Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

VNC very insecure

Any features you would like to see in UltraVNC? Propose it here
Post Reply
Mr Faber
Posts: 3
Joined: 2004-07-12 12:51

VNC very insecure

Post by Mr Faber »

Is it possible to use SHA1 or an other secure hash instead of the old method because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new ultravnc password storing (with SHA1 or maybe SHA-256 :) ). If you activate the secure option the old values have to be removed.

CU
Mr Faber
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

Direct registry hacking

The risk is limited, you need a standard windows password to get access to the registry.

If you can get access, you can change the password without
the need to crack it.
If you have physical access, you can boot from a linux cdrom
and even change the administrator account. AFter that you can do what you want.


Net sniffering and packet capturing

This is possible, for external connections you should always use some kind of extra encryption.
If somebody insite you network is capable of doing this, be sure he has 100 other ways of getting access. 99% of the security breaks are caused by users, how many bosses have there password on the bottom of there keyboard, or secured document are printed and left on the desk.
Sir Nigel
20
20
Posts: 48
Joined: 2004-05-24 03:20
Location: Texas
Contact:

Post by Sir Nigel »

This is an old issue. Just make sure you use the mslogon and you should be fine.
This space not for rent.
lenisham
40
40
Posts: 104
Joined: 2004-06-24 07:00

Re: VNC very insecure

Post by lenisham »

Mr Faber wrote:Is it possible to use SHA1 or an other secure hash instead of the old method because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new ultravnc password storing (with SHA1 or maybe SHA-256 :) ). If you activate the secure option the old values have to be removed.

CU
Mr Faber
As long as we're on the subject when will the file transfer require a password before allowing a connection and file transfers?
Post Reply