I was wondering the logon packet sequence for SC/BW/W2BE on to battle.net. Bnetdocs has been down for about 18 hours that I know of, and I'm just looking for some information.
http://www.userloser.net/packetref (http://www.userloser.net/packetref)
wow, open bnetdocs is still in existance, nice.
Quote from: Maddox on July 29, 2004, 05:13 PM
http://camel.ik0ns.com:86/wiki/index.php
I always use that because it's open to every one and anyone can add or correct things.
Seems to be currently down :-\ or just running really slow.
And Userloser's Packet Referral is great but it doesn't discuss 0x3A, 0x29 logon responses. Other than that, it's great.
Edit: And the reason I think this is necessary is because he is using SC/BW/W2.
Quote from: ChR0NiC on July 29, 2004, 05:48 PM
And Userloser's Packet Referral is great but it doesn't discuss 0x3A, 0x29 logon responses. Other than that, it's great.
Laziness explains that. Maybe later tonight I'll work on it since I found some fun stuff in SSHR.
Quote from: Maddox on July 29, 2004, 05:13 PM
http://camel.ik0ns.com:86/wiki/index.php
I always use that because it's open to every one and anyone can add or correct things.
I've had some problems accessing it from that URI now and then. He suggests using the redirector:
http://wiki.ik0ns.com
Quote from: UserLoser. on July 29, 2004, 05:51 PM
Laziness explains that. Maybe later tonight I'll work on it since I found some fun stuff in SSHR.
Sorry I didn't mean it as an attack on you :-[
Quote from: Myndfyre on July 29, 2004, 06:06 PM
I've had some problems accessing it from that URI now and then. He suggests using the redirector:
http://wiki.ik0ns.com
Thanks runs much better than the original
Quote from: Maddox on July 29, 2004, 05:13 PM
http://camel.ik0ns.com:86/wiki/index.php
I always use that because it's open to every one and anyone can add or correct things.
Cool :)
I like it because it hasn't IPbanned me for typing my password wrong 3-4 times. :-\
*shakes fist* Damn you bnetdocs for banning me!
Off topic: Eli_1, about your signature, how do you SAIL in a canoe? Can you really do that?
I moved house, so I lost my connection for a bit. It's back up now.
Eli: I've removed that ban as well now. BnetDocs will no longer ban normal accounts for failed logons.
Message
We're sorry, but BnetDocs is currently unavailable. Please try again later.
Got that after I logged in
gogo open bnet docs!
hmm. It's really there now. DNS was being screwy.
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.
Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.
I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P
Quote from: ChR0NiC on July 29, 2004, 09:26 PM
Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.
I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P
Get Mozilla Firefox. You won't ever have to type in a password again.
Quote from: UserLoser. on July 29, 2004, 09:45 PM
Quote from: ChR0NiC on July 29, 2004, 09:26 PM
Quote from: Maddox on July 29, 2004, 08:25 PM
Why do you require accounts at all? Why don't you just open it to the public and make an optional login for privileged users? At least allow people to stay logged in for weeks at a time.
I agree, it may not take much to login, but sometimes it drives me crazy that I have to type in my password :P
Get Mozilla Firefox. You won't ever have to type in a password again.
It has voice recognition?
Now that's truly a great way to input your password. Someone could listen in...and you can't say weird ones like xkJ867Z
If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't:
- Store password in cookie
- Keep session open forever
shout -- I have no idea. I saw storm say it in a previous thread, and I just had to use it as my sig. I was crackin' up.
Arta -- Thanks. :D
I still can't get to bnetdocs...
Quote from: Arta[vL] on July 29, 2004, 10:34 PM
If someone can suggest a secure way to do it then I'll add a 'remember my logon' checkbox. It can't:
- Store password in cookie
- Keep session open forever
Make a cookie consisting of user name, time, and secret. Something like this:
Adron:12345678:b95d5bbba7e84699ab9286d7a686be00
The secret is calculated in this way:
H:\>echo Adron:12345678:artassecret|md5sum
b95d5bbba7e84699ab9286d7a686be00 *-
"artassecret" could either be a fixed secret value for your application, or a unique secret for each user. It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good. You can reset the cookie with a new logon time each time the user visits bnetdocs, or you can set it just once and then the user will have to relogon after a certain time.
Spot any weaknesses here?
Edit: This is the way I made the user name information transfer from the forum to the radio station btw.
Quote from: Adron on July 30, 2004, 11:38 AM
It shouldn't be the password, because it mustn't be brute-forceable. A 128-bit random number would be good.
Spot any weaknesses here?
Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.
Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itsself still applies.
Chronic: None of this applies to normal users.
Quote from: ChR0NiC on July 30, 2004, 12:09 PM
I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.
Viewing information that certain users do not want to be revealed to other people who they may not trust or know.
Quote from: Arta[vL] on July 30, 2004, 12:19 PMI don't want to keep sessions open for extended periods of time.
Why not? It's not exactly a high level of overhead to save a few extra cookies serverside. :)
It exposes the system to session theft.
If you can bruteforce a 160-bit number, get back to me.
Quote from: $t0rm on July 30, 2004, 04:02 PM
If you can bruteforce a 160-bit number, get back to me.
I could..with my quantum computer.
Give every person in India a calculator.
Quote from: $t0rm on July 30, 2004, 11:27 PM
Give every person in India a calculator.
And a carton of smokes >:(
Quote from: Arta[vL] on July 30, 2004, 12:19 PM
Adron: That's how I store session cookies already. I don't want to keep sessions open for extended periods of time. The only other option is to automatically log people on, which requires a usable saved password. Even if that method were used, the old problem that having a hash of a password is the same as having the password itsself still applies.
Chronic: None of this applies to normal users.
It's not a session cookie - it's an automatic logon cookie. You can use the same secret for all users, you don't have to store anything extra for each user that would require resources on the server.
The users won't be having a hash of a password, they'll be having a hash of name + time + shared secret. They can't use that to log on as any other user. They also can't obtain the password from the cookie.
Quote from: Arta[vL] on July 30, 2004, 03:32 PM
It exposes the system to session theft.
This is what people want - the ability to have their computer log them in automatically. That necessarily means that the computer will have whatever token is required to authenticate. And yes, that token could be stolen. Those tokens could be stolen already, from the password cache in IE or whatever corresponding function there is in other browsers.
Since the session cookies are unique to each user, it's not possible to make an attack based on setting the cookie in your domain ahead of time. Since that's impossible, what would remain is to use a cross-site scripting attack. If your site is vulnerable to cross-site scripting, it can be compromised already, so no reason to worry about that any more for this case.
Quote from: ChR0NiC on July 30, 2004, 12:09 PM
Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.
It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there?
Quote from: Adron on July 31, 2004, 07:12 AM
Quote from: ChR0NiC on July 30, 2004, 12:09 PM
Uh? No offense but any idiot who is lame enough to try and brute force a BNET Docs password seriously needs a life. I don't get what "BAD" they could do with it anyways, other than logging in and viewing the documents that Arta has provided, which can be done by registering their own account.
It's about the principles. The same thing could be used to protect your bank account. Now, do you spot any weaknesses there?
actaully not 2 long ago sombody cracked into the visa accounts and they end up having to cancle over a million creidt cards
Why not just have no login? Its saves on thinking a secure way...