Question on detecting dc++ clients
- Posts: 9
- Joined: 2003-01-04 12:41
Question on detecting dc++ clients
Trying to make a script to kill stealth clients.
While trying to figure out the DC++ code, it looks as if there is extended info in either the $LOCK or $KEY messages that would contain just what i need. Two questions:
- what is the structure of those messages?
- is that extended info sent only on client-client handshaking, or on client-hub as well?
Afterthought: the only DC protocol description I've found so far is the one from suxx. Is there anything else at all?
Theek
- Posts: 506
- Joined: 2003-01-03 07:33
you can also read on:
http://www.lwave.ca/DCHub/protocol.html
or you can try this: I recommend that you listen to the traffic sent and received by a DC++ client, to see what it sends and does not send...
Everyone is supposed to download from the hubs, - I don´t know why, but I never do anymore.
- Posts: 9
- Joined: 2003-01-04 12:41
Thanks, mate, that helps.
Seems i'm running into a blind alley here. There is extended info but just on the $lock command:
CryptoManager() : lock("EXTENDEDPROTOCOLABCABCABCABCABCABC"), pk("DCPLUSPLUS" VERSIONSTRING "ABCABC") { };
And clients never send $locks to the hub, they just respond with $key ...
maybe you should consider letting a client side bot handle this
maybe my undocumented Linux Perl bots can be of use:
http://wza.digitalbrains.com/users/walt ... t/03/perl/
5.pl is a working client bot,
it shows the hub traffic, and connects to active users to tell them it is a bot and has no filelist
http://dc.selwerd.nl/hublist.xml.bz2
http://www.b.ali.btinternet.co.uk/DCPlusPlus/index.html (TheParanoidOne's DC++ Guide)
http://www.dslreports.com/faq/dc (BSOD2600's Direct Connect FAQ)
Gadget has made a hub script that seems to work
(haven't tested it myself)
http://gadget.no-ip.info/
search for "Tag Hider"
- Posts: 9
- Joined: 2003-01-04 12:41
I've seen Gadget's script but I don't think it is correct. Besides not catching all, which no script will ever achieve, I fear it kicks some NMDC clients as well. I concluded that after inspecting the script, and some recent reports from users indicate the same. Thanks for the link, now I can discuss it with him.
Oh, and a client-side script seems too resource unfriendly at the moment, but thanks for the suggestion.
TheekAzzaBreek wrote:
Oh, and a client-side script seems too resource unfriendly at the moment, but thanks for the suggestion.

I think a $ConnectToMe every 30 seconds that has to be forwarded is a _lot_ resource friendlier...
of course the client shouldn't run on the same box, but that seems logical
How to do this with a script.
1. The script must create a new winsock control to listen for client connections.
2. When MyINFO has been received from the client, check if it contains a tag.
3. If not, send a "ConnectToMe <clientname> <hubip>:<the port that the winsock is listening on>" to the client.
4. The client should request a connection on your winsock; accept it.
5. The client will then send $MyNick <nickname>|$Lock <lockcode> Pk=<pk code>|
6. If this Lock looks like "EXTENDEDPROTOCOLABCABC.." then you have a tag-hider using official DC++ (probably). Disconnect the client connection, kick from the hub connection, case dismissed.
7. If the lock contains a lot of unreadable garbage, store this in a variable (remember the client's nick, too!) and disconnect the CLIENT CONNECTION.
8. Repeat steps 3-5.
9. Now, $Lock could either contain a new set of random chars, or it could contain _THE SAME SET_ of chars. If it contains the same, repeat step 6; otherwise, drop the client connection and let the client stay.
Remember.. if another client logs in when this process is running, the winsock is not listening anymore, and the client won't be checked. Therefore it is wise to create an array of winsocks to accept connections. However, that is not necessary if this function will run upon request, going through each client. I have a similar setup. Works well.
Re: How to do this with a script.
aDe wrote:
Remember.. if another client logs in when this process is running, the winsock is not listening anymore, and the client won't be checked. Therefore it is wise to create an array of winsocks to accept connections. However, that is not necessary if this function will run upon request, going through each client. I have a similar setup. Works well.

Depends on which programming environment you're using - if it's Delphi with Indy you just need one TIdTCPServer, and let it handle multiple connections...
Re: How to do this with a script.
aDe wrote:
6. If this Lock looks like "EXTENDEDPROTOCOLABCABC.." then you have a tag-hider using official DC++ (probably). Disconnect the client connection, kick from the hub connection, case dismissed.

QuickDC (quickdc.sf.net) actually has that in the lock too (it might have changed since I last looked in the source though). I wrote a client-side bot which detects what client you are using and I noticed that they were the same....though how popular it is I have no idea, so you probably are right.
Also the default locks for DC++ K and JDC are similar.
DC++ also has "DCPLUSPLUS" in the Pk= (and the version, I think); maybe the other clients have it too, but the point is, the client is not using NeoModus DC.
ender: I was talking about VBScript. You can make the VBScript create a new winsock every time too, I suppose. I haven't done this with an actual script but it should work. I know a multihub chat script creates new winsocks. Just can't remember which one.
Yeah but some people remove that DCPLUSPLUS part....it really annoys me
This is what the lock looks like exactly in DC++ (unmodified):
$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS*ABCABC|
* = version
If you'd like a "complete" (of the clients that I know of) list of lock/pk TheekAzzaBreek, pm me.
- Posts: 9
- Joined: 2003-01-04 12:41
Thanks aDe
That is just what i needed.
BTW: it'll be done in Lua, for some new hub soft i won't mention here. Might port it to VB later if it hasn't been done before.
Thanks again
TasMan wrote:
Yeah but some people remove that DCPLUSPLUS part....it really annoys me

well, if their clients are extended proto compatible but are not DC++, I think the real name should be in there

TasMan wrote:
If you'd like a "complete" (of the clients that I know of) list of lock/pk TheekAzzaBreek, pm me.

great, why not post it here?
DC Faker Client
I have a very stealthy client in my hub throwing the following locks.
Not sure how to distinguish between this client and a NMDC client because the locks are seemingly random; maybe there is a UDP way to test the clients but I don't know what the client UDP protocol is.
$Lock ;&m@[vr=Wa'v_PWX&qVRjx0ZO?:8'iDO*7(p)u8yT=s*5z7* Pk=6KX%k1.o:-iMg<b=|
$Lock ?N6jA^,%IRB%IqQuIbi0)NgVnTe(R/SGFnZVtGpIjb7gpIWE5G7-KU1E Pk=VCOEcr.wzBDc;(sD|
$Lock lC]/g*+ClvXT56*vAgT0-gt*@8Nv<n>Z4ZlctEo&0i[oI]35p6%Npt(/(K]yVg1 Pk=xr-T7T=h?.AcSRtV|
$Lock q]CxW?/^;4+HPB8?'H=SAfc'b;L?]Al^C3jSV<I0c:NC5ePrkxa1DcRup+ao25jKz0hC Pk=Iv=8SDw[9hJ?3A0P|
$Lock kh'BuQl13+Z&@iY4Jwt+LwrQ>9z^dI2;u0A'&+9FvCBNd+4;g0l(LAc/1Zk:'nX]itW@/6975w=Ij[vU5CJG+a Pk=xu>m%(T[?Kb:>2lJ|
$Lock H'xH8Qpjq;kguXRZ^e;3%'j[XRcn:qscUGAvj>&r)GvYqejZEx=x=]8G=dy^hWZ@<y,5,M*<*/VU&*Y0R.'Nvd*>p2cMnw@vpn/G6&CX>F>s5L)x;b+ Pk=oi^h6m[hcvZ:@N9r|
Sid
[email protected]
http://www.1stleg.com
dcHub://Greed.1stleg.com
Re: How to do this with a script.
TasMan wrote:
QuickDC (quickdc.sf.net) actually has that in the lock too (it might have changed since I last looked in the source though). I wrote a client-side bot which detects what client you are using and I noticed that they were the same....though how popular it is I have no idea, so you probably are right.

The QuickDC policy is;
$Lock EXTENDEDPROTOCOL?[timestamp] Pk=QuickDC_[Version]_[Platform]
[timestamp] = yyyyd(d)m(m)h(h)m(m)s(s)ms(ms)(ms) -- just to keep some kind of a challenge response system.
Version is: "0.0.5ALPHA" or "0.0.6ALPHA" at the moment
Platform can be; "Linux", "FreeBSD" or whatever reported by "uname" when compiled.
I wrote QuickDC - A DC++ compatible client for Linux and FreeBSD.
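As an added example (not code from this thread, from DC++, or from QuickDC), here is aDe's step 5-9 classification written out in Python, with the unmodified DC++ lock/Pk posted by aDe, the QuickDC lock/Pk layout described in this post, and two of Sid's random locks as inputs. The choice of Python, the regex for the `$MyNick ...|$Lock ... Pk=...|` greeting, the nicks, the DC++ version "9.999" and the QuickDC timestamp value are assumptions; the thread does not say how the tag is found in $MyINFO, so that result is passed in as a boolean.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Client-to-client greeting as aDe describes it in step 5:
#   $MyNick <nickname>|$Lock <lockcode> Pk=<pk code>|
# (the regex layout is an assumption; the thread gives the fields, not a grammar)
HANDSHAKE_RE = re.compile(r"\$MyNick ([^|]+)\|\$Lock ([^| ]+) Pk=([^|]*)\|")

# Unmodified DC++ lock as posted by aDe; its Pk is DCPLUSPLUS<version>ABCABC
DCPP_LOCK = "EXTENDEDPROTOCOLABCABCABCABCABCABC"


@dataclass
class Handshake:
    nick: str
    lock: str
    pk: str


def parse_handshake(data: str) -> Optional[Handshake]:
    """Split the $MyNick/$Lock pair a connecting client sends; None if malformed."""
    m = HANDSHAKE_RE.match(data)
    return Handshake(m.group(1), m.group(2), m.group(3)) if m else None


def classify_lock(lock: str, pk: str) -> str:
    """Label a lock/pk pair using only the patterns quoted in this thread."""
    if lock == DCPP_LOCK and pk.startswith("DCPLUSPLUS"):
        return "dc++"            # aDe's unmodified DC++ lock
    if lock.startswith("EXTENDEDPROTOCOL?") and pk.startswith("QuickDC_"):
        return "quickdc"         # EXTENDEDPROTOCOL?<timestamp>, Pk=QuickDC_<version>_<platform>
    if lock.startswith("EXTENDEDPROTOCOL"):
        return "extended-other"  # TasMan: some people remove DCPLUSPLUS from the Pk
    return "unknown"             # "unreadable garbage" (step 7): could be an NMDC client


def dcpp_version(pk: str) -> Optional[str]:
    """Extract the version DC++ places between DCPLUSPLUS and ABCABC in its Pk."""
    m = re.fullmatch(r"DCPLUSPLUS(.*)ABCABC", pk)
    return m.group(1) if m else None


def decide(has_tag: bool, first: Handshake, second: Optional[Handshake] = None) -> str:
    """aDe's steps 2 and 6-9 as a decision: 'keep', 'kick' or 'probe-again'.

    has_tag: whether the client's $MyINFO carried a tag (the thread does not
    describe how that is parsed, so the caller supplies it).
    """
    if has_tag:
        return "keep"            # step 2: only tagless clients are probed
    if classify_lock(first.lock, first.pk) != "unknown":
        return "kick"            # step 6: extended-protocol client hiding its tag
    if second is None:
        return "probe-again"     # step 8: reconnect and read the lock a second time
    if second.lock == first.lock:
        return "kick"            # step 9: the same "random" lock twice, so not NMDC
    return "keep"                # step 9: a new random lock, let the client stay


# Constructed sample greetings. sid1/sid2 use two of the locks Sid posted;
# the nicks, the DC++ version "9.999" and the QuickDC timestamp are made up.
SAMPLES = {
    "dcpp": "$MyNick alice|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS9.999ABCABC|",
    "sid1": "$MyNick bob|$Lock ;&m@[vr=Wa'v_PWX&qVRjx0ZO?:8'iDO*7(p)u8yT=s*5z7* Pk=6KX%k1.o:-iMg<b=|",
    "sid2": "$MyNick bob|$Lock ?N6jA^,%IRB%IqQuIbi0)NgVnTe(R/SGFnZVtGpIjb7gpIWE5G7-KU1E Pk=VCOEcr.wzBDc;(sD|",
    "quickdc": "$MyNick carol|$Lock EXTENDEDPROTOCOL?2003141241000 Pk=QuickDC_0.0.5ALPHA_Linux|",
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        h = parse_handshake(line)
        print(name, h.nick, classify_lock(h.lock, h.pk), decide(False, h))
```

The second-probe rule is the part worth keeping: a lock that is the same on two separate connections is the only evidence in the thread that a "random-looking" lock is not from an NMDC client, so a hub script that kicks on the first garbage lock alone is the false-positive behaviour TheekAzzaBreek complains about.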
Sid wrote:
I have a very stealthy client in my hub throwing the following locks ...
Not sure how to distinguish between this client and a NMDC client

Er, I just noticed the internal oddity in that. You don't know how to detect it, but you extract its lock and pk? How are you detecting it now? It seems to be working...