PazerOP / tf2_bot_detector

Automatically detects and votekicks cheaters/bots in TF2 casual.
MIT License

Detect bots/cathook users using NullNexus #124

Open llamasking opened 4 years ago

llamasking commented 4 years ago

By default, cathook bots will connect to a server called NullNexus which keeps track of all bots and what server they're in.

If you open a websocket connection with a nullnexus server (ws://nullnexus.cathook.club:3000/api/v1/client is the default) and send the following, you'll get a response with all bots that list themselves as on server "1.2.3.4:27015".

{
    "username": "test",
    "type": "dataupdate",
    "data": {
        "server": {
            "connected": true,
            "ip": "1.2.3.4",
            "port": "27015",
            "steamid": "test"
        }
    }
}

Unfortunately, I have never found any bots by filling out a server's ip and port. However if you connect to the socket with multiple clients, each client will show up in the response. That means that either most bots are disabling nullnexus, or the IP or port are being sent differently from how I am sending it in my testing.

Furthermore, the bots aren't sending their ID in cleartext, but we can still do the exact same hashing method to each user in game to find the bots.

One last thing is that NullNexus has an extra security measure (line 97 in nullnexus.cpp) that isn't currently used, but probably will in the future.

The applicable bits of code are /src/nullnexus.cpp from the cathook repo and the nullnexus-server repo.

BenCat07 commented 4 years ago

Line 97 is used.

PazerOP commented 4 years ago

I'll keep this feature in mind, however due to the fact that the nullnexus server is not under the control of a trusted party, and it simply returns user-submitted information, it can't really be trusted as something to reliably identify cheaters. It may still be worth implementing just for curiosity's sake though.

ClusterConsultant commented 4 years ago

It should also be noted that sending connections to an untrusted server period is a massive security risk. If it's implemented at all it needs to be an advanced option with a little warning.

PazerOP commented 4 years ago

If it's implemented at all it will be done through a server under my control acting as a proxy.

ClusterConsultant commented 3 years ago

Is this still relevant? If it is, is it worthwhile or trustworthy? Could see this as a path to a lot of false positives or malicious manipulation.

incontestableness commented 3 years ago

Bots don't use NullNexus by default; only cheaters are automatically connected to it, and they can disable it. As such it's not worth pursuing IMO. I don't know of a way to get the value of gHostSpawnCount through the console so you probably wouldn't be able to authenticate anyways. There are some dirty exploits you can do, but that's not within the scope of this tool, and it's probably not worthwhile.

PazerOP commented 3 years ago

That is a different announcement technique which this issue is not focused on.

CubeTheVenigret commented 2 years ago

It can't detect any users or bots, because nullnexus (source code) supports ONLY private IPs; if the IP is not private, it just does not respond. I attach that thing:

image (hvh server private ip)

image (official tf2 server)

MrBruz commented 2 years ago

This might help lads, it took a couple days but this can get gHostSpawnCount without having to inject any code into tf2. https://gist.github.com/Footsiefat/f03a8c377ffc28a29cedad3c20ddd85e