Virtual Network Computing (VNC) is a remote administration tool that allows the administrator to use the server desktop as if she were sitting right in front of it. This interaction takes place by sharing mouse movements, keystrokes, and screen updates through the Remote FrameBuffer (RFB) protocol. What happens on the server is reflected in the client viewer and vice versa. VNC, originally developed at the AT&T Research Lab, is now distributed in several variants, some open-sourced under the GPL license and others sold commercially. Most of the freely available variants share a similar protocol as well as codebase, and they may be interoperable. For this discussion, I will be referring to the free version of RealVNC (version 4.1 at the time of this writing) except where otherwise indicated. Although there are VNC servers that run on most operating systems, our focus lies with utilizing it as a backdoor for Windows. What you use as a client is up to your discretion. For ease of use, I usually use one of the Windows VNC viewers.
VNC, though marketed as a fully featured administration tool, has a number of key features that make it ideal for use as a backdoor.
What could be better than controlling the target as if you were sitting in front of it? I think the advantages over the weak Windows CLI are obvious.
You can install VNC without any wizards, pop-ups, or any other graphical interaction on the server. The Metasploit Framework also offers methods for injecting a VNC server as payload to a number of exploits (see Chapter 7).
By changing a few registry keys, you can make very useful changes to the interface to help conceal the installation, such as:
Disable and remove the System Tray icon
Disable connect/disconnect alert beeps
Prevent the VNC server from being shut down; only very sophisticated users are able to disable the service
Due to the multiplatform nature of the various distributions of VNC, clients are available for most operating systems.
Again, because it was developed as a legitimate remote administration tool, you'll also find VNC to have a few disadvantages as a backdoor.
But wait, wasn't this just described as a big plus? Not if you are trying to keep your activity behind the scenes. Once installed, all of your actions are displayed for the world to see on the server's monitor.
VNC is not a lightweight protocol. A lot of bandwidth is required for a useable connection. If you happen to be toying with a target half a world away, you are going to pay the price, both in performance and in the footprint you leave on the remote network.
Many of the free variants of VNC are not supplied with more than rudimentary encryption for the initial authentication. Communications beyond that are often unsecured. Some commercial versions boast higher-strength encryption for the entire session. There are also patches and plug-ins available to add stronger encryption to some free versions.
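The protocol behaviour described above is also what gives a defender a handle on it: an RFB server announces itself with a fixed version string, and (in protocol 3.7 and later) then lists the security types it offers, so the first bytes of a server's reply are enough to tell whether a VNC service is present, whether it is listening on an unusual port, and whether it offers only the unencrypted "None" or "VNC Authentication" (challenge-response) types that leave the session in the clear. The following Python is an added example, not code from the book or from any VNC distribution; it parses the server's opening bytes from already captured flow records (constructed inline here, as a flow-reconstruction tool might produce them) and reports what each server offers. The security-type numbers are those assigned in the RFB specification (RFC 6143 and its registry); the record layout `(server_ip, server_port, first_server_bytes)` is an assumption of this example.

```python
import re
import struct
from typing import Optional

# Security types as assigned in the RFB specification and registry.
# Names are for reporting only.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}

# Types that give no session encryption: "None" (no auth at all) and
# "VNC Authentication" (DES challenge-response for the password only,
# then everything else in the clear).
UNENCRYPTED_TYPES = {1, 2}

# ProtocolVersion message: exactly "RFB xxx.yyy\n", 12 bytes.
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Parse the first bytes a VNC server sends: the ProtocolVersion
    message and, when captured, the security-type announcement after it.
    Returns None if the bytes are not an RFB server greeting."""
    m = VERSION_RE.match(data)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    rest = data[12:]
    offered = []
    if (major, minor) >= (3, 7):
        # 3.7+: U8 count, then one U8 per offered security type.
        # A count of 0 means the server refused and a reason follows.
        if rest:
            count = rest[0]
            offered = list(rest[1:1 + count])
    else:
        # 3.3: the server picks a single security type, sent as U32.
        if len(rest) >= 4:
            offered = [struct.unpack(">I", rest[:4])[0]]
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
        "unencrypted_session": any(t in UNENCRYPTED_TYPES for t in offered),
    }


def find_vnc_servers(flows):
    """flows: iterable of (server_ip, server_port, first_server_bytes)
    records (assumed layout). Returns one finding per RFB server seen."""
    findings = []
    for ip, port, payload in flows:
        hello = parse_server_hello(payload)
        if hello is None:
            continue
        findings.append({
            "server": f"{ip}:{port}",
            # VNC displays conventionally use 5900 + display number.
            "nonstandard_port": not (5900 <= port <= 5999),
            **hello,
        })
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", 5900, b"RFB 003.008\n\x02\x02\x13"),      # offers VNC Auth + VeNCrypt
    ("10.0.0.9", 8080, b"HTTP/1.1 200 OK\r\n"),            # not VNC
    ("10.0.0.7", 4444, b"RFB 003.003\n\x00\x00\x00\x02"),  # old 3.3 server, odd port
    ("10.0.0.8", 5901, b"RFB 003.008\n\x01\x13"),          # VeNCrypt only
]

if __name__ == "__main__":
    for f in find_vnc_servers(SAMPLE_FLOWS):
        flags = []
        if f["nonstandard_port"]:
            flags.append("non-standard port")
        if f["unencrypted_session"]:
            flags.append("unencrypted session possible")
        print(f"{f['server']} RFB {f['version']} {f['security_types']} {flags}")
```

Flagging a server that offers type 1 or 2 is the check that matters for the encryption point above: a 3.7+ server may list several types, and if any of them is "None" or "VNC Authentication", a client can negotiate a session that runs with at most a DES-protected password exchange and no encryption afterwards. A 3.3 server cannot offer anything stronger at all, which is why its single U32 type is reported the same way.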
For more information on VNC, try these:
Home page of the original VNC distribution
Detailed information regarding VNC
The VNC distribution that I have been using
An open source Apple OS X VNC client