Pokemon Server Archive
PvP Server => Server Talk => Topic started by: 1cec0ld on April 15, 2012, 11:14:07 pm
-
Watch JeremyJr.
(https://www.pokemonserver.net/forum/proxy.php?request=http%3A%2F%2Fi259.photobucket.com%2Falbums%2Fhh305%2Fjeretry%2F2012-04-15_194152.png&hash=f19c8f7b4da7e24bb4b439578f6aa62b)
(https://www.pokemonserver.net/forum/proxy.php?request=http%3A%2F%2Fi259.photobucket.com%2Falbums%2Fhh305%2Fjeretry%2F2012-04-15_194200.png&hash=bbffefb44d2913c7a12b29cd1fae936b)
(https://www.pokemonserver.net/forum/proxy.php?request=http%3A%2F%2Fi259.photobucket.com%2Falbums%2Fhh305%2Fjeretry%2F2012-04-15_194206.png&hash=69d08e8e3ad41a5718b20eee5aef8453)
Minecraft's authentication protocol is completely broken. I'll try to give a simple explanation:
When a server is in online-mode=true, it will force players that try to connect to solve a little challenge to prove that they own the username that they want to use on the server. That challenge is:
Server: "Dear user, take this random number and upload it under your username to the minecraft.net servers. If you can do that, then you clearly are the owner of that username and I'll let you log in."
What the attacker does:
At the same time that you start to connect to the attacker's Minecraft server (A), he will start to connect with your username to another server (B). Now (B) will give the attacker the above challenge, which the attacker can't solve (he can't upload stuff to minecraft.net in your name). But the attacker is clever and just forwards the challenge to you, behaving as if it is the challenge of his own server (A). You will be able to solve it and happily upload the random number to minecraft.net, thinking it grants you access to (A), while in fact it grants the attacker access to (B).
This scheme is not identifiable by the user! All you will see is a normal Minecraft server in online-mode=true that gives you a normal challenge that you normally solve.
This scheme is not identifiable by the attacked server! All that server sees is a user (the attacker) normally trying to log in with a specific username. The server challenges that user as usual, and the user is able to normally solve the challenge. Therefore it is normally accepted onto the server.
Minecraft's authentication scheme is therefore completely broken and can't be trusted. I heavily recommend running xAuth or a similar plugin to protect your users from this form of takeover, and especially your ADMIN AND MODERATOR ACCOUNTS.
xAuth is outdated as far as I can see, but be aware anyways.
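The relay described in the post above, modelled in memory as an added example that is not part of the original thread and not Mojang's code. The names `SessionService`, `GameServer`, `a.example` and `b.example` are hypothetical, and binding the uploaded value to the server the client dialed is shown as one general mitigation, not as the fix that was actually shipped.

```python
import hashlib
import secrets


class SessionService:
    """Constructed stand-in for the central account service (not its real API)."""

    def __init__(self):
        self.joined = set()

    def join(self, username, token):
        # Only the real owner of `username` is able to make this call.
        self.joined.add((username, token))

    def has_joined(self, username, token):
        return (username, token) in self.joined


def token_for(challenge, server_addr, bound):
    """Value the client uploads; if bound, it commits to the server it dialed."""
    if not bound:
        return challenge  # scheme as described in the post: bare random number
    return hashlib.sha256(f"{challenge}|{server_addr}".encode()).hexdigest()


class GameServer:
    def __init__(self, addr, service, bound):
        self.addr, self.service, self.bound = addr, service, bound

    def new_challenge(self):
        return secrets.token_hex(8)

    def verify(self, username, challenge):
        expected = token_for(challenge, self.addr, self.bound)
        return self.service.has_joined(username, expected)


def login(dialed_addr, bound):
    """Owner of 'victim' dials `dialed_addr`; server B issued the challenge.

    Returns True if server B would accept a login as 'victim'.
    """
    service = SessionService()
    server_b = GameServer("b.example", service, bound)
    challenge = server_b.new_challenge()
    # The client answers whatever challenge it is shown, for the server it dialed.
    service.join("victim", token_for(challenge, dialed_addr, bound))
    return server_b.verify("victim", challenge)
```

With the bare challenge, server B accepts the login even though the account owner dialed `a.example`; with the bound value, B accepts only when the owner dialed `b.example` itself.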
-
Wow, anyone can be a hacker. I'll keep my eye out for them, and report if I find anything.
-
The moral is simply to trust a server before you join it. It's that simple.
Further digging showed JeremyJr2 on a list of banned TeamAvo Members.
-
I did not understand a thing...
-
I understood it. And I will also look out for any more of these people until xAuth is updated.
-
The moral is simply to trust a server before you join it. It's that simple.
Further digging showed JeremyJr2 on a list of banned TeamAvo Members.
He's from TeamAvO?
Oh damn, good you banned him while you did.
-
I did not understand a thing...
/me Hey you're an op here? Join my server pl0x?
/you ok. :yippee:
/me (now I'm going to log in here with your name so I can hack :evil: )
/me I need your random number so mc.net thinks it's you. But you're logging in to my server so now I know what it is. *sent*
/server access granted, you are now op because you're pretending to be another person.*
/server sux to be that guy on your server being impersonated now :rotf: :haha: :rotf: :haha: :rotf: *
-
Good you banned him. But I have no idea what that team is that you are talking about, can someone explain it to me?
-
Pretty much, if you join a server, they can join as you on a different server at the same time you login to theirs.
-
So they are some famous hacker huh? We have to watch out! But 1ce how did you know he tried to hack, maybe he really had that problem?
-
"People that are ops or owners on other servers" Other servers have no effect on a single server.
-
That makes more sense.
-
I still don't understand how they can log in as you on another server without your password..
-
But 1ce how did you know he tried to hack, maybe he really had that problem?
Further digging showed JeremyJr2 on a list of banned TeamAvo Members.
I always confirm my bans if it's under a simple suspicion.
-
I'm still confused, although I have no doubt you did the right thing.
-
WOW. That really opened my eyes! I'm also surprised an AVO tried to attack the server.
-
Okay, let me try to explain this if I'm correct. The hacker asks me to join their server. As I join, my account AUTOMATICALLY does some check to make sure my account is legit. The server asks my account for a number, and my account automatically responds with the number. The hacker intercepts the number so he gets it instead of the server. Now the hacker has my unique number, and when he sends THAT number to a server, the server will think "OH! You're number 1123! That's Paradox's number!" and log him as me.
-
That's the basis of it. However, how does one get the number? It also seems if it doesn't sign into your account, but the permissions, right?
-
It signs in as YOU. Your name, Your IGN, and therefore all plugins see you as you, including bukkit and ops.txt
And I'm not a hacker so I have no idea how they intercept the security randomNumber.
-
They can basically use a plugin type program on their server to intercept this number as it goes through their server. It could be very complex or simple but either way it is doable. Hackers nowadays have managed much more complicated and dangerous feats so this surprises me none. Given time Minecraft will be updated to fix this issue.
-
It signs in as YOU. Your name, Your IGN, and therefore all plugins see you as you, including bukkit and ops.txt
And I'm not a hacker so I have no idea how they intercept the security randomNumber.
I'd guess that Minecraft uses hash functions and the such. I recently learned about it in my programming course, it's pretty complicated.
-
Listen here hackerz, your days of evil are over, prepare to meet the light! :D
-
Listen here hackerz, your days of evil are over, prepare to meet the light! :D
NOOOOO! Also I have one of those, just would never use it on the pokemonserver.
-
I have tons of hack clients at my disposal, use that shit... well.... never actually.
-
Did not realise the potency of this kind of attack until just now. Literally fifteen minutes ago, I banned a guy just after I was fooled :doh:
Don't remember his name, but it's a good thing the owner was on at the same time. Good thing I knew what had happened..
-
Problem: OP People joining servers that aren't the pokemon server.
Solution: Burn them at the stake for such blasphemous actions.
-
Problem: OP People joining servers that aren't the pokemon server.
Solution: Burn them at the stake for such blasphemous actions.
or just simply permaban them instead
-
What if the rest of team avo comes to grief?
-
Their problem :P
-
What if the rest of team avo comes to grief?
I have a friend who has a friend of a guy in avo
-
Tell us his IGN so we can ban him <3
-
In this situation, you could do what my friend does and partake in offensive security. Which may or may not involve DDoSing.
It's funny. But wrong. DDoSing is bad.
Hear that kids? Don't be a prick. Don't DDoS.
This has been a Public Service Announcement brought to you by the CalDaBeast Foundation: A Brighter Future for All
-
Wooooo
-
I'm locking this. The problem was fixed 2 weeks ago.