From ea133331d18fdfeddb767deda4acc1caa1696d5d Mon Sep 17 00:00:00 2001
From: "runonceex@gmail.com" <122456175@qq.com>
Date: Tue, 3 Dec 2024 23:11:36 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0vnc=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E6=9C=AA=E6=8E=88=E6=9D=83=E6=89=AB=E6=8F=8F=E5=92=8C=E7=88=86?= =?UTF-8?q?=E7=A0=B4=EF=BC=8C=E4=BF=AE=E5=A4=8Dgo-vnc=20bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Plugins/base.go | 1 +
 Plugins/vnc.go | 86 ++++++++++++++++++++++++++++++++++++++++++++++++
 common/config.go | 2 ++
 go.mod | 1 +
 go.sum | 2 ++
 5 files changed, 92 insertions(+)
 create mode 100644 Plugins/vnc.go
diff --git a/Plugins/base.go b/Plugins/base.go
index 36a206c..1aa9c07 100644
--- a/Plugins/base.go
+++ b/Plugins/base.go
@@ -19,6 +19,7 @@ var PluginList = map[string]interface{}{
 "3306": MysqlScan,
 "3389": RdpScan,
 "5432": PostgresScan,
+ "5900": VncScan,
 "6379": RedisScan,
 "9000": FcgiScan,
 "11211": MemcachedScan,
diff --git a/Plugins/vnc.go b/Plugins/vnc.go
new file mode 100644
index 0000000..b34bd4c
--- /dev/null
+++ b/Plugins/vnc.go
@@ -0,0 +1,86 @@
+package Plugins
+
+import (
+ "fmt"
+ "github.com/Run0nceEx/go-vnc"
+ "github.com/shadow1ng/fscan/common"
+ "net"
+ "time"
+)
+
+// VncScan 扫描 VNC 服务
+func VncScan(info *common.HostInfo) (flag bool, err error) {
+ if common.IsBrute {
+ return false, nil
+ }
+
+ flag = false
+ Host, Port := info.Host, info.Ports
+ addr := fmt.Sprintf("%s:%s", Host, Port)
+
+ // 建立 TCP 连接
+ conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
+ //设置连接超时防止过长等待
+ err = conn.SetDeadline(time.Now().Add(5 * time.Second))
+ if err != nil {
+ return false, fmt.Errorf("无法连接到 %v: %v", addr, err)
+ }
+ defer conn.Close()
+
+ // 无认证测试
+ config := &vnc.ClientConfig{
+ Auth: []vnc.ClientAuth{
+ new(vnc.ClientAuthNone),
+ },
+ }
+
+ client, err := vnc.Client(conn, config)
+
+ if err == nil {
+ // 无需认证即可访问
+ result := fmt.Sprintf("[+] VNC unauthenticated access successful: %v:%v", Host, Port)
+ common.LogSuccess(result)
+ defer client.Close()
+ return true, nil
+ }
+
+ // 如果无认证失败,进行密码爆破
+ for _, pass := range common.Passwords {
+ conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
+ if err != nil {
+ continue // 如果无法重连,跳过此密码
+ }
+ defer conn.Close()
+
+ config := &vnc.ClientConfig{
+ Auth: []vnc.ClientAuth{
+ &vnc.PasswordAuth{
+ Password: pass,
+ },
+ },
+ }
+
+ client, err := vnc.Client(conn, config)
+
+ if err == nil {
+ // 密码验证成功
+ result := fmt.Sprintf("[+] VNC password verification successful: %v:%v, password: %v", Host, Port, pass)
+ common.LogSuccess(result)
+ err := client.Close()
+ if err != nil {
+ return false, err
+ }
+ return true, nil
+ } else {
+ if "security handshake failed: Either the username was not recognised, or the password was incorrect" != err.Error() {
+ err := client.Close()
+ if err != nil {
+ return false, err
+ }
+ }
+ }
+ }
+
+ // 如果无认证和密码爆破都失败
+ return false, nil
+}
diff --git a/common/config.go b/common/config.go
index de43265..9c9da7e 100644
--- a/common/config.go
+++ b/common/config.go
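Review bot: The dial error from `conn, err := net.DialTimeout("tcp", addr, 3*time.Second)` is never checked — the very next line calls `conn.SetDeadline` on the possibly-nil `conn` and overwrites `err`, so an unreachable or filtered host makes VncScan panic instead of returning the "无法连接到" error that follows; the check must precede the deadline call and the `defer conn.Close()` must only run after a successful dial (rewrite below). In the password loop, `defer conn.Close()` inside `for _, pass := range common.Passwords` keeps every per-attempt socket open until VncScan returns, so a long password list grows file descriptors for the life of the call — close the connection at the end of the iteration or move the loop body into a helper so the defer fires per attempt. The `client.Close()` in the `else` branch most likely runs on a nil `*ClientConn` if this go-vnc fork keeps upstream's behaviour of returning `nil, err` from `vnc.Client`; guard it with `if client != nil { ... }`. Comparing `err.Error()` against a full English sentence to recognise a wrong password is fragile across library versions, and the import of `github.com/Run0nceEx/go-vnc` pins a personal fork (the commit message says it fixes a go-vnc bug), so a one-line comment on that import naming the upstream problem it works around would tell the next maintainer when the fork can be dropped.
```go
// 建立 TCP 连接
conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
if err != nil {
	return false, fmt.Errorf("无法连接到 %v: %v", addr, err)
}
defer conn.Close()
//设置连接超时防止过长等待
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
	return false, fmt.Errorf("无法设置 %v 的超时: %v", addr, err)
}
// … unchanged: unauthenticated probe and password loop …
```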
@@ -25,6 +25,7 @@ var PORTList = map[string]int{
 "mysql": 3306,
 "rdp": 3389,
 "psql": 5432,
+ "vnc": 5900,
 "redis": 6379,
 "fcgi": 9000,
 "mem": 11211,
@@ -52,6 +53,7 @@ var PortGroup = map[string]string{
 "mysql": "3306",
 "rdp": "3389",
 "psql": "5432",
+ "vnc": "5900",
 "redis": "6379",
 "fcgi": "9000",
 "mem": "11211",
diff --git a/go.mod b/go.mod
index 9322059..0b9bdd7 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.19
 
 require (
 github.com/C-Sto/goWMIExec v0.0.1-deva.0.20210704154847-b8ebd6464a06
+ github.com/Run0nceEx/go-vnc v0.0.0-20241202154954-fb59a61ca735
 github.com/denisenkom/go-mssqldb v0.12.3
 github.com/fatih/color v1.7.0
 github.com/go-sql-driver/mysql v1.8.1
diff --git a/go.sum b/go.sum
index fb9a058..72284da 100644
--- a/go.sum
+++ b/go.sum
@@ -20,6 +20,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/Run0nceEx/go-vnc v0.0.0-20241202154954-fb59a61ca735 h1:NlON1hW+R8xLUukzWMVbfYhuMLEnFzGHujOF/eY1U+Q=
+github.com/Run0nceEx/go-vnc v0.0.0-20241202154954-fb59a61ca735/go.mod h1:ADwAYIJnQSfPRASouAkAOBd7oSV7hfkbCVs2gexegQo=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=