Discussion:
3 machine running VNC behind NAT router?
Michael Lande
2006-09-02 12:26:01 UTC
Permalink
I'll admit it. I'm a newbie. How do pick which machine to login to?

A friend help me get started with VNC on WinXP so I could provide
remote support for a client of mine. I wanted to be able to login to
the PC which is behind a cable modem and a DHCP router. All is well
on the first PC. My friend had me open up ports 5850 - 5950 on the
firewall which is a DLink router. We also found the current IP
address for the WinXP PC which I obtained from whatismyip.com. It is
a dynamic ip address from the cable company and it hasn't change yet
(6 weeks, same ip).
John Aldrich
2006-09-02 19:47:00 UTC
Permalink
On Saturday 02 September 2006 02:24 am, Michael Lande wrote:
[snip]
Kevin Smathers
2006-09-02 21:47:01 UTC
Permalink
That is a pretty dangerous configuration you have there. VNC transfers
passwords in the clear, so it is no more save as a WAN protocol than
'Telnet' or 'FTP', both of which are disfavored relative to more secure
tools like 'ssh'. Instead of opening up a whole block of addresses
like that I would open up just port 22 to some machine running an
ssh-daemon, then use the tunneling features of VNC to forward some local
port to the VNC service port of the machine I'm interested in. The rule
for VNC is that port 5900 is the same as ':0', 5901 is the same as ':1',
etc. Using 'putty' I forward L5910 to 192.168.1.2:5900, for example,
and that means that when I connect to 'localhost:10' it actually shows
me '192.168.1.2:0'.

SSH daemons available for windows include:

WinSSHd ($40/for personal use only)
Cygwin (freeware, requires familiarity with Unix)

Cheers,
-kls
Post by Michael Lande
I'll admit it. I'm a newbie. How do pick which machine to login to?
A friend help me get started with VNC on WinXP so I could provide
remote support for a client of mine. I wanted to be able to login to
the PC which is behind a cable modem and a DHCP router. All is well
on the first PC. My friend had me open up ports 5850 - 5950 on the
firewall which is a DLink router. We also found the current IP
address for the WinXP PC which I obtained from whatismyip.com. It is
a dynamic ip address from the cable company and it hasn't change yet
(6 weeks, same ip).
Scott C. Best
2006-09-04 00:17:01 UTC
Permalink
Kevin:

Heya. I felt compelled to reply, as your VNC password
information is very misleading.

Telnet and FTP actually *do* send passwords in the clear.
That is, if you actually captured packets in transit, you'd see
the password right there. However, VNC absolutely does not do this.
VNC uses challenge-response authentication, well decribed here:

http://en.wikipedia.org/wiki/Challenge-response_authentication

In VNC, I believe it works as follows: the server generates
a random value "N", and encrypts it using the saved VNC password.
When a VNC client connects, it receives this "encrypted challenge".
The Viewer then decrypts the value "N" using the password provided by
the user into the Viewer. It then performs a simple operation (eg,
calculates "N+1"), encrypts that and sends it back as the "response".
If the "response" is correct, the Server knows that the Viewer user
knows the correct password. And while enough information has gone
by in the wires for someone to *deduce* the password (ie, if a
malicious user knows the challenge string, the response string,
and the exact "simple operation" in the source), the password itself
cannot fairly be said to be "in the clear".

Otherwise...I agree with your assertion that leaving any
service open to direct connections from the Internet is asking
for trouble. I use EchoVNC to avoid this.

cheers,
Scott
Post by Kevin Smathers
That is a pretty dangerous configuration you have there. VNC transfers
passwords in the clear, so it is no more save as a WAN protocol than
'Telnet' or 'FTP'...
<snip>
Kevin Smathers
2006-09-05 09:57:00 UTC
Permalink
My error. Except for the password, every thing else is sent in the
clear, including any passwords you might type after your initial connection.
Post by Scott C. Best
Heya. I felt compelled to reply, as your VNC password
information is very misleading.
Telnet and FTP actually *do* send passwords in the clear.
That is, if you actually captured packets in transit, you'd see
the password right there. However, VNC absolutely does not do this.
http://en.wikipedia.org/wiki/Challenge-response_authentication
In VNC, I believe it works as follows: the server generates
a random value "N", and encrypts it using the saved VNC password.
When a VNC client connects, it receives this "encrypted challenge".
The Viewer then decrypts the value "N" using the password provided by
the user into the Viewer. It then performs a simple operation (eg,
calculates "N+1"), encrypts that and sends it back as the "response".
If the "response" is correct, the Server knows that the Viewer user
knows the correct password. And while enough information has gone
by in the wires for someone to *deduce* the password (ie, if a
malicious user knows the challenge string, the response string,
and the exact "simple operation" in the source), the password itself
cannot fairly be said to be "in the clear".
Otherwise...I agree with your assertion that leaving any
service open to direct connections from the Internet is asking
for trouble. I use EchoVNC to avoid this.
cheers,
Scott
Post by Kevin Smathers
That is a pretty dangerous configuration you have there. VNC transfers
passwords in the clear, so it is no more save as a WAN protocol than
'Telnet' or 'FTP'...
<snip>
_______________________________________________
VNC-List mailing list
http://www.realvnc.com/mailman/listinfo/vnc-list
Continue reading on narkive:
Loading...