Edited by groves226, 02 December 2016 - 08:27 PM.
Https By Default
#1
Posted 02 December 2016 - 08:26 PM
#2
Posted 03 December 2016 - 08:55 PM
9563 is the PID of MWOclient.exe
TCP 192.168.1.65:52675 a23-78-215-240.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536
TCP 192.168.1.65:52676 a23-215-104-26.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536
TCP 192.168.1.65:52677 a23-215-104-26.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536
or IP only
TCP 192.168.1.65:52675 23.78.215.240:80 ESTABLISHED 9536
TCP 192.168.1.65:52676 23.215.104.26:80 ESTABLISHED 9536
TCP 192.168.1.65:52677 23.215.104.26:80 ESTABLISHED 9536
Edited by groves226, 03 December 2016 - 08:56 PM.
#3
Posted 04 December 2016 - 09:49 AM
The HTTP connections you saw there @groves226 may be loading the content carousel, not actual game traffic. Even so, that should be HTTPS.
#4
Posted 04 December 2016 - 02:19 PM
The only other stuff I saw were the following during sign in (11184 is the PID for the client)
TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184
UDP 0.0.0.0:57272 *:* 11184
then during match maker election
TCP 192.168.1.65:58540 23.78.193.103:80 CLOSE_WAIT 11184
during the wait in the match lobby before deploying to the planet
UDP 0.0.0.0:57272 *:* 11184
UDP 0.0.0.0:55135 *:* 11184
TCP 192.168.1.65:58541 23.62.239.34:80 CLOSE_WAIT 11184
TCP 192.168.1.65:58542 23.62.239.34:80 ESTABLISHED 11184
TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184
after deploying to planet
the above are what remained
It is insane that a modern online game fails to secure its communication channels. Though MAYBE they are using SSL over port 80... I'll fire up Wireshark next to see if that is the case. If that is the case, that is also stupid.
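An added example, not code from the thread or from PGI, that does the triage described in these posts: it parses `netstat -ano` rows for the client's PID and, instead of trusting the port number, decides from the first client bytes of each stream whether the peer is speaking TLS, cleartext HTTP, or something it cannot classify. The netstat rows, peer addresses and payload bytes are constructed samples modelled on the ones posted above.

```python
import re
# Constructed netstat -ano rows, modelled on the ones posted in this thread.
NETSTAT_SAMPLE = """\
TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184
TCP 192.168.1.65:58540 23.78.193.103:80 CLOSE_WAIT 11184
TCP 192.168.1.65:58542 23.62.239.34:80 ESTABLISHED 11184
UDP 0.0.0.0:57272 *:* 11184
TCP 192.168.1.65:49152 192.0.2.10:443 ESTABLISHED 4321
"""
# Constructed first client bytes per peer, as Wireshark's data field would show them.
FIRST_BYTES = {
    "23.78.193.103:80": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",  # TLS record header
    "23.62.239.34:80": b"GET /carousel HTTP/1.1\r\nHost: example.invalid\r\n",  # cleartext
    "192.99.109.129:45461": b"\x00\x1c\x7f\x01\x02",  # opaque binary
}
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def parse_netstat(text):
    """Turn netstat -ano rows into dicts; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state, "pid": int(pid)})
    return rows

def classify_stream(first_bytes):
    """TLS opens with content type 0x16 and major version 0x03; HTTP with a request line."""
    if not first_bytes:
        return "no-sample"
    if len(first_bytes) >= 5 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def triage(netstat_text, pid, samples):
    """Pair each TCP peer of one process with a verdict; the bytes decide, not the port."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["pid"] != pid or row["proto"] != "TCP":
            continue
        verdict = classify_stream(samples.get(row["remote"]))
        findings.append({"remote": row["remote"], "port": int(row["remote"].rsplit(":", 1)[1]),
                         "verdict": verdict, "cleartext": verdict == "http"})
    return findings
```

A port-80 peer that classifies as "tls" is not a cleartext finding; only "http" is, and "unknown" (the custom-port binary stream) needs a closer look at the capture before anyone can say whether it is protected.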
#5
Posted 05 December 2016 - 06:42 AM
#6
Posted 05 December 2016 - 12:05 PM
might be time to start blowing up the mwo twitter and tagging security researchers in the posts
#7
Posted 09 December 2016 - 08:30 AM
groves226, on 05 December 2016 - 12:05 PM, said:
might be time to start blowing up the mwo twitter and tagging security researchers in the posts
I agree 92384623789462389% . And getting/implementing a SSL cert is easy and/or free (Let's Encrypt).
I don't know if they hash the credentials before sending it, but still... it can be cracked.
PGI... make it so, or screw it, give one of us a call and one of us will do it, if it is too much of an issue. Because I don't want my card details stolen, once they get my logins. I know you use a different provider (which is obvious when making a purchase, and they could be hacked due to an unknown exploit), but they get some info off of it and they can buy themselves some gifts via one of our accounts (if their intention is to not steal card details), once they managed to hack it. And because of the long loading/connection times, one will never know if someone is doing a MtM attack (they don't have to use SSL strip as it is not encrypted) and recording all inputs.
#8
Posted 09 December 2016 - 10:41 AM
I have to travel for work and am going to pass it off to a friend to break it.
#9
Posted 10 December 2016 - 10:56 AM
#10
Posted 11 December 2016 - 05:54 PM
I owe them some more PCAPs, once I make them it'll be easy headway.
If you want to see what is being passed, install Wireshark and start the capture. You'll be looking for the conversation going to 192.99.109.129:45461 and in the data field you'll see the HEX.
#11
Posted 12 December 2016 - 12:02 PM
Either we should get employed by PGI, or get a nice big mech pack for doing their IT department's job. If you want, I can send you some more info on what I can find. Just not here on the forum, as someone else might find it useful though.
#12
Posted 12 December 2016 - 01:55 PM
I am going to set up my raspberry pi as the mtm server and try ssl strip on that port and see if I can get my password off of it.
*edit: However PGI... I think you should REALLY change the hostnames of the servers it communicates with. The name gives it away, or at least put a proxy in between the server and the client to prevent direct contact with it. I assume there is a firewall there... well, I hope.
Edited by SiZiGee, 12 December 2016 - 04:04 PM.
#13
Posted 14 December 2016 - 02:25 PM
#14
Posted 20 December 2016 - 09:34 AM
#15
Posted 20 December 2016 - 02:33 PM
#16
Posted 20 December 2016 - 03:06 PM
Hopefully your buddy has the free time I have to handle escalations on a daily basis now, then family time and a tiny bit of game time... fun times ahead.
Edited by SiZiGee, 20 December 2016 - 03:07 PM.
#17
Posted 29 December 2016 - 07:12 AM
I will check the traffic to/from the auth server tonight