nxc-vnc
Remotely access graphical desktop using NX protocol
TLDR
Search for valid credentials by trying out every combination in the specified lists of usernames and passwords
Avoid rate limiting through VNC-sleep
Take a screenshot on the remote system after waiting the specified amount of time
SYNOPSIS
nxc vnc <target(s)> [authentication_options] [vnc_module_options]
Where <target(s)> can be:
IP_ADDRESS (e.g., 192.168.1.10)
IP_RANGE (e.g., 192.168.1.0/24)
HOSTNAME
FILENAME (a file containing a list of targets)
all (all hosts discovered within the specified scope)
PARAMETERS
--username
Username to authenticate with on the target system.
--password
Password to authenticate with on the target system.
--hash
NTLM hash to authenticate with (LM:NTLM format).
--no-pass
Authenticates with an empty password.
--local-auth
Forces local authentication on the target system (not domain).
--vnc-port
Specify the VNC service port (default is 5900).
--vnc-dump-hash
Attempts to dump VNC authentication hashes from the target.
--vnc-screenshot
Takes a screenshot of the VNC desktop and saves it to the specified local path.
--vnc-password
Provides the VNC password directly for VNC authentication (separate from Windows/SMB authentication).
--vnc-connect
Attempts to connect to the VNC service. This is often an implicit action if no other VNC-specific action (like dumping hash or screenshot) is specified.
DESCRIPTION
nxc-vnc is not a standalone command but a specific module within the NetExec (nxc) framework, a powerful post-exploitation tool primarily used in network security assessments, penetration testing, and red teaming operations. This module focuses on interacting with VNC (Virtual Network Computing) services found on target systems. It allows security professionals to enumerate VNC servers, attempt authentication, dump VNC authentication hashes (typically NTLMv1 or NTLMv2 hashes if VNC is configured to use Windows authentication), and even capture screenshots of the remote VNC session. The nxc vnc module leverages NetExec's capabilities to authenticate against target systems (e.g., via SMB/RPC) and then, if successful, attempts to interact with VNC services. Its primary use cases include reconnaissance, credential harvesting, and visual verification of VNC access on compromised or vulnerable systems within an enterprise network. It streamlines the process of assessing VNC security posture across multiple hosts.
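Added example (not part of NetExec or of the original page): a defender-side check for the paced credential guessing described in the TLDR. It counts failed VNC logins per client over a long window, so attempts spaced out to stay under a short rate limit are still flagged. The event format, function names, and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format: time, client, server:port, result.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10:5900 FAIL
2024-05-01T10:05:00 10.0.0.5 192.168.1.10:5900 FAIL
2024-05-01T10:06:10 10.0.0.9 192.168.1.10:5900 FAIL
2024-05-01T10:06:40 10.0.0.9 192.168.1.10:5900 OK
2024-05-01T10:10:00 10.0.0.5 192.168.1.11:5900 FAIL
2024-05-01T10:15:00 10.0.0.5 192.168.1.11:5900 FAIL
2024-05-01T10:20:00 10.0.0.5 192.168.1.12:5900 FAIL
2024-05-01T10:25:00 10.0.0.5 192.168.1.12:5900 OK
"""

def parse_events(text):
    """Parse whitespace-separated event lines into time-sorted tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return sorted(events)

def find_slow_guessing(events, window=timedelta(hours=1), max_failures=5):
    """Flag clients with >= max_failures failed logins inside any window (events must be time-sorted)."""
    by_client = defaultdict(list)
    for event in events:
        by_client[event[1]].append(event)
    findings = {}
    for client, evs in by_client.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= max_failures:
                burst = fails[start:end + 1]
                findings[client] = {
                    "failures": len(burst),
                    "targets": sorted({e[2] for e in burst}),
                    # A success after the burst suggests a guessed password.
                    "success_after": any(e[3] == "OK" and e[0] > burst[-1][0] for e in evs),
                }
                break
    return findings

print(find_slow_guessing(parse_events(SAMPLE_EVENTS)))
```

With a one-minute window the same events produce no finding, which is why the window has to be longer than the pause between attempts.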
CAVEATS
nxc-vnc is a module of the NetExec framework and requires NetExec to be installed. Successful interaction relies on network connectivity to the target's VNC service and valid authentication credentials. Usage without explicit authorization is illegal and unethical. This tool is intended for legitimate security assessments and penetration testing. Some functionalities, particularly screenshot capture, may require additional Python dependencies (e.g., vncdotool) to be installed.
USAGE EXAMPLES
nxc vnc 192.168.1.10 --username administrator --password 'P@ssw0rd1' --vnc-dump-hash
Description: Dumps VNC hashes from a single target using specified credentials.

nxc vnc 192.168.1.0/24 --local-auth --vnc-screenshot /tmp/vnc_screens/
Description: Takes screenshots from all VNC services in the subnet, authenticating locally and saving to a directory.

nxc vnc hosts.txt --vnc-password 'vncpass' --vnc-connect
Description: Connects to VNC services listed in hosts.txt using a direct VNC password.
HISTORY
The nxc framework, of which vnc is a module, was originally known as CrackMapExec (CME), developed by @byt3bl33d3r. It gained significant popularity in the cybersecurity community for its comprehensive suite of post-exploitation capabilities against various network protocols, especially SMB. The project was later renamed to NetExec (nxc) due to a trademark dispute. The vnc module was integrated into the framework to extend its reach to VNC services, offering specialized functionalities like hash dumping and screenshot capture, thereby enhancing its utility for red team operations and security assessments.