
VNC password decoder

Open Fryyyyy opened this issue 2 years ago • 5 comments

A new analyser to use https://github.com/jeroennijhof/vncpwd to decode weak passwords, a seen cause of compromise

Fryyyyy avatar Nov 09 '22 03:11 Fryyyyy

Looks like it's a pretty trivial implementation outside of the DES code. Rather than adding a new dependency that hasn't been updated in a while, I wonder if we could easily reproduce this with pycrypto or something.

aarontp avatar Dec 14 '22 07:12 aarontp

Working on this.

goldenkirbi avatar Sep 09 '23 19:09 goldenkirbi

@goldenkirbi are you still working on this?

hacktobeer avatar Oct 20 '23 07:10 hacktobeer

> @goldenkirbi are you still working on this?

Yes. Currently, I have a working implementation for decrypting VNC passwords stored in known locations in the Windows registry.

I still have to look into how to process Linux ~/.vnc/passwd

goldenkirbi avatar Oct 20 '23 08:10 goldenkirbi

Super, thanks. What maybe could help is adding the VNC password locations to the Digital Forensic artifact repository and using that in the Turbinia fileextraction task to get them. See below for an example of how we do that for Tomcat files.

Tomcat artifacts defined -> https://github.com/ForensicArtifacts/artifacts/blob/main/data/tomcat.yaml#L75

Turbinia Tomcat Job with artifact extraction task -> https://github.com/google/turbinia/blob/5e3f2914d4cfc307d6c9e015679b727a4f9b4d1a/turbinia/jobs/tomcat.py#L54

Turbinia Tomcat analysis task -> https://github.com/google/turbinia/blob/5e3f2914d4cfc307d6c9e015679b727a4f9b4d1a/turbinia/workers/tomcat.py#L29

hacktobeer avatar Oct 20 '23 08:10 hacktobeer