
HTTPS By Default


16 replies to this topic

#1 groves226

Posted 02 December 2016 - 08:26 PM

Can you guys set up the webpage for HTTPS by default? Also, why is the game not talking via SSL?

Edited by groves226, 02 December 2016 - 08:27 PM.


#2 groves226

Posted 03 December 2016 - 08:55 PM

There is no reason for authentication information to be sent via an insecure connection over a WAN or even a LAN connection.

9563 is the PID of MWOclient.exe:

TCP 192.168.1.65:52675 a23-78-215-240.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536
TCP 192.168.1.65:52676 a23-215-104-26.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536
TCP 192.168.1.65:52677 a23-215-104-26.deploy.static.akamaitechnologies.com:http ESTABLISHED 9536

or IP only:


TCP 192.168.1.65:52675 23.78.215.240:80 ESTABLISHED 9536
TCP 192.168.1.65:52676 23.215.104.26:80 ESTABLISHED 9536
TCP 192.168.1.65:52677 23.215.104.26:80 ESTABLISHED 9536

Edited by groves226, 03 December 2016 - 08:56 PM.


#3 Muzakman

Posted 04 December 2016 - 09:49 AM

This plz! At the very least, forcing HTTPS for mwomercs.com would be both prudent and recommended. I mean, you already have the SSL certificate, so making this happen should be straightforward.

The HTTP connections you saw there @groves226 may be loading the content carousel, not actual game traffic. Even so, that should be HTTPS.

#4 groves226

Posted 04 December 2016 - 02:19 PM

During play it stays on 80.

The only other stuff I saw were the following during sign in (11184 is the PID for the client):

TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184
UDP 0.0.0.0:57272 *:* 11184

Then during matchmaker election:

TCP 192.168.1.65:58540 23.78.193.103:80 CLOSE_WAIT 11184

During the wait in the match lobby before deploying to the planet:
UDP 0.0.0.0:57272 *:* 11184
UDP 0.0.0.0:55135 *:* 11184
TCP 192.168.1.65:58541 23.62.239.34:80 CLOSE_WAIT 11184
TCP 192.168.1.65:58542 23.62.239.34:80 ESTABLISHED 11184
TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184


After deploying to the planet, the above are what remained.

It is insane that a modern online game fails to secure its communication channels. Though MAYBE they are using SSL over port 80... I'll fire up Wireshark next to see if that is the case. If that is the case, that is also stupid.
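The netstat listings above are the kind of evidence a defender would triage per process: which remote endpoints a given PID talks to, and which of them sit on a cleartext port that deserves a closer look in a capture. The following is an added example, not code from the thread or from PGI; the sample text is constructed from the lines quoted above (PID 11184, plus one extra TLS connection under a made-up PID 4242 as a control).

```python
import re
from collections import defaultdict

# Constructed sample in Windows `netstat -ano` layout, modelled on the lines quoted in this thread.
# The 10.0.0.5:443 / PID 4242 entry is made up, to show a connection that is NOT flagged.
SAMPLE_NETSTAT = """
TCP 192.168.1.65:58546 192.99.109.129:45461 ESTABLISHED 11184
UDP 0.0.0.0:57272 *:* 11184
TCP 192.168.1.65:58540 23.78.193.103:80 CLOSE_WAIT 11184
TCP 192.168.1.65:58542 a23-215-104-26.deploy.static.akamaitechnologies.com:http ESTABLISHED 11184
TCP 192.168.1.65:51000 10.0.0.5:443 ESTABLISHED 4242
"""

# netstat substitutes service names for well-known ports unless run with -n
PORT_NAMES = {"http": 80, "https": 443}
# Ports where traffic is plaintext unless the application wraps it itself
CLEARTEXT_PORTS = {80: "http"}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)$"
)

def split_endpoint(ep):
    """Split 'host:port' into (host, port); '*:*' (unbound UDP) yields ('*', None)."""
    host, _, port = ep.rpartition(":")
    if port in ("*", ""):
        return host, None
    return host, PORT_NAMES.get(port) or int(port)

def parse_netstat(text):
    """Return {pid: [(proto, remote_host, remote_port, state), ...]} for every parseable line."""
    by_pid = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or anything not in the expected layout
        host, port = split_endpoint(m["remote"])
        by_pid[int(m["pid"])].append((m["proto"], host, port, m["state"] or ""))
    return dict(by_pid)

def cleartext_connections(text, pid):
    """Remote (host, port) pairs of one PID that use a known cleartext port: inspect these first."""
    return [
        (host, port)
        for proto, host, port, _state in parse_netstat(text).get(pid, [])
        if proto == "TCP" and port in CLEARTEXT_PORTS
    ]
```

The ephemeral-to-ephemeral connection (port 45461) is deliberately not flagged by port alone; whether it is encrypted can only be decided from the payload in a capture.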

#5 Fox the Apprentice

Posted 05 December 2016 - 06:42 AM

The HTTPS Everywhere Firefox extension works fine on the website, so there hopefully won't be too much effort required since HTTPS is already set up correctly for the site.

#6 groves226

Posted 05 December 2016 - 12:05 PM

Yeah, it's actually trivial to do for the webpage. For the game it is crazy it isn't done since they are passing credentials.

Might be time to start blowing up the MWO Twitter and tagging security researchers in the posts.

#7 SiZiGee

Posted 09 December 2016 - 08:30 AM

groves226, on 05 December 2016 - 12:05 PM, said:

    Yeah, it's actually trivial to do for the webpage. For the game it is crazy it isn't done since they are passing credentials.

    Might be time to start blowing up the MWO Twitter and tagging security researchers in the posts.


I agree 92384623789462389%. And getting/implementing an SSL cert is easy and/or free (Let's Encrypt).

I don't know if they hash the credentials before sending them, but still... it can be cracked.

PGI... make it so, or screw it, give one of us a call and one of us will do it, if it is too much of an issue. Because I don't want my card details stolen once they get my logins. I know you use a different provider (which is obvious when making a purchase, and they could be hacked due to an unknown exploit), but they get some info off of it and they can buy themselves some gifts via one of our accounts (if their intention is not to steal card details), once they manage to hack it. And because of the long loading/connection times, one will never know if someone is doing a MtM attack (they don't have to use SSL strip as it is not encrypted) and recording all inputs.

#8 groves226

Posted 09 December 2016 - 10:41 AM

It looks like they are using HEX to pass credentials and account information back and forth on an ephemeral-to-ephemeral port conversation.

I have to travel for work and am going to pass it off to a friend to break it.

#9 SiZiGee

Posted 10 December 2016 - 10:56 AM

How's the cracking going?

#10 groves226

Posted 11 December 2016 - 05:54 PM

None of us have taken the time to go over it this weekend because of work. I will have some free time over the next few days while I'm in a hotel traveling; I think they are in worse shape.

I owe them some more PCAPs, once I make them it'll be easy headway.


If you want to see what is being passed, install Wireshark and start the capture. You'll be looking for the conversation going to 192.99.109.129:45461 and in the data field you'll see the HEX.

#11 SiZiGee

Posted 12 December 2016 - 12:02 PM

Thanks for the IP and port to look out for. I will sniff the traffic on my end and see what I can do with the traffic... thank god for Kali and its tools. Hex is easy enough, I will run it through Cain and Abel (or even John the Ripper) and see what I get. Basically do what a script kiddie does...

Either we should get employed by PGI, or get a nice big mech pack for doing their IT department's job. If you want, I can send you some more info on what I can find. Just not here on the forum, as someone else might find it useful.

#12 SiZiGee

Posted 12 December 2016 - 01:55 PM

It looks like it is encrypted... well, the auth part at least. Right after the auth, I start getting HTTP traffic (downloading pictures, etc., e.g. GET /assets/game/RN_BP_Preview.jpg). So it appears to be encrypted.

I am going to set up my Raspberry Pi as the MtM server and try SSL strip on that port and see if I can get my password off of it.

*edit: However PGI... I think you should REALLY change the hostnames of the servers it communicates with. The name gives it away, or at least put a proxy between the server and the client to prevent direct contact with it. I assume there is a firewall there... well, I hope.

Edited by SiZiGee, 12 December 2016 - 04:04 PM.
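The open question in posts #4, #8 and #12 is whether a given stream is actually TLS, plaintext HTTP, or merely hex-encoded (encoding is not encryption). The check below is an added example, not code from the thread or from PGI: it classifies the first bytes of a TCP payload by the TLS record header (content type 0x14-0x17, version 0x03xx) versus an HTTP start line versus a run of hex digits. All payloads are constructed; the port 45461 is the one quoted in the thread, the bytes are not from any real capture.

```python
# Constructed sample payloads (first bytes of a TCP stream). Not real game captures.
TLS_CLIENT_HELLO = bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32  # record + handshake hdr
HTTP_GET = b"GET /assets/game/RN_BP_Preview.jpg HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HEX_BLOB = b"6c6f67696e3d7573657226707764"  # hex of "login=user&pwd": readable, not encrypted
OPAQUE = bytes.fromhex("0a3f1b8e")            # binary that matches none of the patterns

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
TLS_MAX_RECORD = 16384 + 2048  # plaintext limit plus allowed expansion for ciphertext

def classify_payload(data):
    """
    'tls'       : TLS record header (type 20-23, version 3.0-3.4, sane length)
    'http'      : plaintext HTTP request or response line
    'hex'       : even-length run of hex digits, i.e. encoded but NOT encrypted
    'plaintext' : other printable ASCII
    'unknown'   : anything else (custom binary protocol, or ciphertext without TLS framing)
    """
    if len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= TLS_MAX_RECORD:
            return "tls"
    if data.startswith(HTTP_STARTS):
        return "http"
    if len(data) >= 2 and len(data) % 2 == 0 and all(b in HEX_DIGITS for b in data):
        return "hex"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "plaintext"
    return "unknown"

# (remote_port, first payload bytes) per stream; constructed to mirror the thread's observations
SAMPLE_STREAMS = [
    (45461, TLS_CLIENT_HELLO),  # auth server port from the thread; encrypted is the good case
    (80, HTTP_GET),             # asset download after login, plaintext as the poster observed
    (45461, HEX_BLOB),          # what "passing credentials as HEX" would look like on the wire
]

def audit_streams(streams):
    """Return (port, classification) for every stream that is NOT framed as TLS: these need review."""
    findings = []
    for port, data in streams:
        kind = classify_payload(data)
        if kind != "tls":
            findings.append((port, kind))
    return findings
```

A stream tagged 'hex' or 'plaintext' on the auth port is the finding that matters: anyone on the path can read it, no SSL strip required.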


#13 groves226

Posted 14 December 2016 - 02:25 PM

I'm putting in extra time at the front end of the week so that Friday and all weekend long I can be free to work on this with some friends.

#14 SiZiGee

Posted 20 December 2016 - 09:34 AM

Any luck? I got swamped by work and RL issues.

#15 groves226

Posted 20 December 2016 - 02:33 PM

Me too man... I made some packet captures and didn't even look at them before I filtered the important IPs and shot them to my buddy. This is too close to my real job and I don't like doing it in my free time when I could be drinking, hanging out with loved ones, or blowing things up.

#16 SiZiGee

Posted 20 December 2016 - 03:06 PM

I know the feeling... well, at least the IP addresses for auth are the same. And it is 2 geographically separate locations (IP address points to Canada, I can only guess who has a DC there...) and the fact that one can do a MtM is a bit of a concern. And the auth part is crystal clear: auth is encrypted, the rest is not... so that helps with pointing out where to look/focus on.

Hopefully your buddy has the free time. I have to handle escalations on a daily basis now, then family time and a tiny bit of game time... fun times ahead.

Edited by SiZiGee, 20 December 2016 - 03:07 PM.


#17 SiZiGee

Posted 29 December 2016 - 07:12 AM

I noticed the forum is now on HTTPS and using a StartCom cert... a step in the right direction.

I will check the traffic to/from the auth server tonight.
