VNC is a great protocol that you can use on Windows and Linux machines to remotely control computers. This is useful if you need to control your computer when away from home, help your grandma check her email, or help a client with a disk cleanup. VNC is secure in the sense that it requires authentication in order to make the connection, but after that, the data is sent over the internet unencrypted. This means that an attacker could sniff your traffic and snoop everything that's going on. They could even code a client to get a front row seat to exactly what goes on!
SSH is a favorite at Null Byte for its multitude of uses, which we have previously covered. Today we're adding one more use to the list. We are going to tunnel our VNC traffic over SSH so that our traffic is safe and secure when making the dangerous journey across the internet.
- Linux box with VNC installed
- An SSH tunnel up and running
All traffic between the two machines is encrypted (SSH authenticates the server with public-key cryptography and negotiates a session key for the connection), so anyone sniffing the link sees only ciphertext. You can ask SSH to listen on a particular port on your local machine and forward anything that connects to it down the secure connection to a port on the machine at the other end. The general form is:
ssh -L <local port>:localhost:<remote port> <machine IP>
Roughly translated: start an SSH connection to the remote computer, listen on port x on my machine, and forward any connection made there to port y on the remote machine.
The VNC protocol uses port 59xx, where xx is the display number of the server (port = 5900 + display). So a VNC server on a Windows machine, which normally uses display number 0, will listen on port 5900. Most Unix VNC servers start at display number 1 and count up, listening on ports 5901, 5902, and so on. If you forward a local port to one of these ports on the remote machine, the remote VNC server appears to be a server running on your local machine.
So, imagine you had a VNC server running as display :1 (port 5901) on a remote machine and you wanted a secure connection to it from your local machine. You could start the SSH session with this command:
ssh -L 5902:localhost:5901 <remote host>
Any connection to display :2 on your local machine (port 5902) would actually go to display :1 on the remote host. Note that, as written, the forwarded port accepts connections only from the local machine: ssh binds it to the loopback interface by default. This means that to use the tunnel we have just set up, we must connect from the same machine, using the special name localhost rather than the machine's own hostname. So instead of running vncviewer directly against the remote host:
vncviewer <remote host>:1
You could run:
vncviewer localhost:2
The difference? The second example goes over the secure connection. You can also speed things up by appending the -C option to the ssh command, which compresses the data sent through the tunnel. No more sketchy VNC access. Don't do remote support with someone unless they have a method of securing your data over the network.
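As an added example (not part of the original post), here is a small POSIX shell helper that derives the ssh command from VNC display numbers using the 5900 + display rule above, and checks from the output of ss -ltn that the forwarded port is bound to loopback only, so the tunnelled display is not accidentally exposed to the rest of the network. The host name and the ss listings below are constructed samples.

```shell
# Added example, not from the original post.

# VNC port = 5900 + display number (the 59xx rule from the text).
vnc_port() {
    echo $((5900 + $1))
}

# Print the ssh command that maps local display $1 to remote display $2
# on host $3, with -C compression enabled as the text suggests.
vnc_tunnel_cmd() {
    lport=$(vnc_port "$1")
    rport=$(vnc_port "$2")
    echo "ssh -C -L ${lport}:localhost:${rport} $3"
}

# Given a port and the output of 'ss -ltn', succeed only if at least one
# socket listens on that port and every such socket is bound to 127.0.0.1
# or [::1]. A 0.0.0.0 or * binding would mean the forwarded VNC display is
# reachable from other hosts, defeating the point of the tunnel.
port_is_loopback_only() {
    port=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        NR == 1 { next }                  # skip the ss header line
        {
            addr = $4                     # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != p) next       # some other port, ignore
            found = 1
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host != "127.0.0.1" && host != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed sample of 'ss -ltn' after starting the tunnel with the
# default (loopback) -L binding: this is what you want to see.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5902    0.0.0.0:*
LISTEN 0      128    [::1]:5902        [::]:*'

# Constructed sample of the mistake to detect: the forward was bound on
# all interfaces, so other machines could reach the VNC display.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5902      0.0.0.0:*'

# Usage: vnc_tunnel_cmd 2 1 remote.example.com prints the ssh command;
# after running it, port_is_loopback_only 5902 "$(ss -ltn)" verifies the bind.
```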