The fuss is about leaving any holes open at all. VNC by itself is a
fairly secure program and the odds of someone outside your LAN
capturing your password is very unlikely. However it is possible. If
their is a million VNC servers on the Internet and their is a
one-in-a-million shot that enough packets could be sniffed to capture
a password...well better safe then sorry. I'd rather have to go
through the trouble of setting up a secure connection than have to
make a special trip to who knows where to recover that comprimised
computer. An easier way is to use a secure VNC server that supports
encryption. RealVNC Enterprise[1] supports 2048-bit encrypted
authentication and 128-bit encrypted sessions. Overall though, I'd be
more concerned about having the VNC server on the default port on the
Internet to begin with. Brute force applications like THC-Hydra[2]
are designed to crack passwords on VNC. Thankfully most VNC servers
will automatically disconnect a user after 3 failed attempts.
[1] http://www.realvnc.com/download.html
[2] http://thc.org/thc-hydra/
On 4/19/05, Andy Bruce - softwareAB <andy@softwareab.net> wrote:
This is a very interesting question to me. In my own case, I do have SSH
setup thru Cygwin (http://www.cygwin.com/) for my local network and I
use VNC thru that connection when I need to manage my own stuff
remotely. However, I have to admit that when I use VNC to aid remote
clients (which happens quite frequently) I don't worry about encryption
whatsoever.
FWIW, here's my approach:
1. I don't even try to explain setting up an SSH daemon to them. I
simply have them install the VNC server in user-mode and start it.
2. If I can't explain to them in 5 min or less how to do port
forwarding, I just have them connect directly to their cable/dsl modem.
3. Get the debugging and/or support done.
4. Have them stop the VNC server. Since it isn't running as a service,
it won't start up next time and so won't be a security risk.
5. Tell them to turn off port forwarding from the router (if they could
grok it), or just have them connect their PC back to the router and
their router back to the cable/dsl modem. In either case, 5900 isn't
available to the outside world so there's no risk even if they were
running VNC in service-mode.
I have to agree with Steve that this is, for all practical purposes, a
non-existent security risk. The only things that could go wrong:
a. "Somebody" is sniffing the packet stream while the VNC passwords are
being exchanged, and, during that 20 minute interchange, cracks the
password and logs onto the VNC server. Of course, we would notice this
problem on both ends!
b. I have never captured the data shared between client and server
(screen/UI deltas) and so have no idea if these pose a security risk or not.
c. While the VNC server is running and they are connected to the
internet (port forwarding has the same problem as direct connect) a port
sniffer detects that 5900 is available and immediately zooms in thru
some VNC security hole. Wez would know a lot more about this possibility
than me, though!
Am I missing something here?
Steve Bostedor wrote:
I'd like to know if anyone has any working examples of why an
unencrypted VNC session over the Internet is seen as such a horrible
security risk. I understand that unencrypted ANYTHING over the Internet
lends the chance for someone to decode the packets (assuming that they
capture every one of them) but in reality, what are the real risks here
and has anyone successfully captured a VNC session from more than 2
router hops away and actually gotten any meaningful information from it?
I've captured a big chunk of a LOCAL session using Ethereal and the only
thing that I can see that is usable is the password exchange. Agreed
that this could be a problem if someone just happened to be sniffing
your local LAN segment at that exact moment and happened to capture your
encrypted VNC password, he could crack the password and log in himself.
But how paranoid is it to go through all of the trouble of setting up
SSH to avoid that when you could just change your VNC password often and
make sure that your local LAN is reasonably secure from prying eyes?
How about once it gets out on the Internet? Packets bounce all over the
place on the Internet. What are the odds that someone out there will
pick your VNC packets out of all of the millions of packets running
through the back bone routers without being noticed, capture enough of
them to possibly replay a session, and actually have the patience or the
tools to do so. I've scoured the web out of this curiosity, looking for
a tool to put VNC packets together into something useful for a hacker.
There's nothing. Nada.
So, I guess that what I'm asking is; what all of the fuss is about?
Your POP3 password likely gets passed unencrypted but we're being asked
to be paranoid about an encrypted VNC password? This is all coming from
a discussion that I had with someone over the merits of using SSH with
VNC over the internet for a 10 minute VNC session.
Does anyone have anything that's not hypothetical? Is there a tool that
I'm missing out there that does more than just crack a VNC password?
Does anyone know of any reported security breaches where VNC was a
weakness?
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
--
Mark Owen
