PDA

View Full Version : HCE RCON Brute Force



POQbum
September 25th, 2011, 03:50 PM
We're having a problem with this. Someone has developed a tool to brute force the rcon. He appears to not be malicious but of course we do not want other people to be able to admin our servers. He tells us that he is not planning to release it but he will continue to use it as he pleases.

I'm looking to see if anyone is able to limit the number of rcon attempts since this seems like the more efficient way to stop the problem. When he runs this program it nearly lags out the server which is a big problem also.

If someone can develop this please make a patcher because it's useless to us otherwise.

Thanks

urbanyoung
September 25th, 2011, 03:59 PM
I believe Goemitar made a good video that demonstrates why brute forcing your rcon password would be a tedious and ineffective task. If he got your password it's because it wasn't a good one. The lag on the other hand is an issue. I'll add some code to the next Phasor which will limit the amount of attempts to x per minute, if more they're kicked. Hopefully the next build will run on CE too, it's a matter of whether or not I can be bothered finding signatures for every address I use.

edit: i see you want a patcher, oh well.

POQbum
September 25th, 2011, 04:04 PM
it wasn't a very secure password, we're going to try with a more secure one and see how things go (if he's able to still crack it or if our servers continually lag down)

Patrickssj6
September 25th, 2011, 04:05 PM
Brute forcing over a network is not efficient. That guy probably used Luigi's information on network handshakes. If he truly wanted to crack the rcon he could have gone one step further and find a remote exploit.

Like urban said though, lag is the real problem.

EDIT: If you want a safe password, use 2 (or more) words divided by a dot and append a 3 digit number.

Cortexian
September 25th, 2011, 04:06 PM
Brute forcing is only something to be concerned about if you're using extremely terrible, short, easy passwords.

POQbum
September 25th, 2011, 04:15 PM
I believe Goemitar made a good video that demonstrates why brute forcing your rcon password would be a tedious and ineffective task. If he got your password it's because it wasn't a good one. The lag on the other hand is an issue. I'll add some code to the next Phasor which will limit the amount of attempts to x per minute, if more they're kicked. Hopefully the next build will run on CE too, it's a matter of whether or not I can be bothered finding signatures for every address I use.

edit: i see you want a patcher, oh well. or if you could edit an existing modified .exe
The problem we have with all these .exe mods is they are created as individual .exe's but not patchers. So we can't combine use of different mods, we just have to choose one over the other. It's a horrible dilemma :/

@Patrickssj6
(http://www.modacity.net/forums/member.php?167-Patrickssj6)are you saying there is some sort of exploit to gain rcon access (non-brute force)?

@freelancer
yes it was a pretty terrible and short password, I didn't know there was a brute force method developed so the rcon was intended to just be easy to remember.
He claimed to have cracked it in 3.2 seconds.

..anyway we'll try it with the longer more complex password. Thanks guys.

Cortexian
September 25th, 2011, 04:16 PM
Wow, what did you do.. use "abc" as your password? lmao.

You should always use secure passwords, that's the entire point of a password.

POQbum
September 25th, 2011, 04:18 PM
Wow, what did you do.. use "abc" as your password? lmao.

You should always use secure passwords, that's the entire point of a password.
hah no, but I don't want to give away the form we used. It wasn't THAT easy or any common phrase, but certainly wasn't secure.

Skrillex
September 25th, 2011, 05:06 PM
Geomitar's methods were rather crude to say the least. It's perfectly possible to brute-force over a network.
However, @Patrickssj6 (http://www.modacity.net/forums/member.php?167-Patrickssj6) is much more accurate in his assumption of remote exploits/network handshakes. 3.2 seconds was the conclusion I imagine one of your members reached after viewing the logs. And yes, there are ways of gaining access to RCON passwords that do not involve brute-force.

Source of this project will never be released as public domain. It was purely an intellectual thought test to see if it could be done. However, I do find myself rather vulnerable to using it under certain circumstances i.e. a bot is in the server, someone is flaming etc.

Responses to this thread will be watched with considerable interest.

EDIT: =CE= Combat Experts has already switched over to a more secure RCON. A 6+ character RCON such as a29XdL# is much better than, say, 6671 format.

Limited
September 25th, 2011, 05:45 PM
Geomitar's methods were rather crude to say the least. It's perfectly possible to brute-force over a network.
However, @Patrickssj6 (http://www.modacity.net/forums/member.php?167-Patrickssj6) is much more accurate in his assumption of remote exploits/network handshakes. 3.2 seconds was the conclusion I imagine one of your members reached after viewing the logs. And yes, there are ways of gaining access to RCON passwords that do not involve brute-force.

