MOON
Server: Apache
System: Linux 54-179-220-51.cprapid.com 3.10.0-1160.144.1.el7.tuxcare.els4.x86_64 #1 SMP Tue Apr 7 08:40:40 UTC 2026 x86_64
User: thehunarfound (1001)
PHP: 7.4.29
Disabled: NONE
$ pwd: /usr/share/nmap/scripts/
Upload Files
File: //usr/share/nmap/scripts/realvnc-auth-bypass.nse
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Checks if a VNC server is vulnerable to the RealVNC authentication bypass
(CVE-2006-2369).
]]
author = "Brandon Enright"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

---
-- @output
-- PORT     STATE SERVICE VERSION
-- 5900/tcp open  vnc     VNC (protocol 3.8)
-- |_realvnc-auth-bypass: Vulnerable

categories = {"auth", "default", "safe"}


portrule = shortport.port_or_service(5900, "vnc")

action = function(host, port)
	local socket = nmap.new_socket()
	local result
	local status = true

	socket:connect(host, port)
	
	status, result = socket:receive_lines(1)

	if (not status) then
		socket:close()
		return
	end

	socket:send("RFB 003.008\n")
	status, result = socket:receive_bytes(2)

	if (not status or result ~= "\001\002") then
		socket:close()
		return
	end

	socket:send("\001")
	status, result = socket:receive_bytes(4)

	if (not status or result ~= "\000\000\000\000") then
		socket:close()
		return
	end

	socket:close()

	return "Vulnerable"
end
@ Telegram