KFSensor

 

Edit Sim Std Server - VNC

Use the Edit Sim Std Server - VNC dialog box to add or edit a VNC definition.

You will find a description of what are Sim Std Servers here.

VNC stands for Virtual Network Computing. It is a cross platform remote control application.
A VNC server allows people with the VNC client to take control of the server's mouse and keyboard and view the servers screen.
If a hacker can find an unprotected VNC server they can gain complete control of the server.

This Sim Std Server allows the visitor to attempt to log on but always rejects their password.

You can find out more about VNC at this web site: http://www.realvnc.com/

Title

  • Name
    Each Sim Std Server requires a unique name, which is used to identify it.
  • Description
    A piece of text for notes on what the Sim Std Server aims to support
  • Default Port
    Most services have standard ports on which visitors expect to find them.
    The default port for VNC is 5900.
    This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on any or many different ports.
  • Severity
    The severity level that events generated by this Sim Std Server will be given. This can be overridden as part of the Listen configuration.

Options

These settings control how this Sim Std Server responds to a visitor.
  • Time out
    The time in seconds that the KFSensor server allows the session to continue for before closing the connection.
  • Idle Time out
    The time in seconds that the KFSensor server will wait for traffic on a connection before closing the connection.
  • Session Limit
    The maximum number of bytes that will be accepted from the visitor before the connection is closed.
  • Version
    VNC exchanges a 7 digit version string between the server and client to ensure they are compatible.
    The current version is "003.003".

Example Attack

The following is a real life example attack on a VNC Sim Std Server.
  1. This server first sends the protocol banner containing the version.
  2. The visitor replies.
  3. The server sends a 4 byte control code asking the visitor to send the password.
  4. This is followed by a 128 bit random number.
  5. The visitor uses the random number to encrypt the password and returns it as a 128 bit encrypted code.
  6. The server then returns a 4 byte control code saying the authentication failed and then closes the connection.

As the password is encrypted with a 128 bit key it is unfortunately not possible for KFSensor to unencrypt it.

The lines that start with ">>>>" indicate a response to the visitor from the Sim Server.

>>>>RFB 003.003%0D%0A
RFB 003.003%0A
>>>>%00%00%00%02%0D%0A
>>>>)#%BE%84%E1l%D6%AER%90I%F1%F1%BB%E9%EB%0D%0A
%A715\%87%90%97Bm%A2r%1A%0C%E5!%A7%0D%0A
>>>>%00%00%00%01%0D%0A

Related Topics


KFSensor On-Line Manual Contents