Source of this project will never be released as public domain. It was purely an intellectual thought test to see if it could be done. However, I do find myself rather vulnerable to using it under certain circumstances i.e. a bot is in the server, someone is flaming etc.

Responses to this thread will be watched with considerable interest.

EDIT: =CE= Combat Experts has already switched over to a more secure RCON. A 6+ character RCON such as a29XdL# is much better than, say, 6671 format.
I'd like to know your comments about disrupting the server to meet your fix of knowledge. I can understand targeting the attack on your own server, or a friends server but to me it seems your targeting innocent servers and disrupting peoples fun. Pretty selfish right?

Skrillex
September 25th, 2011, 05:51 PM
Please, insults are not required, however well veiled they may be.

In respect to your comments, I did not disrupt the game; in fact, I removed a player who was causing quite a few issues in-game. If you do have queries, PM me or tag me. I'll reply eventually.

As I have said, this is not for release, ever.

Limited
September 25th, 2011, 06:04 PM
Ha, insults...Don't make me laugh.


When he runs this program it nearly lags out the server which is a big problem also.
So your method of gaining the password lagged the server by a substancial amount, the server admin says so right? Then why are you saying you gained access to remove a player, when the server admin was in the server? Could you have not plead with the server admin and discuss possible actions, instead of hijacking the server, compromising the servers integrity and taking matters into your own hands.


No wonder your trying to tip-toe your way around.

Skrillex
September 25th, 2011, 06:15 PM
From my own experience whilst running the program in the server, there were no lag issues. Nor did any other player complain of them. The same can be said for CPU spikes; there were none when I ran the program.

There were no administrators online at the time, and not only was the player I removed using his large ping to kill players in a hog, he was breaking several rules and being generally disrespectful to players. I kicked him from the server. The server was hardly compromised at any point apart from in it's RCON.

Insinuating would have been a better word than insult, perhaps.

Donut
September 25th, 2011, 06:17 PM
doesnt really change the fact that you broke the rcon password on a server that wasnt yours without anybody's permission and performed an administrator's task without the proper clearance.

Skrillex
September 25th, 2011, 06:20 PM
I haven't denied that at any point; I am aware that what I did doesn't fit within the rules, however at the time it provided a useful opportunity to test something, and improve the game for everyone involved.

Instead of discussing my actions, perhaps one could return on-topic and discuss what Bum posted originally. As said before, I'm interested to see what Modacity can come up with.

Limited
September 25th, 2011, 06:21 PM
I'm not insinuating anything, we have the server admins own accord of the accounts that happened. Thats good enough for me to believe. Rather than some newly registered member who I've never heard of (obviously I know who the real Skrillex is).

By your accounts, your completely disagreeing with every point the original poster made, therefore are you calling him a liar, or are you the one bending the truth?

E: Wow, so a guy broke a rule, so you thought you'd break a rule to make it even? Seems a bit ironic.

I'm trying to judge the scale of the event, before I cast a verdict on what should happen next. To me it seems you have no issue with breaking international law and taking matters into your own hands. So its a pretty big issue.

urbanyoung
September 25th, 2011, 06:23 PM
Is there any point attacking his character? He made a program to see if it worked, it did. He used it because it worked. He could do worse things than he's doing.

@ Skrillex, you say its an exploit and not brute force, what would cause any noticeable lag if not for brute force?

Skrillex
September 25th, 2011, 06:24 PM
I am denying that my program caused any lag experienced by the server. It could not have been the cause. I am obviously not denying that I cracked the RCON, but that matter I hope is being settled on the =DG= forums, and not here.

@UrbanYoung: bruteforce would produce noticeable lag, depending on how you went about it. Exploits are usually (and in this case are) un-noticeable to a player on the server. It doesn't require a large transfer of data which would cause lag.

urbanyoung
September 25th, 2011, 06:25 PM
Hmm this is interesting, I may take a look to see what I can find. I like having something to reverse. I assumed it was brute force and was wrong, cool. Is this for CE or PC?

Skrillex
September 25th, 2011, 06:27 PM
Custom Edition. Any form of nullifying repeat attempts at RCON access within a certain time-frame (I.E 7 per second) would nullify most brute-force methods. It'd be a useful feature of a server app such as Phasor.

