Results 1 to 6 of 6

Thread: VNC security

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    VNC security

    I realise quite a lot of people use VNC, quite often on internet-connected systems.

    1. Is there any theoretical barrier to a VNC password being brute-forced reasonably easily / quickly?

    2. Is there any logging in VNC servers for incorrect passwords.

    3. Does the IP of connections get logged?

    It strikes me that although VNC uses a (fairly) strong password authentication scheme itself, there are no mechanisms to prevent brute-forcing.

    Also as VNC has no usernames, forcing VNC passwords only is required, as there is not a username required.

    If these things are true, should we not petition [i.e. make] for a stronger version of VNC?

    PS: Don't flame me for putting this in *NIX, I realise VNC works on non-UNIX systems too, but there isn't a "Platform independent security discussions" forum.

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    vnc wasnt designed for an environment where high security is an issue. it was originally made by the people at bell labs for use amoung them selves on their own network. it worked wel an they decided to share it.
    their is a brute force tool made just for those who are foolis enough to use vnc in an untrusted environment
    ive heard you can use vnc in conjunction with ssh although i havn't had cause to find out more about this.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    vnc with ssh... yup: (http://www.uk.research.att.com/vnc/sshvnc.html)
    Basically, you setup your vnc server to bind to localhost, then setup your ssh client to tunnel the vnc port to the remote host...

    This pretty much gives you all the advantages of ssh security while enjoying your vnc gui...

    Ammo

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Ok, so the thing to do is to run vnc binding only to localhost, then ssh in and tunnel the ports.

    What about Windows Users?

    Many sysadmins of NT4 etc use VNC as an alternative to the many commercial remote control products (notably PCAnywhere) - this isn't as much of an issue with Win2k as win2k server ships with terminal server which is quite effective.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    if a company can afford the licensing for NT they afford a license for pcAnywhre. if they try to get away cheap, what happens after that is nobodys fault but their own. i use vnc behind a firewall and pcanywhere listening on a modem to call in from home.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Slarty, you just beat me to the punch. Last week, as a result of pure boredom, I started experimenting a bit with vnc (in particular the latest build available for win32 platforms, 3.3.3r9). Since I didn't complete anything yet, I didn't share anything - but I'm planning to do so in the near future. For now, this is what I found as an answer on your questions:

    Is there any theoretical barrier to a VNC password being brute-forced reasonably easily / quickly?
    I've been coding in an attempt to do just this, but so far I'm only able to try one password in about 10 seconds - this is probably just because I'm a lousy programmer, but I did find an security message saying 'too many succesive tries.' I'm getting another messege, however, so I don't yet know if the restriction is actually in the program.

    Is there any logging in VNC servers for incorrect passwords. / Does the IP of connections get logged?
    No, there's no logging whatsoever.

    It strikes me that although VNC uses a (fairly) strong password authentication scheme itself (...)
    Partially true. The old RFB-protocol that VNC uses does use a DES-like encryption, but it is limited to 8 character password. All characters after the 8th are not used. This means that if you set the password "thisisaverylongpassword", you can use just "thisisav" to connect to the server.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •