dougy147 / mcbash

bash script to find valid MAC addresses on some IPTV platform
GNU General Public License v3.0

Adding check for SN and DEV ID 1/2 #16

Open frozen905 opened 11 months ago

frozen905 commented 11 months ago

I am reposting this after deleting the message earlier this year, because suddenly it looks like there is renewed interest both via the original dev and a new pull request.

The app can be made infinitely more effective by adding in additional flags to check for serial number, and then optionally device id 1 & 2 as well.

I know exactly what needs to be done but I am not a coder. If anybody wants to take a crack at adding this in, I think it would take no more than a few mins of your time!

Please feel free to contact me outside of here for easier communication as well, @wizardstorm on Telegram, or happy to continue here as well

Thanks again !

dougy147 commented 11 months ago

Hi @frozen905,

Would you mind explaining what SN and device IDs are useful for? Let's say my server is http://test-mcbash.sh:8080, how can I find SN and device ID 1 & 2? And what should mcbash do with that?

I might take a look at it!

Cheers

rockydares commented 11 months ago

Well, some portals check for serial number and also match device_id1 and device_id2 for playing channels. IPTV player will successfully login with MAC and show channels but will not play channels if not the right device_id or SN. I was away from stalker portal for long, I'll search for some portals that have this feature and I'll share them here.

frozen905 commented 11 months ago

Sorry for the delay - I have other python scripts from Telegram "dubious sources" that can explain the logic of how to check for these.

Indeed, modern stalker portals will return "This device is not registered" or "Device Conflict" errors when passing simply the MAC address alone. Serial numbers, device ID 1 and device ID 2 are passed in additional strings inside the URL using an additional structure. I have tons of examples. We generate these values using SHA256 and MD5 I believe, I'll cross check my scripts for reference shortly!

I can also post many portals that require it, just not sure if this allowed here.

I have ALL of this info and more, would love to assist - I just am not a coder, so I need you guys to add it. It will make mcbash infinitely more useful in 2023.

rockydares commented 11 months ago

I have other python scripts from Telegram "dubious sources" that can explain the logic of how to check for these.

Hi, could you please share the python script for the login mechanism requiring sn and device_ids? Although device_ids change while SN remains the same for a MAC. I know some mac scanner (runs on windows only) that can log onto any portal using only MAC. It automatically detects SN and other info.

dougy147 commented 11 months ago

Hi guys,

@frozen905 could you try the latest version with the option --enhanced-auth and say if that's of any help?

I've found this (and tried to include it in the latest commit) but am not sure how to structure it in the GET request:

SN = first 13 characters of uppercase(md5sum(MAC))
DEV ID 1 = uppercase(sha256sum(MAC))
DEV ID 2 = ??? same ?
Signature = ???

rockydares commented 11 months ago

Hi, I have generated an mitm proxy flow from an app. I am just posting the get_profile request of the portal server which is the main function to log in:

type:             stb
action:           get_profile
hd:               1
ver:              ImageDescription: 0.2.18-r23-250; ImageDate: Wed Aug 29 10:49:53 EEST 2018; PORTAL version: 5.6.1; API Version: JS API version: 343; STB API version: 146; Player Engine version: 0x58c
num_banks:        2
sn:               EA32DC71A0D9A
stb_type:         MAG250
client_type:      STB
image_version:    218
video_out:        hdmi
device_id:        AEB03003795FB7F9600E6EBD009A9012CEFE8B5A3D9B6035ACBB5E34BDB01DC0
device_id2:       AEB03003795FB7F9600E6EBD009A9012CEFE8B5A3D9B6035ACBB5E34BDB01DC0
signature:        0C3D41B68A0C1DA5AA7C61A2127E1B912260EDA8B1EC324E0A71934B4A53C106
auth_second_step: 1
hw_version:       1.7-BD-00
not_valid_token:  0
metrics:          {"mac":"00:1A:79:57:AD:0E","sn":"EA32DC71A0D9A","type":"STB","model":"MAG250","uid":"","random":"70b9298eebd735499ff68212d1431fc827452d6c"}
hw_version_2:     ab7d6a37bc495c4abe5441aec73ba30299a8afbb
timestamp:        1695917221
api_signature:    262
prehash:          
JsHttpRequest:    1-xml

For that portal, the same SN which is EA32DC71A0D9A gets logged onto all other MACs. I don't know if that will work for other portals. Here you can see a string 'random' present in the json which is obtained from the handshake. Here is the response from the portal during handshake:

{
    "js": {
        "not_valid": 0,
        "random": "70b9298eebd735499ff68212d1431fc827452d6c",
        "token": "BD12D44F00DBFC292E52AB593E5E1678"
    },
    "text": "generated in: 0.011s; query counter: 1; cache hits: 0; cache miss: 0; php errors: 0; sql errors: 0;"
}

dougy147 commented 10 months ago

Hi, I have generated an mitm proxy flow from an app. I am just posting the get_profile request of the portal server which is the main function to log in:

Thank you for this detailed answer @rockydares! That's exactly what we needed I guess. I will modify the handshake grepping accordingly as soon as possible, and keep you informed here.

Cheers

frozen905 commented 10 months ago

Sorry guys, I've been busy working on another project.

Here is the exact auth flow you should be aiming for:

Attempt auth with just MAC only - if device conflict/device unregistered error, then attempt with MAC and SN Uppercase only - you get this by running MD5 on the MAC and trimming to 13 characters and upper casing it. If error or still auth failed, attempt with MAC and SN Uppercase BUT derived from lowercase MAC. What does this mean? Well 00:1a:79:00:00:00 is a different hash from 00:1A:79:00:00:00 and unfortunately, different STBs will render this in both ways, so both need to be attempted to truly be wrong.

If failure on these still for device conflict/unregistered, then we move to device ID. Device ID is generated from the SHA256 hash of the MAC again, and just like the serial numbers, to really be thorough, the hash from both uppercase AND lowercase need to be uppercased and tested.

Device ID 1 and Device ID 2 are ALWAYS the same.

In total, there are 5 attempts to get in if you really want to try everything:
1> MAC only (This is legacy MCBASH)
2> MAC + SN High
3> MAC + SN Lo
4> MAC + SN High + ID High
5> MAC + SN Low + ID Low

If you try all 5 of these and it still fails, the account is using a hash that's random and you will never get in, time to move on.

Hope this helps, and I can also make .pcaps from OTT Navigator or TiviMate authing on real servers, but it's not needed, I already have all the knowledge from analyzing other scripts.

Please feel free to find me on Telegram @wizardstorm and message me there, I can do real time testing with you

dougy147 commented 10 months ago

Thank you @frozen905, will be easy to follow step by step. Be sure this procedure will be implemented in the next commits! Stay tuned :)

Cheers

frozen905 commented 10 months ago

That's awesome, appreciate that! There are many scripts out there that use other languages but never one in bash - mcbash stands alone in this regard, and I appreciate that, and want to see it be the best that it can be! I do not want to post servers on a public forum but if you need any for debugging and testing purposes please reach out any time, thanks again, and cheers as well!!