VNC Honeypot
Detect unauthorized access attempts targeting VNC remote desktop services.
About VNC
VNC (Virtual Network Computing) provides platform-independent remote desktop access commonly used for server management, KVM-over-IP, and remote support. VNC is frequently found on internal networks managing headless servers, industrial systems, and lab environments. Unlike RDP, VNC often uses shared passwords rather than per-user authentication.
What Gets Captured
When an attacker attempts to connect using your VNC honeypot credentials, Tripwires captures:
- Auth response - The DES-encrypted authentication response
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Client protocol version - The RFB protocol version negotiated
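The captured fields map onto the RFB handshake: the client announces its protocol version, then answers a 16-byte server challenge with a DES-encrypted response. The following is an added example, not Tripwires' own code, of the server side of that exchange as a listener could run it to record those fields; the function names, the choice to log the challenge alongside the response, and the caller-supplied peer address are assumptions.

```python
import os
import struct
from datetime import datetime, timezone

SERVER_VERSION = b"RFB 003.008\n"  # highest version this listener offers
SEC_VNC_AUTH = 2                    # RFB "VNC Authentication" security type


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer hangs up mid-handshake."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def capture_handshake(sock, peer_ip, challenge=None):
    """Run the server side of the RFB handshake; return the captured fields."""
    challenge = challenge or os.urandom(16)
    sock.sendall(SERVER_VERSION)
    raw = recv_exact(sock, 12)
    if not (raw.startswith(b"RFB ") and raw.endswith(b"\n")):
        raise ValueError("not an RFB client")
    version = raw[4:11].decode("ascii", "replace")
    if version == "003.003":
        # RFB 3.3: the server dictates the security type as a 32-bit value.
        sock.sendall(struct.pack(">I", SEC_VNC_AUTH))
    else:
        # RFB 3.7 and later: the server lists types and the client picks one.
        sock.sendall(bytes([1, SEC_VNC_AUTH]))
        if recv_exact(sock, 1)[0] != SEC_VNC_AUTH:
            raise ValueError("client chose a security type that was not offered")
    sock.sendall(challenge)
    response = recv_exact(sock, 16)      # challenge DES-encrypted by the client
    sock.sendall(struct.pack(">I", 1))   # SecurityResult: failed, never log in
    if version == "003.008":
        reason = b"Authentication failed"
        sock.sendall(struct.pack(">I", len(reason)) + reason)
    return {
        "source_ip": peer_ip,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "client_version": version,
        "challenge": challenge.hex(),
        "auth_response": response.hex(),
    }
```

The listener always answers with a failed SecurityResult, so a connecting client never reaches a desktop session; the returned record is what gets forwarded to alerting.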
Connection Formats
VNC credentials can be planted in various formats depending on your environment:
VNC Viewer
vncviewer vnc-xxx.gettripwires.com:5900
TightVNC
tvnviewer vnc-xxx.gettripwires.com::5900
Python (vncdotool)
from vncdotool import api
client = api.connect('vnc-xxx.gettripwires.com', password='password')
client.captureScreen('screenshot.png')
SSH Tunnel + VNC
ssh -L 5900:vnc-xxx.gettripwires.com:5900 jumphost
vncviewer localhost:5900
Strategic Placement Ideas
Server KVM Access
Leave as 'IPMI/KVM console' access info in server management docs.
Lab Environment Docs
Add as 'test lab remote access' in development environment documentation.
Helpdesk Knowledge Base
Include as 'remote support tool' connection details in helpdesk guides.