Post by: H04X on January 05, 2008, 04:54:00 AM
Maybe it would be a good idea to run ethereal/wireshark off a hub or a spaning port on a switch or router when connecting to Live and seeing what the hell is actually sent to M$. I doubt its a SSH/SSL connection and Live is just a Network that uses TCP/IP so the traffic should be able to be analysed. If anyone wants to have a bash and send me the packets - IM me for my email address and I'll / we can try to work it out.
I imagine it will be a simple 3 way handshake followed by sending an "hash" of the console. If this doesnt match - ban the console (probably done via the MAC address - which can be spoofed btw)
I think the answer to bannings on Live lies in finding out whats sent to M$ on both a normal and a moddified xbox. Then we can work on the packets potentially crafting/spoofing legitimate ones and then connect to Live.
I've checked the Assigned ports from IANA and both TCP and UDP ports 3074 are assigned to XBOX...
I dont agree with hacking - but if it didnt happen I wouldnt have a job! however, I've hacked my iPod touch using the TIFF image buffer overflow and now I can install 3rd part applications. this is done by a simple buffer overflow and creating a Putty session into the iPod using wireless from a PC. Now onto my point....
Imagine if you could do the same to an XBOX. e.g connect it to your PC, throw some network traffic at it, crash the stack and gain full read writes to the machine... how kool would that be?!
Ive just checked on the search engine begining with a G and found NO results for "wireshark/ethereal xbox traffic" - it looks like this kind stuff hasnt been done yet!
Obviously Live doesnt let you browse the internet or view images but (and im sorry if im getting "geeky") somewhere there must be an unchecked boundary where you can cause an overflow. This could allow you to modify the dashboard - install your own apps - connect to live using spoofed credentials and play away etc etc etc
some of you might understand all that / some might not. I think there could be some massive scope though.
Remember, Im not on about hacking each other xbox's whilst on live im talking about a similar method to the iPod touch Jailbreak hack and getting the most out of your console.
Thoughts...
H04X
Post by: No_Name on January 05, 2008, 05:00:00 AM
The packets are encrypted with a per-session kerbos (sp) key.
Post by: H04X on January 05, 2008, 09:31:00 AM
How much is Kerberos actually used though? I doubt the whole session is on port 88. I can understand using it however im still interested in the idea especially as kerberos requires network time to be reasonably accurate.
Id still like to see some traffic if anyone has any/will capture me some. Ive also found a post about the original xbox but not the 360.
thoughts...
H04X (IMG:style_emoticons/default/smile.gif)
Post by: angrypond on January 06, 2008, 05:45:00 PM
Post by: torne on January 07, 2008, 05:49:00 AM
QUOTE(H04X @ Jan 5 2008, 04:31 PM) 
How much is Kerberos actually used though? I doubt the whole session is on port 88. I can understand using it however im still interested in the idea especially as kerberos requires network time to be reasonably accurate.
A random session key is set up via the kerberos exchanges, and all further communication is encrypted using that key. There is no plaintext data to look at whatsoever.
Post by: javaoverride2003 on January 07, 2008, 08:15:00 PM
One-Time Pads.
The cipher itself is exceedlingly simple. To encrypt plaintext, P, with a key, K, producing ciphertext, C, simply compute the bitwise exclusive-or of the key and the plaintext:
C = K^P
To decrypt ciphertext, C, the recipient computes
P = K^C
It's that simple, and it's perfectly secure, as long as the key is random and is not compromised
one time key pads can use anything as a reference or key for the cypher, due to the nature of only two people knowing what the key is it's impossible to break, a rotating key used only once can not be cracked, you need to know the variables used in the cypher.
one of the typical one time keys used during the cold war was a deck of cards shuffled to a specific order and used only once. it couldn't be cracked till very recently and still requires weeks and a message longer than 52 characters, for better and quicker results the longer the message the easier it is to compromise.
as i said it is useless for transmission streams but when used for it's original purpose is still unbreakable especially when poly character cyphers where used to eep the message short
Post by: scuba156 on April 16, 2008, 11:29:00 AM
the security on anything xbox 360 related is alot tighter than an iPod touch
Post by: foogrrr on April 21, 2008, 02:13:00 PM
QUOTE
without knowing the private MS key, its virtually impossible, and if it did get cracked, it wouldnt be worth anything anyway.
With the keyvault now being complety dissected i wouldn't be suprised if soon (or already have) they find the key that is used to sign the seeds for the kerberos authentication. and XBL services.
And True, without having access to the service no one can really say what it could be used for, because the case still resides that each xbox more than likely has a unique key to sign the seed with to generate the private key. But im sure its worth more than nothing as people find uses for the smallest things.
True the key is not stored in the hypervisor, although that is prolly where the key signing takes place.
cheers, foo