Is it possible to use SHA1 or another secure hash instead of the old method, because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new UltraVNC password storing (with SHA1 or maybe SHA-256). If you activate the secure option, the old values have to be removed.
CU
Mr Faber
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
VNC very insecure
- Rudi De Vos
- Admin & Developer
- Posts: 6863
- Joined: 2004-04-23 10:21
Direct registry hacking
The risk is limited, you need a standard Windows password to get access to the registry.
If you can get access, you can change the password without the need to crack it.
If you have physical access, you can boot from a Linux CD-ROM and even change the administrator account. After that you can do what you want.
Net sniffing and packet capturing
This is possible, for external connections you should always use some kind of extra encryption.
If somebody inside your network is capable of doing this, be sure he has 100 other ways of getting access. 99% of the security breaks are caused by users, how many bosses have their password on the bottom of their keyboard, or secured documents are printed and left on the desk.
Re: VNC very insecure
As long as we're on the subject, when will the file transfer require a password before allowing a connection and file transfers?
Mr Faber wrote:
Is it possible to use SHA1 or another secure hash instead of the old method, because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new UltraVNC password storing (with SHA1 or maybe SHA-256). If you activate the secure option, the old values have to be removed.
CU
Mr Faber