Under the Surface of Azeroth:
A Network Baseline and Security Analysis
of Blizzard's World of Warcraft

Step 5: Authenticating into the World of Warcraft

The authentication process into the World of Warcraft universe is relatively straightforward. Once the version check has completed, the World of Warcraft login screen appears.




The login screen is a very graphical full-screen display complete with wisps of smoke, flaming torches, and an orchestral ovation. Even though the screen is rich with sensory input, there's absolutely nothing happening over the network. There are no packets transferred while the account information is entered into the login screen.

Once the "Login" button is pressed, a TCP connection on port 3724 is made to us.login.worldofwarcraft.com. The next obvious step is for the username and password to be sent to the central authentication server. Although the password is not sent in plain text across the network, the account name is easily readable inside the network packet.

The authentication process actually occurs in three quick steps:

* The account name and account password are verified

* A list of available World of Warcraft Realms and IP addresses is received from the login server

* The character select screen is loaded


Verifying the username and password

The login process begins with sending the account name to the World of Warcraft login server in frame 6. This frame also contains the version number of the client so that the World of Warcraft login server can perform a final verification of the client software. Prior to this point, every version check could have been bypassed by simply disconnecting from the live Internet connection.

As mentioned previously, the account name information in frame 6 is sent as plain text without any type of encryption. Frame 7 is a TCP acknowledgement to the information in frame 6, and frame 8 is a frame of additional information sent from the logon server. This additional content in frame 8 may include a "salt" value that's used to create a hash of the password.

Frame 9 appears to be the password hash that was created by combining the password with the dynamic salt value. Because the salt is different every time, the password hash is also different each time. This provides additional account security because the account password is not only hashed, but the hashed value changes each time.

This analysis of the password transmission is an educated guess based on the information traversing the network. Although the details of the password transfer aren't public knowledge, it's useful to know that the password is not sent in the clear and the information transferred is different each time.
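
The exchange guessed at above (a per-login salt in frame 8, a salted password hash in frame 9) can be modelled in a few lines. This is an added example, not code from the original analysis or from Blizzard: SHA-256, the salt length, the salt-then-password layout, and every function name are assumptions, since the page does not identify the real algorithm.

```python
import hashlib
import hmac
import secrets

# Assumption: the real algorithm and message layout are not given on the page.
# SHA-256 over salt || password stands in for the client's hashing step.

def new_salt() -> bytes:
    """Login server: fresh random salt for each attempt (the role of frame 8)."""
    return secrets.token_bytes(16)

def client_response(password: str, salt: bytes) -> bytes:
    """Client: hash the password together with the salt (the role of frame 9)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def server_verify(known_password: str, salt: bytes, response: bytes) -> bool:
    """Login server: recompute the hash for the salt it issued and compare.
    The server holding the password directly is a simplification of this model."""
    expected = client_response(known_password, salt)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "constructed-sample-password"  # constructed sample value
    salt1, salt2 = new_salt(), new_salt()     # two separate login attempts
    r1 = client_response(password, salt1)
    r2 = client_response(password, salt2)
    wire = salt1 + r1 + salt2 + r2            # everything a capture would hold
    return {
        # Same password, different salt: the hash on the wire changes.
        "responses_differ": r1 != r2,
        "login1_ok": server_verify(password, salt1, r1),
        "login2_ok": server_verify(password, salt2, r2),
        # A hash captured during login 1 does not satisfy the salt of login 2.
        "replay_ok": server_verify(password, salt2, r1),
        # The password itself never appears in the captured bytes.
        "password_on_wire": password.encode("utf-8") in wire,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the practical point of the changing value: a frame 9 payload recorded from one session is useless against the next session's salt, and the capture never contains the password itself.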