Steve0 Posted August 12, 2011 (edited)

We have a basic info/auditing tool made in AutoIT to grab various bits and pieces from workstation systems, looking into decrypting the VNC password and include in the tool as well.

Doing some research, the password is stored using DES with a specific key. I've tried decrypting using SkinnyWhiteGuys' DES script ( ) with the fixed key VNC uses, however I'm having trouble working out how to pass VNC's key to the DES function.

I know the key is: 23,82,107,6,35,78,88,7

What I don't know is what format it's expected to be in for the function. I've tried converting this key into hexadecimal and binary values, but the encryption fails every time.

There's not much point pasting my code, it's just a messagebox using the DES function above. Encrypted password is stored in a variable using: RegRead("HKCU\Software\Orl\WinVNC3\Default", "Password"), likewise, encrypting a known password using the key (in various formats) does not match the binary value stored in the registry.

Any assistance would be most appreciated.

Thanks
Steve

funkey Posted August 12, 2011

I even made a tool decrypting VNC passwords in AutoIt from local and remote workstations. For remote it uses psexec.exe. You have to know the administrator's password to get access to the remote VNC password. But I don't know if I should upload it here.

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

PsaltyDS Posted August 12, 2011

You don't know how to translate that "key" to a usable form. How did you derive it? This is just a guess at how it might be transformed into usable form:

```autoit
#include <GUIConstantsEx.au3>
#include <EditConstants.au3>
#include <WindowsConstants.au3>
#include <Crypt.au3>
#include <WinAPI.au3>

; Example of realtime DES encryption
GUICreate("Realtime Encrypting", 400, 450, -1)
Global $hInputEdit = GUICtrlCreateEdit("", 0, 0, 400, 150, $ES_WANTRETURN)
Global $hOutputEdit = GUICtrlCreateEdit("", 0, 150, 400, 150, $ES_READONLY)
Global $hDecryptEdit = GUICtrlCreateEdit("", 0, 300, 400, 150, $ES_READONLY)
GUIRegisterMsg($WM_COMMAND, "WM_COMMAND")
GUISetState(@SW_SHOW)

; To optimize performance we start the library and create a key
_Crypt_Startup()
Global $sKey = "12,23,34,45,56,67,78,89"
Global $aKey = StringSplit($sKey, ",")
; Build "0x" followed by two hex digits per decimal byte in the list
Global $sDerivedKey = "0x"
For $n = 1 To $aKey[0]
    $sDerivedKey &= Hex(Int($aKey[$n]), 2)
Next
Global $binDerivedKey = Binary($sDerivedKey)
; _Crypt_DeriveKey hashes the supplied bytes (MD5 by default) to produce the DES key
Global $hKey = _Crypt_DeriveKey($binDerivedKey, $CALG_DES)

Do
    Local $msg = GUIGetMsg()
Until $msg = $GUI_EVENT_CLOSE

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()

Func WM_COMMAND($hWinHandle, $iMsg, $wParam, $lParam)
    #forceref $hWinHandle, $iMsg, $lParam
    ; If something was changed in the input editbox
    If _WinAPI_HiWord($wParam) = $EN_CHANGE And _WinAPI_LoWord($wParam) = $hInputEdit Then
        ; $CALG_USERKEY tells Crypt.au3 that $hKey is an existing key handle, not a password
        Local $bEncrypted = _Crypt_EncryptData(GUICtrlRead($hInputEdit), $hKey, $CALG_USERKEY)
        GUICtrlSetData($hOutputEdit, $bEncrypted)
        Local $sDecrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_USERKEY))
        GUICtrlSetData($hDecryptEdit, $sDecrypted)
    EndIf
EndFunc   ;==>WM_COMMAND
```

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Steve0 Posted August 15, 2011

Many thanks for the responses, the application is intended for use on an internal network by staff that already have domain admin access, just saves either resetting the VNC password or using an app like VNCon to decrypt the password from the registry.

The "key" was obtained just by searching Google for VNC's fixed decryption key, here is a link to an application in C that also lists it: http://www.jonaspiela.com/files/2011/02/vncdec.c

I just don't know how to convert from an "unsigned char" to something AutoIT can use.

@PsaltyDS - your script looks nice, unfortunately the encrypted version does not match. An example of what I'm looking for would be:

Password - Passw0rd
Encrypted - 0xfacbcf50c3bf1c08

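Added example, not part of the thread or of any poster's tool: the d3des routine shipped with VNC reads each key byte least-significant-bit first, so a conventional DES implementation needs every byte of the fixed key bit-reversed, and the password is a single 8-byte block padded with zero bytes. The function names are illustrative, Python is used only to show the byte handling, and the single 8-byte stored value is an assumption based on the example value quoted above.

```python
# Added example, not code from the thread. Names below are illustrative.
VNC_KEY_DECIMAL = "23,82,107,6,35,78,88,7"  # fixed key as quoted in the thread


def parse_key(text):
    """Turn the comma-separated decimal list into 8 raw key bytes."""
    key = bytes(int(part) for part in text.split(","))
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes")
    return key


def reverse_bits(byte):
    """Mirror the bit order of one byte (bit 0 swaps with bit 7, and so on)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out


def key_for_standard_des(text):
    """Key bytes in the order a conventional (MSB-first) DES routine expects."""
    return bytes(reverse_bits(b) for b in parse_key(text))


def password_block(password):
    """VNC encrypts one 8-byte block: truncate to 8 bytes, pad with NULs."""
    return password.encode("latin-1")[:8].ljust(8, b"\x00")


def parse_stored_value(hex_text):
    """Validate a registry value given as hex text (with or without 0x)."""
    digits = hex_text[2:] if hex_text.lower().startswith("0x") else hex_text
    blob = bytes.fromhex(digits)
    if len(blob) != 8:
        raise ValueError("expected a single 8-byte DES block")
    return blob


if __name__ == "__main__":
    print("raw key     :", parse_key(VNC_KEY_DECIMAL).hex())
    print("standard DES:", key_for_standard_des(VNC_KEY_DECIMAL).hex())
    print("plain block :", password_block("Passw0rd"))
    print("stored block:", parse_stored_value("0xfacbcf50c3bf1c08").hex())
```

Because the key is fixed and public, the registry value is equivalent to the plaintext password for anyone who can read it, so access to that key and to any audit output containing it should be restricted accordingly.
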
funkey Posted August 15, 2011 (edited)

Here is what you need: http://funkey.square7.ch/AutoIt/VNC-Password-Catcher.rar

Steve0 Posted August 16, 2011

> Here is what you need: http://funkey.square7.ch/AutoIt/VNC-Password-Catcher.rar

Simply marvelous, very much appreciated!

muxmax Posted July 12, 2012 (edited)

I'm searching for AutoIt DES (VNC) routines for creating an unattended install of VNC with a random password. Does this archive contain something like this? Unfortunately the rar archive isn't available anymore. Can you re-upload it?

Many thanks!
muxmax