VNCPush Readme
================================================================================
Version 1.6
Copyright © 2003 Specialized Systems. All rights reserved.
Sean Blankenship (spcsys@gmail.com)
================================================================================
Description:
VNCPush pushes the VNC server onto a target machine without physically
being at the target computer. VNCPush is written in JScript and utilizes
Microsoft Internet Explorer's HyperText Application (HTA) interface for
GUI based interaction.
The application is intended primarily for consulting work. Since
workstations do not have Terminal Services installed or enabled by default,
this script provides remote access to workstations in large networks where
the location of a workstation may be unknown or inaccessible to the
administrator.
VNCPush also includes the capability of removing (pulling) the VNC Server
service and all files installed in the Push process. It is recommended that
you remove the VNC service for security reasons when you are finished.
================================================================================
Operation:
If you are logged into the network as a domain administrator, you
do not have to put in a username or password. If no username and
password are specified, the script uses the account of the user
logged into the computer invoking the script.
If you are not logged in as a domain administrator on the initiating
host and you plan to authenticate as a domain administrator, you will
want to put in the username as: domain\username. You can also use a
local (target host account) account on the target machine with the
syntax: localmachine\localadmin.
The VNC service requires a password. VNCPush stores it in the registry,
writing the encoded value from the INI file with regini.exe. To change it,
install VNC, set a new password manually through VNC, and then copy the
encoded value that VNC writes to the registry:
HKLM\Software\ORL\WinVNC3\Default\Password (REG_BINARY)
The default password installed by VNCPush is:
letmein
================================================================================
Features:
Pushes VNC server onto remote computer and installs VNC as a service
in automatic mode. VNC is also started immediately on the target host.
The VNC taskbar icon is not displayed on the target host. This is a
feature of Tridia VNC with a registry setting that is inserted by the
script on the remote host.
================================================================================
Limitations:
You must have administrative rights on the target computer.
These administrative rights can either be domain administrators
membership (if the target is a member of said domain) or local
SAM administrator's membership.
Administrative rights or equivalent are required for:
o Using an administrative share to transfer files
o Binding an IPC$ connection for remote registry access
o Binding IPC$ to control services
The target host, at a minimum, must be running the following services:
o Server Service
o Remote Registry Service
The target host must also allow users to authenticate over the
network with the designated user account (as opposed to forcing
all network authentication to guest). In Local Security Policies:
o Security Options / Network Access /
Sharing and security model for local accounts: "Classic"
(instead of: Guest only)
================================================================================
VNCPush Protection (prevention):
o Disable admin shares
o Disable Remote Registry service
o Implement simple firewall (local) service
o Force Guest authentication in Local Security Policy
Forcing Guest authentication is the most effective of these. Disabling the
administrative shares alone does not close the door: the Windows NT
Resource Kit includes an application called rmtshare.exe, and as long as an
IPC$ connection can be established, a resourceful user can still create a
share.
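As an added example (not part of VNCPush), the following Windows PowerShell script audits the local host for the prerequisites listed under Limitations and the protections listed above. The registry values (LanmanServer AutoShareWks/AutoShareServer, Lsa ForceGuest), the WMI classes and the service names are standard Windows settings; the "Hardened" scoring is this example's own.

```powershell
# Added example, not part of VNCPush: audit the local host for the conditions a
# VNC push needs and report which of the readme's protections are in place.
# Uses Get-WmiObject (Windows PowerShell); on PowerShell 7 use Get-CimInstance.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValueOrDefault([string]$Path, [string]$Name, $Default) {
    # A missing value means Windows applies its built-in default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-ServiceOff([string]$Name) {
    # Hardened only if the service is both stopped and set to Disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    return ($null -eq $svc) -or ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
}

# C$ and ADMIN$ are recreated at boot unless the AutoShare* values are 0.
$autoWks = Get-RegValueOrDefault $lanman 'AutoShareWks'    1
$autoSrv = Get-RegValueOrDefault $lanman 'AutoShareServer' 1
# ForceGuest=1 is the "Guest only" sharing and security model (0 = "Classic").
$forceGuest = Get-RegValueOrDefault $lsa 'ForceGuest' 0
# Shares currently published whose name ends in $ (C$, ADMIN$, IPC$, ...).
$hiddenShares = @(Get-WmiObject -Class Win32_Share |
                  Where-Object { $_.Name -match '\$$' } |
                  Select-Object -ExpandProperty Name)

$report = @(
    [pscustomobject]@{ Control  = 'Admin shares disabled (AutoShareWks/Server=0)'
                       Hardened = ($autoWks -eq 0 -and $autoSrv -eq 0) }
    [pscustomobject]@{ Control  = 'No hidden ($) shares published, incl. IPC$'
                       Hardened = ($hiddenShares.Count -eq 0) }
    [pscustomobject]@{ Control  = 'Remote Registry service disabled'
                       Hardened = (Test-ServiceOff 'RemoteRegistry') }
    [pscustomobject]@{ Control  = 'Server service disabled'
                       Hardened = (Test-ServiceOff 'LanmanServer') }
    [pscustomobject]@{ Control  = 'Guest-only network authentication (ForceGuest=1)'
                       Hardened = ($forceGuest -eq 1) }
)

$report | Format-Table -AutoSize
if ($hiddenShares.Count -gt 0) {
    Write-Host "Hidden shares present: $($hiddenShares -join ', ')"
}
```

Run it elevated; a row showing Hardened = False marks a precondition the push process relies on that is still available on this host.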
Detecting VNCPush installation: From Event Viewer's Security log:
o Event......: 538
o Source.....: Security
o Category...: Logon/Logoff
o User.......: Source Computer / Source Account
o Logon Type.: 3
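As an added example (not part of VNCPush), this Windows PowerShell snippet pulls the indicator described above (event 538 with Logon Type 3) from the classic Security log and summarises the network logons per account. It assumes the NT/2000/XP message layout, in which the event text carries "User Name:", "Domain:" and "Logon Type:" labels; the grouping and the machine-account filter are this example's choices.

```powershell
# Added example, not part of VNCPush: summarise Security-log entries matching
# the readme's indicator (event 538, Logon Type 3) per account.
# Requires rights to read the Security log. Field labels assume the classic
# NT/2000/XP message text; on Vista and later the IDs and layout differ.
param([int]$Days = 7)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-EventLog -LogName Security -InstanceId 538 -After $since -ErrorAction Stop

$network = foreach ($e in $events) {
    # Only network (type 3) entries matter here; console logoffs are type 2.
    if ($e.Message -notmatch 'Logon Type:\s*3\b') { continue }
    $user   = if ($e.Message -match 'User Name:\s*(\S+)') { $Matches[1] } else { '?' }
    $domain = if ($e.Message -match 'Domain:\s*(\S+)')    { $Matches[1] } else { '?' }
    # Machine accounts (NAME$) produce routine network logons; skip them so
    # the report is limited to user accounts.
    if ($user.EndsWith('$')) { continue }
    [pscustomobject]@{
        Time    = $e.TimeGenerated
        Account = "$domain\$user"
        Machine = $e.MachineName   # host whose log recorded the event
    }
}

# One row per account: how often it appeared and over what time window.
$network | Group-Object Account | ForEach-Object {
    $times = @($_.Group | Select-Object -ExpandProperty Time | Sort-Object)
    [pscustomobject]@{
        Account = $_.Name
        Count   = $_.Count
        First   = $times[0]
        Last    = $times[-1]
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

An administrative account appearing against a workstation it does not normally touch is the pattern worth following up; pair it with the file and service state on that host.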
================================================================================
Disclosure:
o This application is not intended for cracking or any other offensive
or unlawful activity. It requires valid credentials and has no brute-force
password (authentication hammering) capability or extension point.
o There exist both network-sniffing VNC password crackers and brute-force
VNC password-cracking utilities. Installing VNC therefore poses a risk to
workstations: it grants privileges on the Windows machine equal to those
of the console user (short of physical access).
o Traces of IPC$ and C$ access are left in the security event log. You
can erase these by binding IPC$, and using the Computer Management
MMC to access the remote target and clearing via GUI.
o All components of the VNC core application were developed by AT&T
Research Labs and modified by the developers of TridiaVNC. All VNC
components are copyrights of their respective owners. VNCPush is a
front-end for deploying VNC on Windows NT-based machines through native
SMB and RPC connections; once VNC is installed and connected, you are
using third-party software.
================================================================================
Troubleshooting:
If the computer running the script already has a share mapped, you may
find that XP/NT will not allow you to map both a share and an IPC$
connection with different credentials. Verify this by mapping IPC$
manually from the command prompt:
net use \\rhost\ipc$ /user:domain\username password
It has been observed that, from one XP machine to another, using the
source host's credentials (blank username and password in VNCPush) can
produce an access-denied error even though the credentials are valid.
valid. I have found that by connecting via VPN to your home domain
(active route to your DC), you can then authenticate. This must be
an issue with the destination XP machine needing you to re-confirm
your authentication.
If you receive an error binding IPC$, map the IPC$ endpoint manually from
a DOS command prompt, trying each of the following in turn:
net use \\computer\ipc$
net use \\computer\ipc$ /user:domain\username
net use \\computer\ipc$ /user:domain\username password
The error message returned from the above DOS commands should help
troubleshoot the problem.
If you have any problems removing VNC, restart the remote computer with
the following command and then use VNCPush to remove VNC:
shutdown -r -f -m \\netbiosname
If you get authentication problems, map the IPC$ endpoint first with
the following command and then use shutdown.exe:
net use \\netbiosname\ipc$ /user:domain\username password
The problem usually occurs when removing the vnchooks.dll file. I think it
is a timing problem with stopping the VNC service and then removing the
file too quickly, before the service has completely stopped.
================================================================================
Included Files / Descriptions:
readme.txt..........: Readme / information file.
vncpush.chm.........: Help file.
vncpush.hta.........: Main Application.
vncpush.ini.........: Customizable INI file for VNCPush.
vncpush.reg.........: VNC registry values to push to remote host.
vncpush.dll.........: Dynamic Link Library for VNCPush application.
bin/
  omnithread_rt.dll.: VNC component (threading control component).
  reg.exe...........: Microsoft Remote registry tool.
  regini.exe........: Microsoft Remote registry tool.
  regini.doc........: Microsoft documentation for regini.exe.
  rmtshare.exe......: Microsoft utility for creating remote shares.
  sc.exe............: Microsoft Service Control tool (XP version).
  viewer.exe........: VNC component (local viewer).
  vnchooks.dll......: VNC component (VNC plugin methods).
  winvnc.exe........: VNC component (NT service EXE).
  zlib.dll..........: VNC component (compression).
================================================================================
VNCViewer Arguments:
The following arguments can be included in the call to the VNCViewer.
Omitting all of them (the default, apart from /viewonly) gives the most
popular settings as defined by the TridiaVNC developers.
most popular defined by the TridiaVNC developers. I included the
ability to just use 'x' as an argument to bring up the default dialog.
x............................: Default VNC viewer dialog.
/viewonly....................: No remote input (snooping).
/fullscreen..................: Full screen mode.
/noremotecursor..............: Disable remote cursor tracking.
/quality N...................: Bitmap display quality.
/8bit........................: Force 8 bit Bitmaps (256 color).
/compresslevel N.............: Bitmap compression for xfer.
/preferredEncoding encoding..: Compression encoding algorithm.
================================================================================
Change Log:
Version 1.6
o Moved location of regini.ini from .\bin to .\include / renamed winvnc.ini.
o Added data to winvnc.ini to stop desktop background from removing.
o Added 'Service Description' to vncpush.ini and in service push module.
o Commented out 'strip spaces' in getini().
o Renamed svchostx.exe to winvnc.exe.
o Added quotes to "VNC_REMOTE_SERVICE_NAME" in service push/pull for spaces.
o Added debugging to alert user when logfile not found when user attempts
to open via Options GUI. Information given about debug levels required.
o Added debugging to INI read module for non-existing INI assignments.
o Added debugging to VNC Viewer module for missing EXE assignments.
o Added keyboard shortcuts to HTA interface (accesskey tags).
Version 1.5
o Changed configuration modal filename and added service control modal.
o Added service control functionality: stop, start, restart interfaces.
o Added RMTSHARE.EXE GUI modal
Version 1.4
o Added "Open Log" button to the configuration menu.
o Changed application directory structure.
Version 1.3
o Fixed problem starting remote VNC service from Windows 2000 systems.
o Implemented feature to allow quick username specifications. Clicking
on "Username:" text will prepend the hostname into the username
field. Example: hostname and username converts to hostname\username.
o Changed font-family from system default to tahoma in debug textarea.
o Added Close, Help, and About interfaces.
o Compensated GUI geometry for new interfaces.
o Added READONLY attribute to debug textarea object.
Version 1.2
o Activated (in options) a debug log file for the DOS-based commands that
are used when a debug level of 3 or higher is specified. DOS command
output cannot be returned to the scripting host, so STDOUT is redirected
to the log file specified by APP_DEBUG_FILE. The default name is
vncpush.log, created in the working directory from which VNCPush is
invoked.
Version 1.1
o Added sc.exe to bin directory for extended compatibility.
o Changed viewer interaction with settings. The viewer will now
start with no arguments if 'x' is given in VNC_VIEWER_ARGS.
Version 1.0
o Changed X: local mapping to V:, to reduce probability of conflict.
o Made minor syntax changes in debug reporting routine.
o Added form.rhost.focus() to init() syntax for onLoad().
Version 0.1.4
o Fixed bug in INI parse algorithm related to CRLF>2 @ EOF.
o Extended debug reporting into registry and service push/pull modules.
Version 0.1.3
o Added INI configuration file. This file is editable by the user but
changes made during runtime sessions are not saved back to the INI
file. If you want to keep the changes, you must manually edit the
INI file: default: 'vncpush.ini'.
Version 0.1.2
o Added EDIT interface for changing global variables (settings), on a
per session basis.
o Made cosmetic enhancements such as input field highlighting and
selection on the focus/blur event handlers.
Version 0.1.1
o Added password masking to password input field.
o Added debug window and more complex debug and error reporting.
Version 0.1.0
o Initial version, basic push, pull, and view interfaces.