Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 17:27

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 49 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: sampfp Error
PostPosted: 24 Oct 2007 18:46 

Joined: 24 Oct 2007 18:18
Posts: 23
SA:MP invisible Fake Players DoS 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx: 7777

name: ...::BaluNet Server 0.2.2::...
mode: Public Enemy: LS(m)
map: San Andreas
players: 6/100
password: off

- start attack:
Player:
Error: socket timeout, no reply received

use this on samp 01 but now version 0.2.2


Last edited by NaWaR on 01 Jan 2008 02:29, edited 1 time in total.

Top
 Profile  
 
 
 Post subject:
PostPosted: 24 Oct 2007 21:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
seems that they have changed the protocol and have added zlib compression, I need to add this new one to the tool.
If you have a couple of sniffed packets they can be useful too.


Top
 Profile  
 
 Post subject:
PostPosted: 24 Oct 2007 22:52 

Joined: 24 Oct 2007 18:18
Posts: 23
:)


Last edited by NaWaR on 01 Jan 2008 02:30, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 25 Oct 2007 13:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I repeat: if you have a couple of sniffed packets (are ok those collected with wpe too) they are very useful.
I don't have the game so I can only monitor the dedicated server.


Top
 Profile  
 
 Post subject:
PostPosted: 25 Oct 2007 20:05 

Joined: 24 Oct 2007 18:18
Posts: 23
i have no sniffed ..! :(


Top
 Profile  
 
 Post subject:
PostPosted: 25 Oct 2007 21:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
It's enough to use WPE (http://wpepro.net) and dumping some packets, it's just a matter of seconds.
Otherwise here I have nothing else to do since seems that an unique udp packet is no longer enough to fill the server's slot


Top
 Profile  
 
 Post subject:
PostPosted: 26 Oct 2007 16:12 

Joined: 16 Aug 2007 06:25
Posts: 367
I have v0.2.2 installed, so I just fired up wireshark real fast and connected to a server. Here is the first 18 packets in order... hope it helps you guys: http://zero-labs.net/samp.txt


Top
 Profile  
 
 Post subject:
PostPosted: 26 Oct 2007 17:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The packets which start with SAMP are not very useful, can you collect the first packets which don't have "SAMP" at the beginning?
Thanx!


Top
 Profile  
 
 Post subject:
PostPosted: 26 Oct 2007 23:13 

Joined: 24 Oct 2007 18:18
Posts: 23
cause the sampfp was working on version 0.1b perfectlly
now we just need a new version of sampfp that working with 0.2.2
thank you


Last edited by NaWaR on 01 Jan 2008 02:31, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 27 Oct 2007 07:39 

Joined: 16 Aug 2007 06:25
Posts: 367
Hey,

Sorry about that. Those were probably just the server query packets. I did it again, and scanned after clicking on the server (to avoid the query packets).

Refresh the link here to get the new packets: http://zero-labs.net/samp.txt

Hope that helps :)


Top
 Profile  
 
 Post subject:
PostPosted: 27 Oct 2007 13:09 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Excellent work friend 8-)

The packets which starts with the byte 0x78 (the char 'x') identify the beginning of zlib compressed data which use a positive windowbits value, this is usually an interesting thing to know when playing with unknown packets, protocols and files.

Update: I have found where I was wrong... the packets sent by the server are not compressed, that's why I didn't understood the protocol ih ih ih
The new version of sampfp will be released in the next hours.


Top
 Profile  
 
 Post subject:
PostPosted: 27 Oct 2007 18:58 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
first of all .. i have never used it, but about packets and WPE pro ..
since WPE pro opens process and records packets directly from that process..it wont capture some vital info sometimes. I dont know why, but its just so. it wont show me half of things sometimes...packets just r not full...

i compared ''join'' packets for game aliens vs predator 2 long time ago .. and i remember that those packets in WPE pro was not full packets. some data was missing. etherpeek is much better :)


Top
 Profile  
 
 Post subject:
PostPosted: 27 Oct 2007 19:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
try to use my wpe2cap tool so you can have a pcap-style file which you can use for comparing.
During my tests wpe has been ever excellent with its capturing


Top
 Profile  
 
 Post subject:
PostPosted: 28 Oct 2007 04:14 

Joined: 16 Aug 2007 06:25
Posts: 367
Interesting, so only the client sends compressed packets, and the server sends regular packets (not compressed)? Cause that's what I noticed.. that only the client's packets sent begin with 0x78


Top
 Profile  
 
 Post subject:
PostPosted: 28 Oct 2007 13:02 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
exactly.
Then yesterday I have released the new version of the tool.
The nice thing I have noticed is that passwords are no longer needed, in short an attacker can fill a server without knowing the keyword, which wasn't possible (as far as I remember) in the previous versions of the servers.


Top
 Profile  
 
 Post subject:
PostPosted: 28 Oct 2007 19:17 

Joined: 16 Aug 2007 06:25
Posts: 367
That packet info is good information to know, as you said. Do you know of any other ways to identify compression or encryption types in packets like you can with zlib? Like a chart of some kind, or a website with more info about different types?

I think you had a program that could identify what types of encoding/algorithms/etc.. were being used in a process, but I was hoping there was an easier way to narrow down what algorithms are being used at a certain time.


