First of all, what is VNC? Virtual Network Computing is a system that allows remote access to a computer desktop using the RFB protocol. Control is achieved by transmitting keystrokes and mouse movements from one computer to another and relaying the screen content over a computer network. One of its advantages is cross-platform compatibility, which allows us to obtain various types of access. RFB is a client-server network protocol for remote access to a computer's graphical desktop. It is used in VNC remote access systems and works at the frame buffer level, making it applicable to graphical windowing systems.
In short, it is a protocol that remotely transmits images from a computer or HMI. HMI stands for Human-Machine Interface, a broad concept that encompasses engineering solutions providing human-operator interaction with controlled machines. In other words, it includes control systems for stations, cash registers, gas stations, and even anal vibrators.
After we understand what VNC is, let's figure out how to hack it. One option is to use IP search engines.
Method 1:
To do this, we will need a shodan.io account with a subscription. It is possible to find a hacked account, but if the account is registered with an email that ends in edu, such as cryptouk.edu, the subscription will be free, and such emails can be found in the logs. Then simply follow this link (after logging in with a premium account):
https://images.shodan.io/?query=rfb
If you are not interested in PCs but only in various control systems, add a little to the query:
https://images.shodan.io/?query=rfb+screenshot.label:ics
And search for interesting devices in the results. The drawback of this method is that it displays devices without passwords, so they are hacked almost immediately and are either shut down or the admins notice suspicious activity and close access. However, the method is simple and can find devices on non-standard ports.
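Whether a server ends up listed as passwordless is decided in the RFB handshake, where the server announces its security types. The following is an added example, not code from the original post: it parses the server side of a handshake captured from your own host and flags type 1 (None). The function name and sample byte strings are constructed for illustration; the type numbers and message layout follow RFC 6143.

```python
import struct

# Security type numbers defined in RFC 6143, section 7.1.2.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def audit_rfb_handshake(server_bytes: bytes) -> dict:
    """Audit the server half of an RFB handshake captured from your own host.

    Input is the server-to-client byte stream: the 12-byte ProtocolVersion
    message followed by the security-type message.
    """
    banner = server_bytes[:12]
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." \
            or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    body = server_bytes[12:]

    if version < (3, 7):
        # RFB 3.3: the server dictates one type as a big-endian U32.
        if len(body) < 4:
            raise ValueError("truncated security type")
        offered = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7 and 3.8: a count byte, then that many one-byte types.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security type list")
        offered = list(body[1:1 + body[0]])

    findings = []
    if 1 in offered:
        findings.append("offers type 1 (None): desktop reachable with no password")
    if 2 in offered:
        findings.append("offers type 2: DES challenge keyed by a password "
                        "truncated to 8 characters")
    return {
        "version": "%d.%d" % version,
        "offered": [SECURITY_TYPES.get(t, "type %d" % t) for t in offered],
        "unauthenticated": 1 in offered,
        "findings": findings,
    }

# Constructed sample captures (not taken from any real host).
OPEN_SERVER = b"RFB 003.008\n" + bytes([2, 1, 2])       # offers None and VNC auth
PASSWORD_ONLY = b"RFB 003.008\n" + bytes([1, 2])        # offers VNC auth only
LEGACY_OPEN = b"RFB 003.003\n" + struct.pack(">I", 1)   # 3.3 server choosing None
```

A server that reports `unauthenticated` should have type 1 disabled and should not be reachable from the internet at all; type 2 alone still leaves only an 8-character password between the network and the desktop.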
Now, there are two methods that rely on software. It is recommended to run them on a dedicated server or virtual machine. Firstly, we need to download the software: a port scanner (any will do, but Masscan is recommended) and VNC Brute by Z668, a software for brute-forcing VNC access. After successful download, we unpack it. Next, we go to https://www.ipdeny.com/ipblocks/ ↗ and select the country we want to brute-force, for example, Afghanistan. We click on download, and an HTML with the country's range opens. We then copy the ranges by pressing CTRL+A and CTRL+C. Now, we launch Masscan GUI, paste the ranges, set the parameters as shown in the screenshot, and click on SCAN. After the console opens and closes, we go to the folder with VNC brute and launch it. Before each new scan, we should clear the Masscan folder of text files. We then go to the IP list tab, drag the IP file into the IP window, insert the passwords (popular ones are in the text file password), set the threads to no more than 500, and set the port we scanned. We click on start, and the brute-forcing process begins. When it's done, all the "goods" will be in the Brute folder. We copy them, launch the software again, go to Checker, paste the VNC we found, set the threads to 50, and the timeout to 5. We can also check other parameters if desired. We then check the Check folder for screenshots of the dedicates we found. Once we find an interesting VNC, we should connect to it. If we hacked a VNC dedicated server running Windows, we can turn it into RDP and use it for our purposes, but hosting bots is not safe. We can set a checker for a public database instead.
Now for the second method, it is based on software. I recommend running them on a dedicated server/virtual machine. So, first we need to download the following software:
Port scanner (any will do, but I use Masscan).
DOWNLOAD: https://mega.nz/file/0GlAUQ4D#gLhSrYr-ukzGqaUOej-lNfuIQsn0xk_QhENeQ1DrJLg ↗ (PASSWORD 12345)
VT: https://www.virustotal.com/gui/file...732a4c5f114ba624231a72497d77f34a95a/detection ↗
VNC BRUTE BY Z668 - software for VNC brute force attacks.
Download: https://mega.nz/file/8SNyybRD#Nl_sM6bv9Vl7-V_KTFQbTrltJqs6j3klkTo-zdu_07U ↗ (PASSWORD 12345)
VT: https://www.virustotal.com/gui/file/2da207373e0de780d7e89d478cb76b16bca1c934c37c0a5a030821b13c020716 ↗
After successfully downloading the software, unpack it. Now, go to https://www.ipdeny.com/ipblocks/ ↗ and choose the country you want to brute force. Let's say it's Afghanistan. Click the download button. An HTML file with the ranges for the selected country will open. Press CTRL+A and CTRL+C to copy the ranges.
Now, run Masscan GUI, paste the ranges, set the parameters as shown in the screenshot, and click SCAN (you can write not 5900-5906, but just 5900 or 5901, i.e any port from 5900 to 5906). A console will open, and once it closes (if you don't want to wait for the scanning to finish, just click stop), click here:
Files with port numbers will be created. Now, go to the VNC brute folder and run it. By the way, before each new scan, remember to clear the Masscan folder from the text files.
Enter VNC brute, go to the "brute by IP list" tab, drag the IP file into the IP window. Paste the passwords (I left the most popular ones in the password text file, but you can add your own brute force dictionaries). I recommend setting the threads to no more than 500, otherwise the software will hang. Set the port to the one we scanned (the name of the text file you dragged into the IP tab). Click Start.
As we can see, the brute force process has started, and 2 "goods" have already been found. Once the brute force is complete, all the "goods" will be in the Brute folder. Copy them, run the software again, go to Checker, paste our VNCs, set the threads to 50, timeout to 5. Optionally, check the other parameters. This way, we have filtered out the invalid ones, and in the Check folder, we now have screenshots of our dedicated servers. We can browse them and look for interesting ones. There are many things to find, from regular PCs to airport camera control panels. Once we even found a streamer's anal vibrator (you can check the threads).
Now that we have found an interesting VNC, we need to connect to it. If you hacked a VNC dedicated server running on Windows, you can turn it into an RDP (i.e. a regular dedicated server with its hidden account and use it for your purposes). Hosting bots is certainly not safe, but setting up a checker with a public database is feasible.
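Seen from the server side, the scan-then-brute-force sequence described above leaves a recognisable trail: one source touching several ports in 5900-5906, a burst of failed logins, and sometimes a success right after. The following is an added example, not part of the original post, that detects those three patterns; the log format, thresholds and addresses are constructed assumptions and do not correspond to any particular VNC server's log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

VNC_PORTS = range(5900, 5907)      # the 5900-5906 range named in the text
WINDOW = timedelta(seconds=60)     # assumed tuning values, adjust per site
FAIL_THRESHOLD = 5
SWEEP_PORTS = 3

def parse(line):
    """Split one constructed 'timestamp key=value ...' log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], int(kv["dport"]), kv["event"]

def detect(lines):
    """Return {source IP: sorted findings} for VNC-port activity."""
    fails = defaultdict(deque)     # src -> recent auth_fail timestamps
    ports = defaultdict(set)       # src -> distinct VNC ports touched
    alerts = defaultdict(set)
    for line in lines:
        ts, src, dport, event = parse(line)
        if dport not in VNC_PORTS:
            continue
        ports[src].add(dport)
        if len(ports[src]) >= SWEEP_PORTS:
            alerts[src].add("port-sweep")
        if event == "auth_fail":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts[src].add("brute-force")
        elif event == "auth_ok" and "brute-force" in alerts[src]:
            alerts[src].add("login-after-brute-force")
    return {src: sorted(found) for src, found in alerts.items() if found}

# Constructed log lines using documentation address ranges.
SAMPLE_LOG = (
    ["2024-05-01T10:00:%02d src=203.0.113.7 dport=5900 event=auth_fail" % s
     for s in range(0, 10, 2)]
    + ["2024-05-01T10:00:10 src=203.0.113.7 dport=5900 event=auth_ok"]
    + ["2024-05-01T10:01:00 src=198.51.100.20 dport=%d event=connect" % p
       for p in (5900, 5901, 5902)]
    + ["2024-05-01T10:02:00 src=192.0.2.10 dport=5901 event=auth_fail",
       "2024-05-01T10:02:05 src=192.0.2.10 dport=5901 event=auth_ok"]
)
```

A `login-after-brute-force` finding is the one to treat as an incident: rotate the password, review the session, and move the service behind a VPN or SSH tunnel.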