SUMMARY
Layer: Application Layer

DESCRIPTION
ICQ actually stands for "I seek you". It is one of the most popular communication tools used on the Internet, besides the good old plain e-mail. ICQ is a user-friendly and real-time Internet tool that allows users to find other people, add them to a contact list, see their online/offline status at any given time, and communicate with them in several different ways. ICQ provides capabilities of messaging, one-on-one or multi-user chat sessions, user-to-user file transfer, sending URLs, playing games, and invoking external applications, like NetMeeting, CoolTalk, or other online-conferencing tools.
The ICQ Program is one of the most popular and most widely spread chat and instant-messaging programs on the Internet, and the community of ICQ users is still growing very rapidly. Most ICQ users do not need to know how the ICQ Protocol works. They are also not aware of or concerned about the security aspects of the ICQ Protocol. The protocol certainly has its vulnerabilities, which the majority of users don't know about.
Reverse-Engineering using SocketSpy
One of the ways to reverse-engineer the ICQ Protocol is by using a tool that traces all network traffic (packets) on a raw socket and dumps them on the screen or into a file. One such tool is SocketSpy, which has been developed by WinTech. For any application that uses WINSOCK.DLL, all API calls are intercepted by Interceptor.DLL, and SocketSpy prints out the information from those API calls.
Packet Header
Length | Content (if fixed) | Designation | Description
2 bytes | 05 00 | VERSION | Protocol version
4 bytes | 00 00 00 00 | ZERO | Just zeros, purpose unknown
4 bytes | AA 6C 4E 00 | UIN | Your (the client's) UIN
4 bytes | 77 72 55 FC | SESSION_ID | Used to prevent 'spoofing'. See below.
2 bytes | EE C2 | COMMAND |
2 bytes | A4 01 | SEQ_NUM1 | Starts at a random number
2 bytes | E8 C6 | SEQ_NUM2 | Starts at 1
4 bytes | xx xx xx xx | CHECKCODE |
variable | xx ... | PARAMETERS | Parameters for the command being sent
Naturally, figuring out the protocol specification by spying on the packets sent through the WinSock interface is not trivial and requires much work and effort. Magnus Ihse, who started researching ICQ protocol V2 early on and published one of the first documents about the ICQ Protocol, formed a mailing list called ICQ-devel because of the huge number of responses and questions he received. Through constant effort over the years, the participants of the ICQ-devel list reverse-engineered nearly all of the ICQ protocol versions and implemented ICQ clients on different platforms and in different programming languages.
Protocol Versions
The ICQ Protocol has gone through several versions since its inception in 1996. The earlier versions did not use any kind of encryption and had many security holes (see section 4.3). In version 4 some kind of encryption was introduced. Version 5 also uses other means (a session ID and sequence numbers) for security purposes. The latest two versions of ICQ (ICQ98 and ICQ99) are able to use all protocol versions currently still in use (V2 through V5).
- Protocol V1
V1 was the first version of the ICQ Protocol and is no longer in use. This version was never used by any publicly released ICQ clients. I was not able to find any specific documentation on Version 1.
- Protocol V2
Version 2 of the ICQ Protocol was implemented in the first release of ICQ in 1996, which is still available to download at this site. V2 is the oldest version of the ICQ Protocol that is still in use today.
The UDP packet sent from the client to the server has the following general layout:
Length | Content (if fixed) | Name | Description
2 bytes | 02 00 | VERSION | Identifies the packet as an ICQ packet
2 bytes | xx xx | COMMAND | Code for the service the server should provide
2 bytes | xx xx | SEQ_NUM | Sequence number
4 bytes | xx xx xx xx | UIN | The sender's UIN
variable | | PARAMETERS | 0 or more parameters (depending on COMMAND)
The UDP packet sent from the server to the client has the following general layout:
Length | Content (if fixed) | Name | Description
2 bytes | 02 00 | VERSION | Identifies the packet as an ICQ packet
2 bytes | xx xx | COMMAND | Code for the service the server should provide
2 bytes | xx xx | SEQ_NUM | Sequence number
variable | | PARAMETERS | 0 or more parameters (depending on COMMAND)
- Protocol V3
The second protocol version to come out was version 3, which uses a simple checksum as its security.
The Version 3 header is as follows:
Length | Description
2 Bytes | The version of the protocol = 03 00 (Major, Minor)
2 Bytes | The function code. The ones I know are listed below.
2 Bytes | First sequence code (the two sequence codes are usually the same)
2 Bytes | Second sequence code
4 Bytes | The user ID (UIN) of the client user
4 Bytes | The check code, ICQ's weak attempt at security. To get these four bytes, do the following:
    check1 = ( data[8] << 24) | ( data[4] << 16 ) | ( data[2] << 8 ) | ( data[6] );
    offs1 = Random % length;  // offset into packet
    offs2 = Random % 256;     // offset into magic data
    check2 = ( offs1 << 24 ) | !( data[offs1] << 16 ) | ( offs2 << 8) | !( magic[offs2] );
    check = check1 ^ check2;  // XOR the two checks
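The V3 check computation above is worth working through once, because the receiver's side is what shows how little it protects. The following Python is an added example, not code from the page or from any ICQ client. Assumptions it makes: the `!` in the page's formula is read as a bitwise NOT (`~`) masked to one byte, the CHECK field is zeroed while the code is computed, `offs1` is limited to the first 256 bytes so that it fits in the top byte the receiver reads it back from, and `MAGIC` is a constructed stand-in for ICQ's 256-byte magic table, which the page does not reproduce.

```python
import random
import struct

# Constructed stand-in for ICQ's 256-byte magic table; the real table is not given on the page.
MAGIC = bytes((i * 37 + 11) & 0xFF for i in range(256))

# V3 header: VERSION(0-1) FUNCTION(2-3) SEQ1(4-5) SEQ2(6-7) UIN(8-11) CHECK(12-15), then parameters.
CHECK_OFFSET = 12
HEADER_LEN = 16


def check1(data):
    # Exactly the page's formula: four header bytes packed into one 32-bit word.
    return (data[8] << 24) | (data[4] << 16) | (data[2] << 8) | data[6]


def check2(data, offs1, offs2):
    # The page's "!" is read as bitwise NOT; masking keeps each NOTed byte in its 8-bit slot (assumption).
    return ((offs1 << 24) | ((~data[offs1] & 0xFF) << 16)
            | (offs2 << 8) | (~MAGIC[offs2] & 0xFF))


def compute_check(data, rnd):
    """Check code for `data` (a packet whose CHECK field is zero) using random value `rnd`."""
    offs1 = rnd % min(len(data), 256)  # page: Random % length; capped so offs1 fits in one byte (assumption)
    offs2 = rnd % 256                  # page: Random % 256, offset into the magic table
    return check1(data) ^ check2(data, offs1, offs2)


def build_v3(function, seq1, seq2, uin, params=b"", rnd=None):
    """Assemble a V3 packet and fill in its CHECK field."""
    if rnd is None:
        rnd = random.getrandbits(32)
    data = bytearray(struct.pack("<HHHHI", 3, function, seq1, seq2, uin))
    data += b"\x00" * 4 + params  # CHECK is zero while it is computed (assumption)
    struct.pack_into("<I", data, CHECK_OFFSET, compute_check(bytes(data), rnd))
    return bytes(data)


def verify_v3(packet):
    """Receiver side: recover offs1/offs2 from the check itself and recompute it."""
    if len(packet) < HEADER_LEN or packet[:2] != b"\x03\x00":
        return False
    chk, = struct.unpack_from("<I", packet, CHECK_OFFSET)
    data = bytearray(packet)
    data[CHECK_OFFSET:CHECK_OFFSET + 4] = b"\x00" * 4
    c2 = chk ^ check1(data)            # strip check1 to expose the random-offset half
    offs1, offs2 = c2 >> 24, (c2 >> 8) & 0xFF
    if offs1 >= len(data):
        return False
    return c2 == check2(data, offs1, offs2)


if __name__ == "__main__":
    pkt = build_v3(0x0001, 0x0100, 0x0100, 5139626, b"hi", rnd=7)
    print(pkt.hex(), verify_v3(pkt))
```

Every input to the check is either in the packet itself or in a fixed table, so a valid code proves only that the sender knew the formula, not who the sender was. And because check1 covers four header bytes and check2 a single byte chosen by offs1, a changed parameter byte goes undetected unless offs1 happens to point at it, which the test below demonstrates by altering the payload of a packet that still verifies.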
- Protocol V4
In Version 4, encryption was added to the protocol. The following is the Header for Version 4 packets:
Field | Notes
VERSION | 04 00
RANDOM |
(everything below this point is encrypted)
ZEROS |
COMMAND |
SEQUENCE |
SECOND SEQUENCE |
UIN |
CHECK |
- Protocol V5
Version 5 is the most recent version and has not yet been fully explained anywhere.
An example of a V5 header is shown in Fig. 4.3; the "Packet Header" table above (VERSION 05 00) shows the V5 layout. Version 5 is used in the newest release, ICQ 99b.
Client-Server Communication
When an ICQ user connects to the Internet, the ICQ NetDetect Agent can automatically detect the connection and launch the ICQ application. First, the ICQ program tries to establish a connection to a Mirabilis ICQ server by sending UDP packets to port 4000. During the login process, the client sends information about itself to the server, including its IP address, the TCP port reserved for ICQ, the user's password and the user's contact list. Once a connection has been established, the client reports its user's online status and queries the online status of each ICQ user on the contact list.
The information provided by any ICQ user during registration is also stored on the ICQ server. If someone requests the public information about a certain user, a request command in a UDP packet is sent to the server, which then sends back the information about the requested ICQ user. All UDP packets must be acknowledged, otherwise retransmission will occur after 10 seconds.
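The acknowledgement rule just stated (every UDP packet is acknowledged, and an unacknowledged one is resent after 10 seconds) implies a small bookkeeping layer keyed on sequence number. The Python below is an added example, not code from the page or from any ICQ client, showing that layer as a receiver-independent tracker that can be driven from a test clock. The retry cap and the decision to ignore acknowledgements for unknown sequence numbers (so a stray or duplicated ack cannot clear a packet that was never sent) are this example's assumptions; the page gives only the 10-second interval.

```python
RETRANSMIT_AFTER = 10.0  # seconds, from the page: unacknowledged packets are resent after 10 s


class PendingAcks:
    """Tracks sent UDP packets by sequence number until the peer acknowledges them."""

    def __init__(self, max_retries=3):
        self._pending = {}          # seq -> (packet bytes, time last sent, retries so far)
        self.max_retries = max_retries  # assumption: the page states no retry limit
        self.dropped = []           # sequence numbers given up on

    def sent(self, seq, packet, now):
        """Record a packet the caller has just transmitted at time `now`."""
        self._pending[seq] = (packet, now, 0)

    def acked(self, seq):
        """Clear a packet on acknowledgement; unknown sequence numbers are ignored."""
        return self._pending.pop(seq, None) is not None

    def due(self, now):
        """Packets due for retransmission at `now`; re-arms their timers or drops them."""
        out = []
        for seq, (pkt, sent_at, retries) in list(self._pending.items()):
            if now - sent_at < RETRANSMIT_AFTER:
                continue
            if retries >= self.max_retries:
                del self._pending[seq]
                self.dropped.append(seq)
            else:
                self._pending[seq] = (pkt, now, retries + 1)
                out.append((seq, pkt))
        return out

    def outstanding(self):
        return sorted(self._pending)


if __name__ == "__main__":
    tracker = PendingAcks()
    tracker.sent(1, b"login", 0.0)
    print(tracker.due(10.0))   # the login packet comes back for retransmission
```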
Client-Client Communication
For messaging, sending URLs, file transfers, and chat sessions, a Client-to-Client connection using TCP is established. The IP addresses and port numbers for ICQ users are received from the ICQ server upon connection.
Related Protocols
There exist many protocols similar to the ICQ protocol. Even though none of them is as widespread as ICQ, they may be important anyway. At least two of them (RVP/PIP and ICGnu) are still under development.
- Instant Messaging and Presence Protocol (IMPP)
The IMPP (formerly known as RVP (Rendez-vous Protocol) / PIP (Presence Information Protocol)) is an open protocol being developed by the IETF (Internet Engineering Task Force). They've been working on this for quite some time, and should have avoided all the mistakes that ICQ has made. If you feel they haven't, they'd surely be glad to hear. I recommend everyone interested in "enhancing" the ICQ protocol to first check whether IMPP doesn't already do what you want to do.
- Jabber
Jabber is an ambitious large-scale open source project to create a unified instant messaging protocol, with connections (known as transports) to other IM services, such as ICQ and AIM.
- ICGnu
ICGnu is another initiative to create an open protocol for presence notification and instant messaging. The project seems to have disappeared now, however.
- AIM (AOL Instant Messenger)
Some important understanding about the AIM (AOL Instant Messenger) protocol has been achieved, and writing of a clone has been started. More information about the AIM Protocol and the FAIM clone can be found at Adam Fritzler's web pages.
- Pagoo
There has been some discussion about trying to decode the Pagoo protocol (which is similar to ICQ). However, as far as I know, no information is known at the moment about this protocol. If you know something about it, please send me an e-mail!
GLOSSARY
AIM: Some important understanding about the AIM (AOL Instant Messenger) protocol has been achieved, and writing of a clone has been started. More information about the AIM Protocol and the FAIM clone can be found at Adam Fritzler's web pages.
API: An API (Application Program Interface) is a set of routines, protocols, and tools for building software applications. A good API makes it easier to develop a program by providing all the building blocks; a programmer puts the blocks together.
Most operating environments, such as MS-Windows, provide an API so that programmers can write applications consistent with the operating environment. Although APIs are designed for programmers, they are ultimately good for users because they guarantee that all programs using a common API will have similar interfaces. This makes it easier for users to learn new programs.
DLL: A DLL (Dynamic Link Library) is a library of executable functions or data that can be used by a Windows application. Typically, a DLL provides one or more particular functions, and a program accesses the functions by creating either a static or a dynamic link to the DLL. A static link remains constant during program execution, while a dynamic link is created by the program as needed. DLLs can also contain just data. DLL files usually end with the extension .dll, .exe, .drv, or .fon.
A DLL can be used by several applications at the same time. Some DLLs are provided with the Windows operating system and are available to any Windows application. Other DLLs are written for a particular application and are loaded with the application.
ICGnu: ICGnu is another initiative to create an open protocol for presence notification and instant messaging. The project seems to have disappeared now, however.
IETF: The IETF (Internet Engineering Task Force) is the main standards organization for the Internet. The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.
PIP: PIP (Presence Information Protocol) enables the exchange of document-based virtual presence information. Virtual presence information is the foundation for virtual neighborhood services, which provide users with information about virtual neighbors, i.e. other users who are close within the virtual document space established by the World Wide Web. PIP also allows the exchange of simple text-based messages.
RVP: RVP (Rendez-vous Protocol)
This assumes the protocol:
*source sends ready-to-send
*destination sends ready-to-receive
*data is exchanged
Data is never buffered, although ready-to-send messages may be. This protocol is likely to be more efficient for long messages, because it eliminates the need to copy data from the input buffer to user space. A ready-to-receive message can include an identifier for the request object at the receiving end. The sending end can reflect this id in the header of the data packet, allowing the input handler at the receiving end to retrieve the relevant request when the data arrives.
SocketSpy: SocketSpy is a multipurpose utility initially created for trapping Winsock, SNMPAPI and ICMP calls and the network TCP/UDP traffic of active or new processes. In other words, you may investigate an already running process or start a new one in the SocketSpy debug environment. Later versions of SocketSpy can also show the file I/O (KERNEL32.DLL) or Windows Registry (ADVAPI.DLL) operations of the tested process. For example, you may capture all network and file input/output traffic of IExplore, Outlook Express and other programs. It is possible to capture only file I/O, network I/O or Windows Registry access separately. The utility may be used for finding trojans and viruses, for studying high-level network protocols, or for reverse engineering network software. In short form, results are presented as Rich Edit text in the output window, and the full information may be saved as a log file.
SocketSpy is actually based on the Win32 Debug functions, but if the tested process asks whether a debugger is present, SocketSpy may block this request so that the tested process receives the answer "No".