Top
 Profile  
 
 Post subject:
PostPosted: 28 Oct 2007 19:51 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
zlib with positive windowbits is the most easy to recognize, then there are gzip and bzip2 which have an initial signature too (signsrch can find them or you can just navigate in signsrch.sig for finding them)


Top
 Profile  
 
 Post subject:
PostPosted: 30 Oct 2007 13:49 

Joined: 24 Oct 2007 18:18
Posts: 23
i will try it and post replay here :)


Last edited by NaWaR on 01 Jan 2008 02:32, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 30 Oct 2007 14:04 

Joined: 24 Oct 2007 18:18
Posts: 23
C:\tcpfp>tcpfp -t xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

C:\tcpfp>tcpfp -f xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- load file containing the data to send: xxx.xxx.xxx.xxx

Error: No such file or directory

C:\tcpfp>tcpfp -r xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

C:\tcpfp>tcpfp -s xxx.xxx.xxx.xxx 7777

Generic TCP Fake Players DoS 0.2.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
- check if remote port is open:
Error: Connection timed out

problem


Last edited by NaWaR on 01 Jan 2008 02:32, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 30 Oct 2007 15:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ehmmm the tool is called sampfp (as you wrote in the title of this thread too) not tcpfp... I don't know if laughing or crying, really


Top
 Profile  
 
 Post subject:
PostPosted: 30 Oct 2007 19:35 

Joined: 24 Oct 2007 18:18
Posts: 23
for explaining but idownload sampfp , and it sayes

C:\sampfp>sampfp xxx.xxx.xxx.xxx 7777

SA:MP invisible Fake Players DoS 0.1.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- target xxx.xxx.xxx.xxx : 7777
..
name: ...::BaluNet Server 0.2.2::...
mode: Public Enemy: LS(m)
map: San Andreas
players: 6/100
password: off

- start attack:
Player: ..
- no reply I try with new version

Player: ..
- no reply I try with new version

Player: ..1
Player: ..2
Player: ..3
Player: ..4
Player: ..5
Player: ..
Error: unknown packet reply (0)

C:\sampfp>

same sampfp but for samp 0.2.2


Last edited by NaWaR on 01 Jan 2008 02:33, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 31 Oct 2007 23:50 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
i have read this topic for a while..and i dont understand a damn thing anymore ..
are you saying that sampfp doesnt work at all .. or you are saying that it works with one version and doesn't work with other version ?


Top
 Profile  
 
 Post subject:
PostPosted: 01 Nov 2007 18:39 

Joined: 24 Oct 2007 18:18
Posts: 23
exactly it's working with one and not working with the new version
do you have the game gta ? i mean samp 0.2.2R version it is the newest version of samp and the fullserver bug i mean players , as you can see UP , ERROR Error: unknown packet reply (0)


Last edited by NaWaR on 01 Jan 2008 02:35, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 01 Nov 2007 21:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
In my tests the tool works perfectly just versus version 0.2.2 (tried both local and non local servers) so there is nothing else to change


Top
 Profile  
 
 Post subject:
PostPosted: 01 Nov 2007 23:30 

Joined: 16 Aug 2007 06:25
Posts: 367
The tool works fine for me too.


Top
 Profile  
 
 Post subject:
PostPosted: 01 Nov 2007 23:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Probably a -f option for flooding the server (as in bf1942fp and bf2fp) can be useful with slow networks.
What you think Soma?


Top
 Profile  
 
 Post subject:
PostPosted: 02 Nov 2007 00:22 

Joined: 24 Oct 2007 18:18
Posts: 23
it's working on some servers but not in all servers
for example names NaWaR , Mrluigi , max...
like that and by this i could see that players in the game :)))))
and i think about another idea : to make program for players to login and log out , by this the chat will full and players bug it will be really great ...
i can sen an example program like this called abuser in that program player log in and write in chat *&^%$#$%^& and log out it's really great


thats how the old sampfp worked perfectlly


Attachments:
dos-attack.jpg
dos-attack.jpg [ 93.48 KiB | Viewed 3766 times ]


Last edited by NaWaR on 01 Jan 2008 02:36, edited 1 time in total.
Top
 Profile  
 
 Post subject:
PostPosted: 02 Nov 2007 14:31 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
sampfp supports only invisible players for some simple reasons: the one packet filling is minimalistic, does an anonymous work and is possible to add spoofing without problems and then because SA:MP changes protocol continuously and I don't have the desire of re-reverse anything from scratch all the times.
Later I will add the -f option to the tool


Top
 Profile  
 
 Post subject:
PostPosted: 02 Nov 2007 16:40 

Joined: 24 Oct 2007 18:18
Posts: 23
yes


Last edited by NaWaR on 01 Jan 2008 02:37, edited 1 time in total.

Top
 Profile  
 
 Post subject:
PostPosted: 02 Nov 2007 19:17 

Joined: 16 Aug 2007 06:25
Posts: 367
[quote="aluigi"]Probably a -f option for flooding the server (as in bf1942fp and bf2fp) can be useful with slow networks.
What you think Soma?[/quote]

Yea I agree that there should always an -f option that floods continuously no matter what the player count currently is. I feel that showing the server players as they are added until it is full is only useful when demonstrating/testing that the tool works. But if you are wanting to be effective in preventing players from joining, flooding continuously with -f would always be more effective.

And with the -f option, I think there should be no checks/restrictions. The program should just send the packets and not worry about errors, replies, etc.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 49 posts ]  Go to page 1, 2  Next

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron