Discussion: Man in the Middle Attack (Spoofing Server-Side) - Possibilities

  • Thread starter Jhawk3406
  • Views 21,262
Jhawk3406
Enthusiast
Messages: 61, Reaction score: 25

This game is largely server side, actually it's incredible how much server-side goes on. Even engrams on the ground, you can't pick them up until you have full connection.

Man in the Middle - Short description - Where you intercept, on your computer, all traffic going from your console to the server and back to your console. All traffic goes through you before it reaches its destination. The server side thinks you are the console and the console thinks you are the server. This brings up a lot of possibilities.

[image: Main_the_middle.JPG]

Cain and Abel - Needed for MITM Attack

Now using Wireshark, we can evaluate each packet that goes from your console to the server and back. Doing little things (like buying an engram) that take 3-4 sec are good so that you don't have a lot of packets to review.

What we want to do is intercept and modify the packets that the server sends back to the console. Once we identify certain packets (like putting a weapon in your vault), we can do this again but block off the server connection (using Zone Alarm), and send packets from your computer to your console basically spoofing the server for a couple of seconds. The possibilities are endless.

This is a work-in-progress as I've only spent a few hours testing.



To find what is server-side, you can use Zone Alarm while doing the MITM attack and basically block the server side. If the game allows you to do stuff then it's client-side; if not, it's server-side.

Server-side (will be updated)
- Equipping/Un-equipping weapons/items
- Bounties at the tower (obtaining and rewarding)
- Buying anything
- Picking up engrams
- Taking/Putting items in the vault
- Dismantling
- Reviving

Client-side (PLEASE POST ANYTHING YOU BELIEVE TO BE CLIENT-SIDE)
- Picking up ammo
- Killing enemies


THE IDEA (Duplication)-
1. Take an item out of the vault, record packets sent and received.
2. Put item back in the vault.
3. Identify which packets the server sent the client when taking the item out.
4. Block Server-side connection, try to take the item out of the vault (won't let you), but then send the server-side packets you gathered earlier.
5. Go back to orbit immediately, unblock server-side
6. Now you have the item in your inventory, but since we blocked all server-side connection while taking the item out, the server still shows the item in the vault.



Again, this is just a work-in-progress as I've only had a few hours of reviewing, but the idea is there. I do realize that this may be a little out of reach for most people to understand, but I'm just giving my thoughts.



EDIT - PROGRESS - 9/29/14

I see some people are having issues with this method. Let me explain some more...

Your console connects to Bungie through a variety of different IP addresses (their servers). What each IP address is for, well, that is unknown. But we can easily find out which IP address accounts for the inventory, etc. Equipping different stuff in your inventory, you'll start seeing one IP generate many more packets than the others. Voila, you have found the server you want to mimic.

FYI - In Cain and Abel, "Full Routing" on an IP means that we have effectively established the MITM attack. Here in the picture you can see that the IP I needed is indeed "Full Routing."

[image: 5ZFammJ.png]

Now time to sniff packets. What I found out in just a short time of testing is that equipping a different item (in this case a gauntlet) produces 12 total packets between your console and the server. It seems as if the packets come in pairs, each being the same length. In the "Destination" column, the 4.x.x.x IP address is packets sent from my console to the server. My console is 192.168.1.8.

[image: Q5WBmdx.png]

Well that's it for now. Expect another update here this week.
 
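The procedure the post describes for locating the inventory server (watch which remote IP spikes while you equip gear, then look at the same-length request/reply pairs on that flow) can be done offline on a saved capture. The following is an added example, not code from the post or from Cain and Abel/Wireshark: a standard-library Python parser for a classic pcap file that tallies packets per remote host and groups one flow's frames by length. The capture bytes it analyses are constructed inline, so it runs without a console or a network; the server addresses 4.1.2.3, 4.1.2.9 and 65.55.42.11 are placeholders, not Bungie's, and the only real-world detail assumed is Xbox Live's usual UDP port 3074.

```python
import struct
from collections import Counter, defaultdict

CONSOLE_IP = "192.168.1.8"                 # the console's LAN address from the post
INVENTORY_IP = "4.1.2.3"                   # placeholder server address (constructed)
OTHER_IPS = ("4.1.2.9", "65.55.42.11")     # placeholder background hosts (constructed)
XBL_PORT = 3074                            # Xbox Live's usual UDP port


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame for the constructed capture. IP and UDP
    checksums are left zero; the parser below never verifies them."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap: magic 0xA1B2C3D4, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (src_ip, dst_ip, frame_len) for each IPv4/UDP frame in a classic
    pcap. Other frames and truncated records are skipped; pcapng is rejected."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap (save from Wireshark as pcap, not pcapng)")
    linktype, = struct.unpack(order + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < incl_len or len(frame) < 14 + 20 + 8:
            continue                       # truncated record, or too short to hold UDP
        if frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 17:
            continue                       # not IPv4 over Ethernet, or not UDP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        packets.append((src, dst, len(frame)))
    return packets


def remote_traffic(packets, console_ip=CONSOLE_IP):
    """Packets exchanged with each remote host, both directions counted. The
    host whose count jumps while you equip items is the one the post wants."""
    counts = Counter()
    for src, dst, _ in packets:
        if src == console_ip:
            counts[dst] += 1
        elif dst == console_ip:
            counts[src] += 1
    return counts


def length_pairs(packets, remote_ip, console_ip=CONSOLE_IP):
    """For one console<->server flow, frames per length in each direction:
    {frame_len: (from_console, from_server)}. Equal counts on every row is
    the 'same-length pairs' pattern the post describes."""
    buckets = defaultdict(lambda: [0, 0])
    for src, dst, length in packets:
        if src == console_ip and dst == remote_ip:
            buckets[length][0] += 1
        elif src == remote_ip and dst == console_ip:
            buckets[length][1] += 1
    return {length: tuple(v) for length, v in buckets.items()}


def sample_capture():
    """Constructed capture: one equip action as 6 request/reply pairs with the
    placeholder inventory server (12 packets, as in the post), plus a little
    background chatter with two other placeholder hosts."""
    frames = []
    for size in (40, 72, 72, 120, 120, 200):
        frames.append(build_udp_frame(CONSOLE_IP, INVENTORY_IP, XBL_PORT, XBL_PORT, b"\x00" * size))
        frames.append(build_udp_frame(INVENTORY_IP, CONSOLE_IP, XBL_PORT, XBL_PORT, b"\x01" * size))
    frames.append(build_udp_frame(CONSOLE_IP, OTHER_IPS[0], XBL_PORT, XBL_PORT, b"\x02" * 24))
    frames.append(build_udp_frame(OTHER_IPS[0], CONSOLE_IP, XBL_PORT, XBL_PORT, b"\x03" * 24))
    frames.append(build_udp_frame(OTHER_IPS[1], CONSOLE_IP, XBL_PORT, XBL_PORT, b"\x04" * 60))
    return build_pcap(frames)


if __name__ == "__main__":
    pkts = parse_pcap(sample_capture())
    busiest, n = remote_traffic(pkts).most_common(1)[0]
    print(f"busiest remote host: {busiest} ({n} packets)")
    for length, (c, s) in sorted(length_pairs(pkts, busiest).items()):
        print(f"  {length:4d} bytes: {c} from console, {s} from server")
```

To use it on a real capture, replace `sample_capture()` with `open("equip.pcap", "rb").read()`; Wireshark saves pcapng by default, so choose the plain pcap format in Save As or the parser will refuse the file. Two caveats: when you capture on the PC that is doing the ARP-spoofed forwarding, each packet normally appears twice (once received, once re-sent), which doubles the counts but leaves the ranking and the pairing intact; and "busiest host" is only a heuristic, since a voice-chat or matchmaking peer can out-talk the inventory server, so repeat the action a few times and compare runs.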
Bnana
Enthusiast
Messages: 47, Reaction score: 6

Would I most likely get banned for doing this?
 
Chelsea Grinner
LETS BURN THIS BASTARD TO THE GROUND
Messages: 416, Reaction score: 92

This seems very possible. It reminds me of the .json modding that GTA V had when it came out. Even though I'm not sure how to do it, I'm sure someone could get it.

http://www.se7ensins.com/forums/threads/tunables-json-bypass-tutorial.1029593/ Here's my GTA V guide/example.

> Would I most likely get banned for doing this?

It is possible, like with GTA V they couldn't find out until they knew about it and put patches up. Then people would report the abuser and that would get them banned.
 
Bnana
Enthusiast
Messages: 47, Reaction score: 6

I can't figure out how to block the server or find which is the correct packet for taking something out of your vault?
 
Chelsea Grinner
LETS BURN THIS BASTARD TO THE GROUND
Messages: 416, Reaction score: 92

> I can't figure out how to block the server or find which is the correct packet for taking something out of your vault?

Take a look at the link I posted above and see if you can find their servers' address. After you find it, try blocking it with the Windows hosts file inside of system32. (implying you still use Windows)
 
Im4eversmart
The hacks are real
Messages: 2,161, Reaction score: 1,903

TL;DR
The xbox uses UDP and a special xbox packet protocol. The xbox uses chaining so even the same requests will generate different packets. They could even be doing emulated TCP over UDP.

GTA used HTTP requests, so that was why they could use a custom DNS to reroute the unencrypted packets.

If you could block packets, that wouldn't help since it is probably a transactional system. That means if you take something out, it is moved from one system and placed in another. It wouldn't be in both systems at the same time.
 
Bnana
Enthusiast
Messages: 47, Reaction score: 6

> Take a look at the link I posted above and see if you can find their servers' address. After you find it, try blocking it with the Windows hosts file inside of system32. (implying you still use Windows)

OK, I'll try.
 
Chelsea Grinner
LETS BURN THIS BASTARD TO THE GROUND
Messages: 416, Reaction score: 92

> TL;DR
> The Xbox uses UDP and a special Xbox packet protocol. The Xbox uses chaining so even the same requests will generate different packets. They could even be doing emulated TCP over UDP.
>
> GTA used HTTP requests, so that was why they could use a custom DNS to reroute the unencrypted packets.
>
> If you could block packets, that wouldn't help since it is probably a transactional system. That means if you take something out, it is moved from one system and placed in another. It wouldn't be in both systems at the same time.

Even if the Xbox is using UDP or even TCP, does that necessarily mean that Destiny is for every single server-sided file? Because even though the Xbox does, GTA's tunables didn't. I get what you're trying to say with different packets/protocols and all, but it seems to me you're comparing a console's connection and a game's connection. Two different things.

edit: Before I start some war on a gaming forum, I just want to point out, I'm only asking, trying to get an answer... If I'm wrong, I'm wrong. I'll admit it.
 
Im4eversmart
The hacks are real
Messages: 2,161, Reaction score: 1,903

> Even if the Xbox is using UDP or even TCP, does that necessarily mean that Destiny is for every single server-sided file? Because even though the Xbox does, GTA's tunables didn't. I get what you're trying to say with different packets/protocols and all, but it seems to me you're comparing a console's connection and a game's connection. Two different things.
>
> edit: Before I start some war on a gaming forum, I just want to point out, I'm only asking, trying to get an answer... If I'm wrong, I'm wrong. I'll admit it.

It's the same thing.
 
Bnana
Enthusiast
Messages: 47, Reaction score: 6

Have either of you tried the method listed in the post?

> This seems very possible. It reminds me of the .json modding that GTA V had when it came out. Even though I'm not sure how to do it, I'm sure someone could get it.
>
> http://www.se7ensins.com/forums/threads/tunables-json-bypass-tutorial.1029593/ Here's my GTA V guide/example.
>
> It is possible, like with GTA V they couldn't find out until they knew about it and put patches up. Then people would report the abuser and that would get them banned.

> TL;DR
> The Xbox uses UDP and a special Xbox packet protocol. The Xbox uses chaining so even the same requests will generate different packets. They could even be doing emulated TCP over UDP.
>
> GTA used HTTP requests, so that was why they could use a custom DNS to reroute the unencrypted packets.
>
> If you could block packets, that wouldn't help since it is probably a transactional system. That means if you take something out, it is moved from one system and placed in another. It wouldn't be in both systems at the same time.

If you have, could you attempt to help me?
 
Im a Leecher
In lulz we trust
Messages: 1,261, Reaction score: 360

legit in lobby
inv approved hacks
 
BattleBuddy
Enthusiast
Messages: 531, Reaction score: 173

This may be way off topic, but somewhat relevant. I tried Cain/Abel and ZoneAlarm with Destiny, but it seemed to have no effect. All I was wanting to do is be in a game by myself. Any thoughts on how to do this?
 
ap ii intense
Crescent Fresh
Messages: 647, Reaction score: 540

All of the items at the tower are completely server-sided. Let's say you want to take a weapon out of the vault. The way I think it works is your console asks the server to move the weapon ID to the inventory part of the save. If it exists in the vault then all the server has to do is move the ID from the vault to the inventory section of the game save. However, if the weapon doesn't exist then it won't do anything. The same applies to buying weapons from vendors, but this time it will copy it from the server.
Now for in-game items it seems possible, because I don't think the server would or could track that many items. Also, every time you open your inventory it downloads all of the weapons from the server. So you might be able to change the response of the server, but if you did it wouldn't ever save.
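Im4eversmart's point that a vault move is transactional, and ap ii intense's note that the inventory is re-downloaded from the server whenever it is opened, can be made concrete with a small model. The following is an added example, not the game's code and not anything recovered from its traffic: a toy server that owns the vault and inventory and moves an item between them in one step, and a console that caches only what the server last sent it. The per-session sequence number and HMAC on every request are an assumed stand-in for the "chaining" mentioned above, not a description of the real protocol. Running the six-step duplication idea from the first post against this model shows what each side sees at every step.

```python
import hashlib
import hmac
import json


def make_mac(key, seq, op, item):
    """Tag over (seq, op, item). Assumed stand-in for the per-session
    'chaining' mentioned in the thread: the same request sent twice never
    carries the same (seq, mac) pair, so a captured one cannot be resent."""
    body = json.dumps([seq, op, item]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class VaultServer:
    """Authoritative store. An item id lives in exactly one of the two sets,
    and a move is a single remove-then-add, so it is never in both."""

    def __init__(self, session_key, vault, inventory):
        self.key = session_key
        self.vault = set(vault)
        self.inventory = set(inventory)
        self.expected_seq = 1

    def snapshot(self):
        return {"ok": True, "vault": sorted(self.vault), "inventory": sorted(self.inventory)}

    def handle(self, request):
        seq, op, item, mac = (request[k] for k in ("seq", "op", "item", "mac"))
        expected = make_mac(self.key, seq, op, item)
        if seq != self.expected_seq or not hmac.compare_digest(mac, expected):
            return {"ok": False, "error": "stale or forged request"}
        self.expected_seq += 1
        if op == "withdraw":
            src, dst = self.vault, self.inventory
        elif op == "deposit":
            src, dst = self.inventory, self.vault
        else:
            return {"ok": False, "error": "unknown op"}
        if item not in src:
            return {"ok": False, "error": "item is not where the request says"}
        src.remove(item)
        dst.add(item)
        return self.snapshot()


class Console:
    """Client side: holds only a cache of the server's last reply."""

    def __init__(self, server, session_key):
        self.server = server
        self.key = session_key
        self.seq = 1
        self.cache = server.snapshot()
        self.captured = []          # (request, reply) pairs, like a Wireshark log

    def request(self, op, item):
        req = {"seq": self.seq, "op": op, "item": item,
               "mac": make_mac(self.key, self.seq, op, item)}
        self.seq += 1
        reply = self.server.handle(req)
        self.captured.append((req, reply))
        if reply["ok"]:
            self.cache = reply
        return reply

    def inject_reply(self, reply):
        """Step 4 of the post: the server is blocked and a captured reply is
        fed to the console instead. Only the local cache can change."""
        if reply["ok"]:
            self.cache = reply

    def open_inventory(self):
        """The thread notes the inventory is re-downloaded when opened; here
        that means the cache is replaced by the server's current view."""
        self.cache = self.server.snapshot()
        return self.cache


def duplication_attempt():
    """Walks the six steps of the first post against the model and returns
    (console view after injection, server view at that moment, reply to a
    replayed request, console view after resync)."""
    key = b"constructed-session-key"                          # constructed, not real
    server = VaultServer(key, vault={"gauntlet"}, inventory=set())
    console = Console(server, key)
    withdraw_reply = console.request("withdraw", "gauntlet")   # steps 1 and 3: capture
    console.request("deposit", "gauntlet")                    # step 2: put it back
    console.inject_reply(withdraw_reply)                      # step 4: server blocked
    spoofed_view = console.cache
    server_view = server.snapshot()
    replayed = server.handle(console.captured[0][0])          # resend the old request
    resynced = console.open_inventory()                       # steps 5 and 6
    return spoofed_view, server_view, replayed, resynced


if __name__ == "__main__":
    spoofed, real, replayed, after = duplication_attempt()
    print("console after injection:", spoofed)
    print("server at that moment:  ", real)
    print("replayed request:       ", replayed)
    print("console after resync:   ", after)
```

After step 4 the console's cache shows the gauntlet in the inventory while the server still has it in the vault; nothing was duplicated, the two views simply disagree, and the next inventory download replaces the cache with the server's copy. Resending the captured request instead of the reply fails on the sequence check, which is the effect the "chaining" remark describes.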
 
Jwow
Getting There
Messages: 1,724, Reaction score: 404

just so everyone is aware, packet manipulation has never worked out well (or at all) on xbox. People tried back in halo 2 and that didn't go anywhere. Same story with other games on newer consoles.
 