VNC Traffic Hunt

Overview

Hunt for VNC (Virtual Network Computing) traffic in network flow data that may indicate unauthorized remote access.

VNC Port Reference

| Port | Protocol | Description |
|------|----------|-------------|
| 5900 | TCP | VNC display :0 (most common) |
| 5901-5910 | TCP | VNC displays :1 through :10 |
| 5800 | TCP | VNC HTTP/Java viewer |
| 5500 | TCP | VNC reverse connection (the viewer listens; the server connects out to it) |

VNC from Flows

SELECT
    sourceip AS "Source",
    destinationip AS "Destination",
    destinationport AS "Port",
    SUM(flowbytes) AS "Total Bytes",
    COUNT(*) AS "Connections"
FROM flows
WHERE destinationport BETWEEN 5900 AND 5910
   OR destinationport = 5800
GROUP BY sourceip, destinationip, destinationport
ORDER BY "Connections" DESC
LIMIT 100
LAST 7 DAYS

VNC from External (Security Risk)

This query treats any source address outside the RFC 1918 private ranges as external. Add the organization's own public address space to the exclusions to avoid counting legitimate remote sites as external attackers.

SELECT
    sourceip AS "External Source",
    destinationip AS "Internal Target",
    destinationport AS "Port",
    COUNT(*) AS "Attempts"
FROM flows
WHERE (destinationport BETWEEN 5900 AND 5910 OR destinationport = 5800)
  AND NOT INCIDR('10.0.0.0/8', sourceip)
  AND NOT INCIDR('172.16.0.0/12', sourceip)
  AND NOT INCIDR('192.168.0.0/16', sourceip)
GROUP BY sourceip, destinationip, destinationport
ORDER BY "Attempts" DESC
LIMIT 100
LAST 30 DAYS
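The same two hunts, expressed as offline Python so the grouping and the RFC 1918 exclusion can be checked against a handful of constructed flow records. This is an added example and not part of the original page: the flow records, field names and the reverse-connection check (port 5500 from an internal host to an external one, which neither query above covers) are assumptions made here to mirror the queries, not QRadar's own API.

```python
import ipaddress
from collections import defaultdict

# Ports from the reference table: display :0 through :10 plus the HTTP/Java viewer.
VNC_PORTS = set(range(5900, 5911)) | {5800}
# Reverse VNC: the viewer listens on 5500 and the server connects out to it.
VNC_REVERSE_PORT = 5500

# Same three ranges as the INCIDR() exclusions in the "VNC from External" query.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real data); field names mirror the AQL columns used above.
SAMPLE_FLOWS = [
    {"sourceip": "10.1.2.3",     "destinationip": "10.1.2.50",     "destinationport": 5900, "flowbytes": 1200},
    {"sourceip": "10.1.2.3",     "destinationip": "10.1.2.50",     "destinationport": 5900, "flowbytes": 1200},
    {"sourceip": "203.0.113.7",  "destinationip": "10.1.2.50",     "destinationport": 5900, "flowbytes": 800},
    {"sourceip": "203.0.113.7",  "destinationip": "10.1.2.51",     "destinationport": 5901, "flowbytes": 50},
    {"sourceip": "192.168.5.5",  "destinationip": "10.1.2.50",     "destinationport": 5800, "flowbytes": 3000},
    {"sourceip": "10.1.2.9",     "destinationip": "198.51.100.20", "destinationport": 5500, "flowbytes": 900},
    {"sourceip": "10.1.2.3",     "destinationip": "10.1.2.50",     "destinationport": 443,  "flowbytes": 5000},
]


def is_private(ip):
    """True if ip falls in any RFC 1918 range (the NOT INCIDR(...) conditions inverted)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def summarize_vnc(flows):
    """Equivalent of "VNC from Flows": group VNC-port flows by (src, dst, port),
    sum bytes and count flows, most connections first.
    Returns a list of (sourceip, destinationip, destinationport, total_bytes, connections)."""
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["destinationport"] in VNC_PORTS:
            key = (f["sourceip"], f["destinationip"], f["destinationport"])
            agg[key][0] += f["flowbytes"]
            agg[key][1] += 1
    rows = [(*key, total, count) for key, (total, count) in agg.items()]
    return sorted(rows, key=lambda r: r[4], reverse=True)


def external_vnc(flows):
    """Equivalent of "VNC from External": VNC-port flows whose source is not RFC 1918,
    counted per (src, dst, port), most attempts first.
    Returns a list of (sourceip, destinationip, destinationport, attempts)."""
    attempts = defaultdict(int)
    for f in flows:
        if f["destinationport"] in VNC_PORTS and not is_private(f["sourceip"]):
            attempts[(f["sourceip"], f["destinationip"], f["destinationport"])] += 1
    rows = [(*key, n) for key, n in attempts.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def reverse_vnc(flows):
    """Extension beyond the two queries: an internal host connecting out to port 5500
    on an external address is the shape of a reverse VNC session leaving the network.
    Returns a list of (sourceip, destinationip, destinationport)."""
    return [
        (f["sourceip"], f["destinationip"], f["destinationport"])
        for f in flows
        if f["destinationport"] == VNC_REVERSE_PORT
        and is_private(f["sourceip"])
        and not is_private(f["destinationip"])
    ]


if __name__ == "__main__":
    for row in summarize_vnc(SAMPLE_FLOWS):
        print("vnc      ", row)
    for row in external_vnc(SAMPLE_FLOWS):
        print("external ", row)
    for row in reverse_vnc(SAMPLE_FLOWS):
        print("reverse  ", row)
```

The port-5500 flow is deliberately absent from the first two result sets, exactly as it would be in the queries above, which is why the reverse-connection check is worth running alongside them.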