From 68ac93f69a9e3710181e6e930c0d61bbe2691deb Mon Sep 17 00:00:00 2001
From: david
Date: Mon, 10 Jan 2011 01:14:15 +0000
Subject: [PATCH] o [NSE] Added minecraft-auth.nse by Toni Ruotto. It checks for Minecraft game servers that don't check usernames against a master server.
---
CHANGELOG | 4 +++
scripts/minecraft-auth.nse | 61 ++++++++++++++++++++++++++++++++++++++
scripts/script.db | 1 +
3 files changed, 66 insertions(+)
create mode 100644 scripts/minecraft-auth.nse
diff --git a/CHANGELOG b/CHANGELOG
index b23bf2fcc..b313f5c12 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added minecraft-auth.nse by Toni Ruotto. It checks for
+ Minecraft game servers that don't check usernames against a master
+ server.
+
 o Added a service probe for master servers of Quake 3 and other games.
 [Toni Ruotto]
diff --git a/scripts/minecraft-auth.nse b/scripts/minecraft-auth.nse
new file mode 100644
index 000000000..8a914b145
--- /dev/null
+++ b/scripts/minecraft-auth.nse
@@ -0,0 +1,61 @@
+description = [[
+Detects Minecraft username spoofing vulnerability.
+
+Logging into a Minecraft multiplayer server requires online
+authentication at minecraft.net. Some Minecraft servers
+however are configured to run in an insecure mode making
+it possible to play multiplayer games in the absence of Internet
+connectivity. A server running in the insecure mode skips the
+authentication letting anyone log in with any username.
+A determined individual can use modified client software to log
+into such insecure servers with a username registered to another
+player.
+]]
+
+---
+-- @output
+-- 25565/tcp open minecraft
+-- |_minecraft-auth: vulnerable to username spoofing
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "vuln", "safe"}
+
+require("bin")
+require("nmap")
+require("shortport")
+
+portrule = shortport.port_or_service (25565, "minecraft", {"tcp"})
+
+action = function( host, port )
+ local HANDSHAKE_REQUEST = 2
+ local HANDSHAKE_RESPONSE = 2
+
+ local socket = nmap.new_socket()
+ local status, _ = socket:connect(host.ip, port.number)
+ if not status then
+ return
+ end
+
+ --login name for the handshake
+ --(we never actually try logging into the server)
+ local login = "minecraft"
+
+ socket:send(bin.pack("C>P", HANDSHAKE_REQUEST, login))
+ status, data = socket:receive_bytes(4)
+ socket:close()
+ if not status then
+ return
+ end
+
+ local _, packet_id, connection_hash = bin.unpack("C>P", data)
+ if packet_id ~= HANDSHAKE_RESPONSE then
+ return
+ end
+ if connection_hash ~= "-" then
+ return
+ end
+
+ return "vulnerable to username spoofing"
+end
+
diff --git a/scripts/script.db b/scripts/script.db
index 54642db90..08aef4b10 100644
--- a/scripts/script.db
+++ b/scripts/script.db
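Review bot: `status, data = socket:receive_bytes(4)` assigns `data` without a `local` declaration, so it becomes a global in the script's environment instead of a variable scoped to `action`; declare it first, `local data` on the line before (or `local data; status, data = socket:receive_bytes(4)`), so luacheck stays clean and the name cannot collide with anything else in that environment. On the line above, the status returned by `socket:send(...)` is discarded, so a failed send only surfaces indirectly when the following receive fails; checking it, `if not socket:send(bin.pack("C>P", HANDSHAKE_REQUEST, login)) then socket:close(); return end`, keeps the failure path explicit and closes the socket on that path too. Both points fall inside `action`, whose body lies entirely within this hunk.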
@@ -80,6 +80,7 @@ Entry { filename = "ldap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
+Entry { filename = "minecraft-auth.nse", categories = { "default", "safe", "vuln", } }
 Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }