VNC software consists of two programs, the server and the viewer. The viewer is used to connect to and remotely control the VNC server, while the server simply listens for incoming connections from the viewer. The VNC server acts like many online services (such as WWW on port 80, FTP on port 21, etc.) in that it requires a port to be opened for the viewer to connect, unless you are using the reverse-connection method. The VNC server uses port 5900 by default, and this can easily be changed in the VNC server options to provide extra security so that it won’t be instantly recognized as a VNC server service running on that computer. Most port scanners check for an open port on a machine and assume that it is running the service associated with that port number according to the RFC Internet standards.
Today we’re looking into scanning for VNC servers with more accuracy than just checking whether port 5900 is open.
After testing a few scanners that claim to detect VNC servers, we found two scanners that are able to locate a VNC server and accurately detect whether one is running on the computer.
1. VNC Neighborhood.
VNC Neighborhood is able to locate VNC servers and also provides an easy way to launch the viewer and connect to the servers. Although VNC Neighborhood was last updated 6 years ago, it worked perfectly on Windows 7 32-bit. We previously mentioned that most port scanners assume that a service is running based on the port number, but VNC Neighborhood seems to have signature detection that lets it determine whether the open port is being used by a VNC server.
As a test, we opened port 5900 using a program called Local TCP Port Opener to simulate the VNC service. VNC Neighborhood did not find anything even though port 5900 was opened by Local TCP Port Opener. Next, we tried running 3 different VNC servers (RealVNC, TightVNC and UltraVNC) and amazingly VNC Neighborhood detected all 3 servers.
VNC Neighborhood can be a bit tricky to use because there is no scan button on the program’s interface. In fact, it is very easy to start a scan. VNC Neighborhood will automatically detect your network and all you need to do is double click on the WORKGROUP, or right click and select Refresh domain, in the available servers box. At the Scanner tab, you can configure whether to scan only the default VNC port, a beep notification when scanning finishes, threaded scanning and maximum connections. If you uncheck “Use default VNC server port”, you will need to manually add the port numbers that you want to scan at the Ports tab. To easily connect to the detected VNC servers, you will need to specify the Viewer path and also the password before you can connect to the servers by double clicking on the computer name displayed in the list.
VNC Neighborhood is free and scans very fast, but it has limitations: it can only scan your local network and you cannot check a port range.
2. Scan4VNC.
Scan4VNC is another very old tool that is still capable of detecting VNC servers. It is actually a Windows Scripting Host script and requires the provided kvbWinsockLib.Dll file to be registered with regsvr32.exe in Windows. To register the kvbWinsockLib.Dll file, double click on it and click the Browse button in the Open with window. Browse to C:\Windows\System32\, select regsvr32.exe and click Open. Click the OK button and you will get the message “DllRegisterServer in …. succeeded”. Now double click on scan4vnc.wsf to run Scan4VNC.
Scan4VNC is more flexible: you can scan the whole subnet by providing the IP and port range. Once you’ve entered all the required information, click the Scan Now button to start scanning. Pay attention to the scan results because their meaning is not obvious. A result of 0 means that the port is open, timeout means that the port is closed, and the most important result is 7, which means a VNC server is running on that port.
Scan4VNC is free and was successfully tested on Windows 7 32-bit.
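The difference between "port is open" and "a VNC server is running", which both tools report, can be reproduced when auditing your own hosts by reading the RFB ProtocolVersion banner that a VNC server sends first. The following is an added example, not code from either tool; how VNC Neighborhood and Scan4VNC detect servers internally is not stated here, and the function names, verdict strings and sample address are assumptions.

```python
import re
import socket

# RFB ProtocolVersion handshake (RFC 6143, section 7.1.1): the server speaks
# first with exactly 12 bytes of the form b"RFB xxx.yyy\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_rfb_banner(data):
    """Return (major, minor) if data is exactly one RFB banner, else None."""
    m = RFB_BANNER.fullmatch(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(banner):
    """Turn the first bytes read from a port (None = connect failed) into a verdict."""
    if banner is None:
        return "closed-or-filtered"
    version = parse_rfb_banner(banner)
    if version is None:
        return "open-not-vnc"  # e.g. a bare listener such as a port opener
    return "vnc-rfb-%d.%d" % version


def read_banner(host, port, timeout=3.0):
    """Connect and read up to 12 bytes; None if the connect fails, b"" if silent."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    data = b""
    with sock:
        try:
            while len(data) < 12:
                chunk = sock.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # timeout or reset: the port was open but sent no full banner
    return data


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in (b"RFB 003.008\n", b"SSH-2.0-Open", b"", None):
        print(repr(sample), "->", classify(sample))
    # Live check against a host you administer (placeholder address):
    # print(classify(read_banner("192.0.2.10", 5900)))
```

Because the check keys on the banner rather than the port number, it also identifies a VNC server that has been moved off port 5900.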