VNC sends credentials in clear text over the wire much like FTP, or telnet, and some other basic protocols. We can create a secure shell tunnel to bind a local port to a remote port. In this case we will be binding
5901 locally with 5901 on our remote host. The VNC port number will change based on the screen so to speak, so it is possible to run more than one vnc session/screen, just use the corresponding port. To start another VNC server, just repeat the vncserver command.
Server side setup:
You'll need sshd and vnc started.
Create a password if you haven't already as ssh will not work without one. This should only apply to the LiveDVD.
I like to add ssh into the startup as I am running a hard drive install.
generate your keys if you have not already, then start your ssh daemon
root@bt:~# update-rc.d ssh defaults
set your vnc password and start your VNC server.
root@bt:~# /etc/init.d/ssh start
Viewer side steps:
Next, on the machine you will be viewing with, create a tunnel from your localhost port to remote host port and VNC in through the tunnel, The tunnel protects your credentials and session.
FYI the command with OpenSSH for windows is the same if you are wanting to view from a windows machine.
root@bt:~# ssh -L 5901:127.0.0.1:5901 firstname.lastname@example.org
Now that you've got your tunnel created you will need to connect to VNC locally through said tunnel.
To VNC into your backtrack machine locally I like to use;(laptop in scenario below. Could even be a windows machine)
Then start whatever you need.
Now here is where this might be useful.
Say for instance you have a backtrack laptop and a very powerful backtrack/server desktop running back in the office capable of using CUDA/pyrit, something that will take awhile. You've collected a WPA 4-way handshake for your current given pentest with your laptop. You create your ssh tunnel, you upload the handshake, start your VNC server on your CUDA/pyrit server, VNC in, start your pyrit crack in the 5901 VNC session on your cracking server, and go get some lunch. You can power down your laptop if you like, eat your sushi, power back on, tunnel up again, then go back to your VNC session to check your progess as everything in the VNC session on the cracking server will continue to run unless you stop said process or you killed your VNC server for that particular screen. Even if you have closed your SSH tunnel! A nice advantage of this is for over the internet connections is you would only need to forward your SSH port and not VNC.
EDIT: I've recorded a short video of establishing the connection once everything is set up. This is to demonstrate that your processes continue to run, and also to help fully illustrate what we are doing here to people struggling with the concept.
VNC through SSH tunnel Video
Pay attention to which hostnames certain commands are run on