• [PSA] SteamID spoofing in Gmod
-snip- It's fixed.
Thanks for the heads up.
So how do I abuse this to get massive hacker cred with the skiddies by making Serenity 2.0?
nice find
[QUOTE=Leystryku;49310144] The [B]only[/B] requirement is you having joined their server which they logged your steam cookie, allowing them to [B]use your steamid [/B] freely.[/QUOTE] So, as long as I don't join the potential attackers server I should be fine?
[QUOTE=MadParakeet;49310301]So how do I abuse this to get massive hacker cred with the skiddies [...]?[/QUOTE] You waste some time trying to understand the OP and then give up and pay somebody on fiverr to implement the attack. Then you just bundle it with a [I]"modern"[/I] RAT like Sub7 and a Bitcoin Miner and post it on mpgh. :eng101: [QUOTE=Leystryku;49310144]spoofing[/QUOTE] Good job there.
[QUOTE=TheTechPony;49310335]So, as long as I don't join the potential attackers server I should be fine?[/QUOTE] You as a user are fine; the problem lies within servers. Say a server is running an admin mod such as ulx that authenticates through steamid; if I spoof my steamid as the server owner, I can run the commands a server owner can. Clarification: Yes they can use your SteamID and impersonate you, but they can't attack you personally, only servers. [editline]a[/editline] Misunderstood your question. Yes.
Any admin mod should be checking if the player is actually authenticated properly by Steam: [url]https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L81-L105[/url]
[QUOTE=zerf;49310355]You as a user are fine; the problem lies within servers. Say a server is running an admin mod such as ulx that authenticates through steamid; if I spoof my steamid as the server owner, I can run the commands a server owner can. Clarification: Yes they can use your SteamID and impersonate you, but they can't attack you personally, only servers.[/QUOTE] Reread my post and look at the quote I posted.
[QUOTE=Robotboy655;49310400]Any admin mod should be checking if the player is actually authenticated properly by Steam: [url]https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L81-L105[/url][/QUOTE] Is the PlayerAuthed hook equivalent to using Player:IsFullyAuthenticated? What's the difference in meaning between the PlayerAuthed and NetworkIDValidated hooks?
[code]
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r IsFullyAuthenticated CATpublic evolve exsto moderator ulib ulx ulx4
ulx4/moon/ulx/sv_init.moon: The player sometimes flags for "IsFullyAuthenticated" on PlayerInitialSpawn.
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r PlayerAuthed CATpublic evolve exsto moderator ulib ulx ulx4
CATpublic/catv1/lua/cat_core.lua:hook.Add("PlayerAuthed", "CAT_Gatekeeper", function(ply, stid, unid)
evolve/lua/includes/modules/sourcebans.lua: local function PlayerAuthed(ply, steamID)
evolve/lua/includes/modules/sourcebans.lua: hook.Add("PlayerAuthed", "SourceBans.lua - PlayerAuthed", PlayerAuthed);
exsto/lua/exsto/plugins/server/logging.lua:function PLUGIN:ExPlayerAuthed( ply )
exsto/lua/exsto/plugins/shared/time.lua: function PLUGIN:ExPlayerAuthed( ply )
exsto/lua/exsto/server/sv_groups.lua: hook.Call( "ExPlayerAuthed", nil, ply, sid, uid )
exsto/lua/exsto/server/sv_groups.lua:hook.Add( "PlayerAuthed", "ExInitPlayer", exsto.InitializePlayer )
exsto/lua/exsto/server/sv_groups.lua:--hook.Add( "PlayerAuthed", "FakeInitialSpawn", Hook )
ulib/lua/ulib/server/ucl.lua:-- Note that this function is hooked into "PlayerAuthed", below.
ulib/lua/ulib/server/ucl.lua:hook.Add( "PlayerAuthed", "UTEST", function() print( "HERE HERE: Player Authed" ) end )
ulib/lua/ulib/server/ucl.lua:hook.Add( "PlayerAuthed", "ULibAuth", newPlayerAuth, HOOK_MONITOR_HIGH )
ulx4/moon/ulx/sv_init.moon:hook.Add("PlayerAuthed", "ULX Start Client", playerAuth)
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r NetworkIDValidated CATpublic evolve exsto moderator ulib ulx ulx4
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>
[/code]
Exsto and ULX use PlayerAuthed. CAT, evolve and moderator don't use any of the authentication hooks. I'm sorry if I left your admin mod out. EDIT: See below [QUOTE=Leystryku;49310550]When someone spoofs his steamid PlayerAuthed is still called, while NetworkIDValidated isn't. NetworkIDValidated is called pretty much as soon as IsFullyAuthenticated starts returning true.[/QUOTE]
Someone [sp]meep[/sp] has been abusing this on my server and exploiting net to in turn cause a crash with what I'd assume was a bot with the persistence.
[QUOTE=AeroGames;49310514]Someone [sp]meep[/sp] has been abusing this on my server and exploiting net to in turn cause a crash with what I'd assume was a bot with the persistence.[/QUOTE] Good.
[QUOTE=!cake;49310498]Exsto and ULX use PlayerAuthed. CAT, evolve and moderator don't use any of the authentication hooks. I'm sorry if I left your admin mod out.[/QUOTE] To be honest though, you really would not think to Authenticate the player when it should be done as they connect. You shouldn't have to.
[QUOTE=!cake;49310498]Is the PlayerAuthed hook equivalent to using Player:IsFullyAuthenticated? What's the difference in meaning between the PlayerAuthed and NetworkIDValidated hooks?
[code]
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r IsFullyAuthenticated CATpublic evolve exsto moderator ulib ulx ulx4
ulx4/moon/ulx/sv_init.moon: The player sometimes flags for "IsFullyAuthenticated" on PlayerInitialSpawn.
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r PlayerAuthed CATpublic evolve exsto moderator ulib ulx ulx4
CATpublic/catv1/lua/cat_core.lua:hook.Add("PlayerAuthed", "CAT_Gatekeeper", function(ply, stid, unid)
evolve/lua/includes/modules/sourcebans.lua: local function PlayerAuthed(ply, steamID)
evolve/lua/includes/modules/sourcebans.lua: hook.Add("PlayerAuthed", "SourceBans.lua - PlayerAuthed", PlayerAuthed);
exsto/lua/exsto/plugins/server/logging.lua:function PLUGIN:ExPlayerAuthed( ply )
exsto/lua/exsto/plugins/shared/time.lua: function PLUGIN:ExPlayerAuthed( ply )
exsto/lua/exsto/server/sv_groups.lua: hook.Call( "ExPlayerAuthed", nil, ply, sid, uid )
exsto/lua/exsto/server/sv_groups.lua:hook.Add( "PlayerAuthed", "ExInitPlayer", exsto.InitializePlayer )
exsto/lua/exsto/server/sv_groups.lua:--hook.Add( "PlayerAuthed", "FakeInitialSpawn", Hook )
ulib/lua/ulib/server/ucl.lua:-- Note that this function is hooked into "PlayerAuthed", below.
ulib/lua/ulib/server/ucl.lua:hook.Add( "PlayerAuthed", "UTEST", function() print( "HERE HERE: Player Authed" ) end )
ulib/lua/ulib/server/ucl.lua:hook.Add( "PlayerAuthed", "ULibAuth", newPlayerAuth, HOOK_MONITOR_HIGH )
ulx4/moon/ulx/sv_init.moon:hook.Add("PlayerAuthed", "ULX Start Client", playerAuth)
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>grep -r NetworkIDValidated CATpublic evolve exsto moderator ulib ulx ulx4
D:\Steam\SteamApps\common\GarrysMod\garrysmod\addons_disabled>
[/code]
Exsto and ULX use PlayerAuthed. CAT, evolve and moderator don't use any of the authentication hooks. I'm sorry if I left your admin mod out.[/QUOTE] [url]http://i.imgur.com/UeO5r3G.png[/url] When someone spoofs his steamid PlayerAuthed is still called, while NetworkIDValidated isn't. NetworkIDValidated is called pretty much as soon as IsFullyAuthenticated starts returning true.
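Added example, not written by any poster in this thread and not taken from the admin mods named above: server-side GLua that acts on the hook difference described in the post above by granting nothing on PlayerAuthed and deferring ban checks and group assignment to NetworkIDValidated. The `ExampleAuth` table, `ADMINS`, `BANNED`, `GRACE_SECONDS` and the SteamIDs are hypothetical, constructed for illustration.

```lua
-- Added example, server-side GLua. ADMINS, BANNED, GRACE_SECONDS and the
-- ExampleAuth table are hypothetical; the SteamIDs are constructed.
ExampleAuth = ExampleAuth or {}
local ADMINS = { ["STEAM_0:0:11111111"] = "superadmin" }
local BANNED = { ["STEAM_0:1:22222222"] = true }
local GRACE_SECONDS = 60 -- assumed allowance for slow Steam validation
local validated = {}     -- SteamIDs confirmed by Steam this session

-- PlayerAuthed still fires for a spoofed SteamID, so nothing is granted here.
-- It only schedules a check that validation eventually happened.
hook.Add("PlayerAuthed", "ExampleAuth_Pending", function(ply, steamID)
    if ply:IsBot() then return end
    timer.Simple(GRACE_SECONDS, function()
        if IsValid(ply) and not ply:IsFullyAuthenticated() then
            ply:Kick("Steam did not validate this SteamID")
        end
    end)
end)

-- NetworkIDValidated fires only after Steam confirms the ID, so ban checks
-- and group assignment are keyed to it.
hook.Add("NetworkIDValidated", "ExampleAuth_Grant", function(name, steamID)
    local ply = player.GetBySteamID(steamID)
    if not ply then return end -- GetBySteamID returns false when not found
    if BANNED[steamID] then
        ply:Kick("You are banned from this server")
        return
    end
    validated[steamID] = true
    if ADMINS[steamID] then ply:SetUserGroup(ADMINS[steamID]) end
end)

hook.Add("PlayerDisconnected", "ExampleAuth_Forget", function(ply)
    validated[ply:SteamID()] = nil
end)

-- Call this at the top of every privileged command handler instead of
-- comparing ply:SteamID() against a list directly.
function ExampleAuth.CanRunAdminCommand(ply)
    if not IsValid(ply) or not ply:IsFullyAuthenticated() then return false end
    local steamID = ply:SteamID()
    return validated[steamID] == true and ADMINS[steamID] ~= nil
end
```

The grace-period kick is a policy choice: if Steam's validation is slow or unavailable, legitimate players will also fail the check, so the timeout and the kick itself should be tuned per server.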
[QUOTE=AeroGames;49310514]Someone [sp]meep[/sp] has been abusing this on my server and exploiting net to in turn cause a crash with what I'd assume was a bot with the persistence.[/QUOTE] so ddosing is the way to combat it? [QUOTE=MeepDarknessM;49309620][img]http://i.imgur.com/lc4BnK2.png[/img]  This guy owns AeroRP and has a shit ton of fake servers. [img]http://i.imgur.com/t0yR1B5.png[/img] Here's the one that's still up atm. I say this is pretty terrible.[/QUOTE] [editline]a[/editline] and i actually didn't use this at all :x
[QUOTE=MeepDarknessM;49310563]so ddosing is the way to combat it?[/QUOTE] I guess reading would help; "he" is the key word there.
[QUOTE=AeroGames;49310590]I guess reading would help; "he" is the key word there.[/QUOTE] and then "he" ddosed me again and you unfriended me while "he" did that :o
[QUOTE=MeepDarknessM;49310633]and then "he" ddosed me again and you unfriended me while "he" did that :o[/QUOTE] lol - talk shit get smacked son
If you run servers with fake player counts because you have crap servers that you can't get players on then you are asking to be hacked. Don't come crying here about it.
[QUOTE=The Commander;49310689]If you run servers with fake player counts because you have crap servers that you can't get players on then you are asking to be hacked. Don't come crying here about it.[/QUOTE] Hacking is never the correct answer, and whatever he does with his own servers is honestly none of your business. The simple fact that you are attacking his property is not only disrespectful, but immensely immature. You can handle it in a completely different manner than the current one. You don't see me throwing stuff at people I don't like in real life, so why would you harass people online that you don't like? Same goes for the other side.
[QUOTE=The Commander;49310689]If you run servers with fake player counts because you have crap servers that you can't get players on then you are asking to be hacked. Don't come crying here about it.[/QUOTE] Do your homework kid. I've been getting player counts upward of 80 before I did this. I barely get more players. It just looks cooler. Edit: [url]https://www.reddit.com/r/gmod/comments/3volv9/this_is_an_unacceptable_way_to_promote_your/[/url] If you read that people have no complaints about the server itself. Only the method of exposure.
People that make servers with fake player counts hurt the gmod community as a whole. New players are likely going to join his server won't they if they see it at the very top because he is faking the count.
[QUOTE=The Commander;49310741]People that make servers with fake player counts hurt the gmod community as a whole. New players are likely going to join his server won't they if they see it at the very top because he is faking the count.[/QUOTE] That doesn't mean you go around hacking and doing damage to his servers. Attacking as in spreading news about what he does, and explaining why it is bad - yes. DDoSing and in general being malevolent in your activities towards his community and server - no. Find a way to fix the issue that doesn't result in you looking just as bad.
This could not be further from the correct place to discuss who is right and who is wrong. So my question is: is there currently a way, along with PlayerAuthed, to combat this for the time being?
[QUOTE=Z0mb1n3;49310780]This could not be further from the correct place to discuss who is right and who is wrong. So my question is: is there currently a way, along with PlayerAuthed, to combat this for the time being?[/QUOTE] [QUOTE=Robotboy655;49310400]Any admin mod should be checking if the player is actually authenticated properly by Steam: [url]https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L81-L105[/url][/QUOTE]
[QUOTE=Z0mb1n3;49310780]This could not be further from the correct place to discuss who is right and who is wrong. So my question is: is there currently a way, along with PlayerAuthed, to combat this for the time being?[/QUOTE] [QUOTE=Leystryku;49310550]When someone spoofs his steamid PlayerAuthed is still called, while NetworkIDValidated isn't. NetworkIDValidated is called pretty much as soon as IsFullyAuthenticated starts returning true.[/QUOTE]
Can players get past steamid bans with this? [editline]13th December 2015[/editline] [QUOTE=Robotboy655;49310400]Any admin mod should be checking if the player is actually authenticated properly by Steam: [url]https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L81-L105[/url][/QUOTE] If players can get past steamid bans with this then there's still a problem. I'm going to add a ban check on NetworkIDValidated and hopefully that will kick them.
[QUOTE=!cake;49310902]other quotes[/QUOTE] So basically use CheckPassword to log the person connecting, and run it against NetworkIDValidated; if the latter is not called, then they are spoofing?
_Kilburn seems to have addressed the issue. Same goes for the net length exploit. [IMG]http://i.imgur.com/sI71CQB.png[/IMG] Not sure if he pushed the updates to the dev build yet, but they should be there soon.
Meep now has my cookie [editline]13th December 2015[/editline] I need an adult