VNC was not originally designed for use over insecure networks. It uses
unencrypted communication, and its password can be brute-forced in a
relatively easy manner.
However, there are ways to secure it. For example, tunnel it through SSH,
patch it to use SSL or use MindVNC.
We have an article that describes how to secure VNC:
http://www.securiteam.com/unixfocus/Securing_VNC_for_the_Internet_environment.html
(NOTE: URL might be wrapped)
You might want to check out some VNC cracking tools:
http://www.securiteam.com/tools/Brute_forcing_VNC_passwords.html
http://www.securiteam.com/tools/VNC_Password_Brute_Force_utility_released.html
(NOTE: URLs might be wrapped)
--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
----- Original Message -----
From: "Ivan Fox" <[EMAIL PROTECTED]>
To: "Firewall-Wizards@Nfr. Net" <[EMAIL PROTECTED]>;
"Firewalls@Lists. Gnac. Net" <[EMAIL PROTECTED]>; "Firewall-1"
<[EMAIL PROTECTED]>
Sent: Thursday, December 14, 2000 12:29 AM
Subject: VNC through the firewall
> I understand that the ip and password for using VNC are encrypted, but the
> data are not. Please correct me:
>
> VNC is a very thin client. Are the "data" passing through the wire
> keystrokes, mouse strokes, screen display? Are sniffers able to capture the
> NT ID and password when logging onto an NT domain using VNC?
>
> Any comments are appreciated.
>
> Thanks,
>
> Ivan
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>