MSN Chat
Authentication
MSN Chat used two types of authentication; NTLM and GateKeeper. NTLM (Windows New Technology LAN Manager) is a well known authentication mechanism that is able to authenticate a user to a local server, or Active Directory domain. Only Admins, Sysops and Guides could authenticate using NTLM, and it was the default for the MSN Chat Admin Client.
GateKeeper Authentication
GateKeeper authentication is a simple authentication method designed purely to ensure that only official clients could connect to the MSN Chat service. Version 2 of the authentication allowed the client to specify their own unique GUID to the server, providing a semi-unique ID for guest users.
Early versions of the official MSN Chat Client included a MSN Chat Protocol Control object that could be used by programmers to connect their own programs to the MSN Chat Network. As of version 4, the MSN Chat Protocol Control was no longer included as part of the MSN Chat client.
Versions 1 and 2 of the GateKeeper authentication were vulnerable to a MITM (Man in the Middle) attack, where an unofficial client could temporarily load the official client and relay the authentication data between the official client and the server.
GateKeeper version 2 was decompiled and re-written as a python script, which was then published to the web as source code. The original python script had issues with decoding and encoding the raw data, and didn’t work on every attempt. The source code was ported to multiple programming languages, with the most notably being MSL (mIRC Scripting Language), which was the scripting language of the most popular IRC client, mIRC.
Version 3 of the GateKeeper authentication added the target hostname/IP address to the authentication calculation, which ensured that users could no longer connect the official client to localhost and relay the authentication data. By the time version 3 was fully deployed, it was already well known within the community of users who used unofficial clients what had changed, and allowed them to modify their scripts/programs to continue to connect to the MSN Chat Network.
There was a modified version of the MSN Chat client distributed known as M$NChatX, which always connected to localhost even when the correct hostname was used, allowing unofficial clients to once again access MSN Chat Network using the MITM attack.
Until the late 2010’s, long after the MSN Chat Network had closed, all clients continued to use a variation of the python source code. Whilst the programs did correctly authenticate, it was quite clear from their source code that they were still using a decompiled version of the official client as the code had been pre-optimised by a compiler and did not actually contain the HMAC-MD5 key. First the key was discovered, and shortly after, the method of authentication was discovered.
--> AUTH GateKeeper I :GKSSP\\0XX\x03\\0\\0\\0\x01\\0\\0\\0
<-- AUTH GateKeeper S :GKSSP\\0XX\x03\\0\\0\\0\x02\\0\\0\\0!@#$%^&*
--> AUTH GateKeeper S :GKSSP\\0XX\x03\\0\\0\\0\x03\\0\\0\\0ZZYYXXWWVVUUTTSSAABBCCDDEEFFGGHH
<-- AUTH GateKeeper * 465465464@GateKeeper 0--> AUTH GateKeeperPassport I :GKSSP\\0XX\x03\\0\\0\\0\x01\\0\\0\\0
<-- AUTH GateKeeperPassport S :GKSSP\\0XX\x03\\0\\0\\0\x02\\0\\0\\0!@#$%^&*
--> AUTH GateKeeperPassport S :GKSSP\\0XX\x03\\0\\0\\0\x03\\0\\0\\0ZZYYXXWWVVUUTTSS\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0
<-- AUTH GateKeeperPassport S :OK
--> AUTH GateKeeperPassport S :00005Ahiodsfdsnlkjn...
<-- AUTH GateKeeperPassport * @GateKeeperPassport 0