Just wondering, when I type in my password from the remote client, is it encrypted before it is sent to the server?
Thanks,
-PJ
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Is server password encrypted?
Re: Is server password encrypted?
pjme7154 wrote:
> Just wondering, when I type in my password from the remote client, is it encrypted before it is sent to the server?
> Thanks,
> -PJ
It is encrypted, but it is trivial to break the encryption. If I remember correctly Ettercap breaks it on the fly.
OldNick wrote:
> I would also be interested to know this. At present, I use a private phone line, but am looking at using the Net.
> Also, how secure is the password _on_ the Server machine? If somebody connects, networking, can they read / alter the VNC password on that machine at all?
> Thanks for any advice
It is stored encrypted, but default settings allow it to be changed. I know some of the later versions of 19 have some security around this at least for the service password, but I don't know the details.
The password is never sent over the connection.
- The server generates a random challenge (like "µ%l!§£@^bhg45")
- It encrypts this challenge (3DES) using the entered VNC password
- The server sends the UNencrypted challenge to the viewer
- The viewer encrypts the received challenge (3DES) using the entered VNC password
- The viewer sends its encrypted challenge back to the server
- The server checks if both encrypted challenges match. If yes, the connection is allowed.
But the DES used is weak anyway. Can be cracked using brute force:
- Always use 8-char VNC passwords
- Use an encryption DSMPlugin, this way everything is additionally strongly encrypted, even connection handshaking.
UltraSam
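Added example (not part of the thread and not UltraVNC's own code): a sketch of how the password becomes the DES key in the handshake above, assuming the classic RFB "VNC Authentication" scheme of RFC 6143, to show why only 8 characters count. The function names, the latin-1 encoding, the 95-symbol alphabet and the sample passwords are assumptions made for illustration.

```python
# Added example: VNC password -> DES key under classic RFB "VNC
# Authentication" (RFC 6143, section 7.2.2). Sample passwords are constructed.
import math


def vnc_des_key(password: str) -> bytes:
    """Return the 8-byte DES key derived from a VNC password.

    The password is truncated or NUL-padded to 8 bytes, and each byte is
    bit-reversed before use as the key (a long-standing VNC quirk).
    latin-1 encoding is an assumption of this sketch.
    """
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def effective_key(password: str) -> bytes:
    """Key with DES parity bits cleared. DES ignores the low bit of each key
    byte, which after bit reversal is the HIGH bit of each password byte."""
    return bytes(b & 0xFE for b in vnc_des_key(password))


def same_secret(a: str, b: str) -> bool:
    """True when the server cannot tell the two passwords apart."""
    return effective_key(a) == effective_key(b)


def audit(password: str, alphabet_size: int = 95) -> dict:
    """Report how much of a password actually protects the handshake.
    alphabet_size=95 (printable ASCII) is an assumption for the estimate;
    the result is capped at the 56 effective bits of a DES key."""
    n = len(password.encode("latin-1"))
    used = min(n, 8)
    bits = min(used * math.log2(alphabet_size), 56.0)
    return {
        "chars_used": used,
        "chars_ignored": max(n - 8, 0),
        "search_space_bits": round(bits, 1),
    }


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3-extra", "Tr0ub4do", "abc"]:
        print(f"{pw!r:22} key={vnc_des_key(pw).hex()} {audit(pw)}")
    print("long == truncated:", same_secret("Tr0ub4dor&3-extra", "Tr0ub4do"))
```

Because the ceiling is fixed by the protocol, a longer password cannot raise it; wrapping the whole session in an encryption DSMPlugin, as recommended above, is what protects the handshake.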