Edit: my program works with both CE and PC. This occurred on CE.

urbanyoung
September 25th, 2011, 06:49 PM
Ok cool I'll have a dig around the PC server once I finish classes for the day :)

jcap
September 25th, 2011, 07:00 PM
Ok, so ignoring the debate about whether what he did was morally wrong or not...

Skrillex has some method of cracking rcon on servers, correct? Well, instead of blaming him for finding an exploit, why don't we just work on a way to prevent someone who actually has malicious intent from exploiting it? Skrillex suggested that some protection could be built into a server app, but if the issue is more complex than a simple brute force, some people are going to need more information to patch it.

Amit
September 25th, 2011, 07:00 PM
POQ said he experienced noticeable lag while you were performing your actions. Well, if there was already a random dude with a high ping in the server, how do we know that it wasn't him who caused the extreme amounts of lag?

In any case, you can't just run around on servers acting like the Halo vigilante. If you have a complaint, contact the server admins with details, if possible, and leave the server. If the other people in the server decide that they want to stay, that's their choice.

EDIT: I just realized this is in the release section. I thought only downloads go here, not discussion.

POQbum
September 25th, 2011, 07:10 PM
We run on VPS's and when he ran (at least I believe he ran it during that time) it lagged out nearly all players in Death Island and the other server supported by that particular VPS.
I may be wrong in my assumption, it may have been some sort of server-wide spike that affected that particular VPS during that time. This does happen occasionally but usually does not lag badly enough for players to lose connection (mostly just causes momentary warp for ~2-3 seconds)

Skillex I realize your intent is not malicious and I thank you for that (since you could have all of our servers offline right now) but I'm hoping we can find a way to patch this so that no one is able to do this in the future.

Skrillex
September 25th, 2011, 07:25 PM
Of course. I still find it hard to believe that my program would cause lag high enough to cause players to drop out, so I think that is something unrelated to the use of this program.

I'll be willing to 'test' RCON's against my program for you should you want me to, Bum. And yes, I have spoken to Addict about this as well, so he is aware of how to upgrade his RCON for maximum security. I have created an Xfire for the purpose of speaking with you who wish to contact me: skrillex191.

Edit: @Amit, I am aware.

Zeph
September 25th, 2011, 07:37 PM
You know, Bungie/Microsoft is supposed to patch the servers if an exploit shows up.

Kornman00
September 25th, 2011, 07:42 PM
@UrbanYoung: bruteforce would produce noticeable lag, depending on how you went about it. Exploits are usually (and in this case are) un-noticeable to a player on the server. It doesn't require a large transfer of data which would cause lag.
A rcon request packet consumes 72 bytes of message data. Add to this the generic PDU headers from the message delta system and lower, and the rest of the networking stack and you're probably around 100 bytes. That's just for a *request* a response to the client consumes 80 bytes of message data. Again, add to that the PDU headers from the message delta system and the rest of the stack, and you're probably around 100 bytes.

If you're trying to brute force the server's rcon password, you're going to be hammering the server with requests. Let's just say that you're able to do 15 requests (which then reply with 15 responses) per second. That's 200 * 15 = 3000. Bytes. Damn near 3MB. A second. Just for your requests. At least.

Now factor into the mix of updating a server full of players (server has to send data out to ALL players) and the updates received from clients, and your brute force is going to fucking thrash the server's bandwidth. Which will affect the players on that server's connection. Causing lag.

The rcon password is never transmitted across the network, at least not from the server. The only way to figure out the rcon other than from brute force, is by hacking into the server running the process, or capturing the packets of someone else on the server who sent an rcon request. Which would suggest an admin was already on the server at the same time as you, or previously in a prior game.

urbanyoung
September 25th, 2011, 08:17 PM
I'm assuming he doesn't actually find the password, but exploits the packet's handling. That's the only way I can see it working. I imagine he sends a "bad" rcon request with an invalid size or w/e which bypasses a bit of validation. I'm going to see if I can find anything now.

@people worried about their server, just use a server mod like Gandanur (PC/CE) or Phasor (PC) as they implement a hash based system too, which will stop this exploit.

Kornman00
September 25th, 2011, 08:28 PM
I imagine he sends a "bad" rcon request with an invalid size or w/e which bypasses a bit of validation. I'm going to see if I can find anything now.
The way he initially started talking suggested he cracked the password.


EDIT: =CE= Combat Experts has already switched over to a more secure RCON. A 6+ character RCON such as a29XdL# is much better than, say, 6671 format.

