Sniffing game servers

[imported_sardinemaster]

Hi Guys,
After some inactivity, I come back with a new question, kind of unusual, I have to admit.

I'll explain the context:
I'm a gamer, and I play Counter-Strike Source. I personally own a server. Fortunately, my server hasn't been hacked yet, but I have friend who have had theirs hacked, which isn't very pleasing to say the least.

This is how the attacker does it (at least according to the articles I have read on the internet): he sniffs the information that is coming into the server (static IP, obviously) whenever the client (admin of server) is using the rcon (remote control) password, which basically gives the sucker all the powers on the server. This is even made easier because the file is not encrypted, it is simple plain text that is transfered from the client to the server. Obviously only one person knew the password; so no chance of a leak.

There is supposedly a fix for this, but to be honest i do not trust it, because it doesn't involve in any way encrypting the information or anything that would stop one of those lame ****s from hacking a server. Therefore I'd like to try that on my server to make sure that it won't happen to me in the middle of an important match.

As you probably guessed from the way I explained the procedure, I am not really up-to-speed on what concerns sniffing, so if you could explain relatively thourougly on how to sniff, it would be of great appreciation!

Thanks,
sardinemaster

P.S. I did read the "how-to"s on sniffing but I didn't quite find myself in them because this is an IP over the internet and seems more complicated (forgive me if I'm wrong and being idiotic )

[imported_sonicboom]

I dont see how they could sniff the file remote over the internet. If the person was in a LAN or Wireless LAN then it would seem a lot more plausable. Backtrack is capable of doing this, but only on the LAN, not the open internet.

It is possible:
A. Someone who close to the person, either in the same room, or at least the same LAN, sniffed/stoled the password.
B. They were socialially engineered into infecting their computer with a trojan/bot that revealed their info. This could be over the LAN or over the internet.

[Dom.Hutton]

By the sounds of it.
The server in question got hit with a MITM attack.
However this can only be done when someone is on the same LAN or atleast the WAN.
So I am not sure how to help you sorry.
Cheers

[Thorn]

It isn't sniffing, it's apparently known vulnerability with the Counter Strike Source engine.

A new breed of CSS Hacks?
Posted on Oct 25, 2008 03:37:41 AM

Have you seen that latest Counter Strike Source Hacks in action? We run a few CSS servers and the past week or so there have been some super efficient Counter Strike Source hacks going around. Nobody is sure where they are coming from but we do have a few ideas. The main problem with these hacks is that one of the features seems to exploit a vulnerability in CSS that allows the user to become an admin, and even de-admin other admins. There is really nothing short of what they can do. Everything from banning other users, changing peoples game name, changing maps, and more. Of course they include the regular hacks that we have all become a custom to like AIMBOT, wallhack, ESP, and so on. I can deal with the normal hacks, they don’t bother me all that much because it’s easy enough to spec and ban them. But this new set of features kind of rage me. Like I said earlier in the paragraph, we aren’t positive who coded these hacks, but one of the main suspects is as of now is mirc-scripts(linked in the beginning of this article).

Right now we are working on getting everyone a fix for this problem. Clearly there is a config file someplace that is allowing the user(s) to take control of servers. So far Steam hasn’t replied to any of our emails, but I can only assume they’re working on this too. This doesn’t only effect Counter Strike Source servers, but any games that run on that team engine (Day of Defeat Source, Half Life 2 Death Match, Garrys Mod and Zombie Panic.) We will update everyone soon as we know something.

Found on devoted2gaming.com/tag/counter-strike/

In the future, you might want to try a search or two. Googling "Counter Strike Source vulnerability" actually brings this up very quickly.

As far as sniffing goes, it is possible to sniff traffic on the Internet, although it is rather unlikely.

[imported_sardinemaster]

It isn't sniffing, it's apparently known vulnerability with the Counter Strike Source engine.



Found on devoted2gaming.com/tag/counter-strike/

In the future, you might want to try a search or two. Googling "Counter Strike Source vulnerability" actually brings this up very quickly.

As far as sniffing goes, it is possible to sniff traffic on the Internet, although it is rather unlikely.

Thank you very much for this link, Thorn. I am currently looking for the way they do it.
But as I said I did do my research (didnt come across that link, though ), so I counter what you said with this article (one of the many, that state there is a rcon vulnerability)

archive.cert.uni-stuttgart.de/bugtraq/2003/09/msg00296.html

So I ask again, is this possible?

