protocol 3.8)
5901/tcp open vnc VNC (protocol 3.8)
The protocol version reveals the RFB (Remote Framebuffer) protocol version, not the server software. Banner grab for more detail:
nc -nv <target> 5900
Expected output:
(UNKNOWN) [10.10.10.50] 5900 (?) open
RFB 003.008
Authentication Detection
# Nmap
# https://nmap.org/
# Check VNC authentication requirements
nmap -sV -p 5900 --script vnc-info <target>
Expected output (no authentication):
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ None
If None (security type 1) appears anywhere in the list, the client may select it and the server accepts the session without any password, whatever other types are advertised alongside it. Connect directly:
# TigerVNC (vncviewer)
# https://tigervnc.org/
vncviewer <target>::5900
Expected output for password-protected server:
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
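The exchange behind the nmap and nc output above, as an added example that is not part of the original page and is not Nmap, TigerVNC or Metasploit code: the server sends its 12-byte "RFB xxx.yyy\n" banner, the client answers with a version, and the server then sends its security-type message, which is where the None / VNC Authentication / Tight list comes from. The layout differs by version (RFB 3.3 sends a single u32 type; 3.7 and 3.8 send a u8 count followed by one byte per type; a count or type of 0 means the server refused and a reason string follows). The code uses only the standard library; the security-type names come from RFC 6143 section 7.1.2 plus type 30 from the IANA RFB registry, and the sample messages used to exercise the parser are constructed, not captured from a real host.

```python
"""Speak the first two steps of the RFB handshake (RFC 6143): read the
server's banner, echo a version back, then parse the security-type message.
Added example for this page; not Nmap, TigerVNC or Metasploit code."""
import re
import socket
import struct
from typing import List, Optional, Tuple

# Security types from RFC 6143 section 7.1.2; 30 is from the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid (connection failed)",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "GTK-VNC SASL",
    21: "MD5 hash authentication",
    22: "Colin Dean xvp",
    30: "Apple Remote Desktop (ARD)",
}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_version(banner: bytes) -> Tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    m = VERSION_RE.match(banner)
    if not m:
        raise ValueError("not an RFB banner: %r" % (banner,))
    return int(m.group(1)), int(m.group(2))


def _reason(data: bytes) -> str:
    """A refused connection carries a u32 length and an ASCII reason string."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(data: bytes, version: Tuple[int, int]) -> Tuple[List[int], Optional[str]]:
    """Return (security types offered, failure reason or None)."""
    if version < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a big-endian u32.
        (sectype,) = struct.unpack(">I", data[:4])
        if sectype == 0:
            return [], _reason(data[4:])
        return [sectype], None
    # RFB 3.7/3.8: u8 count, then that many u8 types; count 0 means refused.
    count = data[0]
    if count == 0:
        return [], _reason(data[1:])
    return list(data[1:1 + count]), None


def describe(types: List[int]) -> List[str]:
    return [SECURITY_TYPES.get(t, "unknown (%d)" % t) for t in types]


def allows_unauthenticated(types: List[int]) -> bool:
    """The client picks any listed type, so None anywhere means no password needed."""
    return 1 in types


def _recvn(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0):
    """Live probe of one host:port; returns (version, type names, failure reason)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recvn(sock, 12)
        version = parse_version(banner)
        sock.sendall(banner)            # answer with the server's own version
        data = sock.recv(4096)          # the security message fits in one segment
        types, reason = parse_security_types(data, version)
        return version, describe(types), reason


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    ver, names, why = probe(target, target_port)
    print("RFB %d.%d" % ver, names if names else "refused: %s" % why)
    if "None" in names:
        print("no authentication required")
```

Run it as `python3 rfbprobe.py <target> 5901` to get the same verdict vnc-info gives; the parsing functions can also be fed bytes captured with nc, which is useful when a server closes the connection before nmap's script finishes.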
Nmap NSE Scripts
# Nmap
# https://nmap.org/
# Brute-force VNC Authentication (type 2); a wordlist can be supplied with --script-args passdb=<file>
nmap -p 5900 --script vnc-brute <target>
# Get detailed VNC server title and resolution
nmap -p 5900 --script vnc-title <target>
Expected output from vnc-title:
| vnc-title:
| name: server01:1 (user01)
|_ resolution: 1920x1080
The window title often reveals the hostname and username of the active session.
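After sweeping a range with vnc-info, the question is simply which hosts offer None. The following triage script is an added example for this page, not Nmap code: it reads the XML produced by `nmap -p 5900-5910 --script vnc-info -oX scan.xml <targets>`, prints one row per open VNC port with its protocol version and security types, and flags the ones that need no password. It parses only the script's plain `output` attribute (the same text shown in the examples above) rather than Nmap's structured elements. SAMPLE_XML is a constructed scan result included so the parser can be run offline.

```python
"""Triage nmap -oX output from a vnc-info sweep: list version and security
types per open VNC port and flag servers that offer type None.
Added example for this page; not Nmap code. SAMPLE_XML is constructed."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_XML = """<nmaprun>
<host><address addr="10.10.10.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/>
<script id="vnc-info" output="&#xa;  Protocol version: 3.8&#xa;  Security types:&#xa;    None"/>
</port>
<port protocol="tcp" portid="5901"><state state="open"/><service name="vnc"/>
<script id="vnc-info" output="&#xa;  Protocol version: 3.8&#xa;  Security types:&#xa;    VNC Authentication (2)&#xa;    Tight (16)"/>
</port>
</ports></host>
<host><address addr="10.10.10.51" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="5902"><state state="closed"/><service name="vnc"/></port>
<port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
</ports></host>
</nmaprun>
"""

# "VNC Authentication (2)" -> name "VNC Authentication"; "None" -> "None"
TYPE_LINE = re.compile(r"^(.*?)(?:\s*\((\d+)\))?$")


def parse_vnc_info(xml_text: str) -> List[Dict]:
    """One row per open port: host, port, version, types, no_auth."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            row = {"host": addr, "port": int(port.get("portid")),
                   "version": None, "types": [], "no_auth": False}
            script = port.find("script[@id='vnc-info']")
            if script is not None:
                out = script.get("output", "")
                m = re.search(r"Protocol version:\s*(\S+)", out)
                if m:
                    row["version"] = m.group(1)
                # Everything after "Security types:" is one type per line.
                _, _, rest = out.partition("Security types:")
                for line in rest.splitlines():
                    line = line.strip()
                    if not line or ":" in line:   # blank, or another key such as WARNING:
                        continue
                    row["types"].append(TYPE_LINE.match(line).group(1))
                row["no_auth"] = "None" in row["types"]
            rows.append(row)
    return rows


def unauthenticated(rows: List[Dict]) -> List[Tuple[str, int]]:
    """(host, port) pairs that can be opened without a password."""
    return [(r["host"], r["port"]) for r in rows if r["no_auth"]]


def main(path: str) -> None:
    with open(path, encoding="utf-8") as f:
        rows = parse_vnc_info(f.read())
    for r in rows:
        print("%s:%d RFB %s types=%s %s" % (
            r["host"], r["port"], r["version"] or "?",
            ",".join(r["types"]) or "?", "NO AUTH" if r["no_auth"] else ""))


if __name__ == "__main__":
    main(sys.argv[1])
```

A port that is open but has no vnc-info block (the script timed out, or the service was not recognised as VNC) shows up with version "?" so it is not silently dropped from the list; those are the ones to re-check by hand with nc or a viewer.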
Metasploit Modules
# Metasploit Framework
# https://www.metasploit.com/
# VNC no-auth scanner (identifies servers with no password)
msf6 > use auxiliary/scanner/vnc/vnc_none_auth
msf6 > set RHOSTS <target>
msf6 > run
# VNC login scanner (brute-force)
msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 > set RHOSTS <target>
msf6 > set PASS_FILE /usr/share/wordlists/metasploit/vnc_passwords.txt
msf6 > run
The vnc_none_auth scanner is fast and should be run first — it identifies servers accepting connections without any credentials.
VNC Password File Locations
If you gain filesystem access to the VNC server (via other means), the stored VNC password is an 8-byte encrypted blob, not a hash, kept in predictable locations:
| Implementation | Password File |
|---|---|
| RealVNC | ~/.vnc/passwd |
| TightVNC | ~/.vnc/passwd |
| TigerVNC | ~/.vnc/passwd |
| x11vnc | ~/.vnc/passwd or -passwdfile argument |
| UltraVNC (Windows) | C:\Program Files\UltraVNC\ultravnc.ini |
| TightVNC (Windows) | Registry: HKLM\Software\TightVNC\Server\Password |
VNC Authentication passwords are not hashed: the first 8 characters of the password (NUL-padded if shorter, so anything beyond 8 characters is ignored) are encrypted as a single DES block under a fixed, publicly known key, and that 8-byte ciphertext is what the files and registry values above contain. Anyone who can read it recovers the plaintext directly:
# Metasploit Framework
# https://www.metasploit.com/
# Decrypt a stored VNC password (YOUR_HEX_HERE is the 16 hex characters of the 8-byte blob)
msf6 > irb
>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
>> require 'rex/proto/rfb'
>> Rex::Proto::RFB::Cipher.decrypt(["YOUR_HEX_HERE"].pack('H*'), fixedkey)
Or use a dedicated tool:
# vncpwd
# https://github.com/jeroennijhof/vncpwd
vncpwd /path/to/passwd
Note: vncpwd is not installed by default on Kali. Install from source:
git clone https://github.com/jeroennijhof/vncpwd.git
cd vncpwd
make
Common VNC Ports
VNC uses display-based port numbering:
| Display | Port | Notes |
|---|---|---|
| :0 | 5900 | Default display |
| :1 | 5901 | Second display |
| :2 | 5902 | Third display |
| HTTP viewer | 5800 | Java-based web VNC client (if enabled) |
Some implementations run on non-standard ports. Service detection handles this:
# Nmap
# https://nmap.org/
nmap -sV -p- --open <target> 2>/dev/null | grep vnc
Post-Enumeration
With VNC access confirmed, prioritize:
- Unauthenticated VNC servers provide immediate desktop-level access: screenshot and document
- Active sessions may reveal logged-in user credentials, open applications, and sensitive data on screen
- VNC server configuration may reveal the running user's privilege level
- Password reuse: VNC passwords are often reused across services
References
Official Documentation
- Nmap vnc-info NSE Script
- Nmap vnc-brute NSE Script
- RFB Protocol Specification (RFC 6143)
- vncpwd - VNC Password Decryptor (GitHub)
Password Recovery References
- Stored Password Decryption Techniques (frizb GitHub)
- XenArmor - How to Recover Remote Desktop Password from TightVNC
- RSM War Room - Retrieving Credentials from Configuration Files