Question on detecting dc++ clients

Technical discussion about the NMDC and ADC (http://dcpp.net/ADC.html) protocols. The NMDC protocol is documented in the Wiki (http://dcpp.net/wiki/), so feel free to refer to it.

TheekAzzaBreek
Posts: 9
Joined: 2003-01-04 12:41

Question on detecting dc++ clients

Post by TheekAzzaBreek » 2003-01-04 13:04

Trying to make a script to kill stealth clients.

While trying to figure out the DC++ code, it looks as if there is extended info in either the $Lock or $Key messages that would contain just what I need. Two questions:

- what is the structure of those messages?
- is that extended info sent only on client-client handshaking, or on client-hub as well?

Afterthought: the only DC protocol description I've found so far is the one from suxx. Is there anything else at all?


Theek

ivulfusbar
Posts: 506
Joined: 2003-01-03 07:33

Post by ivulfusbar » 2003-01-04 13:25

you can also read on:

http://www.lwave.ca/DCHub/protocol.html or you can try


I recommend that you listen to the traffic sent and received by a DC++ client, to be able to see what it sends and does not send...
Everyone is supposed to download from the hubs, - I don't know why, but I never do anymore.

TheekAzzaBreek
Posts: 9
Joined: 2003-01-04 12:41

Post by TheekAzzaBreek » 2003-01-04 13:54

Thanks, mate, that helps.

Seems I'm running into a blind alley here. There is extended info, but just on the $Lock command:
CryptoManager() : lock("EXTENDEDPROTOCOLABCABCABCABCABCABC"), pk("DCPLUSPLUS" VERSIONSTRING "ABCABC") { };

And clients never send $locks to the hub, they just respond with $key ...

Sedulus
Forum Moderator
Posts: 687
Joined: 2003-01-04 09:32
Contact:

Post by Sedulus » 2003-01-04 15:19

maybe you should consider letting a client side bot handle this

maybe my undocumented Linux Perl bots can be of use:
http://wza.digitalbrains.com/users/walt ... t/03/perl/
5.pl is a working client bot;
it shows the hub traffic, and connects to active users to tell them it is a bot and has no filelist
http://dc.selwerd.nl/hublist.xml.bz2
http://www.b.ali.btinternet.co.uk/DCPlusPlus/index.html (TheParanoidOne's DC++ Guide)
http://www.dslreports.com/faq/dc (BSOD2600's Direct Connect FAQ)

Sedulus
Forum Moderator
Posts: 687
Joined: 2003-01-04 09:32
Contact:

Post by Sedulus » 2003-01-05 15:49

Gadget has made a hub script that seems to work
(haven't tested it myself)

http://gadget.no-ip.info/
search for "Tag Hider"

TheekAzzaBreek
Posts: 9
Joined: 2003-01-04 12:41

Post by TheekAzzaBreek » 2003-01-07 15:11

I've seen Gadget's script but I don't think it is correct. Besides not catching all, which no script will ever achieve, I fear it kicks some NMDC clients as well. I concluded that after inspecting the script, and some recent reports from users indicate the same. Thanks for the link, now I can discuss it with him.

Oh, and a client-side script seems too resource unfriendly at the moment, but thanks for the suggestion.

Sedulus
Forum Moderator
Posts: 687
Joined: 2003-01-04 09:32
Contact:

Post by Sedulus » 2003-01-07 18:03

TheekAzzaBreek wrote: Oh, and a client-side script seems too resource unfriendly at the moment, but thanks for the suggestion.
I think a $ConnectToMe every 30 seconds that has to be forwarded is a _lot_ resource friendlier...
Of course the client shouldn't run on the same box, but that seems logical.

aDe
Forum Moderator
Posts: 138
Joined: 2003-01-07 09:14
Location: SE
Contact:

How to do this with a script.

Post by aDe » 2003-01-08 15:02

1. The script must create a new winsock control to listen to client connections.
2. When $MyINFO has been received from the client, check if it contains a tag.
3. If not, send a "$ConnectToMe <clientname> <hubip>:<the port that the winsock is listening on>" to the client.
4. The client should request a connection on your winsock; accept it.
5. The client will then send $MyNick <nickname>|$Lock <lockcode> Pk=<pk code>|
6. If this Lock looks like "EXTENDEDPROTOCOLABCABC.." then you have a tag-hider using official DC++ (probably). Disconnect the client connection, kick from the hub connection, case dismissed.
7. If the lock contains a lot of unreadable garbage, store this in a variable (remember the client's nick, too!) and disconnect the CLIENT CONNECTION.
8. Repeat steps 3-5.
9. Now, $Lock could either contain a new set of random chars, or it could contain _THE SAME SET_ of chars. If it contains the same, repeat step 6; otherwise, drop the client connection and let the client stay.

Remember.. if another client logs in while this process is running, the winsock is not listening anymore, and that client won't be checked. Therefore it is wise to create an array of winsocks to accept connections. However, that is not necessary if this function will run upon request, going through each client. I have a similar setup. Works good.

ender
Posts: 224
Joined: 2003-01-03 17:47

Re: How to do this with a script.

Post by ender » 2003-01-08 15:14

aDe wrote: Remember.. if another client logs in while this process is running, the winsock is not listening anymore, and that client won't be checked. Therefore it is wise to create an array of winsocks to accept connections. However, that is not necessary if this function will run upon request, going through each client. I have a similar setup. Works good.
Depends on which programming environment you're using - if it's Delphi with Indy you just need one TIdTCPServer, and let it handle multiple connections...

TasMan
Posts: 196
Joined: 2003-01-03 08:31
Location: Canada
Contact:

Re: How to do this with a script.

Post by TasMan » 2003-01-08 16:08

aDe wrote: 6. If this Lock looks like "EXTENDEDPROTOCOLABCABC.." then you have a tag-hider using official dc++ (probably). Disconnect client connection, Kick from Hub connection, case dismissed.
QuickDC (quickdc.sf.net) actually has that in the lock too (it might have changed since I last looked in the source though). I wrote a client side bot which detects what client you are using and I noticed that they were the same....though how popular it is I have no idea, so you probably are right.

Also the default lock for DC++ K and JDC are similar.

aDe
Forum Moderator
Posts: 138
Joined: 2003-01-07 09:14
Location: SE
Contact:

Post by aDe » 2003-01-08 16:30

DC++ also has "DCPLUSPLUS" in the Pk= (and the version, I think). Maybe the other clients have it too, but the point is, the client is not using NeoModus DC.

ender: I was talking about VBScript. You can make the VBScript create a new winsock every time too, I suppose. I haven't done this with an actual script but it should work. I know a multihub chat script creates new winsocks. Just can't remember which one.

TasMan
Posts: 196
Joined: 2003-01-03 08:31
Location: Canada
Contact:

Post by TasMan » 2003-01-08 20:14

Yeah but some people remove that DCPLUSPLUS part....it really annoys me :?

This is what the lock looks like exactly in DC++ (Unmodified)


$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS*ABCABC|

* = version
If you'd like a "complete" (of the clients that I know of) list of lock/pk, TheekAzzaBreek, PM me.

TheekAzzaBreek
Posts: 9
Joined: 2003-01-04 12:41

Thanks aDe

Post by TheekAzzaBreek » 2003-01-09 02:24

That is just what i needed.

BTW: it'll be done in Lua, for some new hub soft I won't mention here. Might port it to VB later if it hasn't been done before.

Thanks again

Sedulus
Forum Moderator
Posts: 687
Joined: 2003-01-04 09:32
Contact:

Post by Sedulus » 2003-01-09 03:44

TasMan wrote: Yeah but some people remove that DCPLUSPLUS part....it really annoys me
well, if their clients are extended proto compatible but are not dc++, I think the real name should be in there
TasMan wrote: If you'd like a "complete" (of the clients that I know of) list of lock/pk, TheekAzzaBreek, PM me.
great, why not post it here?

TasMan
Posts: 196
Joined: 2003-01-03 08:31
Location: Canada
Contact:

Post by TasMan » 2003-01-12 22:09

hence the reason why I didn't want to respond :P

Sid
Posts: 56
Joined: 2003-01-07 18:13
Contact:

DC Faker Client

Post by Sid » 2003-01-25 23:20

I have a very stealthy client in my hub throwing the following locks


$Lock ;&m@[vr=Wa'v_PWX&qVRjx0ZO?:8'iDO*7(p)u8yT=s*5z7* Pk=6KX%k1.o:-iMg<b=|
$Lock ?N6jA^,%IRB%IqQuIbi0)NgVnTe(R/SGFnZVtGpIjb7gpIWE5G7-KU1E Pk=VCOEcr.wzBDc;(sD|
$Lock lC]/g*+ClvXT56*vAgT0-gt*@8Nv<n>Z4ZlctEo&0i[oI]35p6%Npt(/(K]yVg1 Pk=xr-T7T=h?.AcSRtV|
$Lock q]CxW?/^;4+HPB8?'H=SAfc'b;L?]Al^C3jSV<I0c:NC5ePrkxa1DcRup+ao25jKz0hC Pk=Iv=8SDw[9hJ?3A0P|
$Lock kh'BuQl13+Z&@iY4Jwt+LwrQ>9z^dI2;u0A'&+9FvCBNd+4;g0l(LAc/1Zk:'nX]itW@/6975w=Ij[vU5CJG+a Pk=xu>m%(T[?Kb:>2lJ|
$Lock H'xH8Qpjq;kguXRZ^e;3%'j[XRcn:qscUGAvj>&r)GvYqejZEx=x=]8G=dy^hWZ@<y,5,M*<*/VU&*Y0R.'Nvd*>p2cMnw@vpn/G6&CX>F>s5L)x;b+ Pk=oi^h6m[hcvZ:@N9r|
Not sure how to distinguish between this client and an NMDC client because the locks are seemingly random. Maybe there is a UDP way to test the clients, but I don't know what the client UDP protocol is.
Sid

http://www.1stleg.com
dcHub://Greed.1stleg.com

Dj_Offset
Posts: 48
Joined: 2003-02-22 19:22
Location: Oslo, Norway
Contact:

Re: How to do this with a script.

Post by Dj_Offset » 2003-02-22 21:59

TasMan wrote: QuickDC (quickdc.sf.net) actually has that in the lock too (it might have changed since I last looked in the source though). I wrote a client side bot which detects what client you are using and I noticed that they were the same....though how popular it is I have no idea, so you probably are right.
The QuickDC policy is;

$Lock EXTENDEDPROTOCOL?[timestamp] Pk=QuickDC_[Version]_[Platform]

[timestamp] = yyyyd(d)m(m)h(h)m(m)s(s)ms(ms)(ms) -- just to keep some kind of a challenge response system.
Version is: "0.0.5ALPHA" or "0.0.6ALPHA" at the moment
Platform can be; "Linux", "FreeBSD" or whatever reported by "uname" when compiled.
I wrote QuickDC - A DC++ compatible client for Linux and FreeBSD.
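The decision logic behind aDe's steps 2, 6, 7 and 9 above, applied to the exact $Lock layouts TasMan (DC++) and Dj_Offset (QuickDC) posted, as an added worked example in Python; it is not code from this thread, from DC++, QuickDC or any hub script. It assumes standard NMDC framing (each command ends in `|`) and the usual `$MyINFO $ALL <nick> <description>$ $<speed>$<mail>$<share>$|` layout; the socket handling of steps 1, 3 and 4 is left out, so the functions take the text a hub-side bot has already received. The DC++ version "0.22", the QuickDC timestamp and the $MyINFO lines are constructed sample values; the two random locks are the first two Sid posted.

```python
"""Classify NMDC client-client $Lock handshakes the way aDe's procedure does.

Added example, not code from this thread or from any DC hub software.
Assumes NMDC framing ('$Cmd args|') and the standard $MyINFO layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "$Lock <lock> Pk=<pk>": neither field may contain a space or '|'
LOCK_RE = re.compile(r"^\$Lock (?P<lock>[^ |]+) Pk=(?P<pk>[^ |]*)$")
MYINFO_RE = re.compile(r"^\$MyINFO \$ALL \S+ (?P<desc>[^$]*)\$")
EXTENDED_PREFIX = "EXTENDEDPROTOCOL"


@dataclass
class LockInfo:
    lock: str
    pk: str
    extended: bool          # lock starts with EXTENDEDPROTOCOL (step 6)
    vendor: Optional[str]   # what the Pk field claims, if recognised
    version: Optional[str]


def split_commands(buffer: str) -> List[str]:
    """Split raw NMDC traffic into commands; '|' terminates each one."""
    return [cmd for cmd in buffer.split("|") if cmd]


def myinfo_has_tag(buffer: str) -> bool:
    """Step 2: a tagged client appends '<...>' to its $MyINFO description."""
    for cmd in split_commands(buffer):
        m = MYINFO_RE.match(cmd)
        if m:
            desc = m.group("desc")
            return "<" in desc and desc.endswith(">")
    return False


def parse_lock(command: str) -> Optional[LockInfo]:
    """Parse one $Lock command (without the trailing '|')."""
    m = LOCK_RE.match(command)
    if not m:
        return None
    lock, pk = m.group("lock"), m.group("pk")
    vendor = version = None
    if pk.startswith("DCPLUSPLUS"):          # TasMan: DCPLUSPLUS<version>ABCABC
        vendor = "DC++"
        core = pk[len("DCPLUSPLUS"):]
        version = core[:-len("ABCABC")] if core.endswith("ABCABC") else core
    elif pk.startswith("QuickDC_"):          # Dj_Offset: QuickDC_<version>_<platform>
        vendor = "QuickDC"
        parts = pk.split("_")
        version = parts[1] if len(parts) > 1 else None
    return LockInfo(lock, pk, lock.startswith(EXTENDED_PREFIX), vendor, version)


def find_lock(buffer: str) -> Optional[LockInfo]:
    """Locate the $Lock in a handshake buffer ('$MyNick ...|$Lock ...|')."""
    for cmd in split_commands(buffer):
        if cmd.startswith("$Lock "):
            return parse_lock(cmd)
    return None


def classify(first: str, second: Optional[str] = None) -> str:
    """Steps 6, 7 and 9 over one or two handshakes from the same client.

    'extended'           -> step 6: extended-protocol client, not NeoModus DC
    'need-second-sample' -> step 7: garbage lock, reconnect once more
    'static-lock'        -> step 9: same garbage twice, treat as step 6
    'random-lock'        -> step 9: lock changed, consistent with NMDC
    """
    a = find_lock(first)
    if a is None:
        return "malformed"
    if a.extended:
        return "extended"
    if second is None:
        return "need-second-sample"
    b = find_lock(second)
    if b is None:
        return "malformed"
    return "static-lock" if b.lock == a.lock else "random-lock"


# Constructed sample handshakes (nicks, version 0.22 and timestamp are made up).
DCPP_HANDSHAKE = "$MyNick Theek|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.22ABCABC|"
STRIPPED_DCPP = "$MyNick Theek|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=ABCABC|"
QUICKDC_HANDSHAKE = "$MyNick Offset|$Lock EXTENDEDPROTOCOL?20030222215900 Pk=QuickDC_0.0.5ALPHA_Linux|"
NMDC_HANDSHAKE_1 = "$MyNick Sid|$Lock ;&m@[vr=Wa'v_PWX&qVRjx0ZO?:8'iDO*7(p)u8yT=s*5z7* Pk=6KX%k1.o:-iMg<b=|"
NMDC_HANDSHAKE_2 = "$MyNick Sid|$Lock ?N6jA^,%IRB%IqQuIbi0)NgVnTe(R/SGFnZVtGpIjb7gpIWE5G7-KU1E Pk=VCOEcr.wzBDc;(sD|"
MYINFO_TAGGED = "$MyINFO $ALL Theek sharing<++ V:0.22,M:A,H:1/0/0,S:3>$ $DSL\x01$$12345$|"
MYINFO_UNTAGGED = "$MyINFO $ALL Theek sharing$ $DSL\x01$$12345$|"

if __name__ == "__main__":
    print("tagged:", myinfo_has_tag(MYINFO_TAGGED), myinfo_has_tag(MYINFO_UNTAGGED))
    print("DC++:", classify(DCPP_HANDSHAKE), find_lock(DCPP_HANDSHAKE))
    print("QuickDC:", classify(QUICKDC_HANDSHAKE), find_lock(QUICKDC_HANDSHAKE))
    print("random x2:", classify(NMDC_HANDSHAKE_1, NMDC_HANDSHAKE_2))
    print("static x2:", classify(NMDC_HANDSHAKE_1, NMDC_HANDSHAKE_1))
```

Two points the classification makes visible. Step 6 keys on the lock, not on Pk, so a DC++ build with "DCPLUSPLUS" stripped from Pk (TasMan's complaint) is still reported as `extended`; and QuickDC carries the same EXTENDEDPROTOCOL prefix, so `extended` alone never proves DC++, which is why `vendor` is parsed separately from the Pk field. The step 7/9 comparison is only a heuristic from this thread, so a hub script should log the two locks it compared alongside any kick it issues.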

cologic
Programmer
Posts: 337
Joined: 2003-01-06 13:32
Contact:

Post by cologic » 2003-02-23 20:25

There doesn't seem to be much of one.

I've found two things sent over UDP so far, $Ping and $SR. You can distinguish between NMDC and DC++ because standard DC++, and most hacks of it, don't respond to $Ping, whereas NMDC does. ($SR returns a search result.)

cologic
Programmer
Posts: 337
Joined: 2003-01-06 13:32
Contact:

Post by cologic » 2003-02-23 20:55

I have a very stealthy client in my hub throwing the following locks ...
Not sure how to distinguish between this client and an NMDC client
Er, I just noticed the internal oddity in that. You don't know how to detect it, but you extract its lock and pk? How are you detecting it now? It seems to be working...
