#1
Apprentice
Join Date: Mar 2008
Posts: 5
PS3 Protocol - Apologies, other thread is too old to reply to
(Please delete this post if it is deemed inappropriate. I am not explicitly stating how to specifically hack the PS3 server authentication, I am just proposing a theoretical idea that has the ability to work for anything of this basis.)

There is a possibility of getting the login information for servers that the PS3 knows the password to. For example, the server you upload your scores/times to... I can't remember the address of it now and I'm downloading a game update at the moment so I'm not going to look it up, but I'm sure plenty of you know which one I'm talking about. Anyhow, servers like this require HTTP digest authentication. It may be possible to ARP spoof your network, then filter packets in such a way that it modifies the HTTP response of the PS3 record server so that it asks for basic auth instead of digest. If the PS3 blindly complies with this (and there is a good chance it would) then it would send a basic auth of the username and password, which is no better than plaintext (just base64, of course). Again I can't remember, but I think they use HTTPS for this server, but a proxy like Charles has the ability to re-map HTTPS to HTTP on whatever server you'd like. So in effect, you could re-route the PS3 server to your LAN, or any other server (www.google.com could become www.hello.com, for example). Essentially you would want to do this via Linux on another computer connected to your LAN, as Windows ARP spoofing tools only go so far. The best one I've found (that actually works) is SwitchSniffer, but that does not have the ability to re-write packets, it only allows you to block them completely. I have been looking into making a plug-in hook that will intercept packets that are routed through SwitchSniffer so that re-writing is possible. But as stated by Ps3Rips, it is not my place to be posting about my findings on this if I were to actually do it, because that is simply illegal. The theory, however, is not illegal at all, so it's up to you guys what you do with it. As I say, it only may work. The PS3 might refuse to co-operate if it is asked for basic auth. And it may completely refuse to transfer such details over HTTP if you re-map it from HTTPS to HTTP.

Man-in-the-middle SSL decryption is not an option, either, as the PS3 refuses SSL certificates that are spoofed.
#2
Senior Member
Join Date: Mar 2007
Posts: 1,081
Nice idea, and I was working on something similar.
As for the digest to basic? Not sure it would work, although it does sound possible. However, the point with Digest is that the server gives out a hash (usually called a nonce) which the PS3 has to decode and then reply with the correct answer. So if you turned it to basic, how would you get the server to accept it? I can easily decode the digest nonce (the username is in plaintext so no decoding needed); however, just decoding means not much, as virtually every Sony server I've looked at will change the nonce every 5-15 seconds. Decoding the SSL traffic is the way to go; however, don't forget about DNAS, which Sony also have encrypting stuff. Good luck, and if you make any progress I'd be interested in hearing how it was done. If I do take a look at it then I'll also make a post with any interesting data I find. (PS: Great first post by the way)
__________________
************************************
Exploiting Ps3 = while(!(succeed=try()));
#3
Apprentice
Join Date: Mar 2008
Posts: 5
Yeah, you've made some good points.
Getting the server to accept the basic auth is more difficult, but not impossible. You would need to use an advanced proxy (or write one yourself, not too difficult but certainly annoying and time consuming!) which does something a bit like this:
- Force basic auth by modifying the HTTP header sent by server -> client
- When the client sends back basic auth, decode it and then re-write it into digest auth (based on the type of digest auth being used, of course)
I wouldn't have thought that getting the server to acknowledge anything we send would be important, though, as we can't really do anything with that data that we couldn't just send ourselves if we knew the password being used. The problem then, assuming that we can bypass SSL (or if we get a PS3 farm we could crack the SSL keys like someone has already done, ha!) and force basic auth, is DNAS. Is it known whether the PS3 uses a new form of DNAS that's different to the PSP's? Because if not, would it be possible to reverse the algorithm from a hacked PSP? I'm very weak on my knowledge of encryption so I really wouldn't know anything about this. I'll give Charles a go tomorrow (or within the next few days when I get time) and see if I can re-map HTTPS to HTTP and then force basic auth. If not, this idea might be out the window =(
#4
Senior Member
Join Date: Mar 2007
Posts: 1,081
Not sure on the version of DNAS; however, it was cracked on the PS2 by Paradox, I think.
If it's the same then all is OK; if it's new then it will be a pain.
__________________
************************************
Exploiting Ps3 = while(!(succeed=try()));
#5
Apprentice
Join Date: Mar 2008
Posts: 5
Just an update...
I failed in re-routing the HTTPS to HTTP: the PS3 tries to send SSL'd data over HTTP instead of plaintext HTTP, so they've got the security down with that. So for now I'm stuck for ideas, but all we need is one little breakthrough on the SSL side of things (i.e. the SSL key; maybe the PSP has this?).