Whut ?Quote:
ps their api is still more secure as https
it make it a lot more difficult to man in the middle than the normal tcp sending password in plaintext.Quote:
It is not true at all.Quote:
"{{\"id\":2,\"jsonrpc\":\"2.0\",\"method\":\"ClientLibrary.initSession\",\"params\":{{\"sessionId\":\"CENSORED\"}}}}"
"{{\"id\":2,\"jsonrpc\":\"2.0\",\"result\":\"CENSORED\"}}"
There is no plaintext, because the packet is sent over https protocol, so it's almost impossbile to make some MITM attack, providing the launcher verifies the SSL certificate. Of course if you have access to the victim`s PC it won't change anything, but then there is really no way to protect your password. Even if it would be send in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.Quote:
It may be safer because sent once but still vulnerable.
First of all, thank you for your information.Quote:
Eg. Request:
Response:Code:"{{\"id\":2,\"jsonrpc\":\"2.0\",\"method\":\"ClientLibrary.initSession\",\"params\":{{\"sessionId\":\"CENSORED\"}}}}"
Code:"{{\"id\":2,\"jsonrpc\":\"2.0\",\"result\":\"CENSORED\"}}"
There is no plaintext, because the packet is sent over https protocol, so it's almost impossbile to make some MITM attack, providing the launcher verifies the SSL certificate. Of course if you have access to the victim`s PC it won't change anything, but then there is really no way to protect your password. Even if it would be send in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.
The problem with the "old" client is that your credentials may be compromised even without the access to the victim`s PC, lets say you log in into NosTale while connected to open WiFi in restaurant, someone can monitor your WiFi packets and taking into account that the "nostale crypto" is fully reversible simply grab your password. In current situation with new launcher, best what the attacker can get from the login/world connection is the one-time auth token
Very kind and clear. Thank you. It is not about decrypting because nowdays it would be impossible as you said but bypassing the SSL certificate. You are then able to swap the keys as you wish being in the middle acting like a proxy. I may connect later to Discord and contact you in private to discuss about it if I got any time in the late evening.Quote:
However as I said, that changes nothing. Even if you are able to sniff the request (I'm wondering how) you will get the string that is used to auth you anyway. You don't need the password then to log in into account. The hashed password would be enough.
Anyway I'm really wondering how are you able to decrypt data sent over HTTPS protocol without having access to the victim`s PC and providing the client precisely verifies the SSL certificate. Any link or explaination would be really helpful.
Yes I just needed to figure out how to listen to the pipe as the soft I use expect / instead of //./pipe but at least now I have everything I need. This is useless for the momentQuote:
Eg. Request:
Response:Code:"{{\"id\":2,\"jsonrpc\":\"2.0\",\"method\":\"ClientLibrary.initSession\",\"params\":{{\"sessionId\":\"CENSORED\"}}}}"
Code:"{{\"id\":2,\"jsonrpc\":\"2.0\",\"result\":\"CENSORED\"}}"
There is no plaintext, because the packet is sent over https protocol, so it's almost impossbile to make some MITM attack, providing the launcher verifies the SSL certificate. Of course if you have access to the victim`s PC it won't change anything, but then there is really no way to protect your password. Even if it would be send in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.
The problem with the "old" client is that your credentials may be compromised even without the access to the victim`s PC, lets say you log in into NosTale while connected to open WiFi in restaurant, someone can monitor your WiFi packets and taking into account that the "nostale crypto" is fully reversible simply grab your password. In current situation with new launcher, best what the attacker can get from the login/world connection is the one-time auth token
Of course it is possible to install your own certificate when you controll the victim device, such MITM attacks are possible, without them doing the GitHub repo would be much harder, because I have used the Fiddler, which installs fake SSL certificate which user must then trust, but to do so you still need to somehow access the victim`s device. Still wonder how to do something like this without accessing the device.Quote:
Very kind and clear. Thank you. It is not about decrypting because nowdays it would be impossible as you said but bypassing the SSL certificate. You are then able to swap the keys as you wish being in the middle acting like a proxy. I may connect later to Discord and contact you in private to discuss about it if I got any time in the late evening.
There is a technique to do it remotely without any contact with the victim's PC and it is often used in hacking. CloudFlare is also implementing a protection against it.Quote:
MITM of the HTTPS once the message is encrypted (except with knowledge of the private key) is "impossible".Quote:
This is one of many possible techniques, good job. You can tell the web server you are an old browser forcing the HTTP protocol.Quote:
However, if you are on the same network as your target, you can force it to use the HTTP protocol (see SSLStrip for example). Fortunately, it is possible to protect against this type of attack (see [Only registered and activated users can see links. Click Here To Register...]).
If it forces you to use HTTP how good validation of the certificate might succeed if the certificate isn't even present? It's not a internet browser where there still exists HTTP websites, however the launcher actually know that he except HTTPS connection with specify certificate.Quote:
However, if you are on the same network as your target, you can force it to use the HTTP protocol (see SSLStrip for example). Fortunately, it is possible to protect against this type of attack (see [Only registered and activated users can see links. Click Here To Register...]).
If you force a browser to use HTTP, there is no need for validation since there is no certificate.Quote:
I was talking about websites in general. I've never studied the Nostale launcher much before. However, from the little I' ve seen, it seems like an Electron/Electron-like application. If this is the case, then it' s Chromium running behind it and everything I just said applies to it.Quote:
Are you talking about certificate pinning ? If yes, in some case you can bypass it.Quote: