Q3: Multircon

evan1715 · **Posted:** 30 Dec 2007 23:34

luigi, if a server has rcon block patch stopping the anti brute force, doesn't that mean you can guess the rcon quicker using something like -d 1 -b and you'll geuss it because everytime it types it in, it'll say bad rconpassword instead of nothing? If it is too fast, what is the maximum speed it can go to guess the rcon?

aluigi · **Posted:** 31 Dec 2007 17:08

if a server uses the anti-half-second-limit (the q3rconz patch) and you want to use multircon to guess its password you should use a delay equal or major than the ping you have with that server (it can be the game's ping or just the classical ping command).

evan1715 · **Posted:** 02 Jan 2008 22:07

so say if the server is located in europe, i get 120 to 140 ping, do i put it on -d 130 ? or the max of like 150

aluigi · **Posted:** 02 Jan 2008 22:53

if you will use 150 you will be sure that if you catch the right password you will see it display correctly. if you use smaller values (you can use also 50) there is the risk that you will receive the "valid" message 5 or more passwords later, which is not a big problem anyway just to let you know.

evan1715 · **Posted:** 02 Jan 2008 23:37

yes ive done -d 1 -b on a server i get 60 to 95 ping at, and it's gotten the password but it appears to have skipped the correct password, would u be able to make an option that allows it to scan the last 100 options? (im saying 100 just incase :P)

aluigi · **Posted:** 04 Jan 2008 19:47

could be an useful option, anyway if you use brute forcing or wordlist this is not a great problem because in the first case is just enough to retry the bruteforcing from one of the most recente keywords (recovery) and in the second one something similar or just check the latest keywords before the tool stopped (the last password is ever visualized)

evan1715 · **Posted:** 05 Jan 2008 20:54

>_>
ok these people made a work-around to the rcon block patch thing u did, so instead of it saying "Bad rconpassword." they renamed that to something completely different, now u can't guess it or block it

Code:

- rcon type 0 "Quake 3 engine"
- check if rcon is active
- reply from the server:
  Invalid rconpass.

- password guessing with command "cvarlist rcon"
- start brute forcing (69 - "27960")
2

PASSWORD FOUND!!! (2)
Invalid rconpass.

when in reality, its supposed to say bad rconpassword and thinks its not so i guess it assumes if its not "Bad rconpassword" its the correct password which the number 2 but it's not, is there anyway to fix that so it'll still like block or something?

aluigi · **Posted:** 07 Jan 2008 11:46

for blocking rcon in these cases I can add an additional option for continuing the flooding also if password is found (or any other message).
Let me know if this is what you meant.

evan1715 · **Posted:** 07 Jan 2008 16:33

yeah!! that's perfect :) thanks luigi

aluigi · **Posted:** 08 Jan 2008 20:18

added -x to version 0.2.3

evan1715 · **Posted:** 08 Jan 2008 23:23

cool

er but now, what do u do if they renamed rcon and still have the "invalid rconpass." lol... it wont rcon block if the rcon is renamed, it thinks the servers dead or something

Code:

- rcon type 0 "Quake 3 engine"
- check if rcon is active

Error: no reply received, the server is offline or uses a different protocol

it's up i see it on my list... :P when u type /rcon using rconaddress or in-game it says unknown command

aluigi · **Posted:** 09 Jan 2008 10:22

don't use -i and it will work

evan1715 · **Posted:** 09 Jan 2008 23:57

eh, without -i i get the same thing, 'cause rcon is changed to something probably like nocr

Code:

C:\>q3engine\multircon\multircon -d 1 -b 62.4.74.250 30600

Multi engine RCON tool and password guesser 0.2.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- target   62.4.74.250 : 30600
- rcon type 0 "Quake 3 engine"
- check if rcon is active

Error: no reply received, the server is offline or uses a different protocol

aluigi · **Posted:** 10 Jan 2008 17:11

you missed -x and the parameters of -b
with -x the tool does the floods also if the server doesn't exist, that's why you can't get errors if you use that option

evan1715 · **Posted:** 10 Jan 2008 23:06

Code:

C:\>q3engine\multircon\multircon -x -d 1 -b 10 az09 62.4.74.250 30600

Multi engine RCON tool and password guesser 0.2.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- target   62.4.74.250 : 30600
- rcon type 0 "Quake 3 engine"
- check if rcon is active

Error: no reply received, the server is offline or uses a different protocol

Seems to have the same problem. You try it. The server IS up, but the rcon is renamed to something else. I did it with and without -i option.

aluigi · **Posted:** 11 Jan 2008 10:44

damn, you are right.
I will adjust the -x option later

evan1715 · **Posted:** 11 Jan 2008 22:19

:D ok thanks, tell me when you've updated it

extravaganza · **Joined:** 11 Feb 2008 07:10 **Posts:** 17

hello, i got the scon guesser now for 2 days and let scanned 2 servers both for 6 hours but i got nothing. Someone tolld me to put values on it but he says "go ask it on aluigi's forum" so if my ping = 40 than i put after -x 40 ? it's just totally new for meso sorry if you think im dump ;) started with hacking one month ago.

Thanks

aluigi · **Posted:** 11 Feb 2008 13:03

I premise that using brute forcing for finding a remote password requires really a biiiig luck, tons of time and in the case of a normal installation of games based on the Quake 3 engine I can just define it impossible due to the half-second limit.
So if you don't know if this limitation is active on the server you can't modify the -d delay otherwise if exists one chance on a billion to find the right password you will fail due to the half-second packet dropping.

The brute forcing and wordlist options in multircon were added only for fun, not for a real usage (at least not with the half-second limit).

inorog · **Joined:** 25 Mar 2008 01:25 **Posts:** 2

Ok so what if anyone places {}[],./'":;}{???? it wont fiind any password right"?

aluigi · **Posted:** 25 Mar 2008 11:25

depends by the charset used by the attacker, but nobody is so mad to use a similar charset for a brute forcing attack so a similar rcon password is virtually safe

inorog · **Joined:** 25 Mar 2008 01:25 **Posts:** 2

Hmm i don't understand how to put a charset could you please explain?
lets say i want to do on this server :
76.104.244.111 29070
What would the code be?

aluigi · **Posted:** 26 Mar 2008 01:11

the charset can be selected using the just the -b option, for example -b 10 azAZ09 will use the charset which goes from the low and high case chars 'a' to 'z' and the numbers.
Other charsets over byte 0x7f are probably a bit more difficult to set since I don't know how to pass these chars via command-line, anyway the brute forcing function supports any byte from 0x01 to 0xff (only 0x00 is out)