Rcon Utility

[Foe of Eternity]

Hey everyone, made a little remote control utility for trem
put in the server, port, and rcon password and you will be able to execute commands and view the results in the console

So here it is:
http://www.mediafire.com/?nq7cym0pmosp62x

Enjoy

and as always post any bugs you encounter

[Lakitu7]

Uhh, perhaps you should post the source for such a thing; or else you're expecting someone to put the keys to their servers into a program that may darn well be sending all the logins to you.

[Foe of Eternity]

i'd rather not reveal the password encryption method...but here's the code for sending/receiving rcon commands:

Code: [Select]

        string Add;
        bool ready = false;
        UdpClient cli = new UdpClient();
        private void btnSend_Click(object sender, EventArgs e)
        {
            btnSend.Enabled = false;
            try
            {
                cli = new UdpClient(txtServer.Text, int.Parse(txtPort.Text));
            }
            catch (Exception ee)
            {
                MessageBox.Show("Error\n" + ee.ToString());
            }
            string test = "rcon " + txtPass.Text + " " +txtCmd.Text;
            List<byte> bytes = new List<byte>();
            for( int i = 0; i < 4; i++ )
                bytes.Add((byte)255);
            foreach (char c in test)
                bytes.Add((byte)c);
            byte[] send = new byte[bytes.Count];
            for (int i = 0; i < bytes.Count; i++)
            send[i] = bytes[i];
            cli.Send(send, send.Length);
            txtConsole.Text += "]" + txtCmd.Text;
            cli.BeginReceive(new AsyncCallback(GetPackets), cli);
            ready = false;
            while (!ready)
                Application.DoEvents();
            txtConsole.Text += Add;
            txtConsole.SelectionStart = txtConsole.Text.Length;
            txtConsole.SelectionLength = 0;
            txtConsole.ScrollToCaret();
            txtCmd.Text = "";
            for (int i = 0; i < 7; i++)
            {
                Application.DoEvents();
                Thread.Sleep(100);
            }
            btnSend.Enabled = true;
        }

        private void GetPackets(IAsyncResult iar)
        {
            Add = "";
            try
            {
                IPEndPoint address = new IPEndPoint(IPAddress.Any, int.Parse(txtPort.Text));
                Byte[] receiveBytes = new Byte[0];
                for( int i = 0; i < 1; i++ )
                     receiveBytes = cli.EndReceive(iar, ref address);
                Add = Encoding.ASCII.GetString(receiveBytes);
                Add = Add.Remove(0, 9);
                ready = true;
            }
            catch (Exception ee)
            {
                Add = ee.ToString();
                ready = true;
            }
        }Language is C#
(i know it's not optimized but it doesn't slow it down too much)

i know for a fact it only sends data to the server you tell it to, if you feel more comfortable, you can check the connections it opens
(double checked with WPE)

[Tremulant]

Uhh, perhaps you should post the source for such a thing; or else you're expecting someone to put the keys to their servers into a program that may darn well be sending all the logins to you.

Hey, at least it's not obfuscated to buggery like the last .net project he posted
Seriously, what's so precious about your apps that makes it impossible for you to release the source?

[Foe of Eternity]

The project last time was for stability testing and I released a clean version

As for this project, I released all the code that mattered...I added in encryption when it saves the rcon pass to prevent privacy issues and would rather it not be released so I can reuse it

[Lakitu7]

Unless you post a full source that someone can both inspect and compile themselves, they cannot be safe, because without compiling it themselves they cannot know that the binary posted is actually from the source provided.

It was already a bad idea for people to run server browsers that are closed like this, but for something that handles sensitive login information, it is an extremely bad idea.

[Foe of Eternity]

As I said before I released all the code that mattered (it's enough information to compile it yourself)
However when I get the chance I'll release the source without encryption

But a packet capture utility (such as WPE is enough because it's clear that the only packet sent is to the server you specify with the data you gave it
You would need to worry more about people on your network sniffing the password than the program itself because you can test the program...

[F50]

Not quite, malicous code can be much more clever than that. One way to do it is to keep a list of rcon passwords and servers (one could probably even store it in the executable itself if one so desired), and send them monthly/weekly. Password encryption would be a sensible place to put such malicious code.

