MSN protocol analysis

Source: Internet
Author: User

1. Overview
MSN Messenger usually communicates over port 1863 (sniffer traces of actual use confirm that MSN traffic uses port 1863). While MSN Messenger is running, the local client communicates and exchanges data through the protocol with three servers: the dispatch server, the notification server and the switchboard server. Communication between the local client and each server takes two main forms: commands and messages.
The dispatch server is mainly used to initialize the connection. The user first connects to the dispatch server at messenger.hotmail.com on port 1863, and then connects to the notification server using the IP address and port that are returned.
The notification server is the main workplace of MSN Messenger. Almost all operations require a connection to and an exchange with the notification server, including user status changes, chat requests, and email notifications. In actual operation, the IP address and port of the notification server are fixed at 64.4.13.195:1863.
Command: most data is sent in the standard command format, which has three parts: it starts with a command identifier, continues with the parameters, and ends with a line break. The parameters are separated by spaces.
Message: a special kind of command. It starts with MSG, and the first line of each message ends with a number giving the number of bytes of the message that follows (including the MIME headers and the body). The second line is the MIME header, generally of the form MIME-Version: 1.0, ending with a line break. The next line gives the type of the message being sent, in the form Content-Type: */*; charset=UTF-8, where */* indicates the message type. charset=UTF-8 is entirely optional; whether it is used depends on the message type. The MIME headers end with two line breaks, which separate them from the message body.
Transaction ID: each command and message sent from the client to the server contains a transaction ID, located directly after the command identifier or MSG. When the server answers a command or message from the client, it returns the same transaction ID, and the client uses the transaction ID to determine which request the server is responding to. Each time the client sends a command or message to the server, the transaction ID is incremented by 1.
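The framing rules above (space-separated command lines, a transaction ID after the identifier, MSG payloads counted in bytes) can be turned into a small stream splitter. This is an added example, not code from the original page; Frame, split_frames and the sample stream are hypothetical names and constructed data.

```python
from typing import NamedTuple, Optional

class Frame(NamedTuple):
    cmd: str
    trid: Optional[int]   # None when the second token is not a number (e.g. MSG from a peer)
    args: list
    headers: dict         # MSG only: MIME headers, names lower-cased
    body: bytes           # MSG only: bytes after the blank line

def split_frames(buf: bytes):
    """Return (frames, leftover) for one direction of a reassembled TCP stream."""
    frames, pos = [], 0
    while (eol := buf.find(b"\r\n", pos)) >= 0:
        tokens = buf[pos:eol].decode("utf-8", "replace").split(" ")
        cmd, args, end = tokens[0].upper(), tokens[1:], eol + 2
        headers, body = {}, b""
        if cmd == "MSG":
            if not (args and args[-1].isdecimal()):
                raise ValueError("MSG line without a byte count")
            length = int(args[-1])
            if len(buf) - end < length:
                break                         # payload not fully captured yet
            # Consume exactly `length` bytes: body lines are never read as commands.
            head, _, body = buf[end:end + length].partition(b"\r\n\r\n")
            for line in head.decode("utf-8", "replace").split("\r\n"):
                name, sep, value = line.partition(":")
                if sep:
                    headers[name.strip().lower()] = value.strip()
            end += length
        trid = int(args[0]) if args and args[0].isdecimal() else None
        frames.append(Frame(cmd, trid, args, headers, body))
        pos = end
    return frames, buf[pos:]

# Constructed sample: a client-to-server stream with two commands around one message.
# The second body line only looks like a command.
PAYLOAD = (b"MIME-Version: 1.0\r\n"
           b"Content-Type: text/plain; charset=UTF-8\r\n\r\n"
           b"Hello! How are you?\r\nCHG 99 NLN")
SAMPLE = b"CHG 7 NLN\r\n" + b"MSG 8 A %d\r\n" % len(PAYLOAD) + PAYLOAD + b"CHG 9 NLN\r\n"

if __name__ == "__main__":
    for frame in split_frames(SAMPLE)[0]:
        print(frame.cmd, frame.trid, frame.body)
```

A capture tool built on line-by-line keyword matching would report the text line inside the message body as a status change; splitting by the declared byte count avoids that.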
2. Starting MSN
Initializing the connection
(1) The first step is to connect to the dispatch server: open a TCP socket to messenger.hotmail.com on port 1863.
(2) Once connected to the dispatch server, the local client sends it a VER command with MSNP7 MSNP6 MSNP5 MSNP4 CVR0 (the protocol versions) as parameters. After receiving the request, the server returns a VER command. If the parameter is 0, the negotiation has failed.
(3) After the local client receives the reply, it sends a parameterless INF request to ask the server for the authentication algorithm. The dispatch server answers with MD5.
(4) The local client then sends a USR command to the server based on the returned parameter. The first parameter is the MD5 returned by the server, and the second is the email address the client is logging in with. The server answers with an XFR command whose parameters give the IP address and port of the notification server.
(5) The client connects to the notification server using that IP address and port. The following is the actual exchange between the client and the dispatch server.
Connect: messenger.hotmail.com 1863
>>> VER 0 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
<<< VER 0 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
>>> INF 1
<<< INF 1 MD5
>>> USR 2 MD5 I example@passport.com
<<< XFR 2 NS 64.4.12.132:1863 0
Disconnect

Connecting to the notification server
After the connection to the notification server succeeds, the first three steps are the same as with the dispatch server.
(6) Likewise, the local client sends a USR command to the notification server based on the returned parameter. It carries two parameters: the first is the MD5 returned by the notification server, and the second is the email address the user logs on with. After receiving the request, the server returns USR with the parameters MD5 S #.#, where #.# is the MD5 hash.
(7) Based on that response, the client sends another USR with the parameters MD5 S #, where # is an MD5 hash in hexadecimal notation computed from the value the server returned in the previous step. The server then returns USR with the parameters OK user@host name 1, where user@host is the email address the user logged in with and name is the user's screen name.
(8) After the user has logged on to MSN successfully, the client sends a CHG request asking the server to change the status of the newly logged-in user. The parameter is NLN, which means online. This is the first step in initializing the user's status after every login. The exchange between the notification server and the client is as follows.
Connect: 64.4.12.132 1863
>>> VER 3 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
<<< VER 3 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
>>> INF 4
<<< INF 4 MD5
>>> USR 5 MD5 I example@passport.com
<<< USR 5 MD5 S 1013928519.693957190
>>> USR 6 MD5 S 23e54a439a6a17d15025f4c6cbd0f6b5
<<< USR 6 OK example@passport.com My%20screen%20name 1
>>> CHG 7 NLN
<<< CHG 7 NLN
Continue session...

3. Voice conversation
Communication process
(1) The local client requests two new switchboard server addresses from the notification server (64.4.13.195:1863), one used for sending requests and the other for receiving replies. As shown in the following table:

Secondary connection port range    Protocol type    Direction    Info
6891-6900                          TCP              inbound      sending
6891-6900                          TCP              outbound     binding ing

The client sends the XFR command to the server over TCP with the parameter SB. After receiving the request, the notification server answers with an XFR command whose parameters are the IP address and port of the switchboard server and the login serial number for that switchboard server. For example:
>>> XFR 10 SB
<<< XFR 10 SB 64.4.12.193:1863 CKI 16925950.1016955577.17693
(2) The client connects to the two switchboard servers over TCP using the returned IP addresses and ports.
(3) Once connected, the client sends a USR command to each of the two switchboard servers. The first parameter is the email address used for the connection, and the second is the switchboard server login serial number that was returned earlier. If the command succeeds, the switchboard server returns a USR command whose first parameter is OK. For example:
>>> USR 1 example@passport.com 16925950.1016955577.17693
<<< USR 1 OK example@passport.com Mike
(4) To invite the other party to the conversation, the client sends the switchboard server a CAL command with the other party's registered email address as the parameter. After receiving the request, the server returns an ID number. The server also sends the client a JOI command whose first parameter is the email address of the invited party. For example:
>>> CAL 2 name_123@hotmail.com
<<< CAL 2 RINGING 11752099
<<< JOI name_123@hotmail.com name_123
All of the preceding steps are carried out between the local client and both switchboard servers at the same time.
(5) When the user wants to start a voice conversation, the local client sends a request to the switchboard server (assume its IP address is 64.4.12.192, port 1863). The request format is as follows:
MSG 4 N 277
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Application-Name: requested service type
Application-GUID: {5d3e02ab-6190-11d3-bbbb-00c04f795683}
Session-Protocol: SM1
Context-Data:
Requested: sip_a; capabilities: sip_a, sip_v
Invitation-Command: INVITE
............
(6) After server 64.4.12.192 receives the request, it replies with ACK, indicating that the request has been received.
(7) When the invited party accepts your voice conversation invitation, the acceptance goes to the switchboard server (assume IP address 64.4.12.159, port 1863), which sends a reply to the local client. The reply format is as follows:
MSG name_123@hotmail.com name_123
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: ACCEPT
............
IP-Address: the IP address of the invited party
(8) When the local machine receives the reply, it sends a message to server 64.4.12.159 in the following format:
MSG 4 A 237
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: ACCEPT
............
IP-Address: the IP address and port of the local machine
(9) After server 64.4.12.159 receives the message, it returns an ACK command, indicating that it has received the message.
(10) The invited party then connects over UDP to the local client's IP address and port for data transmission.
4. Sending files
Communication process
(1) The communication process for sending a file is the same as the first four steps of the voice conversation, except that only one switchboard server is requested (assume IP address 64.4.12.164, port 1863).
(2) When the user wants to send a file, the local client sends a request to server 64.4.12.164 in the following format:
MSG 4 N 277
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Application-Name: File Transfer
Application-GUID: {5d3e02ab-6190-11d3-bbbb-00c04f795683}
Invitation-Command: INVITE
Invitation-Cookie: 33267
Application-File: readme.txt
Application-FileSize: 60904
(3) Server 64.4.12.164 receives the request and, once the other party's user has accepted it, returns a reply to the local client. The format is as follows:
MSG example@passport.com Tim 179
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: ACCEPT
Invitation-Cookie: 33267
Launch-Application: FALSE
Request-Data: IP-Address:
Note: the last line requests the local IP address and port number.
(4) After receiving the reply, the local machine immediately sends a message to server 64.4.12.164 in the following format:
MSG 4 N 238
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: ACCEPT
Invitation-Cookie: 33267
IP-Address: 10.44.102.65
Port: 6891
AuthCookie: 93301
Launch-Application: FALSE
Request-Data: IP-Address:
Note: the message contains the local IP address and port.
(5) The other party then makes a TCP connection to the local client's IP address and port to transfer the file.
5. Video conversation
Communication process
The communication process of a video conversation is the same as that of a voice conversation: two switchboard servers are likewise requested, and the data is transmitted over UDP.
6. Sending instant messages
Sending instant messages
The communication process for sending instant messages is the same as the first four steps of the voice conversation, except that only one switchboard server is requested (assume IP address 64.4.12.174, port 1863). Once those four steps are complete and the client is connected to server 64.4.12.174, a local client that needs to send an instant message to another client sends server 64.4.12.174 a message containing the content, in the following format:
MSG 3 A 157
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=I; CO=000000; CS=0; PF=22

Hello! How are you?
Note: the last line is the content being sent.
Receiving instant messages
If another client sends an instant message to your machine, server 64.4.12.174 sends a message to the local client over the switchboard connection. The message format is as follows:
MSG example@passport.com Mike 157
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=I; CO=000000; CS=0; PF=22

Hello! How are you?
Note: the parameter after MSG on the first line is the email address of the other client, and the last line is the content that was sent.
7. Starting the whiteboard
Communication principle
(1) The communication principle is basically the same as the preceding steps of the voice conversation, but it differs in step 1. The message the local host sends to the server (64.4.12.160:1863) carries only an IP address, without the local port number. The structure is as follows:
MSG 4 A 237
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: ACCEPT
............
IP-Address: the IP address of the local machine
(2) Server 64.4.12.160 then replies with ACK.
(3) The local client sends a QRY request to the notification server (64.4.13.195:1863) to check whether the connection with server 64.4.13.195 is still being maintained.
(4) Server 64.4.13.195 returns a parameterless QRY command, which indicates OK.
(5) Server 64.4.12.160 then sends a message. Its structure is as follows:
MSG name_123@hotmail.com name_123
MIME-Version: 1.0
Content-Type: text/x-msmsgsinvite; charset=UTF-8
Invitation-Command: Context
Context-Data: 10.1.1.211:13374
............
Note: the Context-Data field contains the IP address and port number of the requester.
(6) The local machine makes a TCP connection to the other party and then exchanges data.
8. Enabling application sharing
The communication process is the same as for starting the whiteboard.
9. Problems found
The MSN documentation that can be found by searching the Internet is fairly old and differs from the current version, so some details do not match what packet tracing with a sniffer shows in practice. For example:
The current version of MSN does not start by connecting to the dispatch server; it connects directly to the notification server.
The IP address and port of the notification server are not returned by the dispatch server but are already fixed (64.4.13.195:1863).
10. Solution
Obtaining IP addresses and ports
(1) First, a connection is established between the local client and the notification server at 64.4.13.195:1863.
(2) When you open a new window, the local client asks server 64.4.13.195:1863 for the IP address and port of a switchboard server and then connects to that IP address and port. We can obtain the requested switchboard server address from the packet returned by server 64.4.13.195:1863. The server answers with a command of the form XFR 10 SB 64.4.12.193:1863 CKI 16925950.1016955577.17693. We can intercept this packet by the command keyword XFR and then parse out the IP address and port of the switchboard server.

(3) After the switchboard server and the client are connected, and before the operation itself starts, the local client sends the switchboard server a message inviting the other party to join. If the other party accepts, the switchboard server sends you a message accepting the invitation. The message contains the keyword IP-Address, whose value may be the other party's IP address and port or only the IP address. If the port number is included, it is separated by ":". If IP-Address does not contain a port, look for another keyword, Port, which may hold the port number (this keyword appears in the messages returned when sending a file and does not appear in other operations).
(4) When the local client receives the response from the switchboard server, it replies with another message, which may also contain the IP address and port of the local machine. Analyze it in the same way as in step 3 to obtain the local machine's IP address and port. The exception is the whiteboard function, where the IP address and port returned by the local client are stored in the Context-Data field of the message. Finally, a connection is created between the local machine and the invitee. All messages in MSN communication start with MSG. After a packet is intercepted, check whether its first line starts with MSG, then look for the keywords IP-Address, Port and Context-Data in the message to obtain the IP address and port of the connection to be established.
Determining whether the established connection is TCP or UDP
In MSN, only the connections for voice conversations and video conversations are UDP. First, the client sends an operation request packet to the server. One field in the packet indicates the requested operation type: it starts with the keyword Application-Name, followed by the relevant data as a byte sequence (shown here in hexadecimal). The byte sequence for voice conversation and video conversation is the same: 3A 20 E8 AF AD E9 9F B3 E5 AF B9 E8 AF 9D 0D 0A, where 3A 20 is a colon and a space and 0D 0A is the carriage return and line feed. The requested operation type can be obtained by capturing this data. Application-Name appears only once: it is included only in the first request and is absent from later data. When the server later returns an IP address and port and a connection is to be established, we need to know which operation request it belongs to. For that there is an Invitation-Cookie, which holds a string of randomly generated digits. The server returns this value to the client in its packets, so the client can use the returned ID to tell which operation request an IP address and port belong to. Using Application-Name and Invitation-Cookie, we can therefore tell which operation request an established connection follows and whether the connection is TCP or UDP.
Note: the byte sequences for the other operation types are:
File Transfer: 3A 20 E6 96 87 E4 BC A0 E8 BE 93 0D 0A
Enable whiteboard: 3A 20 E7 99 BD E6 9D BF 0D 0A
Remote Assistance: 3A 20 E8 BF 9C E7 A8 8B E5 8D 8F E5 8A A9 0D 0A
Enable application sharing: 3A 20 E5 BA 94 E7 94 A8 E7 A8 8B E5 BA 8F E5 85 B1 E4 BA AB 0D 0A
In addition, sent messages do not contain this data.
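One way to implement the tracking described in this section, as an added example that is not part of the original page: remember each Invitation-Cookie with its Application-Name from the INVITE, then read IP-Address, Port or Context-Data from later messages to predict the peer connection and its transport. InviteTracker and its helpers are hypothetical names; the file-transfer fields are the ones shown on this page, while the voice messages (cookie 4711, 192.0.2.10:7001) are constructed.

```python
import ipaddress

# Application-Name bytes the page lists for voice and video conversation
# (they decode as UTF-8 text from a localized client).
VOICE_VIDEO = bytes.fromhex("E8AFADE99FB3E5AFB9E8AF9D")
HEAD = b"MIME-Version: 1.0\r\nContent-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"

def invite_fields(block: bytes) -> dict:
    """Map lower-cased field name -> value for every 'Name: value' line."""
    fields = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def parse_endpoint(fields: dict):
    """(ip, port) from Context-Data or IP-Address; port falls back to Port, else None."""
    for key in (b"context-data", b"ip-address"):
        host, _, port = fields.get(key, b"").partition(b":")
        try:
            ip = str(ipaddress.ip_address(host.strip().decode("ascii")))
        except ValueError:                   # field missing or not an address
            continue
        port = port.strip() or fields.get(b"port", b"")
        ok = port.isdigit() and 0 < int(port) < 65536
        return ip, (int(port) if ok else None)
    return None

class InviteTracker:
    def __init__(self):
        self.apps = {}                       # Invitation-Cookie -> Application-Name

    def feed(self, payload: bytes):
        """Return (ip, port, proto) when a message announces a peer endpoint, else None."""
        head, _, body = payload.partition(b"\r\n\r\n")
        if b"text/x-msmsgsinvite" not in invite_fields(head).get(b"content-type", b"").lower():
            return None                      # ordinary chat text is ignored
        f = invite_fields(body)
        cookie = f.get(b"invitation-cookie")
        if f.get(b"invitation-command", b"").upper() == b"INVITE":
            if cookie is not None:
                self.apps[cookie] = f.get(b"application-name", b"")
            return None
        endpoint = parse_endpoint(f)
        if endpoint is None:
            return None
        app = self.apps.get(cookie)          # None: the INVITE was not captured
        proto = None if app is None else ("udp" if app == VOICE_VIDEO else "tcp")
        return endpoint + (proto,)

# File-transfer fields as shown on the page; the voice pair is constructed.
FILE_INVITE = HEAD + b"Application-Name: File Transfer\r\nInvitation-Command: INVITE\r\nInvitation-Cookie: 33267\r\n"
FILE_ACCEPT = HEAD + b"Invitation-Command: ACCEPT\r\nInvitation-Cookie: 33267\r\nIP-Address: 10.44.102.65\r\nPort: 6891\r\n"
VOICE_INVITE = HEAD + b"Application-Name: " + VOICE_VIDEO + b"\r\nInvitation-Command: INVITE\r\nInvitation-Cookie: 4711\r\n"
VOICE_ACCEPT = HEAD + b"Invitation-Command: ACCEPT\r\nInvitation-Cookie: 4711\r\nIP-Address: 192.0.2.10:7001\r\n"
```

A proto of None means the INVITE carrying Application-Name was not captured, which is the case the page points out when it notes that the field appears only in the first request.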
