VNC and DES



We have a basic info/auditing tool made in AutoIt to grab various bits and pieces from workstation systems, and we are looking into decrypting the VNC password and including it in the tool as well.

Doing some research, the password is stored using DES with a specific key. I've tried decrypting using SkinnyWhiteGuys' DES script with the fixed key VNC uses, however I'm having trouble working out how to pass VNC's key to the DES function.

I know the key is: 23,82,107,6,35,78,88,7

What I don't know is what format it's expected to be in for the function.

I've tried converting this key into hexadecimal and binary values, but the encryption fails every time. There's not much point pasting my code, it's just a messagebox using the DES function above. Encrypted password is stored in a variable using: RegRead("HKCU\Software\Orl\WinVNC3\Default", "Password"), likewise, encrypting a known password using the key (in various formats) does not match the binary value stored in the registry.

Any assistance would be most appreciated.

Thanks

Steve


I even made a tool decrypting VNC passwords in AutoIt from local and remote workstations. For remote it uses psexec.exe. You have to know the administrator's password to get access to the remote VNC password.

But I don't know if I should upload it here. :mellow:

Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the Universe
trying to produce bigger and better idiots.
So far, the Universe is winning.


You don't know how to translate that "key" to a usable form. How did you derive it? This is just a guess at how it might be transformed into usable form:

#include <GUIConstantsEx.au3>
#include <EditConstants.au3>
#include <WindowsConstants.au3>
#include <Crypt.au3>
#include <WinAPI.au3>

; Example of realtime DES encryption

GUICreate("Realtime Encrypting", 400, 450, -1)
Global $hInputEdit = GUICtrlCreateEdit("", 0, 0, 400, 150, $ES_WANTRETURN)
Global $hOutputEdit = GUICtrlCreateEdit("", 0, 150, 400, 150, $ES_READONLY)
Global $hDecryptEdit = GUICtrlCreateEdit("", 0, 300, 400, 150, $ES_READONLY)
GUIRegisterMsg($WM_COMMAND, "WM_COMMAND")
GUISetState(@SW_SHOW)

; To optimize performance we start the library and create a key
_Crypt_Startup()

Global $sKey = "12,23,34,45,56,67,78,89"
Global $aKey = StringSplit($sKey, ",")
Global $sDevivedKey = "0x"
For $n = 1 To $aKey[0]
    $sDevivedKey &= Hex(Int($aKey[$n]), 2)
Next
Global $binDerivedKey = Binary($sDevivedKey)
Global $hKey = _Crypt_DeriveKey($binDerivedKey, $CALG_DES)

Do
    Local $msg = GUIGetMsg()
Until $msg = $GUI_EVENT_close

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()

Func WM_COMMAND($hWinHandle, $iMsg, $wParam, $lParam)
    #forceref $hWinHandle, $iMsg, $lParam
    ; If something was changed in the input editbox
    If _WinAPI_HiWord($wParam) = $EN_CHANGE And _WinAPI_LoWord($wParam) = $hInputEdit Then
        Local $bEncrypted = _Crypt_EncryptData(GUICtrlRead($hInputEdit), $hKey, $CALG_DES)
        GUICtrlSetData($hOutputEdit, $bEncrypted)
        Local $sDecrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_DES))
        GUICtrlSetData($hDecryptEdit, $sDecrypted)
    EndIf
EndFunc   ;==>WM_COMMAND

:mellow:

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Many thanks for the responses, the application is intended for use on an internal network by staff that already have domain admin access, just saves either resetting the VNC password or using an app like VNCon to decrypt the password from the registry.

The "key" was obtained just by searching Google for VNC's fixed decryption key, here is a link to an application in C that also lists it: http://www.jonaspiela.com/files/2011/02/vncdec.c

I just don't know how to convert from an "unsigned char" to something AutoIT can use.

@PsaltyDS - your script looks nice, unfortunately the encrypted version does not match. An example of what I'm looking for would be:

Password - Passw0rd

Encrypted - 0xfacbcf50c3bf1c08
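
Added example, not part of the original posts: the key conversion the question above is asking about. VNC's modified DES key schedule reads each key byte least-significant bit first, so a standard DES routine needs the listed key with the bits of every byte mirrored. The function names are illustrative; the key and password are the ones quoted in this thread.

```python
# Added example: put VNC's fixed key and a password into the form a
# standard DES routine expects. Function names are illustrative.

VNC_KEY_DECIMAL = "23,82,107,6,35,78,88,7"   # fixed key as listed in the thread


def parse_decimal_key(text):
    """Turn the comma-separated decimal list into 8 raw key bytes."""
    key = bytes(int(part) for part in text.split(","))
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes")
    return key


def reverse_bits(byte):
    """Mirror the 8 bits of one byte (bit 0 <-> bit 7, bit 1 <-> bit 6, ...)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out


def vnc_key_for_standard_des(vnc_key):
    """VNC's key schedule consumes each key byte LSB first; a standard DES
    implementation consumes it MSB first, so every byte must be mirrored."""
    return bytes(reverse_bits(b) for b in vnc_key)


def vnc_password_block(password):
    """VNC encrypts a single 8-byte block: the password truncated to
    8 characters and padded with NUL bytes, with no other padding scheme."""
    return password.encode("latin-1")[:8].ljust(8, b"\0")


if __name__ == "__main__":
    raw = parse_decimal_key(VNC_KEY_DECIMAL)
    print("key as listed        :", raw.hex())
    print("key for standard DES :", vnc_key_for_standard_des(raw).hex())
    print("plaintext block      :", vnc_password_block("Passw0rd").hex())
```

Encrypting the prepared block with the mirrored key in single-block (ECB) DES is what VNC's own routine does. AutoIt's _Crypt_DeriveKey hashes whatever it is given before deriving a key, so key bytes passed to it are not used as the DES key directly.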


Here is what you need: http://funkey.square7.ch/AutoIt/VNC-Password-Catcher.rar


  • 10 months later...

I'm searching for AutoIt DES (VNC) routines for creating an unattended install of VNC with a random password.

Does this archive contain something like this?

Unfortunately the rar-archive isn't available anymore. Can you re-upload it?

Many thanks!

muxmax
