Channel: Pax Pentest » Exploit

Metasploitable 2: Port 6000 – X11 Server


It’s worth noting at the outset of this post that I was unsuccessful in exploiting this X11 service, but will document my efforts nonetheless.

The Nmap scan of Metasploitable 2 revealed:

PORT STATE SERVICE VERSION
6000/tcp open X11 (access denied)

The Nessus scan on this port detailed the following:

Port 6000/tcp
10407 – X Server Detection

Synopsis
An X11 server is listening on the remote host

Description

The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client.

Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.

Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp).

So Nessus is only reporting that X11 traffic is unencrypted and could be sniffed by anyone on the network path; it says nothing about whether the server accepts unauthenticated clients. Metasploit's open_x11 scanner checks exactly that:

msf exploit(postgres_payload) > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > show options

Module options (auxiliary/scanner/x11/open_x11):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    6000             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(open_x11) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(open_x11) > exploit

[*] 192.168.1.103 Access Denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(open_x11) >

Metasploit is reporting "access denied": the server refused the unauthenticated connection setup, which means host-based access control (xhost) is enabled and the client presented no acceptable authorization data (typically a MIT-MAGIC-COOKIE-1).
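To make what the scanner did concrete, here is an added example (my own code, not from the post or from the Metasploit module) of the X11 connection setup exchange on TCP 6000: it builds the setup request a client sends, decodes the server's Failed/Success/Authenticate reply, and shows where a MIT-MAGIC-COOKIE-1 read from a .Xauthority file would go. The sample reply bytes and the sample .Xauthority entry are constructed for the demonstration, the reason string reuses the one the server returned above, and the 192.168.1.103 default simply mirrors the target used in this post.

```python
"""X11 connection-setup probe: what auxiliary/scanner/x11/open_x11 checks on the wire.

Added example; not part of the original post or the Metasploit module.
"""
import socket
import struct

X_FAILED, X_SUCCESS, X_AUTHENTICATE = 0, 1, 2


def _pad4(n: int) -> int:
    """Bytes of padding needed to round n up to a multiple of 4."""
    return (4 - (n % 4)) % 4


def build_setup_request(auth_name: bytes = b"", auth_data: bytes = b"") -> bytes:
    """Build the X11 connection setup request (little-endian, protocol 11.0).

    With empty auth fields this is the unauthenticated handshake an 'open X server'
    scanner sends; pass b"MIT-MAGIC-COOKIE-1" and the 16-byte cookie to authenticate.
    """
    header = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return (header
            + auth_name + b"\x00" * _pad4(len(auth_name))
            + auth_data + b"\x00" * _pad4(len(auth_data)))


def parse_setup_reply(data: bytes) -> dict:
    """Decode the server's setup reply; only status, version and reason are extracted."""
    if len(data) < 8:
        raise ValueError("short X11 setup reply")
    status = data[0]
    if status == X_FAILED:
        # Failed: 1 status, 1 reason length, major, minor, extra length (4-byte units), reason
        reason_len = data[1]
        major, minor, _extra = struct.unpack_from("<HHH", data, 2)
        reason = data[8:8 + reason_len].decode("latin-1", "replace")
        return {"status": "failed", "protocol": (major, minor), "reason": reason}
    if status == X_SUCCESS:
        # Success: 1 status, 1 unused, major, minor, then the (large) server description
        major, minor, _extra = struct.unpack_from("<HHH", data, 2)
        return {"status": "success", "protocol": (major, minor), "reason": ""}
    if status == X_AUTHENTICATE:
        # Authenticate: 1 status, 5 unused, extra length (4-byte units), reason string
        extra, = struct.unpack_from("<H", data, 6)
        reason = data[8:8 + extra * 4].rstrip(b"\x00").decode("latin-1", "replace")
        return {"status": "authenticate", "protocol": None, "reason": reason}
    raise ValueError(f"unknown X11 setup status {status}")


def build_xauthority_entry(family: int, address: bytes, number: bytes,
                           name: bytes, data: bytes) -> bytes:
    """Encode one .Xauthority record: big-endian family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def read_xauthority(blob: bytes) -> list:
    """Parse .Xauthority records (family, address, display number, auth name, auth data)."""
    entries, off = [], 0
    while off + 2 <= len(blob):
        family, = struct.unpack_from(">H", blob, off)
        off += 2
        fields = []
        for _ in range(4):
            n, = struct.unpack_from(">H", blob, off)
            off += 2
            fields.append(blob[off:off + n])
            off += n
        address, number, name, data = fields
        entries.append({"family": family, "address": address, "number": number,
                        "name": name, "data": data})
    return entries


def probe_x11(host: str, display: int = 0, auth_name: bytes = b"",
              auth_data: bytes = b"", timeout: float = 5.0) -> dict:
    """Connect to host:display (TCP 6000 + display), send the setup request, parse the reply."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
        s.sendall(build_setup_request(auth_name, auth_data))
        data = s.recv(4096)
    return parse_setup_reply(data)


# Constructed samples (not captured traffic): the refusal seen above, a success prefix,
# and an .Xauthority record for a local display with a dummy 16-byte cookie.
SAMPLE_FAILED_REPLY = (bytes([0, 45]) + struct.pack("<HHH", 11, 0, 12)
                       + b"Client is not authorized to connect to Server" + b"\x00" * 3)
SAMPLE_SUCCESS_REPLY = bytes([1, 0]) + struct.pack("<HHH", 11, 0, 0)
SAMPLE_XAUTHORITY = build_xauthority_entry(256, b"metasploitable", b"0",
                                           b"MIT-MAGIC-COOKIE-1", bytes(range(16)))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.103"
    print(probe_x11(target))
```

Run it as `python3 x11_probe.py 192.168.1.103`. A Failed reply whose reason is "Client is not authorized to connect to Server" is what the scanner above reports as "Access Denied"; a Success reply to the empty-auth request is an open server (xhost +). If you later obtain a shell on the target, the `data` field of the matching `MIT-MAGIC-COOKIE-1` record in that user's ~/.Xauthority is the cookie to pass as `auth_data`, which is the only route past this refusal short of a host being listed in the server's xhost access list.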

Everything I’ve read online relating to exploiting this service relies on open authentication, which in this instance does not appear to be the case.

Metasploit: The Penetration Tester's Guide advises using the xspy sniffing tool to capture keystrokes, as the X server handles the GUI including the mouse and keyboard; however, this again relies on unauthenticated access to the server, so as expected the technique failed:

# xspy 192.168.1.103
Client is not authorized to connect to Server
xspy: can't open display 192.168.1.103:0
blah....

# xspy -display 192.168.1.103 -delay 100 -up
xspy: can't open display -display:0
blah....

Note that an X display name has the form host:display (here 192.168.1.103:0); the second attempt, as its error message shows, never reached the server at all, while the first did reach it and was refused for the same reason as the Metasploit scan.

As I’m not sure how to progress this one, I admit defeat at this point.
