Add vnc_auth module

README.md

@@ -46,6 +46,9 @@ The module is disabled by default - to enable it, rename `docker-compose.additio
 ### what-vpn
 Uses https://github.com/dlenski/what-vpn under the hood. Identifies servers running various SSL VPNs and is licensed under GPL-3.0-or-later.
 
+### vnc_auth
+Uses https://nmap.org/nsedoc/scripts/vnc-brute.html under the hood. Performs a brute force attack on VNC servers to guess password. This is licensed under GPL-3.0-or-later.
+
 ## Testing
 To run the tests, run:
 
@@ -80,3 +83,4 @@ We kindly remind you that:
 * by contributing to the `ssl_checks` module you agree that the AGPL-3.0 License shall apply to your input automatically, without the need for any additional declarations to be made.
 * by contributing to the `sqlmap` module you agree that the GPL-2.0 License shall apply to your input automatically, without the need for any additional declarations to be made.
 * by contributing to the `forti_vuln` module you agree that the GPL-3.0 License shall apply to your input automatically, without the need for any additional declarations to be made.
+* by contributing to the `vnc_auth` module you agree that the GPL-3.0 License shall apply to your input automatically, without the need for any additional declarations to be made.

autoreporter_addons/vnc_auth/reporter.py

@@ -0,0 +1,40 @@
+from pathlib import Path
+from typing import Any, Dict, List
+
+from artemis.reporting.base.language import Language
+from artemis.reporting.base.report import Report
+from artemis.reporting.base.report_type import ReportType
+from artemis.reporting.base.reporter import Reporter
+from artemis.reporting.base.templating import ReportEmailTemplateFragment
+from artemis.reporting.utils import get_top_level_target
+
+
+class VncAuthReporter(Reporter):  # type: ignore
+    VNC_WEAK_PASS = ReportType("vnc_auth")
+
+    @staticmethod
+    def create_reports(task_result: Dict[str, Any], language: Language) -> List[Report]:
+
+        if task_result["headers"]["receiver"] != "vnc_auth":
+            return []
+
+        if not task_result["status"] == "INTERESTING":
+            return []
+
+        return [
+            Report(
+                top_level_target=get_top_level_target(task_result),
+                target="vnc://" + task_result["target_string"],
+                report_type=VncAuthReporter.VNC_WEAK_PASS,
+                timestamp=task_result["created_at"],
+                additional_data={"pass": task_result["result"]["password"][:3] + "*****"},
+            )
+        ]
+
+    @staticmethod
+    def get_email_template_fragments() -> List[ReportEmailTemplateFragment]:
+        return [
+            ReportEmailTemplateFragment.from_file(
+                str(Path(__file__).parents[0] / "template_vnc_weak_pass.jinja2"), priority=10
+            ),
+        ]

autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2

@@ -0,0 +1,14 @@
+{% if "vnc_auth" in data.contains_type %}
+    <li>{% trans %}The following VNC servers allow authenticating with a simple password:{% endtrans %}
+        <ul>
+            {% for report in data.reports %}
+                {% if report.report_type == "vnc_auth" %}
+                    <li>
+                        {{ report.target }}: {% trans %}password{% endtrans %} {{ report.additional_data.pass }}
+                        {{ report_meta(report) }}
+                    </li>
+                {% endif %}
+            {% endfor %}
+        </ul>
+    </li>
+{% endif %}

autoreporter_addons/vnc_auth/translations/en_US/LC_MESSAGES/messages.po

@@ -0,0 +1,7 @@
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:2
+msgid "The following VNC servers allow authenticating with a simple password:"
+msgstr ""
+
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:7
+msgid "password"
+msgstr ""

autoreporter_addons/vnc_auth/translations/messages.pot

@@ -0,0 +1,7 @@
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:2
+msgid "The following VNC servers allow authenticating with a simple password:"
+msgstr ""
+
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:7
+msgid "password"
+msgstr ""

autoreporter_addons/vnc_auth/translations/pl_PL/LC_MESSAGES/messages.po

@@ -0,0 +1,9 @@
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:2
+msgid "The following VNC servers allow authenticating with a simple password:"
+msgstr ""
+"Następujące serwery VNC umożliwiają uwierzytelnianie za pomocą prostego "
+"hasła:"
+
+#: autoreporter_addons/vnc_auth/template_vnc_weak_pass.jinja2:7
+msgid "password"
+msgstr "hasło"

docker-compose.yml

@@ -58,10 +58,21 @@ services:
     restart: always
     command: "python3 -m artemis.modules.karton_whatvpn"
 
+  karton-vnc_auth:
+    build:
+      context: Artemis-modules-extra
+      dockerfile: karton_vnc_auth/Dockerfile
+    volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
+    depends_on: [karton-system]
+    env_file: .env
+    restart: always
+    command: "python3 -m artemis.modules.karton_vnc_auth"
+
   autoreporter:
     volumes:
       - ./Artemis-modules-extra/extra_modules_config.py:/opt/extra_modules_config.py
       - ./Artemis-modules-extra/autoreporter_addons/dns_reaper/:/opt/artemis/reporting/modules/dns_reaper/
       - ./Artemis-modules-extra/autoreporter_addons/forti_vuln/:/opt/artemis/reporting/modules/forti_vuln/
       - ./Artemis-modules-extra/autoreporter_addons/sqlmap/:/opt/artemis/reporting/modules/sqlmap/
       - ./Artemis-modules-extra/autoreporter_addons/ssl_checks/:/opt/artemis/reporting/modules/ssl_checks/
+      - ./Artemis-modules-extra/autoreporter_addons/vnc_auth/:/opt/artemis/reporting/modules/vnc_auth/

extra_modules_config.py

@@ -73,3 +73,13 @@ class ExtraModulesConfig:
 
