o [NSE] Added minecraft-auth.nse by Toni Ruotto. It checks for

Minecraft game servers that don't check usernames against a master server.
2025-12-15 12:19:02 +00:00 · 2011-01-10 01:14:15 +00:00
parent 4fa142de14
commit 68ac93f69a
3 changed files with 66 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added minecraft-auth.nse by Toni Ruotto. It checks for
+  Minecraft game servers that don't check usernames against a master
+  server.
+
 o Added a service probe for master servers of Quake 3 and other games.
  [Toni Ruotto]

--- a/scripts/minecraft-auth.nse
+++ b/scripts/minecraft-auth.nse
@@ -0,0 +1,61 @@
+description = [[
+Detects Minecraft username spoofing vulnerability.
+
+Logging into a Minecraft multiplayer server requires online
+authentication at minecraft.net. Some Minecraft servers
+however are configured to run in an insecure mode making
+it possible to play multiplayer games in the absence of Internet
+connectivity. A server running in the insecure mode skips the
+authentication letting anyone log in with any username.
+A determined individual can use modified client software to log
+into such insecure servers with a username registered to another
+player.
+]]
+
+---
+-- @output
+-- 25565/tcp open  minecraft
+-- |_minecraft-auth: vulnerable to username spoofing
+
+author = "Toni Ruottu"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "vuln", "safe"}
+
+require("bin")
+require("nmap")
+require("shortport")
+
+portrule = shortport.port_or_service (25565, "minecraft", {"tcp"})
+
+action = function( host, port )
+	local HANDSHAKE_REQUEST = 2
+	local HANDSHAKE_RESPONSE = 2
+
+	local socket = nmap.new_socket()
+	local status, _ = socket:connect(host.ip, port.number)
+	if not status then
+		return
+	end
+
+	--login name for the handshake
+	--(we never actually try logging into the server)
+	local login = "minecraft"
+
+	socket:send(bin.pack("C>P", HANDSHAKE_REQUEST, login))
+	status, data = socket:receive_bytes(4)
+	socket:close()
+	if not status then
+		return
+	end
+
+	local _, packet_id, connection_hash = bin.unpack("C>P", data)
+	if packet_id ~= HANDSHAKE_RESPONSE then
+		return
+	end
+	if connection_hash ~= "-" then
+		return
+	end
+
+	return "vulnerable to username spoofing"
+end
+
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -80,6 +80,7 @@ Entry { filename = "ldap-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "ldap-rootdse.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ldap-search.nse", categories = { "discovery", "safe", } }
 Entry { filename = "lexmark-config.nse", categories = { "discovery", "safe", } }
+Entry { filename = "minecraft-auth.nse", categories = { "default", "safe", "vuln", } }
 Entry { filename = "modbus-discover.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } }