ok Phil, send me the packets! I've been doing some sniffing myself and found out some quite interesting stuff!! look at what I have :
flow of connection from official client :
-connects to the NS, begins auth...
 +connects to SSL server, authenticate
-continue auth on NS
+download a 1x1 pixel GIF image... http://c.msn.com/c.gif?did=1&t=<T_KEY_FROM_SSL_AUTH_SERVER>&p=<P_KEY_FROM_SSL_SERVER> <-- same as the USR TWN sent to the NS for authentication...
+sends 2 malformed RX packets with some binary data of 28 bytes to e450.voice.microsoft.com on port 7001 (UDP packets)
 +receives 2 malformed RX packets from e450.voice.microsoft.com:7001 (UDP)
+** IMPORTANT ** <-- sends a SOAP request to get the client's configuration!!!! everything is taken from there! the URL for the reflector, the ips of the servers on which to do STUN requests, everything... all the ads to show too, the news, the tabs, the banners, the settings, everything... the SOAP request/response is attached to this mail (getclientconfig.log) ...
+sends two SSDP discover to the router, one for service:WANIPConnection:1 and the other for service:WANPPPConnection:1
 --+I suppose it should get the answer, but I have no upnp, so it gets a port unreachable error so I don't know what it does after this step in this case.

then it does some other stuff, still sends from time to time the UDP packets to e450.voice.microsoft.com and receives an answer for it... the server is 64.4.12.200 and it sometimes sends an empty UDP packet with no destination port to 64.4.12.201 (the same ip as e450.voice.microsoft.com but one number up...)

then it does a SOAP request on storage.msn.com.. attached file schematizestore.log is the trace.

then it gets fucked up by hundreds of http GET/POST on ads.msn.com and whatever.real.com etc... (in short it downloads all the images/text to show in the ads pages) but I don't think I saw in it something relevant, but there, it still thinks that I'm firewalled, so I guess it already found out what it needed to find... I think those UDPs were some kind of protocol (stun or whatever) to see if we're firewalled... maybe I'm wrong... but that's what I got...

btw, I created some MSN spaces and found out we receive notifications from the server (whether it's our space or someone else's space), the NOT command is not recognized and generates a warning in the status log (nothing important but a 'msn alerts' plugin would be interesting) I attached the command received in notification.log

apart from that, I wanted to get the SOAP request for checking the space of someone, but I was unable to find it!! viewing the contact card of someone having a space account gave me nothing!! it didn't check if he had a space, it didn't show me the space info in the CC and I was unable to 'open space' from there either!!! :@ I don't know what happened... anyways, I still have the two soap requests at work, I'll get them next week or so...

btw, one of the urls from getclientconfig SOAP request was an xml on the reflector's website (spotlife), I downloaded it and here it shows :
<?xml version="1.0" encoding="UTF-8" ?>
<locateresponse>
 <reflector>http://mp3reflector.spotlife.net/createTunnel</reflector>
 <createreflectorsessionurl>http://mp3reflector.spotlife.net/createSession</createreflectorsessionurl>
 <clientmaxbw>384</clientmaxbw>
 <stun1a>64.15.206.213:3478</stun1a>
 <stun1b>66.35.251.197:3478</stun1b>
 <stun1c>216.34.130.245:3478</stun1c>
</locateresponse>

it contains the urls for the reflectors tunnel and session creators as well as the 3 ips needed for the STUN requests!!! I think we should make next version depend on all those values because MSN could shut us off by simply shutting down those websites and having new urls to the reflector and change the url in the SOAP response.. all official clients will get the new URL, and amsn will fail...

KaKaRoTo



On Wed, 12 Apr 2006 14:48:58 -0400, Le Philousophe - Phil <[EMAIL PROTECTED]> wrote:

Hi,
I am back ;)
About UDP packets : they aren't UPnP packets... They point to a M$ server...
I let you check the join Text dump...
About UPnP, Ethereal marks them as SSDP but I think there is a bug somewhere
since my router didn't want to reply to them (ie my NAT was marked as a
non-UPnP NAT)
Phil

On Tuesday 11 April 2006 22:35, Youness Alaoui wrote:
of course.


On Tue, 11 Apr 2006 16:30:24 -0400, Sander Hoentjen <[EMAIL PROTECTED]> wrote:
> and with upnp you can forward a port automatically
>
> On Tue, 2006-04-11 at 15:17 -0400, Youness Alaoui wrote:
>> ok, if the ip is something like 235.235.235.235 or 255.255.255.255 or
>> whatever, it means it uses UPNP.. UPNP is simply udp packages sent to a
>> specific broadcast IP, so I guess it uses upnp to detect if it's behind
>> upnp router.. but if there is no upnp router, then it must use another way
>> to find whether it is firewalled or not (i think with upnp you can ask the
>> router whether we're firewalled or not).
>>
>> KKRT
>>
>> On Tue, 11 Apr 2006 15:14:19 -0400, Vivia Nikolaidou <[EMAIL PROTECTED]> wrote:
>> > Hi everyone,
>> >
>> > fwd-ing phil's mail as he can't send from his sf address...
>> >
>> > ---------- Forwarded message ----------
>> > Date: Tue, 11 Apr 2006 21:05:14 +0200
>> > From: "[EMAIL PROTECTED]" < >
>> > To: vivia <[EMAIL PROTECTED]>
>> > Subject: Fw:Re: Proxy (was: Re: [Amsn-devel] WAKE UP EVERYONE!!!!)
>> >
>> > Hi,
>> > from my Uncle's home ;)
>> > I already did the sniff and found some interesting things but it seems
>> > it uses UDP to check the connection... Very strange... But anyway I have
>> > the sniff and doesn't seem to be so complicated... It contains the IP
>> > address in hex form and a port if I remember well... Not sure though and
>> > as I am not at home....
>> > Phil
>> >
>> >  > On Mon, 10 Apr 2006, Youness Alaoui wrote:
>> >  >
>> >> > why name subject 'proxy' ??
>> >>
>> >> because i am tiiiiiiiiiiired :) ok ppl, false alarm!
>> >>
>> >> > anyways, the nat detection is very important IMHO, not only do we get
>> >> > thousands of reports about "ouhh, it says I'm firewalled", but also, in
>> >> > the case of an FT, if both use amsn, both are not firewalled but both
>> >> > amsns think they are firewalled, they will use the SB, simply because
>> >> > FTs don't work the same as webcams...
>> >>
>> >> yeah but it will work, even if it's slow!
>> >>
>> >> > disassembling ink will take years, same for audio clips and 'whatever
>> >> > fancy M$ thing', while nat detection is not that difficult maybe a
>> >> > simple sniff will give us a very simple solution, maybe not... maybe
>> >> > we'll need the hostname of the port checker and for that, we'll just
>> >> > have to disassemble and look for 'nat' in the strings the executable
>> >> > contains.. maybe there's a proprietary hash that needs to be RE-ed and
>> >> > in that case, it will take too long and at that point it's not necessary
>> >> > anymore, we'll have to find another server than MS servers... but I
>> >> > still think it's worth it to spend some time on this issue...
>> >>
>> >> yeah, if you put it this way :) if we can find it without RE-ing, sure!
>> >> now who's going to sniff M$N? :P
>> >>
>> >>
>> >> -------------------------------------------------------
>> >> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>> >> that extends applications into web and mobile media. Attend the live webcast
>> >> and join the prime developer group breaking into this new coding territory!
>> >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>> >> _______________________________________________
>> >> Amsn-devel mailing list
>> >> Amsn-devel@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/amsn-devel
>> >
>> > Access La Poste e-mail: www.laposte.net ;
>> > 3615 LAPOSTENET (0,34 €/mn) ; tel: 08 92 68 13 50 (0,34€/mn)



--
KaKaRoTo

Attachment: getclientconfig.log
Description: Binary data

Attachment: shematizestore.log
Description: Binary data

Attachment: notification.log
Description: Binary data
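
As an added illustration (not aMSN code and not part of the original mail), here is one way a client could consume the fetched <locateresponse> document that the top message proposes depending on, while treating it as untrusted input. It is written in Python; the function names, the 4096-byte limit and the fallback behaviour are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# The <locateresponse> document quoted in the message above, as bytes.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<locateresponse>
 <reflector>http://mp3reflector.spotlife.net/createTunnel</reflector>
 <createreflectorsessionurl>http://mp3reflector.spotlife.net/createSession</createreflectorsessionurl>
 <clientmaxbw>384</clientmaxbw>
 <stun1a>64.15.206.213:3478</stun1a>
 <stun1b>66.35.251.197:3478</stun1b>
 <stun1c>216.34.130.245:3478</stun1c>
</locateresponse>"""

def _url(text):  # accept only http(s) URLs that name a host
    parts = urlsplit(text.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"bad reflector URL: {text!r}")
    return text.strip()

def _endpoint(text):  # 'a.b.c.d:port', public address and valid port only
    host, _, port = text.strip().rpartition(":")
    addr, port = ipaddress.IPv4Address(host), int(port)
    if not addr.is_global or not 0 < port < 65536:
        raise ValueError(f"bad STUN endpoint: {text!r}")
    return str(addr), port

def parse_locate_response(data):
    # Refuse oversized input (4096 is an assumed bound) and DTDs before parsing.
    if len(data) > 4096 or b"<!DOCTYPE" in data or b"\x00" in data:
        raise ValueError("refusing oversized or DTD-bearing document")
    root, stun = ET.fromstring(data), []
    for el in root:  # stun1a, stun1b, ... in document order
        if el.tag.startswith("stun"):
            try:
                stun.append(_endpoint(el.text or ""))
            except ValueError:
                pass  # drop one bad entry, keep the rest
    if root.tag != "locateresponse" or not stun:
        raise ValueError("wrong root element or no usable STUN server")
    return {"reflector": _url(root.findtext("reflector", "")),
            "create_session": _url(root.findtext("createreflectorsessionurl", "")),
            "max_bw": int(root.findtext("clientmaxbw", "0")), "stun": stun}

def load_config(data, fallback):
    try:
        return parse_locate_response(data)
    except (ValueError, ET.ParseError):  # unusable: keep built-in values
        return fallback
```

The fallback passed to load_config would be the values a client already ships with, so a malformed or tampered response degrades to the old behaviour instead of pointing the client at an arbitrary host.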
