Xbox Network Traffic


8 replies to this topic

#1 H04X

    X-S Enthusiast

  • Members
  • 7 posts

Posted 05 January 2008 - 12:18 PM

My job lies in network security and packet analysis, catching hackers/stopping them etc. Most of this is through monitoring and analysing network traffic and packets.

Maybe it would be a good idea to run ethereal/wireshark off a hub or a spanning port on a switch or router when connecting to Live and seeing what the hell is actually sent to M$. I doubt it's an SSH/SSL connection and Live is just a network that uses TCP/IP, so the traffic should be able to be analysed. If anyone wants to have a bash and send me the packets - IM me for my email address and I'll / we can try to work it out.

I imagine it will be a simple 3 way handshake followed by sending a "hash" of the console. If this doesn't match - ban the console (probably done via the MAC address - which can be spoofed btw)

I think the answer to bannings on Live lies in finding out what's sent to M$ on both a normal and a modified xbox. Then we can work on the packets, potentially crafting/spoofing legitimate ones, and then connect to Live.


I've checked the Assigned ports from IANA and both TCP and UDP ports 3074 are assigned to XBOX...

I don't agree with hacking - but if it didn't happen I wouldn't have a job! However, I've hacked my iPod touch using the TIFF image buffer overflow and now I can install 3rd party applications. This is done by a simple buffer overflow and creating a PuTTY session into the iPod using wireless from a PC. Now onto my point....

Imagine if you could do the same to an XBOX. e.g. connect it to your PC, throw some network traffic at it, crash the stack and gain full read/write to the machine... how kool would that be?!

I've just checked on the search engine beginning with a G and found NO results for "wireshark/ethereal xbox traffic" - it looks like this kind of stuff hasn't been done yet!

Obviously Live doesn't let you browse the internet or view images but (and I'm sorry if I'm getting "geeky") somewhere there must be an unchecked boundary where you can cause an overflow. This could allow you to modify the dashboard - install your own apps - connect to Live using spoofed credentials and play away etc etc etc

Some of you might understand all that / some might not. I think there could be some massive scope though.

Remember, I'm not on about hacking each other's Xboxes whilst on Live; I'm talking about a similar method to the iPod touch Jailbreak hack and getting the most out of your console.

Thoughts...

H04X

#2 No_Name

    X-S Freak

  • Members
  • 1,154 posts

Posted 05 January 2008 - 01:00 PM

You really should have searched harder.

The packets are encrypted with a per-session kerbos (sp) key.

#3 H04X

    X-S Enthusiast

  • Members
  • 7 posts

Posted 05 January 2008 - 04:55 PM

Thanks for the reply. Looking on wiki has given me a little further info.

How much is Kerberos actually used though? I doubt the whole session is on port 88. I can understand using it, however I'm still interested in the idea, especially as Kerberos requires network time to be reasonably accurate.

I'd still like to see some traffic if anyone has any/will capture me some. I've also found a post about the original xbox but not the 360.

thoughts...

H04X


#4 angrypond

    X-S Young Member

  • Members
  • 32 posts

Posted 07 January 2008 - 01:45 AM

I would be glad to help, I'm very interested in all this xbox hacking and anything for me to learn more would be great.

#5 torne

    X-S Expert

  • Members
  • 684 posts
  • Location: London, UK
  • Interests: Reverse engineering, Linux, crazy operating systems voodoo, embedded development
  • Xbox Version: v1.1
  • 360 version: v1 (xenon)

Posted 07 January 2008 - 01:49 PM

QUOTE(H04X @ Jan 5 2008, 04:31 PM)

How much is Kerberos actually used though? I doubt the whole session is on port 88. I can understand using it, however I'm still interested in the idea, especially as Kerberos requires network time to be reasonably accurate.

A random session key is set up via the kerberos exchanges, and all further communication is encrypted using that key. There is no plaintext data to look at whatsoever.

#6 javaoverride2003

    X-S Enthusiast

  • Members
  • 25 posts
  • Xbox Version:unk
  • 360 version:unknown

Posted 08 January 2008 - 04:15 AM

you have got no hope mate, give up now

One-Time Pads.

The cipher itself is exceedingly simple. To encrypt plaintext, P, with a key, K, producing ciphertext, C, simply compute the bitwise exclusive-or of the key and the plaintext:

C = K^P

To decrypt ciphertext, C, the recipient computes

P = K^C

It's that simple, and it's perfectly secure, as long as the key is random and is not compromised.

One time key pads can use anything as a reference or key for the cipher; due to the nature of only two people knowing what the key is, it's impossible to break. A rotating key used only once can not be cracked; you need to know the variables used in the cipher.
One of the typical one time keys used during the cold war was a deck of cards shuffled to a specific order and used only once. It couldn't be cracked till very recently and still requires weeks and a message longer than 52 characters; for better and quicker results, the longer the message the easier it is to compromise.
As I said it is useless for transmission streams, but when used for its original purpose it is still unbreakable, especially when poly character ciphers were used to keep the message short.
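As an added illustration (my code, not from the post), the XOR pad described above in Python, together with the failure the post alludes to when it calls the scheme useless for streams: reusing a pad cancels the key out and hands an observer the XOR of the two messages.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: the post's C = K ^ P."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data it covers")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(length: int) -> bytes:
    """Fresh random key material; a pad is spent by the one message it covers."""
    return os.urandom(length)

def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)

def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: K ^ (K ^ P) == P
    return xor_bytes(key, ciphertext)

def pad_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """What a passive observer gets when one pad covers two messages:
    C1 ^ C2 == (K ^ P1) ^ (K ^ P2) == P1 ^ P2. The key cancels out, leaving
    the XOR of the plaintexts; this is why the post calls the pad useless for
    an ongoing transmission stream, where fresh key bytes run out."""
    return xor_bytes(otp_encrypt(key, p1), otp_encrypt(key, p2))

def leak_reveals_other(leak: bytes, known_plaintext: bytes) -> bytes:
    """Once either message is known or guessed, the other falls out of the leak."""
    return xor_bytes(leak, known_plaintext)

if __name__ == "__main__":
    # constructed sample messages, equal length so one pad could cover both
    p1, p2 = b"attack at dawn", b"hold the line!"
    key = new_pad(len(p1))
    assert otp_decrypt(key, otp_encrypt(key, p1)) == p1
    print(leak_reveals_other(pad_reuse_leak(key, p1, p2), p1))  # prints b'hold the line!'
```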


#7 foogrrr

    X-S Enthusiast

  • Members
  • 20 posts

Posted 14 April 2008 - 11:19 PM

Hi Ho4X,

I can see that someone other than myself is interested in XBL secure data communications. I've actually been looking into this for a while now (on and off admittedly). And anyone that tells you that breaking the XBL kerberos session or authentication mechanism is full of themselves or just flaming =)

Given, it is a daunting and almost impossible task, but it can be done. And with the great work of hackers and NAND dumps the inevitability becomes even closer.

I direct your attention to one webpage: http://www.tools.iet...ec-ike-crack-00

Very good information regarding kerberos authentication, weak spots and theory.


Below is a verse I copied to show how the 360 actually does the Kerberos key generation; this can all be verified by searching for the patent for the XBL authentication scheme. (can't remember address off top of head)

Every console has a predefined key that is used with a seed (provided from the kerberos server) to generate a private key. (every console could have the same key, but highly doubted) and (the seed changes every time for every private key generation request)

This generation is performed on the end-of-life ticket established and authenticated by the TGS (Ticket-granting server) which from my understanding is either random or predetermined.

The private key is sent every time the xbox authenticates to XBL though. Which is what most people see in their packet / wireshark logs (port 88).


QUOTE
6.0 GENERATION OF ONE-TIME PASSWORDS

This section describes the generation of the one-time passwords.
This process consists of an initial step in which all inputs are
combined, a computation step where the secure hash function is
applied a specified number of times, and an output function where the
64 bit one-time password is converted to a human readable form.

Initial Step

In principle, the user's secret pass-phrase may be of any length.
To reduce the risk from techniques such as exhaustive search or
dictionary attacks, character string pass-phrases MUST contain at
least 10 characters (see Form of Inputs below). All
implementations MUST support a pass-phrases of at least 63
characters. The secret pass-phrase is frequently, but is not
required to be, textual information provided by a user.

In this step, the pass phrase is concatenated with a seed that is
transmitted from the server in clear text. This non-secret seed
allows clients to use the same secret pass-phrase on multiple
machines (using different seeds) and to safely recycle their
secret pass-phrases by changing the seed.

Should you require any more information or have any more questions feel free to ask.


cheers, foo
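The quoted section 6.0 is the one-time-password generation text from the RFC 1938/2289 family. As an added example that is neither the post's nor any Xbox or RFC reference code, here is a minimal Python version of the initial and computation steps plus a hypothetical verifier side, which is where the clear-text seed and the repeated hashing pay off. The MD5 folding rule follows RFC 2289, but the output byte order is an assumption and the code is not checked against the RFC's test vectors.

```python
import hashlib
import secrets

def fold_md5(data: bytes) -> bytes:
    """Secure hash step: MD5 the input and fold the 16-byte digest to 64 bits
    by XORing its two halves (the folding rule of the RFC 2289 MD5 variant;
    the hex byte order of real implementations is not reproduced here)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def initial_step(seed: str, passphrase: str) -> bytes:
    """Initial step from the quoted text: the non-secret seed (case-insensitive,
    so lowercased) is concatenated with the secret pass-phrase and hashed."""
    if len(passphrase) < 10:
        raise ValueError("pass-phrases MUST contain at least 10 characters")
    return fold_md5((seed.lower() + passphrase).encode())

def one_time_password(seed: str, passphrase: str, count: int) -> bytes:
    """Computation step: apply the hash `count` more times. Password N equals
    hash(password N-1), but password N-1 cannot be derived from password N."""
    value = initial_step(seed, passphrase)
    for _ in range(count):
        value = fold_md5(value)
    return value

class OTPVerifier:
    """Hypothetical server side (assumed, not from the RFC). It stores only the
    seed, the sequence number and the last accepted password; the pass-phrase
    never leaves the client. A valid response is the password one step below
    the stored one, so a captured password is worthless once accepted."""

    def __init__(self, seed: str, sequence: int, registered: bytes):
        # `registered` is password number `sequence`, computed by the client
        # at enrolment; the verifier never sees the pass-phrase itself.
        self.seed = seed
        self.sequence = sequence
        self.last = registered

    def challenge(self):
        """Sent in clear text: the count the client must use and the seed."""
        return self.sequence - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.sequence <= 0:
            return False  # chain exhausted: re-enrol with a fresh seed
        if not secrets.compare_digest(fold_md5(candidate), self.last):
            return False
        self.last = candidate  # step down the chain; the old value is now dead
        self.sequence -= 1
        return True
```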

#8 scuba156

    X-S Messiah

  • Moderator
  • 3,036 posts
  • Location:Australia
  • Xbox Version:v1.4
  • 360 version:v4.0 (jasper)

Posted 16 April 2008 - 06:29 PM

Without knowing the private MS key, it's virtually impossible, and if it did get cracked, it wouldn't be worth anything anyway. It would change per console, and what could you do after you cracked it? The 360 simply cannot get hacked with a simple buffer overflow due to the hypervisor.

The security on anything xbox 360 related is a lot tighter than an iPod touch.

#9 foogrrr

    X-S Enthusiast

  • Members
  • 20 posts

Posted 21 April 2008 - 08:37 PM

hey scuba, I think you missed the point of my post.

QUOTE
Without knowing the private MS key, it's virtually impossible, and if it did get cracked, it wouldn't be worth anything anyway.


With the keyvault now being completely dissected I wouldn't be surprised if soon (or already have) they find the key that is used to sign the seeds for the kerberos authentication and XBL services.

And true, without having access to the service no one can really say what it could be used for, because the case still resides that each xbox more than likely has a unique key to sign the seed with to generate the private key. But I'm sure it's worth more than nothing as people find uses for the smallest things.

True, the key is not stored in the hypervisor, although that is prolly where the key signing takes place.

cheers, foo