     # WPScan API key
     WPSCAN_API_KEY = decouple.config("WPSCAN_API_KEY", default=None)
+
+    # List of VNC passwords for the vnc_auth module.
+    VNC_AUTH_PASSWORD_LIST = ["admin", "12345678", "password"]
+
+    # Timeout counted in seconds, after which the vnc_auth module starts checking passwords after it's launched.
+    # This is to wait after fingerprinting the service to avoid sending too many requests to the server.
+    VNC_AUTH_INITIAL_SLEEP = 60
+
+    # Number of seconds to wait between password guesses.
+    VNC_AUTH_BRUTE_DELAY = 30

karton_vnc_auth/Dockerfile

@@ -0,0 +1,11 @@
+FROM certpl/artemis:latest
+
+RUN apk add nmap nmap-scripts
+
+COPY karton_vnc_auth/requirements.txt /requirements_vnc_auth.txt
+RUN pip install -r /requirements_vnc_auth.txt
+
+WORKDIR /opt/
+
+COPY extra_modules_config.py /opt/
+COPY karton_vnc_auth/karton_vnc_auth.py /opt/artemis/modules/

karton_vnc_auth/karton_vnc_auth.py

@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+import tempfile
+import time
+from typing import Any, Dict, Tuple
+
+import nmap
+from artemis import load_risk_class
+from artemis.binds import Service, TaskStatus, TaskType
+from artemis.module_base import ArtemisBase
+from artemis.task_utils import get_target_host
+from artemis.utils import throttle_request
+from karton.core import Task
+
+from extra_modules_config import ExtraModulesConfig
+
+
+@load_risk_class.load_risk_class(load_risk_class.LoadRiskClass.LOW)
+class VncAuth(ArtemisBase):  # type: ignore[misc]
+    """
+    Performs a brute force attack on VNC servers to guess password.
+    """
+
+    identity = "vnc_auth"
+    filters = [
+        {"type": TaskType.SERVICE.value, "service": Service.UNKNOWN.value},
+    ]
+
+    def brute_vnc(self, host: str, port: int, passwords_file: str) -> Dict[Any, Any]:
+        np = nmap.PortScanner()
+        result = np.scan(
+            host,
+            str(port),
+            arguments=" ".join(
+                [
+                    "-Pn",
+                    "--disable-arp-ping",
+                    "--script vnc-brute",
+                    "--script-args",
+                    "'{}'".format(
+                        ",".join(
+                            [
+                                "brute.mode=pass",
+                                "brute.useraspass=false",
+                                f"brute.delay={ExtraModulesConfig.VNC_AUTH_BRUTE_DELAY}",
+                                "brute.passonly=true",
+                                "brute.threads=0",
+                                "brute.start=1",
+                                "brute.firstonly=true",
+                                "brute.retries=1",
+                                f"passdb={passwords_file}",
+                            ]
+                        )
+                    ),
+                ]
+            ),
+        )
+
+        return dict(result)
+
+    def parse_result(self, result: Dict[Any, Any], host: str, port: int) -> Tuple[int, str]:
+        try:
+            script_result = result["scan"][host]["tcp"][port]["script"]["vnc-brute"]
+        except KeyError:
+            return -1, "ERROR - no script results found"
+
+        if "Valid credentials" in script_result:
+            return 1, script_result.split("\n")[2].removesuffix("- Valid credentials").strip()
+        elif "No valid accounts found" in script_result:
+            return 0, "No valid credentials found"
+        elif "ERROR" in script_result:
+            return -1, script_result[script_result.find("ERROR") :]
+        else:
+            return -1, "ERROR - could not parse the result"
+
+    def run(self, current_task: Task) -> None:
+        status = TaskStatus.OK
+        status_reason = None
+        valid_password = None
+
+        host = get_target_host(current_task)
+        port = current_task.get_payload("port")
+
+        tmp = tempfile.NamedTemporaryFile()
+        with open(tmp.name, "w") as f:
+            f.write("\n".join(ExtraModulesConfig.VNC_AUTH_PASSWORD_LIST))
+
+        time.sleep(ExtraModulesConfig.VNC_AUTH_INITIAL_SLEEP)
+
+        result = throttle_request(lambda: self.brute_vnc(host, port, tmp.name))
+        check_status, status_reason = self.parse_result(result, host, port)
+
+        if check_status == -1:
+            status = TaskStatus.ERROR
+        elif check_status == 0:
+            status = TaskStatus.OK
+        elif check_status == 1:
+            status = TaskStatus.INTERESTING
+            valid_password = status_reason
+            status_reason = f"Valid password: {valid_password}"
+
+        self.db.save_task_result(
+            task=current_task,
+            status=status,
+            status_reason=status_reason,
+            data={"script_result": result, "password": valid_password},
+        )
+
+
+if __name__ == "__main__":
+    VncAuth().loop()

karton_vnc_auth/requirements.txt

@@ -0,0 +1 @@
+python_nmap==0.7.1