Re: Minecraft "Insecure Mode" Detection Script

[Fyodor <fyodor () insecure org>]

On Mon, Dec 20, 2010 at 03:35:14PM +0200, Toni Ruottu wrote:
>   Merry Christmas time!
>
> This time I wrote a script for auditing security of Minecraft. The
> Minecraft multiplayer server has an "insecure mode". When running in
> this mode the server does not verify usernames against minecraft.net.
> Running the server in insecure mode makes it possible to play the game
> offline despite the authentication server being unreachable.

Thanks for writing this script, Toni!  David has tentatively added it
to the Nmap trunk, but I'm wondering if it would be better for the
people who need this one to get it from
http://seclists.org/nmap-dev/2010/q4/729 instead?  If only a small
number of people need to audit Minecraft game servers for this
particular configuration setting, maybe it makes more sense for them
to download and use it directly rather than push it out to everyone
who downloads Nmap.

Are there people on nmap-dev who expect that they will use this script
to check whether or not Minecraft servers are configured to verify
usernames against minecraft.net?

If the number of users is expected to be very small, I think it is
better to let them find it on Google (or wherever) and download from
Seclists.  Or maybe the script could be broadened into a
minecraft-info which collects more information from the server and
appeals to a broader set of users?

Or maybe there is widespread demand for the script just as it is.  I'm
not really a gamer, so I'm not the most informed on these issues.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/