Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Vnc Password

Post Reply
flochi1
Posts: 4
Joined: 2020-12-31 16:01

Vnc Password

Post by flochi1 »

I know that vnc password can easily be cracked(it is stored in ultravnc.ini).
Is there an method to beter secure it?
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Re: Vnc Password

Post by Rudi De Vos »

[v] non portable password make it more secure.
It can only be cracked with a tool running on that pc.
Using the encryption plugins you can set
-a long passwd
- use a public/private key pair.
flochi1
Posts: 4
Joined: 2020-12-31 16:01

Re: Vnc Password

Post by flochi1 »

[v] non portable password make it more secure.

this works great indeed but we cant automate it. We create the response file and everything is ok.

Can we set this after deployment automatically ? silent?

We are using SCCM to deploy.
flochi1
Posts: 4
Joined: 2020-12-31 16:01

Re: Vnc Password

Post by flochi1 »

So my question is say that vnc is already installed can you send a command or modify the regristry or something like that to set up that [v] non portable password make it more secure.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Re: Vnc Password

Post by Rudi De Vos »

There is no tool.

Fast created one.
createpassword [-secure] mypassword
Need to be executed in the ultravnc.ini folder
1) set secure to 1
2) set secure password

Warning: code differ on 32/64bit.
You need to use 64bit when winvnc.exe is 64bit

It was never made to be cross plaform compatible, your deployment tool need to check the vnc installed version (32/64)

try it first om some local 32/64... NOT fully tested.

http://www.uvnc.eu/download/133/createpassword.zip

My virus checker doesn't like the zip... createpasswd...checking
Seem ok now, needed to sign the exe
flochi1
Posts: 4
Joined: 2020-12-31 16:01

Re: Vnc Password

Post by flochi1 »

it works.

thank you!
esc
Posts: 5
Joined: 2020-12-11 09:26

Re: Vnc Password

Post by esc »

I knew the password was in an .ini file but didn't know it could be decoded that easily. If this is the case, there should be a large text informing about it.

I understand that you can enable the only plugin SecureVNCPlugin64.dsm but is it safe?

Why does the program not use this plug-in by default after installation?
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Re: Vnc Password

Post by Rudi De Vos »

You can
-activate []non portable password, then the password isn't portable and only works on that pc.
-activate the plugin and set a long password
-activate the plugin and use prive/public keys...

The simple vnc password is the default authentication. It's portable and work with all vnc flavors.

The password is in the ini file and there are tools that allow to decrypt them.
Even if we would make it more complex, there would still be tools who does it.
You even can decode the OS admin password i you get access to the disk.

If you allow other people disk access nothing is safe.
Bonji
100
100
Posts: 339
Joined: 2008-05-13 14:54

Re: Vnc Password

Post by Bonji »

esc wrote:I knew the password was in an .ini file but didn't know it could be decoded that easily. If this is the case, there should be a large text informing about it.

I understand that you can enable the only plugin SecureVNCPlugin64.dsm but is it safe?

Why does the program not use this plug-in by default after installation?
Part of using/supporting software is being informed about its origin and current state of development. VNC was created in the late 90s, and its priority was connectivity. Security from that day just doesn't hold up now, but the original mechanism is left in place because all flavors of VNC support it as a minimal level of compatibility. You'll notice any version of VNC (configured simply) can connect to any other version of VNC. This is its power, but you have to be aware of the consequences if you use it in its native state.

UltraVNC is one of the best versions because of how extensible it is which allows these original flaws to be overcome. The Secure plugin with MSLogon authentication completely negates the original password limitations. This tool isn't meant for computer novices (imo), so understanding its components and capabilities is important in deploying it securely and successfully.
-Ben
Post Reply