RealVNC is a widely used program and is pretty secure against remote attacks as long as a strong password is set. But it's only as secure as the computer it's on.

Its password is stored locally and is very easily cracked.

To illustrate this I used a program called x4, which is made specifically for decoding VNC passwords.

After I set the password to "my_pass" (so I can put back my real password when I'm finished), I retrieve it from the registry, where it is stored in hexadecimal format:

HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default

password b8 1e ac 6a ed f4 36 30

After starting the program using the -W flag for 'windows interactive', each pair of characters gets entered one at a time until all eight are entered:

C:\Pwd>x4 -W
b8
1e
ac
6a
ed
f4
36
30
Entered HEX String: b8 1e ac 6a ed f4 36 30
VNC Password: my_pass

C:\Pwd>

The decrypted password immediately appears.

Do not use VNC on a computer that people you shouldn't trust have access to, and change the password often. Also keep in mind that the registry is accessible to anyone who gains a remote shell on your computer, so keep it patched and firewalled. In earlier versions VNC was vulnerable to session hijacking, and although that's been fixed, a weak password can still be brute-forced.
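
Since the stored value is readable by anyone the key's ACL allows, it is worth checking who that actually is. The PowerShell below is an added example, not part of the original post: it audits the key shown above and lists every account, other than SYSTEM and Administrators, that is allowed to read its values. The trusted list and the read-rights mask are assumptions of this example.

```powershell
# Added example: audit who can read the stored VNC password value.
$KeyPath   = 'HKLM:\SOFTWARE\ORL\WinVNC3\Default'   # key path from the article
$ValueName = 'password'                             # value name as shown in the article

# Assumption: only these principals should be able to read the key.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Rights bits that permit reading a value:
# KEY_QUERY_VALUE (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
# Some ACLs carry generic rights instead of the named RegistryRights flags.
$ReadMask = 0x0001 -bor 0x10000000 -bor 0x80000000

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not found: $KeyPath (no stored password at this location)"
    return
}

if ((Get-Item -Path $KeyPath).GetValueNames() -notcontains $ValueName) {
    Write-Output "No '$ValueName' value under $KeyPath; auditing the key ACL anyway"
}

# Ask for the rules with identities as SIDs so the comparison is locale-independent.
$acl     = Get-Acl -Path $KeyPath
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.RegistryRights -band $ReadMask) -eq 0) { continue }
    $sid = $rule.IdentityReference.Value
    if ($TrustedSids -contains $sid) { continue }

    # Resolve a friendly name for the report; keep the SID if it cannot be resolved.
    $name = try {
        $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }

    [pscustomobject]@{
        Identity  = $name
        Sid       = $sid
        Rights    = $rule.RegistryRights
        Inherited = $rule.IsInherited
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "Only SYSTEM and Administrators can read $KeyPath" }
```

Any row in the output is an account that can retrieve the stored value without being an administrator; tightening the key's ACL does not protect against someone who already has administrative access.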