I'm sorry you are not getting more support for these tools but this is an open source community, so I hope you understand our skepticism of closed-source code.

[Foe of Eternity]

As I said before I released all the code that mattered (it's enough information to compile it yourself)

[swamp-cecil]

How did you manage to make a program in C# thats actually USEFUL???

[Tremulant]

How did you manage to make a program in C# thats actually USEFUL???

There are loads of useful apps coded in C#(f-spot, banshee, tomboy, etc), yes it adds annoying overheads, but it isn't just another visual basic.

[NotYarou]

you want us to run a blackbox c# app w/o showing src

nothx

[Meisseli]

I guess you need to take the encryption out, then, and release it as open source.

[Undeference]

i'd rather not reveal the password encryption method...

Security through obscurity is no security at all.

[Foe of Eternity]

i'd rather not reveal the password encryption method...

Security through obscurity is no security at all.

i didn't finish the quote but i don't want to release it so i can reuse it...i'm not using security through obscurity

you want us to run a blackbox c# app w/o showing src

nothx

how many times do i need to say i released enough of the source to remake it...i've already made 3 posts repeating this but i'll do it again just for you

As I said before I released all the code that mattered (it's enough information to compile it yourself)

and besides, if you have the source, there's no way to verify that the source that's released is the program that was released...but seriously there's no point in making a malicious program, the tremulous community (and this board specifically isn't very active) isn't exactly large-scale...and hiding the source would raise suspicion, if it was a malicious program a fake source would probably be released as i said earlier

anyway, i'll be releasing the source without the encryption, i was just away for the weekend and didn't have time to release it

[Kiwi]

As I said before I released all the code that mattered (it's enough information to compile it yourself)

and besides, if you have the source, there's no way to verify that the source that's released is the program that was released...

If you release the source, then we could compile it ourselves.  That takes your pre-compiled program out of the loop.

[Teapot]

As author, you are the copyright holder and can use it any way you want, no matter what license you release the source under (which is how MySQL has proprietary and free software versions, for example).
So now we've established that obscurity isn't more secure and you can reuse it how you wish, you have no excuse, unless it is malicious

If you care about incorporating community changes into proprietary products you create, I recommend using the Apache 2.0 License (as used by Google and Apache) but the Modified BSD, Simplified BSD and zlib licenses would all do roughly the same job.

[Foe of Eternity]

how many times do i have to repeat myself
YOU CAN COMPILE THE SOURCE
i gave you enough code that if you knew how to open a C# editor you could compile it

i will not release the full source, no matter how you argue it, so stop trying to convince me there's 'no reason not to release the full source'

i released this for the benefit of the community

if you're so desperate to find the whole source then take the time to decompile it

and seriously, stop posting about how "it could be malicious"
if you think it's malicious, by all means don't download it, as that is a good security practice

[Tremulant]

So, moving away from the topic of full source disclosure, what's the point in this utility, i don't run a server, what would you otherwise use for rcon, how does this app improve on the standard method?

[F50]

It means you can put it on a netbook or phone that lacks openGL. This is not the only way to do so (ssh and screen can also do this), but is one way to do so.

However, you cannot cannot compile the source. Not as given. Sure, it would be easier to figure out what needs done than to write the whole thing myself, but I'd have to re-create your UI, and then try to understand what exactly it is that your code needs done before it can work. Its not working code. There is no reason not to release the rest of the working code (minus the encryption).

What I think we are saying here is that your code is dead until we don't have to care about it to get it to run (compiles without effort).

[RAKninja-Decepticon]

i released this for the benefit of the community

considering it's an open source community with quite a few people running on linux distros, surely you understand the distaste most of us have for closed source software.

it is more than possible to have decent encryption with open source software.

[kharnov]

i gave you enough code that if you knew how to open a C# editor you could compile it

How are we supposed to know if the code you gave us is even in the program?

if you think it's malicious, by all means don't download it, as that is a good security practice

We all think it's malicious. You're not very good at advertising your product.

[Tremulant]

It means you can put it on a netbook or phone that lacks openGL. This is not the only way to do so (ssh and screen can also do this), but is one way to do so.

ssh and screen sounds good to me.

