
Thread: Sniffing game servers

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    59

    Sniffing game servers

    Hi Guys,
    After some inactivity, I come back with a new question, kind of unusual, I have to admit.

    I'll explain the context:
    I'm a gamer, and I play Counter-Strike Source. I personally own a server. Fortunately, my server hasn't been hacked yet, but I have friends who have had theirs hacked, which isn't very pleasing to say the least.

    This is how the attacker does it (at least according to the articles I have read on the internet): he sniffs the information that is coming into the server (static IP, obviously) whenever the client (admin of server) is using the rcon (remote control) password, which basically gives the sucker all the powers on the server. This is even made easier because the file is not encrypted, it is simple plain text that is transferred from the client to the server. Obviously only one person knew the password; so no chance of a leak.

    There is supposedly a fix for this, but to be honest I do not trust it, because it doesn't involve in any way encrypting the information or anything that would stop one of those lame ****s from hacking a server. Therefore I'd like to try that on my server to make sure that it won't happen to me in the middle of an important match.

    As you probably guessed from the way I explained the procedure, I am not really up-to-speed on what concerns sniffing, so if you could explain relatively thoroughly how to sniff, it would be greatly appreciated!

    Thanks,
    sardinemaster

    P.S. I did read the "how-to"s on sniffing but I didn't quite find myself in them because this is an IP over the internet and seems more complicated (forgive me if I'm wrong and being idiotic)
    CPU: Mobile DualCore Intel Core 2 Duo T7200, 2000 MHz (12 x 167)- 2Ghz
    Chipset: Mobile Intel Calistoga i945PM
    RAM: 2048 Mb (DDR2-667 DDR2 SDRAM)
    Graphics Card: NVIDIA GeForce Go 7950 GTX (512 Mb)
    Audio: SigmaTel STAC9200 @ Intel 82801GBM ICH7-M - High Definition Audio Controller [A-1]
    Network Card: Broadcom NetXtreme 57xx Gigabit Controller
    Wireless Card: Intel® PRO/Wireless 3945ABG Network Connection
    Modem: Conexant HDA D110 MDC V.92 Modem

  2. #2
    Just burned his ISO imported_sonicboom's Avatar
    Join Date
    Dec 2007
    Posts
    14

    I don't see how they could sniff the file remotely over the internet. If the person was in a LAN or Wireless LAN then it would seem a lot more plausible. Backtrack is capable of doing this, but only on the LAN, not the open internet.

    It is possible:
    A. Someone who was close to the person, either in the same room, or at least the same LAN, sniffed/stole the password.
    B. They were socially engineered into infecting their computer with a trojan/bot that revealed their info. This could be over the LAN or over the internet.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2008
    Posts
    22

    By the sounds of it.
    The server in question got hit with a MITM attack.
    However this can only be done when someone is on the same LAN or at least the WAN.
    So I am not sure how to help you sorry.
    Cheers

  4. #4
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    It isn't sniffing, it's apparently a known vulnerability with the Counter Strike Source engine.

    A new breed of CSS Hacks?
    Posted on Oct 25, 2008 03:37:41 AM

    Have you seen the latest Counter Strike Source Hacks in action? We run a few CSS servers and the past week or so there have been some super efficient Counter Strike Source hacks going around. Nobody is sure where they are coming from but we do have a few ideas. The main problem with these hacks is that one of the features seems to exploit a vulnerability in CSS that allows the user to become an admin, and even de-admin other admins. There is really nothing short of what they can do. Everything from banning other users, changing peoples game name, changing maps, and more. Of course they include the regular hacks that we have all become accustomed to like AIMBOT, wallhack, ESP, and so on. I can deal with the normal hacks, they don’t bother me all that much because it’s easy enough to spec and ban them. But this new set of features kind of rage me. Like I said earlier in the paragraph, we aren’t positive who coded these hacks, but one of the main suspects as of now is mirc-scripts (linked in the beginning of this article).

    Right now we are working on getting everyone a fix for this problem. Clearly there is a config file someplace that is allowing the user(s) to take control of servers. So far Steam hasn’t replied to any of our emails, but I can only assume they’re working on this too. This doesn’t only affect Counter Strike Source servers, but any games that run on that team engine (Day of Defeat Source, Half Life 2 Death Match, Garrys Mod and Zombie Panic.) We will update everyone as soon as we know something.
    Found on devoted2gaming.com/tag/counter-strike/

    In the future, you might want to try a search or two. Googling "Counter Strike Source vulnerability" actually brings this up very quickly.

    As far as sniffing goes, it is possible to sniff traffic on the Internet, although it is rather unlikely.
    Thorn
    Stop the TSA now! Boycott the airlines.

  5. #5
    Junior Member
    Join Date
    Oct 2007
    Posts
    59

    Quote, originally posted by Thorn:
        It isn't sniffing, it's apparently a known vulnerability with the Counter Strike Source engine.

        Found on devoted2gaming.com/tag/counter-strike/

        In the future, you might want to try a search or two. Googling "Counter Strike Source vulnerability" actually brings this up very quickly.

        As far as sniffing goes, it is possible to sniff traffic on the Internet, although it is rather unlikely.

    Thank you very much for this link, Thorn. I am currently looking for the way they do it.
    But as I said I did do my research (didn't come across that link, though), so I counter what you said with this article (one of the many that state there is a rcon vulnerability)

    archive.cert.uni-stuttgart.de/bugtraq/2003/09/msg00296.html

    So I ask again, is this possible?

    As I said I'm not up-to-speed on sniffing, but wouldn't it be possible to sniff all the files incoming the server IP? Therefore you would have to attack when the admin is using the admin commands and sending the password, but still doable and not that hard.

    Thanks for your help,
    sardinemaster

  6. #6
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote, originally posted by sardinemaster:
        Thank you very much for this link, Thorn. I am currently looking for those mIRC scripts.
        But as I said I did do my research (didn't come across that link, though), so I counter what you said with this article (one of the many that state there is a rcon vulnerability)

        archive.cert.uni-stuttgart.de/bugtraq/2003/09/msg00296.html

        So I ask again, is this possible?

        As I said I'm not up-to-speed on sniffing, but wouldn't it be possible to sniff all the files incoming the server IP? Therefore you would have to attack when the admin is using the admin commands and sending the password, but still doable and not that hard.

        Thanks for your help,
        sardinemaster

    Yes, technically this is possible.

    Grabbing a plaintext password on a LAN or WLAN is extremely easy as others have pointed out. In fact, it is trivial and can be done in a matter of seconds.

    As I stated before, it is also possible on the Internet, although it is extremely unlikely.

    First of all, if the server and the admin's PC are on the same LAN, the password would never leave the LAN. The password would never be passed to the Internet via the local router, and would have to be sniffed on the LAN.

    If the server and the admin's PC are not on the same LAN, it would be difficult, time consuming, and would require physical access to the actual wires somewhere on the path a routed packet has taken. Assuming a server which has not been compromised with a Trojan or some other malware, it becomes almost impossible. To "sniff all the files incoming the server IP" outside of the server's location and guarantee grabbing the password, you would need to have physical access to the LAN of the ISP providing service to the server or the LAN of the ISP providing service to the admin's PC.

    Technically, this could also be done anywhere along that route, but filtering the amount of traffic for one IP and one password would most likely require access to fiber taps. The likelihood of any of this happening is very, very small. Government agencies don't go to that trouble to catch criminals. Do you really think some punk is going to go through all that for a Counter Strike server?

    All of the above narrows the how and where the password would get sniffed. Realistically, it comes down to four places:
    • On the LAN of the server.
    • On the LAN of the admin's PC.
    • At the LAN of the ISP providing service to the admin's PC.
    • At the LAN of the ISP providing service to the server.


    If there are known malicious scripts which attack game servers, and there are known vulnerabilities like buffer overflows in the server software, then the easiest way for an attacker who is not on the same LAN as either the admin or the server to gain the admin's password is to run a malicious script which takes advantage of a known vulnerability and hands the password off to the attacker.

    We know that both the malicious scripts and the game server vulnerabilities exist. We can also assume that it is rather unlikely that an attacker works at one of the ISPs in question. If we also assume that you never let anyone on the LAN when you were administering the server (or that you trust the users you had on at the time), the chances that the attack was done in a manner other than a malicious script are unlikely in the extreme.
    Thorn