Last I recall, the message delta system validates that the data trying to be decoded isn't greater than the maximum packet size for the message type. Or else it will return false and the game won't even process that message's data. If the message isn't decoded, the password check doesn't take place.

If all that is happening is a malformed packet, then the process of cracking the password should be instantaneous. Would probably have to be a complex set of data executing by way of a buffer overflow, to enable the server to continue operating without error...

TPBlinD
September 25th, 2011, 08:37 PM
itt: kid with the name SKRILLEX (terrible) acting pretentious and better than everyone

Sean Aero
September 25th, 2011, 08:45 PM
As always, "Proof or it didn't happen".
One admin being worried about a rcon-password being compromised is not enough for me.
This happens in clans quite often that rcon gets leaked, especially bigger clans.
I would like to see some proof of this "project" before everyone starts wasting time on finding and fixing something, what could potentially just be some hoax/trolling.
Thanks :)

urbanyoung
September 25th, 2011, 08:46 PM
The way he initially started talking suggested he cracked the password.

Yeah it's weird, he says it's an exploit but also says a better password will protect you. He also mentioned something about 3.2 seconds which seems a little strange when talking about an exploit..

edit: I can't see any potential bugs in the password processing, short of a buffer overrun (which I doubt) I don't see how it could be done. My guess is the password got leaked.

edit1: if anyone's curious you can brute force a 3 character rcon password (remote server) in less than 5 minutes, so I guess there is a need for this, although anything over 4 characters is safe.

Cleaver
September 26th, 2011, 11:02 AM
Bum, you say the Death Island server lagged in the process - he was on Snipers Unlimited when he cracked RCON.

I'm assuming he doesn't actually find the password, but exploits the packet's handling. That's the only way I can see it working. I imagine he sends a "bad" rcon request with an invalid size or w/e which bypasses a bit of validation. I'm going to see if I can find anything now.

The server log shows one failed attempt before successfully using the pl command.

@Sean Aero, I don't see how we can provide proof that there wasn't an RCON leak. That's almost asking us to post our entire recent server logs to show that at no point was RCON released accidentally in chat.

Sean Aero
September 26th, 2011, 11:36 AM
Bum, you say the Death Island server lagged in the process - he was on Snipers Unlimited when he cracked RCON.

The server log shows one failed attempt before successfully using the pl command.

@Sean Aero, I don't see how we can provide proof that there wasn't an RCON leak. That's almost asking us to post our entire recent server logs to show that at no point was RCON released accidentally in chat.

Exactly so my point being, why jump to the conclusion that the RCON was brute forced? Why not assume it was indeed leaked through forum, chat or pm.
I'm not sure how you guys got to the conclusion that it was indeed a Brute Force. (Do tell!)
The only one that has something to proof here is Skrillex, until that time I consider this a hoax, a joke at most.

POQbum
September 26th, 2011, 12:00 PM
Exactly so my point being, why jump to the conclusion that the RCON was brute forced? Why not assume it was indeed leaked through forum, chat or pm.
I'm not sure how you guys got to the conclusion that it was indeed a Brute Force. (Do tell!)
The only one that has something to proof here is Skrillex, until that time I consider this a hoax, a joke at most.
This is actually true, we're doing more digging to make sure it's not a leak. I was told by a few people that this was brute force and naturally that's what I went with when I posted this. After examining the logs it does not appear to be Brute force at all since that would require actual attempts.

Cleaver
September 26th, 2011, 12:57 PM
Exactly so my point being, why jump to the conclusion that the RCON was brute forced? Why not assume it was indeed leaked through forum, chat or pm.
I'm not sure how you guys got to the conclusion that it was indeed a Brute Force. (Do tell!)
The only one that has something to proof here is Skrillex, until that time I consider this a hoax, a joke at most.
If it's an exploit, we can't provide log evidence of something that didn't occur directly in the game server. We've had no reports from anyone about a leak, and we'd trust our moderators to inform us if one were to happen.
Consider it what you like, because we aren't able to validate the issue.

supersniper
September 27th, 2011, 01:08 AM
hahahahaha rcon brute force, too bad that's a farfetched idea. unless your password was hce or cake or pony there's no way in hell your pass was hacked.

it's a logical answer you trusted the wrong person with it, it's simple just change the pass and move on.

POQbum
September 27th, 2011, 12:44 PM
To update this thread, there was no crack or exploit.
It was an rcon leak and the guy has been found and identified.