As I said I'm not up-to-speed on sniffing, but wouldn't it be possible to sniff all the files incoming the server IP? Therefore you would have to attack when the admin is using the admin commands and sending the password, but still doable and not that hard.

Thanks for your help,
sardinemaster

[Thorn]

Thank you very much for this link, Thorn. I am currently looking for those mIRC scripts.
But as I said I did do my research (didnt come across that link, though ), so I counter what you said with this article (one of the many, that state there is a rcon vulnerability)

archive.cert.uni-stuttgart.de/bugtraq/2003/09/msg00296.html

So I ask again, is this possible?

As I said I'm not up-to-speed on sniffing, but wouldn't it be possible to sniff all the files incoming the server IP? Therefore you would have to attack when the admin is using the admin commands and sending the password, but still doable and not that hard.

Thanks for your help,
sardinemaster

Yes, technically this is possible.

Grabbing a plaintext password on a LAN or WLAN is extremely easy as others have pointed out. In fact, it is trivial and can be done in a matter of seconds.

As I stated before, it is also possible on the Internet, although it is extremely unlikely.

First of all, if the server and the admin's PC are on the same LAN, the password would never leave the LAN. The password would never be passed to the Internet via the local router, and would have to be sniffed on the LAN.

If the server and the admin's PC are not on the same LAN, it would be difficult, time consuming, and would require physical access to the actual wires somewhere on the path a routed packet has taken. Assuming server which as not been compromised with a Trojan or some other malware it becomes almost impossible. To "sniff all the files incoming the server IP" outside of the server's location and guarantee grabbing the password, you would need to have physical access to the LAN of the ISP providing service to the server or the LAN of the ISP providing service to the admin's PC.

Technically, this could also be done anywhere along that route, but filtering the amount of traffic for one IP and one password would most likely require access to fiber taps. The likelihood of any of any of this happening is very, very small. Government agencies don't go to that trouble to catch criminals. Do you really think some punk is going to go through all that for a Counter Strike server?

All of the above narrows the how and where the password would get sniffed. Realistically, it come down to four places:

• On the LAN server.
• On the LAN of the admin's PC.
• At the LAN of the ISP providing service to the admin's PC.
• At the LAN of the ISP providing service to the server.

If there are known malicious scripts which attack game servers, and there are known vulnerabilities like buffer overflows in the server software, then the easiest way for an attacker who is not on the same LAN as either the admin or the server to gain the admin's password is to run a malicous script which takes advantage of a know vulnerability and hands the password off to attacker.

We know that both the malicious scripts and the game server vulnerabilities exist. We can also assume that it is rather unlikely that an attacker works at one of the ISPs in question. If we also assume that you never let anyone on the LAN when you were administering the server (or that you trust the users you had on at the time), the chances are that the attack was done in a manner other than a malicious script are unlikely in the extreme.

[imported_sardinemaster]

Do you really think some punk is going to go through all that for a Counter Strike server?

Nop, I think you're absolutely right.

I guess he is just exploiting one of the vulnerabilities in the software.

Will update if I find how they do it.

Thanks again Thorn for enlightening me.

sardinemaster

[Thorn]

Nop, I think you're absolutely right.

I guess he is just exploiting one of the vulnerabilities in the software.

Will update if I find how they do it.

Thanks again Thorn for enlightening me.

sardinemaster

You're welcome and good luck with it.

[drakoth777]

It would only be possible to sniff that password on the LAN of the ISP if the server and the admin PC were on different LANs, right? I mean the only reason a packet containing the password would be sent to the ISP LAN would be to contact the ISPs nameserver, which would resolve the hostname of the server or admin PC on the other LAN? Is my understanding correct?

I mean if server and the admin PC are in the same LAN, which is probably the case, then there's no reason to contact the ISPs nameserver, therefore, making it impossible to sniff outside the server/admin PC LAN.

Is this correct?

[Barry]

It would only be possible to sniff that password on the LAN of the ISP if the server and the admin PC were on different LANs, right? I mean the only reason a packet containing the password would be sent to the ISP LAN would be to contact the ISPs nameserver, which would resolve the hostname of the server or admin PC on the other LAN? Is my understanding correct?

I mean if server and the admin PC are in the same LAN, which is probably the case, then there's no reason to contact the ISPs nameserver, therefore, making it impossible to sniff outside the server/admin PC LAN.

Is this correct?

Sounds about right.