[Foe of Eternity]

So, moving away from the topic of full source disclosure, what's the point in this utility, i don't run a server, what would you otherwise use for rcon, how does this app improve on the standard method?

it's designed for server owners to be able to use rcon without having to open trem with it, so it's useless if you don't own a server/don't have rcon on it

i released this for the benefit of the community

considering it's an open source community with quite a few people running on linux distros, surely you understand the distaste most of us have for closed source software.

it is more than possible to have decent encryption with open source software.

the encryption is just a rijndael cipher, i don't want to release how i encrypted it, not the encryption, so that people can't recreate the password and use it to decrypt the encrypted data

and yes i understand the distaste of closed source software as i use linux too, but the only thing you need to recreate is the gui, all the names and such are pretty self explanatory

Code: [Select]

        string Add;
        bool ready = false;
        UdpClient cli = new UdpClient();
        private void btnSend_Click(object sender, EventArgs e)
        {
            btnSend.Enabled = false;
            try
            {
                cli = new UdpClient(txtServer.Text, int.Parse(txtPort.Text));
            }
            catch (Exception ee)
            {
                MessageBox.Show("Error\n" + ee.ToString());
            }
            string test = "rcon " + txtPass.Text + " " +txtCmd.Text;
            List<byte> bytes = new List<byte>();
            for( int i = 0; i < 4; i++ )
                bytes.Add((byte)255);
            foreach (char c in test)
                bytes.Add((byte)c);
            byte[] send = new byte[bytes.Count];
            for (int i = 0; i < bytes.Count; i++)
            send[i] = bytes[i];
            cli.Send(send, send.Length);
            txtConsole.Text += "]" + txtCmd.Text;
            cli.BeginReceive(new AsyncCallback(GetPackets), cli);
            ready = false;
            while (!ready)
                Application.DoEvents();
            txtConsole.Text += Add;
            txtConsole.SelectionStart = txtConsole.Text.Length;
            txtConsole.SelectionLength = 0;
            txtConsole.ScrollToCaret();
            txtCmd.Text = "";
            for (int i = 0; i < 7; i++)
            {
                Application.DoEvents();
                Thread.Sleep(100);
            }
            btnSend.Enabled = true;
        }

        private void GetPackets(IAsyncResult iar)
        {
            Add = "";
            try
            {
                IPEndPoint address = new IPEndPoint(IPAddress.Any, int.Parse([quote author=kharnov link=topic=15440.msg220325#msg220325 date=1301287581]
[quote author=Foe of Eternity link=topic=15440.msg220306#msg220306 date=1301279453]
i gave you enough code that if you knew how to open a C# editor you could compile it
[/quote]

How are we supposed to know if the code you gave us is even in the program?

[quote author=Foe of Eternity link=topic=15440.msg220306#msg220306 date=1301279453]
if you think it's malicious, by all means don't download it, as that is a good security practice
[/quote]

We all think it's malicious. You're not very good at advertising your product.
[/quote]Port.Text));
                Byte[] receiveBytes = new Byte[0];
                for( int i = 0; i < 1; i++ )
                     receiveBytes = cli.EndReceive(iar, ref address);
                Add = Encoding.ASCII.GetString(receiveBytes);
                Add = Add.Remove(0, 9);
                ready = true;
            }
            catch (Exception ee)
            {
                Add = ee.ToString();
                ready = true;
            }
        }txtConsole - a textbox representing the console
txtCmd - a textbox representing the entered command
btnSend - a button that when clicked runs btnSend_Click
txtPort - a textbox representing the server port
txtPass - a textbox representing the password
txtServer - a textbox representing the server address

as i said, everything is self explanatory; i would've expected anyone who wanted the source to be able to figure this out...

i gave you enough code that if you knew how to open a C# editor you could compile it

How are we supposed to know if the code you gave us is even in the program?

if you think it's malicious, by all means don't download it, as that is a good security practice

We all think it's malicious. You're not very good at advertising your product.

how are we supposed to know the tremulous executable contains what the source says it does?

you can't.
i gave you enough information to make it yourself if you don't trust it

also, in case you didn't notice, IT'S FREE
it's not a product, i don't care if no one downloads it, as i said i was releasing it for the benefit of the community, if they don't want to use it, it doesn't matter to me
READ THIS POST BEFORE POSTING AGAIN (and the following message)

