Tag Archives: keylogger

More X11 Hacking with xspy and xwatchwin

I’ve posted about open X11 servers before, including keylogging and grabbing an image of the desktop.  Today I just want to add a couple other tools to the toolbelt.  To learn more about X11, see the other posts as they describe it in better detail.

Setup Your Testbed

Today I’ll be using Ubuntu 14.04.1 LTS version.  The setup is almost the same as before with Ubuntu 12.04, except the config file has moved for some reason.  If you look in the /etc/lightdm/ folder, there no longer exists any lightdm.conf file.  There is only a users.conf file.  I tried just creating a lightdm.conf file, but that totally crashed my system and I had to refresh to my previous snapshot.  Do not do this.

The config files have moved to the /usr/share/lightdm/lightdm.conf.d/ folder.  Add the xserver-allow-tcp=true line to the end of the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, restart lightdm with “sudo restart lightdm”, and you should be good to go.  Don’t forget to run “xhost +” to allow anyone to connect, just light the previous X11 post describes.

If you want to run xhost  + by default, add the following:


Then your xhost.sh script can look like this:

xhost +

If you want to make it work on a different OS, here is a post that shows how to enable X11 on a couple versions of Linux.


How do you find a vulnerable host?

This section is the same as the last X11 post.

How do you attack that host?

Double check to make sure the previous attacks work (such as grabbing a screen shot).

First we’ll use the xspy tool.  This is actually already built into Kali, and seems to work better than the xkey tool that was described before.  Simply type xkey and then the IP address:


There appears to have been a different version in Backtrack or Kali at a different time where you had to specify options such as “xspy -display”, but on my machine, all that just confused xspy.  If your X11 server is on a port other than 6000 (like 6001 or something), you may have to download and compile a different version.  Just do a search – they’re everywhere.


The other tool is xwatchwin.  You’ll have to download this one.  I found it here.  Follow the README to compile (just type xmkmf && make) and you’re good to go.

In order to use the tool, first you need to find the ID of the window using xwininfo:

$ xwininfo -root -display serverip:number


On my system, the window ID is 0x165.  So next (on the native Kali desktop, not a SSH terminal window), type:

$ ./xwatchwin serverip:number -w 0x165

A xwatchwin window will pop up, showing a (very delayed) constant view of the desktop.  This will pretty much be like a View Only version of VNC.

That’s all for now, happy hacking!

X11 Keylogger

To understand X11 and some other ways to attack it, see the first X11 post.

There are a few additional things you can do with open X11 ports, but they don’t seem to work on a Ubuntu system.  Therefore I am setting up a CentOS 6.4 machine for this next test.

Setup Your Testbed

Run the default install of CentOS.  I used the LiveCD and ran the installer from there.

Once CentOS is installed, make sure you either disable the firewall or add in the appropriate ports.  Otherwise you’ll spend a long time troubleshooting why those ports don’t appear to be open over the network.  You can do this either from the GUI (System -> Administrator -> Firewall), or the GUI (/etc/init.d/iptables stop)

Allowing direct TCP connection to X11 is done by editing the /etc/gdm/gdm.schemas file.  There is an option called security/DisallowTCP that needs to be changed from true to false.



After this, restart your X server (or the entire system) and you should have port 6000 open.  If not, check the firewall again (iptables -L should either be empty, or have a rule for dst port 6000 BEFORE any deny all rule).

Also, remember to follow the same procedure as listed in the last X11 post.  xhost + must be added so that anyone can connect.


How do you find a vulnerable host?

This section is the same as the last X11 post.

How do you attack that host?

Double check to make sure the previous attacks work (such as grabbing a screen shot).

The first thing we are going to do is setup a keylogger over X11.  Download the xkey.c file from here.  Then compile it just as it mentions in the instructions:

root@kali:~# gcc -o xkey xkey.c -lX11 -lm
xkey.c: In function `main`:
xkey.c:81:6: warning: incompatible implicit declaration of built-in function `exit` [enabled by default]

There will be some warnings as shown above, but no errors – the program compiles just fine.  Then you just simply need to run the program in the form ./xkey <ip address>:<x11 number>.  So run the following:

# ./xkey

Then start typing on your CentOS box.  The key presses will pop up.

keyloggingNote: I really don’t know why everything is doubled up, but the point is, keystrokes are being logged.

By the way, I’ve also been playing with some older tools that are supposed to be able to push commands over X11 (like what we were doing with xdotool). They are called xpusher.c and xtester.c.  I haven’t gotten them to work yet though – if anyone else has, please comment.