The document discusses vulnerabilities in VNC implementations that allow unauthenticated access. It notes that a scan of the internet found over 335,000 VNC servers, with around 8,000 having no authentication. This lack of authentication allows attackers to access and "pivot" into internal networks. The document provides statistics on different VNC protocol versions found and describes exploits that could allow compromising devices to access additional internal systems through insecure VNC implementations and proxies.

1. Stargate: pivoting through VNC to own
internal networks
By Yonathan Klijnsma & Dan Tentler

2. Stargate: pivoting through VNC to own internal networks 2
@ydklijnsma
Yonathan Klijnsma
Shodan professional, VNC voyeur,
watches attackers and contemplates
their motives.
@Viss
Dan Tentler
Dark overlord of Shodan, VNC voyeur,
security guy with a security company.

3. Stargate: pivoting through VNC to own internal networks
3
Shit on the internet is getting pretty bad….
3
Welcome to the internet - we shall be your guides

4. Stargate: pivoting through VNC to own internal networks
4
Does it get better?
4

5. Stargate: pivoting through VNC to own internal networks
5
No..
5

6. Stargate: pivoting through VNC to own internal networks
6
No…. no really
6

7. Stargate: pivoting through VNC to own internal networks
7
Its currently even worse…
7

8. Stargate: pivoting through VNC to own internal networks
8
It doesn’t seem to get better…
8

9. Stargate: pivoting through VNC to own internal networks
9
Security Camera “IoT”
9

10. Stargate: pivoting through VNC to own internal networks
10
Internet of Things Conference
10

11. Stargate: pivoting through VNC to own internal networks
11
Internet of Things Conference
11

12. Stargate: pivoting through VNC to own internal networks
12
Internet of Things Conference
12

13. Stargate: pivoting through VNC to own internal networks
13
Everything is being invented again
13

14. Stargate: pivoting through VNC to own internal networks
14
Everything is being invented again
14
- They have Wifi
- They have telnet
- Nobody added authentication
- There is actually a CVE for not having authentication
- WHAT.

15. Stargate: pivoting through VNC to own internal networks
15
They aren’t getting it, hackers are having fun.
15

16. Stargate: pivoting through VNC to own internal networks
16
Besides ancient industrial devices we see new ‘toys’
16

17. Stargate: pivoting through VNC to own internal networks
17
Besides ancient industrial devices we see new ‘toys’
17

18. Stargate: pivoting through VNC to own internal networks
18
Besides ancient industrial devices we see new ‘toys’
18

19. Stargate: pivoting through VNC to own internal networks
19
German 'Sonnenbatterie' solar-cell power storage systems
19

20. Stargate: pivoting through VNC to own internal networks
20
Boats…
20

21. Stargate: pivoting through VNC to own internal networks
21
We can find criminals(!?) on VNC….
21

22. Stargate: pivoting through VNC to own internal networks
22
Maldives fishes! :D
22

23. Stargate: pivoting through VNC to own internal networks
23
Cardiac imaging on Shodan….
23

24. Stargate: pivoting through VNC to own internal networks
24
Fingerprints….
24

25. Stargate: pivoting through VNC to own internal networks
25
Swatting 2.0….
25

26. Stargate: pivoting through VNC to own internal networks
26
Medical devices
26

27. Stargate: pivoting through VNC to own internal networks
27
Lets look at some statistics for VNC
27
Decided to scan the globe (with some Shodan help) for the RFB protocol
header. It came back with 335K~ results, of those there are 8K~ which use
no authentication.

28. Stargate: pivoting through VNC to own internal networks
28
Lets look at some statistics for VNC
28
RFB 002.000
RFB 003.002
RFB 003.003
RFB 003.004
RFB 003.005
RFB 003.006
RFB 003.007
RFB 003.008
RFB 003.010
RFB 003.016
RFB 003.033
RFB 003.039
RFB 003.043
RFB 003.130
RFB 003.236
RFB 003.889
RFB 004.000
RFB 004.001
RFB 005.000
RFB 009.123
RFB 009.221
RFB 009.963
RFB 103.006
0 40000 80000 120000 160000
These should not exist?!

29. Stargate: pivoting through VNC to own internal networks
29
Lets look at some statistics for VNC
29
RFB 002.000
RFB 003.002
RFB 003.003
RFB 003.004
RFB 003.005
RFB 003.006
RFB 003.007
RFB 003.008
RFB 003.010
RFB 003.016
RFB 003.033
RFB 003.039
RFB 003.043
RFB 003.130
RFB 003.236
RFB 003.889
RFB 004.000
RFB 004.001
RFB 005.000
RFB 009.123
RFB 009.221
RFB 009.963
RFB 103.006
0 40000 80000 120000 160000
Apple remote desktop
RealVNC Personal
RealVNC Enterprise
?

30. Stargate: pivoting through VNC to own internal networks
30
Lets look at some statistics for VNC
30
RFB 002.000
RFB 003.002
RFB 003.003
RFB 003.004
RFB 003.005
RFB 003.006
RFB 003.007
RFB 003.008
RFB 003.010
RFB 003.016
RFB 003.033
RFB 003.039
RFB 003.043
RFB 003.130
RFB 003.236
RFB 003.889
RFB 004.000
RFB 004.001
RFB 005.000
RFB 009.123
RFB 009.221
RFB 009.963
RFB 103.006
0 40000 80000 120000 160000
Something else was responding with “RFB 000.000”
3.5K somethings named ‘RealVNC repeaters’.

31. Stargate: pivoting through VNC to own internal networks 31

32. Stargate: pivoting through VNC to own internal networks 32

33. Stargate: pivoting through VNC to own internal networks 33

34. Stargate: pivoting through VNC to own internal networks 34

35. Stargate: pivoting through VNC to own internal networks 35

36. Stargate: pivoting through VNC to own internal networks 36

37. Stargate: pivoting through VNC to own internal networks 37

38. Stargate: pivoting through VNC to own internal networks 38

39. Stargate: pivoting through VNC to own internal networks 39

40. Stargate: pivoting through VNC to own internal networks 40

41. Stargate: pivoting through VNC to own internal networks 41

42. Stargate: pivoting through VNC to own internal networks 42

43. Stargate: pivoting through VNC to own internal networks 43

44. Stargate: pivoting through VNC to own internal networks 44

45. Stargate: pivoting through VNC to own internal networks 45

46. Stargate: pivoting through VNC to own internal networks 46

47. Stargate: pivoting through VNC to own internal networks 47

48. Stargate: pivoting through VNC to own internal networks 48

49. Stargate: pivoting through VNC to own internal networks 49

50. Stargate: pivoting through VNC to own internal networks 50

51. Stargate: pivoting through VNC to own internal networks
51
Talked to vendor
51
• Fixed port wrapping
• Will not enforceVNC because own product will stop working
• Will enforce whitelisting instead of blacklisting (I think)
Product will stay as it is, a plain TCP proxy without inspection.

52. Stargate: pivoting through VNC to own internal networks
52
I see your black/white listing but I don’t like it
52
curl "http://localhost/testaction.cgi?
mode2=mode2&server_port=5901&viewer_port=5500&allow_on=all
ow_on&allow_con=&refuse_con=&id_con=&web_port=80&hidden=
" -H "Authorization: BasicYWRtaW46YWRtaW5hZG1pMg=="

53. Stargate: pivoting through VNC to own internal networks
53
Do not run this.
53
We call this ‘vulnerability’ stargate, you never know where you end
up :)
It's an open proxy, and can be used to pivot into environments.

54. Stargate: pivoting through VNC to own internal networks
54
Have fun!
54
Here are our (horrible) Python scripts, use at own caution and always:
don’t abuse it (too much):
https://www.github.com/0x3a/stargate/
And if you manage to use this in a pentest please tell us the war-stories :D

55. Stargate: pivoting through VNC to own internal networks 553