[Tremulant]

So, moving away from the topic of full source disclosure, what's the point in this utility, i don't run a server, what would you otherwise use for rcon, how does this app improve on the standard method?

it's designed for server owners to be able to use rcon without having to open trem with it, so it's useless if you don't own a server/don't have rcon on it

Sorry, i think i confused you, i was inquiring what one would use for rcon if they didn't have access to your app, trem itself or ssh and screen were the answers.

also, in case you didn't notice, IT'S FREE
it's not a product, i don't care if no one downloads it, as i said i was releasing it for the benefit of the community, if they don't want to use it, it doesn't matter to me
READ THIS POST BEFORE POSTING AGAIN (and the following message)

Surely rcon passwords are rather sensitive pieces of information, not the kind of thing anyone wants to feed into some random guy's app, and if someone's capable of building their own clean version from your source they're probably also capable of figuring out ssh.
If you don't care that no one uses it, that's fine, i personally would care, if i'd bothered to write the program and felt that it was worth the effort, i'd want to provide source that builds and runs on multiple platforms. Have you considered starting a sourceforge or google code account and turning your trem tools into a real project? I imagine people are quite happy to type their rcon password when it's needed, if you just want to strip out the password saving and hashing code i'm sure people wouldn't mind. If you do choose this route, good luck.

You really must appreciate that you're some guy, posting binaries on mediafire for an app that accepts peoples server addresses and rcon passwords as input, anyone would have to be pretty braindead to take that risk.

[Teapot]

i will not release the full source, no matter how you argue it, so stop trying to convince me there's 'no reason not to release the full source'

You

• dumped a binary on the community
  
• did not give us reasons which withstand examination for keeping the code proprietary
• released code we can't use since it isn't under a free license
  
• became completely irrational like the above

How would you react to such a guy's program?

Your reasons examined...

i'd rather not reveal the password encryption method...

Security through obscurity is no security at all.

i didn't finish the quote but i don't want to release it so i can reuse it...i'm not using security through obscurity

the encryption is just a rijndael cipher, i don't want to release how i encrypted it, not the encryption, so that people can't recreate the password and use it to decrypt the encrypted data

Fail. So this reason doesn't make sense.

would rather it not be released so I can reuse it

As author, you are the copyright holder and can use it any way you want

And your only remaining reason doesn't make sense.

Assuming the app is proprietary because it's malicious is currently the only option available to us.

Now you hopefully understand why your program hasn't been accepted by the community.

[Undeference]

This is not the only way to do so (ssh and screen can also do this), but is one way to do so.

That's obviously the most secure method: disable rcon entirely and send commands over an encrypted connection to the server.

Code: [Select]

echo -e '\xff\xff\xff\xffrcon [rconPassword] [cmd]' | nc -uw1 [addr] [port]e.g.,

Code: [Select]

echo -e '\xff\xff\xff\xffrcon blah cp You all suck' | nc -uw1 127.0.0.1 30720As for this "Rcon Utility", I have no idea where/why encryption would be used anyway, since rcon does not use encryption.

i didn't finish the quote but i don't want to release it so i can reuse it...i'm not using security through obscurity

I don't know how/why you're using encryption, but I think you need to look up the meanings of the word security.

[Foe of Eternity]

i will not release the full source, no matter how you argue it, so stop trying to convince me there's 'no reason not to release the full source'

You

• dumped a binary on the community
  
• did not give us reasons which withstand examination for keeping the code proprietary
• released code we can't use since it isn't under a free license
  
• became completely irrational like the above

How would you react to such a guy's program?

Your reasons examined...

i'd rather not reveal the password encryption method...

Security through obscurity is no security at all.

i didn't finish the quote but i don't want to release it so i can reuse it...i'm not using security through obscurity

the encryption is just a rijndael cipher, i don't want to release how i encrypted it, not the encryption, so that people can't recreate the password and use it to decrypt the encrypted data

Fail. So this reason doesn't make sense.

would rather it not be released so I can reuse it

As author, you are the copyright holder and can use it any way you want

And your only remaining reason doesn't make sense.

