Specialized Systems, Inc. VNCPush Framework
VNCPush - Operating Environment
If you are logged into the network as a domain administrator, you do not have
to put in a username or password. If no username and password are specified,
the script uses the account of the user logged into the computer invoking the
script.
If you are not logged in as a domain administrator on the initiating host and
you plan to authenticate as a domain administrator, enter the username as:
domain\username. You can also use a local account on the target machine (a
target host account) with the syntax: localmachine\localadmin.
The VNC service asks for a password. This is set up in the registry and is put
there with regini.exe from the INI file. To change it, you have to install
VNC, manually change VNC's default password, and then grab the encoded value
from the registry once VNC has changed the registry setting:
HKLM/Software/ORL/WinVNC3/Default/Password:REG_BINARY
The default password installed by VNCPush is:
letmein
VNCPush - Limitations
You must have administrative rights on the target computer.
These administrative rights can come from either membership in the
domain administrators group (if the target is a member of said domain)
or membership in the local SAM administrators group.
Administrative rights or equivalent are required for:
- Using an administrative share to transfer files
- Binding IPC$ connection for remote registry
- Binding IPC$ to control services
The target host, at a minimum, must be running the following services:
- Server Service
- Remote Registry Service
The target host must also allow users to authenticate over the network with
the designated user account (as opposed to forcing all network
authentication to guest). In Local Security Policies:
- Security Options / Network Access / Sharing and security model for local accounts:
"Classic" (instead of: Guest only)
VNCPush - Protection / Installation Prevention
- Disable admin shares
- Disable Remote Registry service
- Implement a simple local firewall service
- Force Guest authentication in Local Security Policy
Forcing Guest authentication is the most effective. Disabling admin shares
alone is not enough: the Windows NT Resource Kit includes an application
called rmtshare.exe, and as long as an IPC$ connection can be established, a
resourceful user can still create a share.
Detecting VNCPush installation: From Event Viewer's Security log:
Event......: 538
Source.....: Security
Category...: Logon/Logoff
User.......: Source Computer / Source Account
Logon Type.: 3
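
The detection described above, as an added example (not part of VNCPush or the original page): a Python filter that parses records in the field layout shown and counts Security event 538 / logon type 3 entries per source. The sample records, the host and account names, and the expected_hosts allowlist are constructed assumptions.

```python
import re
from collections import Counter

# "Label.....: value" lines, as in the Event Viewer record shown above.
FIELD = re.compile(r"^([A-Za-z ]+?)\.*:\s*(.*)$")

def _record(event, user, logon_type):
    return (f"Event......: {event}\nSource.....: Security\n"
            f"Category...: Logon/Logoff\nUser.......: {user}\n"
            f"Logon Type.: {logon_type}")

# Constructed sample records; host and account names are made up.
SAMPLE_LOG = "\n\n".join(_record(*r) for r in [
    ("538", r"WKSTN07 / CORP\jdoe", "3"),
    ("538", r"TARGET01 / TARGET01\alice", "2"),   # interactive, not network
    ("538", r"ADMIN01 / CORP\helpdesk", "3"),     # expected admin workstation
    ("538", r"WKSTN07 / CORP\jdoe", "3"),
    ("528", r"WKSTN09 / CORP\bob", "3"),          # different event ID
])

def parse_records(text):
    """Split a blank-line separated export into dicts of label -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records

def network_logon_sources(records, expected_hosts=()):
    """Count Security event 538 / logon type 3 records per source."""
    expected = {h.upper() for h in expected_hosts}  # hypothetical allowlist
    hits = Counter()
    for rec in records:
        key = (rec.get("Event"), rec.get("Source"), rec.get("Logon Type"))
        if key != ("538", "Security", "3"):
            continue
        user = rec.get("User", "<unknown>")
        if user.split("/")[0].strip().upper() in expected:
            continue  # source computer is a known administration host
        hits[user] += 1
    return hits

if __name__ == "__main__":
    hits = network_logon_sources(parse_records(SAMPLE_LOG), {"ADMIN01"})
    for source, count in hits.items():
        print(f"{count:3d}  {source}")
```

Logon type 3 is recorded for any network logon, so the counts are a starting point for review against known administration hosts rather than proof of a VNCPush install.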