Goemitar

August 14, 2008

Rcon stealer

Filed under: Uncategorized — Omega @ 2:05 pm

In the past there have been many fake screenshots, videos and programs of so-called rcon stealers. All of these are fake and don’t work.

A real rcon stealer is nearly impossible to make. You could only make one if you found a bug/exploit that allowed you to execute your own code on the server (like a buffer overflow). But a bug like this has never been found in the Halo server. So it’s impossible to get the rcon password in a few seconds. There is however a second method to find the rcon password: brute-force it.

The Halo server is not protected against brute-force attacks, so this is possible to make. The downside is that it can take a long time (read: extremely long). If you want to try all possible passwords with only lowercase letters, you already have 217,180,147,158 possible combinations. Let’s say you design a decent algorithm that can test 1000 passwords each second. This is already fast, considering we’re doing this over the internet. But it would still take more than 6 years to test all possible combinations. If you also include numbers and uppercase letters, this would be even more: 225,387,915,461,472 combinations, taking more than 7147 years if we could try 1000 passwords each second. So practically this method also isn’t useful.
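To show where estimates like these come from, here is a small keyspace calculator. It is an added example, not code from the original post: the keyspace is the sum of |alphabet|^k over the lengths tried, and the time to exhaust it is keyspace divided by attempts per second. With 26 lowercase letters and lengths 1 through 8 it reproduces the post’s 217,180,147,158 figure exactly; the post’s mixed-case-plus-digits figure may have been computed over a slightly different character set, so the alphabet size is a parameter rather than a hard-coded 62.

```python
# Added example (not part of the original post): derive brute-force
# time estimates from alphabet size, maximum length and attempt rate.
from typing import Dict

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 s; leap days ignored


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate passwords with length min_len..max_len inclusive."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Worst case: every candidate in the space has to be tried once."""
    return space / attempts_per_second


def estimate(alphabet_size: int, max_len: int,
             attempts_per_second: float) -> Dict[str, float]:
    """Worst-case and average-case (half the space) time to find a password."""
    space = keyspace(alphabet_size, max_len)
    worst = seconds_to_exhaust(space, attempts_per_second)
    return {
        "keyspace": space,
        "seconds": worst,
        "years": worst / SECONDS_PER_YEAR,
        "expected_years": worst / 2 / SECONDS_PER_YEAR,  # on average found halfway
    }


def main() -> None:
    # 26 lowercase letters, lengths 1..8, at the post's assumed 1000 attempts/s
    lower = estimate(26, 8, 1000)
    print(f"lowercase 1-8 chars: {lower['keyspace']:,} candidates, "
          f"{lower['years']:.1f} years worst case at 1000/s")
    # same alphabet at the ~15 attempts/s the post actually measured
    slow = estimate(26, 8, 15)
    print(f"at 15/s: {slow['years']:.0f} years worst case")
    # 26 + 26 + 10 = 62 characters, lengths 1..8 (assumed character set)
    mixed = estimate(62, 8, 1000)
    print(f"mixed case + digits 1-8 chars: {mixed['keyspace']:,} candidates, "
          f"{mixed['years']:.0f} years worst case at 1000/s")


if __name__ == "__main__":
    main()
```

The useful defensive reading is the ratio: every extra character multiplies the keyspace by the alphabet size, so a longer mixed-character rcon password moves the worst case from years to geological time regardless of how the attempt rate improves.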

To demonstrate this I made a quick program. It tries all the passwords with only lowercase letters. It sends an rcon command to the server and waits for a reply. If the server says the password was invalid, we try the next one. Repeat until the password is found or all combinations have been tried. I tested this on my own server against a very weak password.

Server and client are running on the same computer, so the connection is very fast. Yet it still takes 191 seconds to crack it. And it’s a very weak password, since it only uses lowercase letters and isn’t long. It tried a total of 2886 combinations, resulting in around 15 attempts each second. The weak point in the current algorithm is that it waits until the server replies. To increase the speed you could send multiple attempts at the same time, then wait for the results, send multiple attempts again, etc. Once you have a positive match you know the password was in one of these attempts. Try each of these attempts again and you have your password.
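The post notes that the server accepts unlimited guesses, which is what makes the attempt rate the only limiting factor. The following added example, not part of the original post or of any Halo server code, shows the per-source failed-attempt limiter a server would need: after a few wrong passwords from one source inside a short window, further attempts from that source are rejected without even checking the password. The attempt records fed in are constructed for the demo (the ~15 attempts/s rate measured above, plus an admin who mistypes once) and do not follow any real Halo log format.

```python
# Added example (not from the original post): a sliding-window failed-attempt
# limiter with lockout, replayed over a constructed stream of rcon attempts.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RconAuthGuard:
    """Count password failures per source; lock a source out after too many."""

    def __init__(self, max_failures: int = 5, window_s: float = 60.0,
                 lockout_s: float = 300.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, source: str, now: float) -> bool:
        return self._locked_until.get(source, 0.0) > now

    def record(self, source: str, now: float, password_ok: bool) -> str:
        """Return 'locked' (rejected before any check), 'ok' or 'fail'."""
        if self.is_locked(source, now):
            return "locked"
        recent = self._failures[source]
        # drop failures that have aged out of the window
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[source] = now + self.lockout_s
            recent.clear()
        return "fail"


def simulate(attempts: List[Tuple[float, str, bool]],
             guard: RconAuthGuard) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, source, password_ok) records; tally outcomes per source."""
    tally: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"ok": 0, "fail": 0, "locked": 0})
    for ts, src, ok in sorted(attempts, key=lambda a: a[0]):
        tally[src][guard.record(src, ts, ok)] += 1
    return dict(tally)


def constructed_events() -> List[Tuple[float, str, bool]]:
    # Constructed input: a guesser at ~15 attempts/s for 10 s, every guess wrong
    # (203.0.113.5 is a documentation address), and an admin who mistypes once.
    events = [(i / 15.0, "203.0.113.5", False) for i in range(150)]
    events += [(3.0, "192.0.2.10", False), (8.0, "192.0.2.10", True)]
    return events


def main() -> None:
    guard = RconAuthGuard(max_failures=5, window_s=60.0, lockout_s=300.0)
    for source, counts in simulate(constructed_events(), guard).items():
        checked = counts["ok"] + counts["fail"]
        print(f"{source}: {checked} passwords actually checked, "
              f"{counts['locked']} attempts refused, "
              f"locked={guard.is_locked(source, 10.0)}")


if __name__ == "__main__":
    main()
```

With these settings the guesser gets five password checks instead of 150 before every further attempt is refused, while the admin’s single typo never comes close to the threshold. A hard lockout keyed by source can itself be abused to keep a legitimate admin out if the attacker shares or forges that source, so a production design would usually prefer a growing per-source delay over a fixed lockout; either way, combined with the keyspace figures above, even a modest throttle makes an exhaustive search hopeless.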

Next post on this will include this updated algorithm, and the results of it. But for now it seems your rcon passwords are safe.


5 Comments »

  1. wow nice programming

    Comment by seanaero — August 16, 2008 @ 7:00 pm

  2. Hey, I’m relatively new to c++ injections and whatnot, how do you go about something like this? How do you find the methods to call within an exe? Could you possibly send me some example code?
    Thanks…

    matthew@crasxit.net

    Comment by crasx — March 30, 2009 @ 11:14 pm

  3. I am an assembly programmer and I am interested in learning more about real world applications for C++ and software conversions for applications.

    I am interested in the same methods the above user is. Could you send me some sample code also?

    luigi4500@yahoo.com

    Comment by luigi4500 — November 25, 2009 @ 5:22 pm

  4. Hello! I’ve been working on a similar project; although my rcon steal uses an entirely different strategy <- (mimics keyboard type to input rcon passwords and reads several pixels to determine the server response). It is horribly inefficient, but I learned a few things: the server can respond to a decently high amount of rcon commands per second.

    I predict that if a program were made to send rcon test passwords as soon as they were generated, w/o regard to how the server responds, it could send approx – 4-5million passwords per second. Perhaps this is just wishful thinking, but I’d like to develop my program to see if it is possible. Yet, I can’t quite understand my debugger/decompiler. So, I was wondering if you might be willing to send me some of your source code, so I would be able to study it and better understand the nature of halo rcon, and eventually find a more efficient way to brute hack rcon. Halo servers aren’t safe yet 😉

    Thank you for your consideration
    -TheNewGuySir
    –and just in case you are willing to share your source code
    TheNewGuySir@yahoo.com

    Comment by thenewguysir — June 27, 2010 @ 12:40 am

  5. wow man, do you have the program, can i download it?

    Comment by Vitaly Vladimirovich Abilevich — August 21, 2011 @ 3:08 am