Assuming the app is proprietary because it's malicious is currently the only option available to us.

Now you hopefully understand why your program hasn't been accepted by the community.

So, moving away from the topic of full source disclosure, what's the point in this utility, i don't run a server, what would you otherwise use for rcon, how does this app improve on the standard method?

it's designed for server owners to be able to use rcon without having to open trem with it, so it's useless if you don't own a server/don't have rcon on it

Sorry, i think i confused you, i was inquiring what one would use for rcon if they didn't have access to your app, trem itself or ssh and screen were the answers.

also, in case you didn't notice, IT'S FREE
it's not a product, i don't care if no one downloads it, as i said i was releasing it for the benefit of the community, if they don't want to use it, it doesn't matter to me
READ THIS POST BEFORE POSTING AGAIN (and the following message)

Surely rcon passwords are rather sensitive pieces of information, not the kind of thing anyone wants to feed into some random guy's app, and if someone's capable of building their own clean version from your source they're probably also capable of figuring out ssh.
If you don't care that no one uses it, that's fine, i personally would care, if i'd bothered to write the program and felt that it was worth the effort, i'd want to provide source that builds and runs on multiple platforms. Have you considered starting a sourceforge or google code account and turning your trem tools into a real project? I imagine people are quite happy to type their rcon password when it's needed, if you just want to strip out the password saving and hashing code i'm sure people wouldn't mind. If you do choose this route, good luck.

You really must appreciate that you're some guy, posting binaries on mediafire for an app that accepts peoples server addresses and rcon passwords as input, anyone would have to be pretty braindead to take that risk.

ok i'll be even more specific for you
i made it for me and released it here

for the benefit of the community

there's no reason for me to create all of that just so people can feel secure, they can make it themselves if they want to (it really isn't that hard, took maybe 10 minutes to make), i just thought people would be lazy (as they generally are) and want someone to do it for them

and the only reason it's on mediafire is so i can get it from other computers without having to find this topic to download it

you're acting like rconpasswords is like putting a backdoor into your computer, there is nothing you can do with rcon that is permanent or difficult to fix

and read that quote that "makes no sense" again... the encryption is the algorithm used to protect data, how i encrypted it includes password generation and such

and tbh idc what you do with the code

This is not the only way to do so (ssh and screen can also do this), but is one way to do so.

That's obviously the most secure method: disable rcon entirely and send commands over an encrypted connection to the server.

Code: [Select]

echo -e '\xff\xff\xff\xffrcon [rconPassword] [cmd]' | nc -uw1 [addr] [port]e.g.,

Code: [Select]

echo -e '\xff\xff\xff\xffrcon blah cp You all suck' | nc -uw1 127.0.0.1 30720As for this "Rcon Utility", I have no idea where/why encryption would be used anyway, since rcon does not use encryption.

i didn't finish the quote but i don't want to release it so i can reuse it...i'm not using security through obscurity

I don't know how/why you're using encryption, but I think you need to look up the meanings of the word security.

disabling rcon entirely is a lot more secure, yes, but ssh isn't handled by the program (and by everyone's insecurity, wouldn't want it to anyway)

as for encryption, it saves the password on the computer (if you tell it to) and saves the encrypted password

[Teapot]

and read that quote that "makes no sense" again... the encryption is the algorithm used to protect data, how i encrypted it includes password generation and such

So you're relying on people not knowing how you encrypted the password, which is exactly what security through obscurity is. You were saying...

i'm not using security through obscurity

So, as I said, you're not making sense.

[Foe of Eternity]

and read that quote that "makes no sense" again... the encryption is the algorithm used to protect data, how i encrypted it includes password generation and such

So you're relying on people not knowing how you encrypted the password, which is exactly what security through obscurity is. You were saying...

i'm not using security through obscurity

So, as I said, you're not making sense.

actually no, the "security" would be the rijndael cypher (as i said before)
the password is just what's used to decrypt it, you don't tell people the passwords you make do you?
so you're saying that everyone who has ever made a password uses security through obscurity which undeference claims is no security at all
if passwords are no security then why do they still exist?
by definition, security through obscurity is using secrecy in implementation/design to have security
as the only thing i'm hiding is the password, it is not security through obscurity