A brief analysis of the security status of an online game in China

Tags: SQL injection, account security
Author: Purple Magic [E.S.T Advisory Group]  Source: Evil Octal Information Security Team (www.eviloctal.com)
Note: This article has been published in the "Non-Security Hacker Manual". Please credit the author when reposting and keep the article intact.
Before the article starts I owe my readers, who have supported me all along, an apology for a year's absence. In that year I have been playing a very popular online game whose operator is currently one of the big names of China's online game industry, and a year of life inside the game has shown me all of its ups and downs. But a game is a game, and as a network security enthusiast I naturally did a free security check of the company and its game. With my earlier security knowledge and that year of play, I found quite a few security problems in both. For reasons of length I will only pick out the major issues that readers and players care most about.
In the past year, 2004, these were the keywords of the whole Chinese online game market: cheat plug-ins, item duplication, trojans, stolen accounts, gold duping. Because some game equipment and game currency can be sold for real money, some people turned their minds to the players and the game, and an overwhelming wave of trojans, cheat programs and illegal plug-ins followed, along with the cries of the players. More than half of the players I know have lost their game ID and props to a trojan, and many have lost them several times over. At the end of 2004 the game company finally launched what it claims to be "government and bank-grade" account protection. The following is the company's own description of its trump card, the "XX password guard" (the hardware token I analyse below): "The XX password guard has passed the evaluation of the Ministry of Public Security and obtained a security product sales licence. The XX password guard uses advanced technology to generate a new, non-reusable password every minute, called a 'dynamic password'. Compared with your original game password (which we call the 'static password'), this dynamic password is not afraid of network eavesdropping by 'hackers', is hard to guess and hard to crack. It is entered together with your original game password when you log in to the game, to guarantee the security of your account. Therefore, with the XX password guard you effectively have a second game password that others cannot guess and that changes every minute! This technology has been applied in national defence, finance, public security and other fields, has high security and ease of use, and provides you with a more secure identity authentication service." Once the company launched it the great majority of players rushed to buy; as far as I know it actually sold out in some places. It seems players protect their IDs and game props "at any cost".
In the first few months I indeed heard nothing about anyone's ID being stolen, but recently I have heard in the game of players who used the password guard and still lost their accounts. Network security is my hobby, so naturally I had to analyse it. To do so I spent 99 yuan on a token of my own. After several sleepless nights of study, I summarised the following weaknesses of the password guard.
The first thing my study found is that the password guard is not the time-based dynamic password it claims to be: each press of the token's button produces one 6-digit code. Suppose I press the button five times and get the following five codes.
123456
456789
147258
258369
654321
Now I log in with my ID and these five codes. First I enter my ID, my password and the first code, 123456: the login succeeds. Ten minutes later I log in with my ID, my password and the second code, 456789, and to my astonishment that also succeeds. Wasn't there supposed to be only one valid dynamic code per minute? How can a code still log in after ten minutes? Half an hour after that I log in with my ID, my password and the fifth code, 654321, and that succeeds too. The XX password guard evidently keeps old codes valid. Next I try my ID, my password and the fourth code, 258369: the server reports a dynamic password error and the login fails.

These tests settle the question. The password guard does not produce a single dynamic password that is valid for one minute; it is a stored sequence of codes. In other words, the first 100 or so codes your token produces will be accepted by the server no matter when you use them, as long as you use them in order; you cannot go backwards. Say you first log in with the 10th code: codes 1 to 9 are then invalidated and can no longer be used, but codes 11 to 100 are unaffected and will all log in if used in sequence. And each code can be used only once: once it has been accepted it is void.

This kind of protection looks secure, but it is not. Suppose a new trojan intercepts the ID, password and code the player types and immediately cuts the infected machine's network connection (that is, severs the connection between the player and the game server, so that the code never actually reaches the game server for verification), while at the same time sending the ID, password and code to the trojan's owner.

The result is easy to imagine: the thief logs in with a code that the game server has never seen and steals the ID and the game equipment. Thinking back to the players who said a few days ago that they lost accounts despite using the password guard, I estimate it was this method or something like it. My God, is this the "government and bank-grade" security that XX advertises? I really feel sad for Chinese game players.
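The server behaviour that the five-code experiment exposed, and the capture-and-block trojan scenario that follows from it, as an added example in Python; this is not part of the original article and not the vendor's code. The token's real algorithm is unknown: the HMAC-based code derivation, the seed, and the 100-code look-ahead window are assumptions (the window size is taken from the article's "first 100 codes"). One caveat the article does not draw out: a genuinely time-based code that changes every minute would shrink the thief's window from indefinite to at most a minute, but the same trick of blocking the login and reusing the unseen code still works inside that minute; it narrows the problem rather than closing it.

```python
"""Simulation of the event-based "dynamic password" the article observed,
and of the capture-and-block trojan attack against it.

Added example, not the vendor's code or the article's. Assumed from the
article: the server accepts the next unused code anywhere within a look-ahead
window of 100 positions, accepting a code voids every earlier one, and each
code works only once. The HOTP-style derivation is an illustrative stand-in
for the token's unknown algorithm.
"""
import hashlib
import hmac
import struct

LOOKAHEAD = 100  # assumed window: "the first 100 codes ... in order"


def derive_code(seed: bytes, counter: int) -> str:
    """Code for one counter position: HMAC-SHA1 truncated to 6 digits
    (assumption standing in for the real token's algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Token:
    """The hardware token: each button press yields the next 6-digit code."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = derive_code(self.seed, self.counter)
        self.counter += 1
        return code


class GameServer:
    """Server-side check as the experiment implies it behaves: a cursor that
    only moves forward, plus a look-ahead window past it."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.next_pos = 0  # first counter position that is still usable

    def verify(self, code: str) -> bool:
        for pos in range(self.next_pos, self.next_pos + LOOKAHEAD):
            if hmac.compare_digest(derive_code(self.seed, pos), code):
                self.next_pos = pos + 1  # this code and all earlier ones are void
                return True
        return False  # behind the cursor, already used, or outside the window


def reproduce_article_test():
    """Replay the article's experiment. Returns the verification results in
    order: codes 1, 2 and 5 accepted; code 4 rejected (behind the cursor);
    code 5 rejected on reuse."""
    seed = b"constructed-seed"  # constructed for the example, not a real seed
    token, server = Token(seed), GameServer(seed)
    codes = [token.press() for _ in range(5)]
    return [
        server.verify(codes[0]),  # 1st code: accepted
        server.verify(codes[1]),  # 2nd code, ten minutes later: still accepted
        server.verify(codes[4]),  # 5th code, skipping 3 and 4: accepted
        server.verify(codes[3]),  # 4th code, now behind the cursor: rejected
        server.verify(codes[4]),  # 5th code again: rejected, single use
    ]


def capture_and_block_attack():
    """The trojan scenario: the victim's login never reaches the server, so
    the captured code is still the next unused one and the thief can spend
    it. Returns (attacker_login_ok, victim_retry_ok)."""
    seed = b"constructed-seed"
    token, server = Token(seed), GameServer(seed)
    captured = token.press()  # trojan reads the code the victim typed
    # The trojan cuts the victim's connection here: server.verify() is never
    # called for the victim, so the server's cursor does not move.
    attacker_ok = server.verify(captured)   # thief logs in with the unseen code
    victim_retry = server.verify(captured)  # victim retries the same code: void
    return attacker_ok, victim_retry


if __name__ == "__main__":
    print(reproduce_article_test())    # [True, True, True, False, False]
    print(capture_and_block_attack())  # (True, False)
```

The look-ahead loop is where the weakness lives: any code ahead of the cursor is accepted whenever it arrives, so a code that was typed but never delivered is indistinguishable from one that was never typed.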

The above concerns the password guard and the client side. Of course, when a player loses an account to a trojan the responsibility does not lie entirely with the game company; but what follows should open your eyes, because the company's servers also carry plenty of security risks. First let me introduce the company's server layout. The game currently has 95 zones. Each zone has 4 to 6 servers, and the company distributes them geographically so that every player gets a smooth game. I am from the north, so for network speed I chose a server in the northeast, zone 7X (the exact zone withheld). I first logged into the game, then opened cmd and ran netstat -an to find the server's IP address:
218.25.xxx.xxx. Having found the IP, out of habit I scanned it with SuperScan. The results:
* + 218.25.xxx.xxx
___ 7100
___ 7200
___ 7201
___ 7202
___ 7205
___ 7206
___ 7207
These are the ports the server has open. It appears the server is behind a firewall and the open ports are non-standard, so at first glance it looks reasonably secure. Starting from this single server would go nowhere, so my next step was to attack from the intranet side: scan the whole class C segment, 218.25.xxx.1 to 218.25.xxx.254.
The scan found one server in this C segment whose web system had a SQL injection flaw, and the database account was sa. I am not going to explain how I got this server; in short, I obtained system privileges and logged in over 3389 (Remote Desktop). Right after getting in I ran ipconfig /all on the compromised server, with the following result:
Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82544EI Based Network Connection
    Physical Address. . . . . . . . . : 00-xx-db-xx-33-2a
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 218.25.xxx.183
    Subnet Mask . . . . . . . . . . . : 255.255.255.192
    Default Gateway . . . . . . . . . : 218.25.xxx.129
    DNS Servers . . . . . . . . . . . : 202.96.64.68
Next, tracert 218.25.xxx.xxx. Result:

Tracing route to 218.25.xxx.xxx over a maximum of hops

  1    ms    ms    218.25.xxx.xxx
The game server is a single hop away: I am inside the game server's intranet. Next I ARP-spoof and sniff the port I scanned earlier. Since this article is about the security of the game server and not a hacking tutorial, I will not go into the basics of ARP spoofing; readers can find them in earlier articles. First, ARP spoofing and sniffing on port 7100. The result:

Get 218.25.XXX.XXX Hardware address:00-05-dd-27-6c-4a
Get 218.25.XXX.XXX Hardware address:00-c0-9f-27-b9-1b
Get 218.25.XXX.XXX Hardware address:00-0b-db-91-33-2a

Spoof 218.25.10.135:mac of 218.25.xxx.xxx ===> Mac of 218.25.xxx.xxx
Spoof 218.25.10.129:mac of 218.25.xxx.xxx ===> Mac of 218.25.xxx.xxx

Begin to Sniffer ...

61.189.30.xxx (35701)->218.25.10.xxx (7100)
#6 <<<<<bp<<<<<<<<<vba]wrueyrqegw>jphnzyxgzdvojh>xqgo@kh<!
61.189.30.xxx (35701)->218.25.10.xxx (7100)
#6 <<<<<bp<<<<<<<<<vba]wrueyrqegw>jphnzyxgzdvojh>xqgo@kh<!
61.189.30.xxx (35701)->218.25.10.xxx (7100)
#7 <<<<<bl<<<<<<<<<vba]wrueyrqego\rh? hpio@r!
61.189.30.xxx (35701)->218.25.10.xxx (7100)
#7 <<<<<bl<<<<<<<<<vba]wrueyrqego\rh? hpio@r!
202.110.202.xxx (56820)->218.25.10.xxx (7100)
#1 <<<<<bl<<<<<<<<<j? xrh_\oi^xsj?\oi_<ti<!
202.110.202.xxx (56820)->218.25.10.xxx (7100)
#1 <<<<<bl<<<<<<<<<j? xrh_\oi^xsj?\oi_<ti<!
218.25.173.xxx (1154)->218.25.10.xxx (7100)
#5 <<<<<bl<<<<<<<<<wb]uso<lj>xriotnjo\til!
218.25.173.xxx (1154)->218.25.10.xxx (7100)
#5 <<<<<bl<<<<<<<<<wb]uso<lj>xriotnjo\til!
202.110.202.xxx (56820)->218.25.10.xxx (7100)
#2 <<<<<bx<<<<<<<<<j? xrh_\oi^{j{ibfkvcfg<!
202.110.202.xxx (56820)->218.25.10.xxx (7100)
...... and so on, with many more results omitted. Then I sniffed the other ports as well. I found that I could sniff the game packets: everything the game server sends and receives, the entire server's traffic, was visible to me.

Here I have to point out that a trojan already exists that can decipher these packets. It is called "Internet Café Killer", and its description reads: run Internet Café Killer, click "Start", and as long as one person in the Internet café uses this software, every Legend account in the whole café can be intercepted. From the description, this trojan sniffs the packets inside the café and parses out the game login ID, password, zone information, equipment information and so on. So suppose I had the author modify the software a little and placed it on the game server intranet I have just penetrated? Wouldn't the tens of thousands of players in the whole zone suffer? (Right now I can sniff every packet of an entire zone.) And if these packets fell into the hands of trojan authors and plug-in developers... We do not need to speculate further: a vulnerable server on the internal network that allows illegal sniffing is an absolute and fatal problem.

There is much more I could do on the game server intranet. For example, with a tool called "Internet Marshal" I could cut off the game server's network and drop every player in the whole zone; I could also sniff each port to find the server's management port and capture the administrator's username and password. Friends who have played with ARP spoofing know all this; it is nothing special. To state it plainly: I did this purely in the spirit of analysing network security, I am not a network thief, and I write this to give the company a wake-up call to take network security precautions seriously.
The server I describe is just the tip of the iceberg among the company's more than 400 groups of servers, and several of the company's game servers sit in this same segment. The purpose of my testing and analysis has been achieved, so I did not penetrate any further.
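A passive detector for the ARP spoofing shown above, as an added example in Python; it is not code from the article or from any tool it names. It watches the IP-to-MAC bindings announced in ARP replies and alerts on the two things the "Spoof ... mac of X ===> mac of Y" lines put on the wire: a known binding changing, and one MAC answering for several IPs. The log lines are constructed for the example: the MACs are the three the sniffer printed; which of the first two belongs to the gateway (.129) and which to .135 is assumed, and 00-0b-db-91-33-2a is assumed to be the compromised host because the ipconfig output shows a matching partially masked address.

```python
"""Passive ARP-spoofing detector (added example; not the article's code).

Input is a constructed arpwatch-style log of ARP replies:
    <date> <time> reply <ip> is-at <mac>
The MACs are the ones the article's sniffer printed; the IP assignment for
the gateway and the second victim is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: two honest bindings, the compromised host, then
# the poisoning replies that redirect both victims to the attacker's MAC.
SAMPLE_ARP_LOG = """
2005-03-01 21:00:01 reply 218.25.10.129 is-at 00-05-dd-27-6c-4a
2005-03-01 21:00:01 reply 218.25.10.135 is-at 00-c0-9f-27-b9-1b
2005-03-01 21:00:02 reply 218.25.10.183 is-at 00-0b-db-91-33-2a
2005-03-01 21:00:09 reply 218.25.10.135 is-at 00-0b-db-91-33-2a
2005-03-01 21:00:09 reply 218.25.10.129 is-at 00-0b-db-91-33-2a
2005-03-01 21:00:11 reply 218.25.10.129 is-at 00-0b-db-91-33-2a
2005-03-01 21:00:11 reply 218.25.10.135 is-at 00-0b-db-91-33-2a
"""
GATEWAY = "218.25.10.129"  # assumed: the default gateway from ipconfig

ARP_LINE = re.compile(r"^(\S+ \S+) reply (\d+\.\d+\.\d+\.\d+) is-at (\S+)$")


def parse_arp_log(text):
    """Parse log lines into (timestamp, ip, mac) tuples. MACs are normalised
    to lowercase with '-' separators so '00:0B:DB..' equals '00-0b-db..'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ARP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ARP log line: {line!r}")
        ts, ip, mac = m.groups()
        events.append((ts, ip, mac.lower().replace(":", "-")))
    return events


def detect_arp_spoofing(events, gateway):
    """Return alert strings for two signals:
    1. an IP's MAC differs from the binding learned earlier (a poisoned
       entry), flagged [GATEWAY] when the IP is the default gateway;
    2. one MAC comes to claim more than one IP (the attacker answering for
       both victims so it can sit in the middle).
    A repeat of an already-known binding raises nothing, so a sustained
    attack logs once per poisoned binding rather than once per packet."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in events:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            tag = " [GATEWAY]" if ip == gateway else ""
            alerts.append(f"{ts} binding change{tag}: {ip} was {old}, now {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts} one MAC, many IPs: {mac} claims "
                              + ", ".join(sorted(mac_to_ips[mac])))
    return alerts


def suspect_macs(events):
    """MACs that ended up answering for more than one IP: the likely spoofer."""
    mac_to_ips = defaultdict(set)
    for _, ip, mac in events:
        mac_to_ips[mac].add(ip)
    return sorted(mac for mac, ips in mac_to_ips.items() if len(ips) > 1)


def run_sample():
    return detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG), GATEWAY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print("suspect:", suspect_macs(parse_arp_log(SAMPLE_ARP_LOG)))
```

On the sample this produces four alerts, two of them at the moment the gateway binding flips to the compromised host's MAC. The check only works from a vantage point on the same broadcast domain as the victims, which is also why the segmentation advice at the end of the article matters: ARP spoofing cannot cross a router.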

Above I described some of the game company's security problems and shortcomings; below are the corresponding solutions.
For the broad mass of players, preventing trojans still comes down to the following:
1. Be sure to install anti-virus software, and choose an effective one. Above all, keep its signatures and patches up to date.
2. Many viruses and worms spread through Windows vulnerabilities. Be sure to visit Windows Update regularly and install Microsoft's latest security patches; this keeps the system secure.
3. Do not download unknown software and plug-ins; such plug-ins and software are bundled with many trojans. Also stay away from unfamiliar websites: a large proportion of the trojan-infected machines I analysed picked up the trojan from a website rigged with one.
4. A small suggestion for the password guard's manufacturer: I hope you will stop playing word games and really produce one code that is valid for only one minute, to protect the interests of the players. That is your responsibility!
For the server-side problems I described, the solutions are:
1. The most important thing is to secure every server on the intranet; if hackers find one weak spot, they attack the whole network. This is not alarmist; there are many such cases.
2. If conditions allow, use routers to separate the network into segments and give the game servers a router segment of their own. ARP spoofing only works inside one broadcast domain, so hackers then cannot sniff across segments.

That is all for this article. I hope the company mentioned here will act quickly and give the players a clean and safe game environment. I also hope that people with ulterior motives who read this will not use it for sabotage. If you have any objections to this article, please contact me. By Purple Magic, a level 41 warrior in zone 7X :)

My qq:1108748.
mail:zihuan@16168.cn
