add vnc password crack 2022-08-06

GhostTroops · Aug 6, 2022 · d885db2 · d885db2
1 parent b0626ea
commit d885db2
Show file tree

Hide file tree

Showing 13 changed files with 1,092 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -20,8 +20,9 @@
   Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.
   In principle, do not repeat the wheel, unless there are bugs, problems
 - Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
-- Support [22] password blasting, support custom dictionary, open by "priorityNmap": true
+- Support [23] password blasting, support custom dictionary, open by "priorityNmap": true
   * RDP
+  * VNC
   * SSH
   * Socks5
   * rsh-spx

diff --git a/README_CN.md b/README_CN.md
@@ -11,7 +11,7 @@
 </p>
 
 # 特性
-Vulnerabilities Scan；15000+PoC漏洞扫描；22种应用弱口令爆破；7000+Web指纹；146种协议90000+规则Port扫描；Fuzz、HW打点、BugBounty神器...
+Vulnerabilities Scan；15000+PoC漏洞扫描；[ 23 ] 种应用弱口令爆破；7000+Web指纹；146种协议90000+规则Port扫描；Fuzz、HW打点、BugBounty神器...
 <h1 align="center">
 <img width="928" alt="image" src="https://user-images.githubusercontent.com/18223385/175768227-098c779b-6c5f-48ee-91b1-c56e3daa9c87.png">
 </h1>
@@ -20,8 +20,9 @@ Vulnerabilities Scan；15000+PoC漏洞扫描；22种应用弱口令爆破；7000
   并对这些集成的项目进行代码级别优化、参数优化，个别模块,如 vscan filefuzz部分进行了重写  
   原则上不重复造轮子，除非存在bug、问题
 - 跨平台：基于golang实现，轻量级、高度可定制、开源，支持Linux、windows、mac os等
-- 支持【22】种密码爆破，支持自定义字典, 通过 "priorityNmap": true 开启 
+- 支持[ 23 ] 种密码爆破，支持自定义字典, 通过 "priorityNmap": true 开启 
   * RDP
+  * VNC
   * SSH
   * Socks5
   * rsh-spx

diff --git a/pkg/hydra/cracker.go b/pkg/hydra/cracker.go
@@ -18,6 +18,7 @@ import (
 	"github.com/hktalent/scan4all/pkg/hydra/socks5"
 	"github.com/hktalent/scan4all/pkg/hydra/ssh"
 	"github.com/hktalent/scan4all/pkg/hydra/telnet"
+	"github.com/hktalent/scan4all/pkg/hydra/vnc"
 	"github.com/hktalent/scan4all/pkg/hydra/winrm"
 	"github.com/hktalent/scan4all/pkg/kscan/core/slog"
 	"github.com/hktalent/scan4all/pkg/kscan/lib/gotelnet"
@@ -66,6 +67,13 @@ func Socks5Cracker(i interface{}) interface{} {
 	}
 	return nil
 }
+func VncCracker(i interface{}) interface{} {
+	info := i.(AuthInfo)
+	if ok, _ := vnc.Check(info.IPAddr, info.Auth.Username, info.Auth.Password, info.Port); ok {
+		return info
+	}
+	return nil
+}
 
 func sshCracker(i interface{}) interface{} {
 	info := i.(AuthInfo)

diff --git a/pkg/hydra/doNmapResult.go b/pkg/hydra/doNmapResult.go
@@ -84,7 +84,7 @@ func DoParseXml(s string, bf *bytes.Buffer) {
 					m1[ip] = append(xx09, []string{szPort, service})
 				}
 				if os.Getenv("NoPOC") != "true" {
-					if "socks5" == service {
+					if "socks5" == service || "vnc" == service {
 						CheckWeakPassword(ip, service, port)
 					} else if "445" == szPort && service == "microsoft-ds" || "135" == szPort && service == "msrpc" {
 						util.PocCheck_pipe <- &util.PocCheck{

diff --git a/pkg/hydra/hydra.go b/pkg/hydra/hydra.go
@@ -22,7 +22,7 @@ var (
 	CustomAuthMap  *AuthList
 	// rtsp://admin:[email protected]:554/0x8b6c42
 	// rtsp: 554, 5554,8554
-	ProtocolList = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,mongod,smb,telnet,snmp,wap-wsp,router,winrm,pop3,socks5", ",")
+	ProtocolList = strings.Split("rdp,ssh,rsh-spx,mysql,mssql,oracle,postgresql,redis,ftp,mongodb,mongod,smb,telnet,snmp,wap-wsp,router,winrm,pop3,socks5,vnc", ",")
 )
 
 func NewCracker(info *AuthInfo, isAuthUpdate bool, threads int) *Cracker {
@@ -82,6 +82,8 @@ func (c *Cracker) Run() {
 		c.Pool.Function = postgresqlCracker
 	case "socks5":
 		c.Pool.Function = Socks5Cracker
+	case "vnc":
+		c.Pool.Function = VncCracker
 	case "ldap", "rsh-spx", "ssh":
 		c.Pool.Function = sshCracker
 	case "telnet":

diff --git a/pkg/hydra/loadDicts.go b/pkg/hydra/loadDicts.go
@@ -145,6 +145,7 @@ func init() {
 		}
 		md["pop3"] = md["ssh"]
 		md["socks5"] = md["ssh"]
+		md["vnc"] = md["ssh"]
 		md["rsh-spx"] = md["ssh"]
 		md["snmp"] = &PPDict{
 			Username:  util.GetVal4File("snmp_user", snmp_user),

diff --git a/pkg/hydra/vnc/checkvnc.go b/pkg/hydra/vnc/checkvnc.go
@@ -0,0 +1,20 @@
+package vnc
+
+import (
+	"fmt"
+	"net"
+)
+
+func Check(Host, Username, Password string, Port int) (bool, error) {
+	nc, err := net.Dial("tcp", fmt.Sprintf("%s:%d", Host, Port))
+	if err != nil {
+		return false, err
+	}
+	cc1, err := Client(nc, &ClientConfig{Auth: []ClientAuth{&PasswordAuth{Password: Password}}})
+	if err != nil {
+		return false, err
+	} else {
+		cc1.Close()
+		return true, nil
+	}
+}