Re: Minecraft "Insecure Mode" Detection Script

[Toni Ruottu <toni.ruottu () iki fi>]

Minecraft is still in beta phase, but it is fairly popular. The game
server is distributed by the game developer, so anyone can run a
server. Minecraft wiki (
http://www.minecraftwiki.net/wiki/Custom_server_list ) mentions 7
alternative implementations of the current game server, and 18
implementations of the Classic server which as far as I know does not
have user accounts. Usage statistics at
http://www.webcitation.org/mainframe.php tell the following:

2098 players online, in 973 servers.
2768424 registered users, of which 902760 (32.6%) have bought the game.
In the last 24 hours, 24206 people registered, and 6739 people bought the game.
Games started in the last 24 hours:
Minecraft Alpha: 969531
Minecraft Classic: 352228

As for extracting more information, I had my go at implementing the
protocol in greater detail. It is doable, but not that easy. The
protocol is very verbose, so getting the interesting information
requires bypassing lots of uninteresting stuff. That would not be so
much of a problem, but skipping a frame requires parsing it to figure
out how big it is based on the frame type, but also some information
stored in the payload. Currently bypassing uninteresting information
takes approximately 200 lines of Lua, which is not too bad. The
problem is that whenever we encounter an unknown message type, we need
to restart and hope we do not encounter that message type next time.
The problem of unknown message types gets bigger as new message types
are introduced into the game.

Going further than the authentication type check requires logging in.
This requires valid Minecraft user credentials and authentication
against the minecraft.net server, unless the game sever is running in
the said insecure mode. In any case most of the interesting
information is tied to the user account that one logs in with. This
might include player x,y,z location in the game, as well as player
inventory. So if I forgot where I had a cool diamond sword, I could
provide nmap with my credentials, and scan some servers to find the
correct one. With most items being fairly easy to create, scanning
servers to locate an item does not seem very useful. Also, scanning a
server by logging in would introduce me as a character in the game and
kick the potential real me out of the server as only one connection
from a user is allowed at a time.

There are also some in-game commands. The commands are sent as chat
messages, and the response to the commands are chat messages as well.
It is generally impossible to know which messages are responses to a
specific command without spending lots of idle time between sending
commands. I think it would be a good strategy to just send all
commands that might produce some interesting output at the very
beginning of a connection, and display any received chat messages
after running the script for a while. On the standard server however
the commands are only available to users with special rights. On some
other servers some commands are available to regular users as well.
Scanning servers in this manner might help people identify interesting
servers that they want to play on. However I am not sure if it is
worth the effort. Given a trivial way of skipping unknown message
types, I would probably had written a minecraft-commands script.


On Mon, Jan 10, 2011 at 11:53 PM, Fyodor <fyodor () insecure org> wrote:
> On Mon, Dec 20, 2010 at 03:35:14PM +0200, Toni Ruottu wrote:
> >   Merry Christmas time!
> >
> > This time I wrote a script for auditing security of Minecraft. The
> > Minecraft multiplayer server has an "insecure mode". When running in
> > this mode the server does not verify usernames against minecraft.net.
> > Running the server in insecure mode makes it possible to play the game
> > offline despite the authentication server being unreachable.
>
> Thanks for writing this script, Toni!  David has tentatively added it
> to the Nmap trunk, but I'm wondering if it would be better for the
> people who need this one to get it from
> http://seclists.org/nmap-dev/2010/q4/729 instead?  If only a small
> number of people need to audit Minecraft game servers for this
> particular configuration setting, maybe it makes more sense for them
> to download and use it directly rather than push it out to everyone
> who downloads Nmap.
>
> Are there people on nmap-dev who expect that they will use this script
> to check whether or not Minecraft servers are configured to verify
> usernames against minecraft.net?
>
> If the number of users is expected to be very small, I think it is
> better to let them find it on Google (or wherever) and download from
> Seclists.  Or maybe the script could be broadened into a
> minecraft-info which collects more information from the server and
> appeals to a broader set of users?
>
> Or maybe there is widespread demand for the script just as it is.  I'm
> not really a gamer, so I'm not the most informed on these issues.
>
> Cheers,
> Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/