This is not a groundbreaking 0-day exploit, nor is it intense new research. I recently needed to do something that I had done a long time ago, and not very often. I knew the theory, and it seemed straightforward: I needed to take advantage of an open X11 server during an engagement and realized, while it seemed trivial, I didn’t really remember what to do. It took me a bit of Google-fu to find the tools and instructions to get me where I needed to be. Since I use this blog as my running notepad I’ll put it here for posterity’s sake, and maybe it’ll help someone out in the future who’s searching for answers just like I was.
Now onto the tools you’ll need. Grab xspy (or use the copy in your BackTrack VM at /pentest/sniffers/xspy) and xwatchwin. I found xwatchwin here.
You also need to install xutils-dev (because you’ll need to run xwininfo). On Ubuntu I used
apt-get install xutils-dev
We need to discover the window ID to pass to xwatchwin. For this I use xwininfo against the remote display:
xwininfo -root -display remote-IP:0
If you receive output similar to what’s shown below, take note of the Window ID.
To begin capturing keystrokes, issue this command (optionally redirect to a log file, as shown, if you want to keep a record):
./xspy -display remote_ip:0 >> keys-log.txt
Below is an example of running this command and viewing the live keystrokes from another machine (would be cooler if I put up a vid, eh?).
Notice you get all of the keys, even the up arrow, backspace and Ctrl+C.
To begin spying on the active desktop, issue this command:
./xwatchwin remote-ip:0 -w window-id
In the earlier output from xwininfo we saw that the window ID was 0xb6 (click picture for better view).
The xwatchwin command, if successful, will launch a window that displays the remote user’s desktop (or whatever is on their X11 session) for your viewing delight.
If you’re out there and happen across an open X11 server listening, that is a BIG deal. You can grab all of the keystrokes of the logged-on user (ALL of them, including passwords typed blind into SSH, etc.). You can also remotely spy on the current X session. Not as exciting if it’s a server and no one’s logged in, but still brutal in my opinion. If you run your organization’s vulnerability scans and you find open and unauthenticated X11 servers, you need to remedy those findings with a quickness.
You can mitigate this threat by using the old-school xhost method, a host-based firewall, or not allowing gdm, lightdm (or whatever display manager you use) to listen on TCP. This threat is bad enough on a well-protected internal server behind layers of firewalls that is normally managed via SSH; imagine if this were open on a laptop that someone took to an internet cafe or the airport. Anyone with a little know-how could watch and log every move and keystroke they made!
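For the defender side of this (the scan finding and the mitigations above), here is a small POSIX shell audit script. It is an added example, not code from the original post or from any of the tools mentioned. It parses ss -ltn output for X server sockets in the 6000-6063 range, reads the first line of xhost output to see whether access control is switched off, and prints the display-manager settings that stop the server from listening on TCP at all. The function names are my own; the gdm DisallowTCP key, the lightdm xserver-allow-tcp key and the Xorg -nolisten tcp flag are real settings, and the sample ss and xhost lines at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added X11 exposure audit (not part of the original post). It checks the two
# things that make an X session remotely readable: the X server listening on
# TCP (one port per display, 6000 + display number) and xhost access control
# being disabled. Live runs assume `ss` (iproute2) and `xhost` are installed.

# x11_tcp_listeners: reads `ss -ltn` output on stdin and prints one line per
# X11 display reachable over TCP. The ss header line is skipped because its
# 4th column ("Local") is not a port number.
x11_tcp_listeners() {
    while read -r line; do
        # 4th column is "Local Address:Port"; keep what follows the last colon
        port=$(printf '%s\n' "$line" | awk '{print $4}' | sed 's/.*://')
        case "$port" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$port" -ge 6000 ] && [ "$port" -le 6063 ]; then
            printf 'X11 display :%s reachable over TCP: %s\n' "$((port - 6000))" "$line"
        fi
    done
}

# xhost_access_control: reads `xhost` output on stdin and prints "enabled" or
# "disabled" from its first line. "disabled" is what `xhost +` leaves behind:
# any host that can reach the port may connect. `xhost -` turns control back on.
xhost_access_control() {
    read -r first || { echo unknown; return 1; }
    case "$first" in
        "access control enabled"*)  echo enabled ;;
        "access control disabled"*) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# remediation: the display-manager settings that keep the X server off TCP
# entirely, which is the fix to prefer over xhost rules.
remediation() {
cat <<'EOF'
gdm:     in /etc/gdm/custom.conf, under [security], set DisallowTCP=true
lightdm: in /etc/lightdm/lightdm.conf, under [Seat:*], set xserver-allow-tcp=false
xorg:    start the server with -nolisten tcp (the default on current Xorg)
xhost:   run `xhost -` so that only authorized clients can connect
EOF
}

# audit_live: runs both checks against this machine (call it by hand).
audit_live() {
    ss -ltn | x11_tcp_listeners
    if [ -n "$DISPLAY" ]; then
        printf 'xhost access control: %s\n' "$(xhost 2>/dev/null | xhost_access_control)"
    fi
}

# --- constructed sample run, so the script demonstrates itself offline ---
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6001          [::]:*'
SAMPLE_XHOST='access control disabled, clients can connect from any host'

printf '%s\n' "$SAMPLE_SS" | x11_tcp_listeners
printf 'xhost access control: %s\n' "$(printf '%s\n' "$SAMPLE_XHOST" | xhost_access_control)"
remediation
```

On a real host run audit_live from an X session; any "reachable over TCP" line or a "disabled" xhost result is the same finding the scanner flags, and the remediation lines are where to fix it. The port check alone is enough to confirm a scan hit without ever connecting to the display.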