ThinClient for pserver
Discussion on ThinClient for pserver within the Nostale forum part of the MMORPGs category.
06/13/2019, 12:53
#16
elite*gold: 0
Join Date: May 2009
Posts: 1,005
Received Thanks: 1,019
Yes, but I don't care about what their API does, as it's for a private server; my only goal is to start a client with the new packet and make it work with NosCore/OpenNos or any other emulator.
PS: their API is still more secure as HTTPS.
06/13/2019, 13:36
#17
elite*gold: 0
Join Date: Nov 2015
Posts: 211
Received Thanks: 141
Quote:
Originally Posted by 0Lucifer0
PS: their API is still more secure as HTTPS.
Whut?
06/13/2019, 14:16
#18
elite*gold: 0
Join Date: May 2009
Posts: 1,005
Received Thanks: 1,019
Quote:
Originally Posted by DarkyZShadow
Whut?
It makes it a lot more difficult to man-in-the-middle than the normal TCP connection sending the password in plaintext.
06/13/2019, 16:51
#19
elite*gold: 0
Join Date: Sep 2015
Posts: 482
Received Thanks: 532
Quote:
Originally Posted by 0Lucifer0
It makes it a lot more difficult to man-in-the-middle than the normal TCP connection sending the password in plaintext.
It is not true at all.
NosTale encryption is actually more secure than HTTPS, since there are public tools you can use to MITM it. Everyone can see your request data. In NosTale's case the attack must be aimed at a specific game.
Both are very easy to hack anyway.
Is the Gameforge launcher sending the password as a hash or in plaintext?
06/13/2019, 17:08
#20
elite*gold: 0
Join Date: Mar 2015
Posts: 871
Received Thanks: 1,229
Well, I didn't expect someone would be interested in the things that happen in the pipe communication. Everything takes place on the "\\.\pipe\GameforgeClientJSONRPCMS2" pipe (gameforge_client_api.dll). Generally pipes can be treated like normal files, so you can read/write to a pipe using WinAPI calls like WriteFile/ReadFile (that's what NosTale does). The messages are very simple and uncomplicated, which makes it easy to write your own launcher.
E.g. request:
Code:
{"id":2,"jsonrpc":"2.0","method":"ClientLibrary.initSession","params":{"sessionId":"CENSORED"}}
Response:
Code:
{"id":2,"jsonrpc":"2.0","result":"CENSORED"}
Quote:
Originally Posted by Cryless~
It can be cracked, not reversed, only if the victim's password is too weak, and any security measure is not enough for such people. Anyway, the plaintext password (not sure if hashed) is sent to  and you can easily sniff it. It does not matter how you implement it on the server side.
It may be safer because it is sent once, but still vulnerable.
There is no plaintext, because the packet is sent over the HTTPS protocol, so it's almost impossible to make a MITM attack, provided the launcher verifies the SSL certificate. Of course if you have access to the victim's PC it won't change anything, but then there is really no way to protect your password. Even if it were sent in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.
The problem with the "old" client is that your credentials may be compromised even without access to the victim's PC. Let's say you log in to NosTale while connected to open WiFi in a restaurant: someone can monitor your WiFi packets and, taking into account that the "nostale crypto" is fully reversible, simply grab your password. In the current situation with the new launcher, the best the attacker can get from the login/world connection is the one-time auth token.
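The pipe exchange described in the post above, as an added example that is not code from the thread, from Gameforge or from NosCore: a small JSON-RPC 2.0 client that builds the request, checks that the reply answers the same id and carries a result rather than an error, and does one round trip through the named pipe with plain file I/O. The pipe name and the ClientLibrary.initSession method come from the post; the session id value, the read buffer size and opening the pipe with Python's open() are assumptions.

```python
import itertools
import json

# Named pipe from the post; opening it with Python's open() is an assumption
# (the launcher API is driven with WriteFile/ReadFile, which is what open() uses).
PIPE_PATH = r"\\.\pipe\GameforgeClientJSONRPCMS2"
_ids = itertools.count(1)   # JSON-RPC ids must be unique so replies can be matched


def build_request(method, params=None, req_id=None):
    """Serialise a JSON-RPC 2.0 request; key order follows the post's example."""
    if req_id is None:
        req_id = next(_ids)
    msg = {"id": req_id, "jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def parse_response(raw, expected_id):
    """Validate a JSON-RPC 2.0 reply and return its result.

    Rejects a reply that is not version 2.0, that answers a different request
    id, or that carries an error member instead of a result.
    """
    msg = json.loads(raw.decode("utf-8"))
    if msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 message")
    if msg.get("id") != expected_id:
        raise ValueError(f"reply id {msg.get('id')!r} does not match request id {expected_id}")
    if "error" in msg:
        err = msg["error"] or {}
        raise RuntimeError(f"RPC error {err.get('code')}: {err.get('message')}")
    if "result" not in msg:
        raise ValueError("reply has neither result nor error")
    return msg["result"]


def call(method, params=None, pipe_path=PIPE_PATH, bufsize=64 * 1024):
    """One request/response round trip over the pipe (Windows, launcher running)."""
    req_id = next(_ids)
    with open(pipe_path, "r+b", buffering=0) as pipe:
        pipe.write(build_request(method, params, req_id))
        raw = pipe.read(bufsize)   # one ReadFile; the reply is a single JSON object
    return parse_response(raw, req_id)


if __name__ == "__main__":
    # "SESSION-ID-PLACEHOLDER" stands in for the censored sessionId value
    print(call("ClientLibrary.initSession", {"sessionId": "SESSION-ID-PLACEHOLDER"}))
```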
06/13/2019, 17:43
#21
elite*gold: 0
Join Date: Sep 2015
Posts: 482
Received Thanks: 532
Quote:
Originally Posted by WalrossGreat
Well, I didn't expect someone would be interested in the things that happen in the pipe communication. Everything takes place on the "\\.\pipe\GameforgeClientJSONRPCMS2" pipe (gameforge_client_api.dll). Generally pipes can be treated like normal files, so you can read/write to a pipe using WinAPI calls like WriteFile/ReadFile (that's what NosTale does). The messages are very simple and uncomplicated, which makes it easy to write your own launcher.
E.g. request:
Code:
{"id":2,"jsonrpc":"2.0","method":"ClientLibrary.initSession","params":{"sessionId":"CENSORED"}}
Response:
Code:
{"id":2,"jsonrpc":"2.0","result":"CENSORED"}
There is no plaintext, because the packet is sent over the HTTPS protocol, so it's almost impossible to make a MITM attack, provided the launcher verifies the SSL certificate. Of course if you have access to the victim's PC it won't change anything, but then there is really no way to protect your password. Even if it were sent in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.
The problem with the "old" client is that your credentials may be compromised even without access to the victim's PC. Let's say you log in to NosTale while connected to open WiFi in a restaurant: someone can monitor your WiFi packets and, taking into account that the "nostale crypto" is fully reversible, simply grab your password. In the current situation with the new launcher, the best the attacker can get from the login/world connection is the one-time auth token.
First of all, thank you for your information.
I am sorry but you are wrong about the SSL certificate, because nowadays, standalone, it is not enough to prevent a MITM attack. It has been broken and there are thousands of tutorials you can find online. I will not explain it here in detail because it is not the right section, but most importantly I have no time to waste like that.
However, my question was about the POST request, not the traffic sent over the network. From your GitHub I can read that the password is sent with other information to  to generate the token. What is its form? Plaintext? SHA-512? This is what I am asking and curious about...
06/13/2019, 17:43
#22
elite*gold: 0
Join Date: Mar 2015
Posts: 871
Received Thanks: 1,229
Password that is sent in the POST request body is plain:
However, as I said, that changes nothing. Even if you are able to sniff the request (I'm wondering how) you will get the string that is used to auth you anyway. You don't need the password then to log in to the account. The hashed password would be enough.
Anyway, I'm really wondering how you are able to decrypt data sent over the HTTPS protocol without having access to the victim's PC, provided the client precisely verifies the SSL certificate. Any link or explanation would be really helpful.
06/13/2019, 17:50
#23
elite*gold: 0
Join Date: Sep 2015
Posts: 482
Received Thanks: 532
Quote:
Originally Posted by WalrossGreat
Password that is sent in the POST request body is plain:
However, as I said, that changes nothing. Even if you are able to sniff the request (I'm wondering how) you will get the string that is used to auth you anyway. You don't need the password then to log in to the account. The hashed password would be enough.
Anyway, I'm really wondering how you are able to decrypt data sent over the HTTPS protocol without having access to the victim's PC, provided the client precisely verifies the SSL certificate. Any link or explanation would be really helpful.
Very kind and clear. Thank you. It is not about decrypting, because nowadays it would be impossible as you said, but bypassing the SSL certificate. You are then able to swap the keys as you wish, being in the middle acting like a proxy. I may connect later to Discord and contact you in private to discuss it if I get any time in the late evening.
06/13/2019, 18:24
#24
elite*gold: 0
Join Date: May 2009
Posts: 1,005
Received Thanks: 1,019
Quote:
Originally Posted by WalrossGreat
Well, I didn't expect someone would be interested in the things that happen in the pipe communication. Everything takes place on the "\\.\pipe\GameforgeClientJSONRPCMS2" pipe (gameforge_client_api.dll). Generally pipes can be treated like normal files, so you can read/write to a pipe using WinAPI calls like WriteFile/ReadFile (that's what NosTale does). The messages are very simple and uncomplicated, which makes it easy to write your own launcher.
E.g. request:
Code:
{"id":2,"jsonrpc":"2.0","method":"ClientLibrary.initSession","params":{"sessionId":"CENSORED"}}
Response:
Code:
{"id":2,"jsonrpc":"2.0","result":"CENSORED"}
There is no plaintext, because the packet is sent over the HTTPS protocol, so it's almost impossible to make a MITM attack, provided the launcher verifies the SSL certificate. Of course if you have access to the victim's PC it won't change anything, but then there is really no way to protect your password. Even if it were sent in hashed form that changes nothing, because capturing the hashed string would be enough to get access to the account.
The problem with the "old" client is that your credentials may be compromised even without access to the victim's PC. Let's say you log in to NosTale while connected to open WiFi in a restaurant: someone can monitor your WiFi packets and, taking into account that the "nostale crypto" is fully reversible, simply grab your password. In the current situation with the new launcher, the best the attacker can get from the login/world connection is the one-time auth token.
Yes, I just needed to figure out how to listen to the pipe, as the software I use expects / instead of //./pipe, but at least now I have everything I need. This is useless for the moment.
It's pretty useless for the moment, but it will be useful when Gameforge removes the old login and then a lot of pservers won't be able to update the client. I don't want this to happen on NosCore, so I'm already working on a fix, but for this I needed a way to test the client.
06/13/2019, 19:45
#25
elite*gold: 0
Join Date: Mar 2015
Posts: 871
Received Thanks: 1,229
Quote:
Originally Posted by Cryless~
Very kind and clear. Thank you. It is not about decrypting, because nowadays it would be impossible as you said, but bypassing the SSL certificate. You are then able to swap the keys as you wish, being in the middle acting like a proxy. I may connect later to Discord and contact you in private to discuss it if I get any time in the late evening.
Of course it is possible to install your own certificate when you control the victim's device; such MITM attacks are possible, and without them doing the GitHub repo would be much harder, because I have used Fiddler, which installs a fake SSL certificate which the user must then trust, but to do so you still need to somehow access the victim's device. I still wonder how to do something like this without accessing the device.
06/13/2019, 20:50
#26
elite*gold: 0
Join Date: Sep 2015
Posts: 482
Received Thanks: 532
Quote:
Originally Posted by WalrossGreat
Of course it is possible to install your own certificate when you control the victim's device; such MITM attacks are possible, and without them doing the GitHub repo would be much harder, because I have used Fiddler, which installs a fake SSL certificate which the user must then trust, but to do so you still need to somehow access the victim's device. I still wonder how to do something like this without accessing the device.
There is a technique to do it remotely without any contact with the victim's PC, and it is often used in hacking. CloudFlare is also implementing a protection against it.
06/13/2019, 20:51
#27
elite*gold: 0
Join Date: Nov 2015
Posts: 211
Received Thanks: 141
Quote:
Originally Posted by WalrossGreat
Of course it is possible to install your own certificate when you control the victim's device; such MITM attacks are possible, and without them doing the GitHub repo would be much harder, because I have used Fiddler, which installs a fake SSL certificate which the user must then trust, but to do so you still need to somehow access the victim's device. I still wonder how to do something like this without accessing the device.
MITM of HTTPS once the message is encrypted (except with knowledge of the private key) is "impossible".
However, if you are on the same network as your target, you can force it to use the HTTP protocol (see SSLStrip, for example). Fortunately, it is possible to protect against this type of attack (see  ).
06/13/2019, 21:09
#28
elite*gold: 0
Join Date: Sep 2015
Posts: 482
Received Thanks: 532
Quote:
Originally Posted by DarkyZShadow
MITM of HTTPS once the message is encrypted (except with knowledge of the private key) is "impossible".
However, if you are on the same network as your target, you can force it to use the HTTP protocol (see SSLStrip, for example). Fortunately, it is possible to protect against this type of attack (see  ).
This is one of many possible techniques, good job. You can tell the web server you are an old browser, forcing the HTTP protocol.
06/13/2019, 21:18
#29
elite*gold: 0
Join Date: Mar 2015
Posts: 871
Received Thanks: 1,229
Quote:
Originally Posted by DarkyZShadow
MITM of HTTPS once the message is encrypted (except with knowledge of the private key) is "impossible".
However, if you are on the same network as your target, you can force it to use the HTTP protocol (see SSLStrip, for example). Fortunately, it is possible to protect against this type of attack (see  ).
If it forces you to use HTTP, how could validation of the certificate succeed if the certificate isn't even present? It's not an internet browser, where HTTP websites still exist; the launcher actually knows that it expects an HTTPS connection with a specific certificate.
06/13/2019, 21:57
#30
elite*gold: 0
Join Date: Nov 2015
Posts: 211
Received Thanks: 141
Quote:
Originally Posted by WalrossGreat
If it forces you to use HTTP, how could validation of the certificate succeed if the certificate isn't even present?
If you force a browser to use HTTP, there is no need for validation, since there is no certificate.
If the server only accepts HTTPS, nothing prevents you (as an attacker) from retrieving the plaintext requests from the target (HTTP) and sending them on to the server in encrypted form (HTTPS).
Quote:
Originally Posted by WalrossGreat
It's not an internet browser, where HTTP websites still exist
I was talking about websites in general. I've never studied the Nostale launcher much before. However, from the little I've seen, it seems like an Electron/Electron-like application. If this is the case, then it's Chromium running behind it and everything I just said applies to it.
Quote:
Originally Posted by WalrossGreat
However, the launcher actually knows that it expects an HTTPS connection with a specific certificate.
Are you talking about certificate pinning? If yes, in some cases you can bypass it.
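The launcher-side defence the last few posts argue about (a client that only speaks HTTPS and verifies a specific certificate), as an added example that is not the launcher's or the thread's code: an HTTPS-only client that refuses http:// URLs and redirects, and pins the server certificate's SHA-256 fingerprint on top of the normal CA and hostname validation, so neither a downgrade to plain HTTP nor a locally installed proxy certificate (the Fiddler case above) gets through. The host, path and pin value are placeholders.

```python
import hashlib
import http.client
import ssl
from urllib.parse import urlsplit

# SHA-256 of the server's DER-encoded leaf certificate. PLACEHOLDER: obtain it out of band.
PINNED_SHA256 = "00" * 32

def enforce_https(url):
    """Host of an https:// URL; anything else (e.g. a stripped http:// URL) is refused."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    return parts.hostname

def fingerprint(der_cert):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def cert_matches_pin(der_cert, pinned_sha256):
    return fingerprint(der_cert) == pinned_sha256.lower()

class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """After normal CA and hostname validation, also require the leaf certificate
    to match the pin; a locally installed proxy certificate fails this check."""
    def __init__(self, host, pin, **kwargs):
        ctx = ssl.create_default_context()   # CA validation + hostname check
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        super().__init__(host, context=ctx, **kwargs)
        self._pin = pin

    def connect(self):
        super().connect()
        der = self.sock.getpeercert(binary_form=True)
        if not cert_matches_pin(der, self._pin):
            self.close()
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")

def post_json(url, body):
    """POST to an HTTPS-only, pinned endpoint; redirects are never followed,
    since a downgrade to HTTP would start with one."""
    host = enforce_https(url)
    conn = PinnedHTTPSConnection(host, PINNED_SHA256)
    conn.request("POST", urlsplit(url).path or "/", body, {"Content-Type": "application/json"})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:
        raise ValueError(f"unexpected redirect to {resp.getheader('Location')!r}")
    return resp.read()
```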