Nmap realvnc-auth-bypass NSE Script
This page contains detailed information about how to use the realvnc-auth-bypass NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/realvnc-auth-bypass.nse
Script categories: auth, safe, vuln
Target service / protocol: vnc
Target network port(s): 5900, 5901, 5902
List of CVEs: CVE-2006-2369
Script Description
The realvnc-auth-bypass.nse script checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
Realvnc-auth-bypass NSE Script Arguments
This is a full list of arguments supported by the realvnc-auth-bypass.nse script:
vulns.short
If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.
vulns.showall
If set, the library will show and report all the registered vulnerabilities, including the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions: vulns.Report.make_output(), the default output function for portrule/hostrule scripts; vulns.make_output(), the default output function for postrule scripts; and the vulns.format_vuln() and vulns.format_vuln_table() functions.
- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=realvnc-auth-bypass --script-args vulns.short=value,vulns.showall=value <target>
Realvnc-auth-bypass NSE Script Example Usage
Here's an example of how to use the realvnc-auth-bypass.nse script:
nmap --script=realvnc-auth-bypass <target>
Realvnc-auth-bypass NSE Script Example Output
Here's a sample output from the realvnc-auth-bypass.nse script:
PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.8)
| realvnc-auth-bypass:
|   VULNERABLE:
|   RealVNC 4.1.0 - 4.1.1 Authentication Bypass
|     State: VULNERABLE
|     IDs:  CVE:CVE-2006-2369
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|       RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
|       Cisco CallManager, allows remote attackers to bypass authentication via a
|       request in which the client specifies an insecure security type such as
|       "Type 1 - None", which is accepted even if it is not offered by the server.
|     Disclosure date: 2006-05-08
|     References:
|       http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369
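The advisory text in the output above says the server accepted a security type it had not offered. The sketch below is an added example, not code from Nmap or RealVNC: a simplified model of the server side of the RFB 3.8 security-type exchange, showing the unchecked selection beside the hardened check. The function names, the offered-type policy and the client reply bytes are constructed for illustration.

```python
import io

SEC_NONE = 1               # RFB security type 1: no authentication
SEC_VNC_AUTH = 2           # RFB security type 2: VNC challenge-response
OFFERED = (SEC_VNC_AUTH,)  # assumed server policy: password auth only


def security_offer(offered=OFFERED):
    """Server -> client in RFB 3.8: a count byte, then one byte per type."""
    return bytes([len(offered), *offered])


def select_unchecked(inp):
    """Flawed pattern: the client's one-byte choice is trusted as sent."""
    return inp.read(1)[0]


def select_checked(inp, offered=OFFERED):
    """Hardened pattern: the choice must be one of the types just offered."""
    reply = inp.read(1)
    if len(reply) != 1:
        raise ConnectionError("client closed before selecting a security type")
    if reply[0] not in offered:
        raise PermissionError(f"security type {reply[0]} was not offered")
    return reply[0]


def handle_selection(reply, checked):
    """Model the server's next step for a constructed client reply."""
    inp = io.BytesIO(reply)
    try:
        chosen = select_checked(inp) if checked else select_unchecked(inp)
    except (PermissionError, ConnectionError) as exc:
        return f"rejected: {exc}"
    if chosen == SEC_NONE:
        return "session opened without password"
    if chosen == SEC_VNC_AUTH:
        return "password challenge sent"
    return "rejected: unsupported security type"


if __name__ == "__main__":
    print("offer:", security_offer().hex())
    for reply in (b"\x02", b"\x01"):  # constructed client replies
        for checked in (False, True):
            mode = "checked" if checked else "unchecked"
            print(reply.hex(), mode, "->", handle_selection(reply, checked))
```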
Realvnc-auth-bypass NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it in the file.xml file.
Author
- Brandon Enright
References
- https://nmap.org/nsedoc/scripts/realvnc-auth-bypass.html
- https://github.com/nmap/nmap/tree/master/scripts/realvnc-auth-bypass.nse
- http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2369
See Also
Visit Nmap NSE Library for more scripts.
Version
This page has been created based on Nmap version 7.92.