Thursday 13 September 2007

step 3: kerberos

Well, as you can find out using the packet sniffer, the first thing the xbox tries to do is create trust between itself and the xbox live server. It does this using kerberos: it connects to PASSPORT.NET (I believe the same service that does hotmail logins).
Now, since you redirected all traffic from the xbox, you are impersonating this server as well.

The first thing to do is install the kerberos server.
I just did apt-get install krb5-kdc krb5-admin-server; if you are using ubuntu, do the same, otherwise install it from your distro's repositories or from source, which you can get here: http://web.mit.edu/Kerberos/

ok, now to configure it:
here is the config file I am using; it is saved as /etc/krb5kdc/kdc.conf (the path may be different for you if you installed it from source). Note: the lines may have got broken when I posted them; it should be obvious from the indentation where.

[kdcdefaults]
    kdc_ports = 750,88

[libdefaults]
    default_realm = PASSPORT.NET
    default_etypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = true

[logging]
    kdc = FILE:/var/log/kdc.log

[realms]
    PASSPORT.NET = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        default_principal_flags = +preauth
        supported_enctypes = aes256-cts:normal aes128-cts:normal rc4-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal
    }


now start the server:
/etc/init.d/krb5-kdc start
/etc/init.d/krb5-admin-server start

Ok, first you must create the server principal for the xbox live server: run kadmin.local, it should give you a console, then run addprinc krbtgt/XBOX.COM@PASSPORT.NET
enter whatever you like for the password, it is unimportant.

now, to determine the name of the xbox connecting, run tail -f /var/log/kdc.log and make the xbox try to connect. You should see something telling you the client was not found in the database; it will give you the name of the server and of the client, the client being the one beginning SN. Ignore the @PASSPORT.NET bit at the end and copy the rest of the name to the clipboard.

now, run "addprinc " followed by the name you just copied (remember not to include @PASSPORT.NET but do include \@xbox.com).
I don't yet know what password should be used, set it to anything for now, I will post it when I find what it should be.

now, if you try and connect, the error in the kdc log should be
"Decrypt integrity check failed", which means bad password. Since we don't know what password the xbox has, we don't know how to reply (you can't just lie and say it was the right password); the password itself isn't sent.
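A small helper for reading the two kdc.log messages described above (an added example, not part of the original post): it pulls the client and server principals out of MIT krb5kdc AS_REQ lines, builds the kadmin-escaped name so you don't have to copy it by hand, and says what each error means for this setup. The sample log lines are constructed to match the MIT krb5kdc log format, not captured from a real xbox.

```python
import re

# Constructed sample lines in the MIT krb5kdc log format; not captured from a real console.
SAMPLE_KDC_LOG = """\
Sep 13 21:04:11 gateway krb5kdc[4242](info): AS_REQ (4 etypes {16 1 3 23}) 192.168.0.18: CLIENT_NOT_FOUND: SN00000000@xbox.com@PASSPORT.NET for krbtgt/XBOX.COM@PASSPORT.NET, Client not found in Kerberos database
Sep 13 21:09:52 gateway krb5kdc[4242](info): AS_REQ (4 etypes {16 1 3 23}) 192.168.0.18: PREAUTH_FAILED: SN00000000@xbox.com@PASSPORT.NET for krbtgt/XBOX.COM@PASSPORT.NET, Decrypt integrity check failed
"""

# One AS_REQ failure line looks like: "<ip>: <CODE>: <client> for <server>, <message>"
AS_REQ_RE = re.compile(
    r"AS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): (?P<code>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<message>.*)$"
)

def strip_realm(principal, realm="PASSPORT.NET"):
    """Remove only the trailing @REALM; any '@' inside the name itself stays."""
    suffix = "@" + realm
    return principal[: -len(suffix)] if principal.endswith(suffix) else principal

def kadmin_name(principal, realm="PASSPORT.NET"):
    """Escape the embedded '@' so kadmin reads SN...@xbox.com as one name component."""
    return strip_realm(principal, realm).replace("@", r"\@")

def explain(code, message):
    """Map the KDC's error code to what it means for this fake-server setup."""
    if code == "CLIENT_NOT_FOUND":
        return "client principal missing: add it with addprinc"
    if code == "PREAUTH_FAILED" and "Decrypt integrity check failed" in message:
        return "client key does not match the password set on the principal"
    return "unhandled KDC error: " + code

def parse_kdc_log(text):
    """Return one dict per AS_REQ failure line, with the kadmin name and a diagnosis."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m:
            continue  # not an AS_REQ failure line, skip it
        d = m.groupdict()
        d["kadmin_name"] = kadmin_name(d["client"])
        d["diagnosis"] = explain(d["code"], d["message"])
        events.append(d)
    return events

if __name__ == "__main__":
    for ev in parse_kdc_log(SAMPLE_KDC_LOG):
        print(ev["ip"], ev["code"], ev["kadmin_name"], "->", ev["diagnosis"])
```

Point parse_kdc_log at the contents of /var/log/kdc.log to use it on your own KDC.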


now apparently people have managed to extract a couple of keys from the xbox firmware, one of them may be what we need for this, I will go trawling the web to see if I can find it.

step 2

ok, by the way, you will probably want to mess about with a packet sniffer at some point, so install one now. I recommend wireshark (previously called ethereal). Just apt-get it if you are in ubuntu, or yum if in fedora, or just install from source.

Now, to redirect communication to your machine.

Since you already set up the xbox to use your machine as the gateway, the packets are now coming to it. Trouble is, they are either getting routed on to the real server or being ignored; to change this you need to use iptables, so install it if you don't have it.
use the following command:

iptables -t nat -A PREROUTING -s 192.168.0.18 -j REDIRECT

Replace 192.168.0.18 with the address of the xbox.

Well done, you now have a fake xbox live server, too bad it does nothing yet.

Step 1

ok, the first step is getting the xbox set up on the lan.

boot it without a disk in and go into the xbox live menu. Set it up with a static IP address, something sensible.
Set the default gateway to your linux box (oh yeah, I forgot, you need a linux box).
save.

You have now completed step 1.

first post.

ok, the aim of this project is to create a fake xbox live server. I don't ever expect to get it to the point where games can be played, and in fact I don't know what the point of this project is.
When I get the project as far as I can I will put all these little blog posts into a single document.