Nmap Development mailing list archives
Re: Minecraft "Insecure Mode" Detection Script
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Tue, 11 Jan 2011 10:04:16 +0200
Minecraft is still in beta phase, but it is fairly popular. The game server is distributed by the game developer, so anyone can run a server. Minecraft wiki ( http://www.minecraftwiki.net/wiki/Custom_server_list ) mentions 7 alternative implementations of the current game server, and 18 implementations of the Classic server which as far as I know does not have user accounts.

Usage statistics at http://www.webcitation.org/mainframe.php tell the following:

2098 players online, in 973 servers.
2768424 registered users, of which 902760 (32.6%) have bought the game.
In the last 24 hours, 24206 people registered, and 6739 people bought the game.
Games started in the last 24 hours:
  Minecraft Alpha: 969531
  Minecraft Classic: 352228

As for extracting more information, I had my go at implementing the protocol in greater detail. It is doable, but not that easy. The protocol is very verbose, so getting the interesting information requires bypassing lots of uninteresting stuff. That would not be so much of a problem, but skipping a frame requires parsing it to figure out how big it is based on the frame type, but also some information stored in the payload. Currently bypassing uninteresting information takes approximately 200 lines of Lua, which is not too bad. The problem is that whenever we encounter an unknown message type, we need to restart and hope we do not encounter that message type next time. The problem of unknown message types gets bigger as new message types are introduced into the game.

Going further than the authentication type check requires logging in. This requires valid Minecraft user credentials and authentication against the minecraft.net server, unless the game server is running in the said insecure mode. In any case most of the interesting information is tied to the user account that one logs in with. This might include player x,y,z location in the game, as well as player inventory.

So if I forgot where I had a cool diamond sword, I could provide nmap with my credentials, and scan some servers to find the correct one. With most items being fairly easy to create, scanning servers to locate an item does not seem very useful. Also, scanning a server by logging in would introduce me as a character in the game and kick the potential real me out of the server as only one connection from a user is allowed at a time.

There are also some in-game commands. The commands are sent as chat messages, and the responses to the commands are chat messages as well. It is generally impossible to know which messages are responses to a specific command without spending lots of idle time between sending commands. I think it would be a good strategy to just send all commands that might produce some interesting output at the very beginning of a connection, and display any received chat messages after running the script for a while. On the standard server however the commands are only available to users with special rights. On some other servers some commands are available to regular users as well.

Scanning servers in this manner might help people identify interesting servers that they want to play on. However I am not sure if it is worth the effort. Given a trivial way of skipping unknown message types, I would probably have written a minecraft-commands script.

On Mon, Jan 10, 2011 at 11:53 PM, Fyodor <fyodor () insecure org> wrote:
> On Mon, Dec 20, 2010 at 03:35:14PM +0200, Toni Ruottu wrote:
>> Merry Christmas time! This time I wrote a script for auditing security of Minecraft. The Minecraft multiplayer server has an "insecure mode". When running in this mode the server does not verify usernames against minecraft.net. Running the server in insecure mode makes it possible to play the game offline despite the authentication server being unreachable.
>
> Thanks for writing this script, Toni! David has tentatively added it to the Nmap trunk, but I'm wondering if it would be better for the people who need this one to get it from http://seclists.org/nmap-dev/2010/q4/729 instead? If only a small number of people need to audit Minecraft game servers for this particular configuration setting, maybe it makes more sense for them to download and use it directly rather than push it out to everyone who downloads Nmap.
>
> Are there people on nmap-dev who expect that they will use this script to check whether or not Minecraft servers are configured to verify usernames against minecraft.net? If the number of users is expected to be very small, I think it is better to let them find it on Google (or wherever) and download from Seclists. Or maybe the script could be broadened into a minecraft-info which collects more information from the server and appeals to a broader set of users? Or maybe there is widespread demand for the script just as it is. I'm not really a gamer, so I'm not the most informed on these issues.
>
> Cheers,
> Fyodor
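As an added illustration of the frame-skipping problem Toni describes above (this is not code from the thread or from Nmap), here is a small Lua walker in the style an NSE script would use: skipping a frame needs the type's layout plus a length that lives inside the payload, and an unknown type leaves no way to resync. The frame layouts and sample byte streams are constructed for the example and are not the Minecraft wire format.

```lua
-- Constructed frame layouts for illustration only; they are NOT the real
-- Minecraft packet formats. Each entry lists the payload fields of a type.
local layouts = {
  [0x00] = {},                        -- keep-alive style frame, no payload
  [0x02] = { "string" },              -- single length-prefixed string
  [0x03] = { "byte", "int", "int" },  -- fixed-size fields only
}
-- Size of one payload field at pos. A string's size is only known after
-- reading its 2-byte length prefix: the "information stored in the payload".
local function field_size(kind, buf, pos)
  if kind == "byte" then return 1 end
  if kind == "int" then return 4 end
  local hi, lo = buf:byte(pos, pos + 1)
  if not lo then return nil, "truncated string length" end
  return 2 + hi * 256 + lo
end
-- Offset just past the frame starting at pos, or nil plus a reason. An
-- unknown type is fatal: without its layout there is no way to resync.
local function skip_frame(buf, pos)
  local ftype = buf:byte(pos)
  local fields = layouts[ftype]
  if not fields then
    return nil, ("unknown frame type 0x%02x at offset %d"):format(ftype, pos)
  end
  pos = pos + 1
  for _, kind in ipairs(fields) do
    local size, err = field_size(kind, buf, pos)
    if not size then return nil, err end
    pos = pos + size
  end
  if pos > #buf + 1 then return nil, "truncated frame" end
  return pos
end
-- Walks the stream until a frame of the wanted type starts; returns its offset.
local function find_frame(buf, wanted)
  local pos = 1
  while pos <= #buf do
    if buf:byte(pos) == wanted then return pos end
    local nxt, err = skip_frame(buf, pos)
    if not nxt then return nil, err end
    pos = nxt
  end
  return nil, "frame not found"
end
-- Constructed sample streams: one parsable, one containing an unknown type.
local good = "\0" .. "\3\1\0\0\0\5\0\0\0\7" .. "\2\0\3abc"
local bad  = "\0" .. "\255" .. "\2\0\3abc"
print(find_frame(good, 0x02))
print(find_frame(bad, 0x02))
```

Every new message type the game introduces is a missing entry in the layout table, which is exactly why the walker has to give up rather than guess.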