Since March 10, 2003 - Version 2.1
hypothetic.org

MSN Messenger Protocol

Research - MSNP8

Back To Normal Layout

Authentication example

Here is an example of logging into the MSN Messenger server using version 8 of the protocol. In this example the user "example@passport.com" logs in with version 5 of the official client. His password is "password".

Notification Server

The client first logs into Microsoft's dispatch server (messenger.hotmail.com), is redirected to 207.46.106.35, then logs in successfully. At the time of writing, messenger.hotmail.com resolves to the IP address 207.46.104.20.

<o> Client connects to messenger.hotmail.com, port 1863 (Dispatch Server)

>>> VER 1 MSNP8 CVR0\r\n

<<< VER 1 MSNP8 CVR0\r\n

>>> CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS example@passport.com\r\n

<<< CVR 2 6.0.0602 6.0.0602 1.0.0000 http://download.microsoft.com/download/8/a/4/8a42bcae-f533-4468-b871-d2bc8dd32e9e/SETUP9x.EXE http://messenger.msn.com\r\n

>>> USR 3 TWN I example@passport.com\r\n

<<< XFR 3 NS 207.46.106.35:1863 0 207.46.104.20:1863\r\n

<o> messenger.hotmail.com closes connection

<o> client connects to 207.46.106.35, port 1863

>>> VER 1 MSNP8 CVR0\r\n

<<< VER 1 MSNP8 CVR0\r\n

>>> CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS example@passport.com\r\n

<<< CVR 2 6.0.0602 6.0.0602 1.0.0000 http://download.microsoft.com/download/8/a/4/8a42bcae-f533-4468-b871-d2bc8dd32e9e/SETUP9x.EXE http://messenger.msn.com.\r\n

>>> USR 3 TWN I example@passport.com\r\n

<<< USR 3 TWN S lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1062764229,kpp=1,kv=5,ver=2.1.0173.1,tpf=43f8a4c8ed940c04e3740be46c4d1619\r\n

<o> Client authenticates itself with MS Passport

>>> USR 4 TWN S t=53*1hAu8ADuD3TEwdXoOMi08sD*2!cMrntTwVMTjoB3p6stWTqzbkKZPVQzA5NOt19SLI60PY!b8K4YhC!Ooo5ug$$&p=5eKBBC!yBH6ex5mftp!a9DrSb0B3hU8aqAWpaPn07iCGBw5akemiWSd7t2ot!okPvIR!Wqk!MKvi1IMpxfhkao9wpxlMWYAZ!DqRfACmyQGG112Bp9xrk04!BVBUa9*H9mJLoWw39m63YQRE1yHnYNv08nyz43D3OnMcaCoeSaEHVM7LpR*LWDme29qq2X3j8N\r\n

<<< USR 4 OK example@passport.com example%20display%20name 1 0\r\n

the client had to authenticate itself with MS Passport to get the ticket used in the final USR message.

The Passport Nexus

Passport authentication begins with the Passport Nexus, just as logging into Messenger begins with the Dispatch Server. The client sends the following HTTPS GET request for the URL "https://nexus.passport.com/rdr/pprdr.asp", using HTTPS version 1.0:

<o> Client connects to nexus.passport.com, port 443 (Passport Nexus)

>>> GET /rdr/pprdr.asp HTTP/1.0\r\n
\r\n

<<< HTTP/1.1 200 OK\r\n
<<< Server: Microsoft-IIS/5.0\r\n
<<< Date: Mon, 02 Jun 2003 11:57:47 GMT\r\n
<<< Connection: close\r\n
<<< PassportURLs: DARealm=Passport.Net,DALogin=login.passport.com/login2.srf,DAReg=http://register.passport.net/uixpwiz.srf,Properties=https://register.passport.net/editprof.srf,Privacy=http://www.passport.com/consumer/privacypolicy.asp,GeneralRedir=http://nexusrdr.passport.com/redir.asp,Help=http://memberservices.passport.net/memberservice.srf,ConfigVersion=11\r\n
<<< Content-Length: 0\r\n
<<< Content-Type: text/html\r\n
<<< Cache-control: private\r\n
<<< \r\n

<o> nexus.passport.com closes connection

As you can see, the Nexus returned "login.passport.com/login2.srf" as the login server to connect to.

The Login Server

The client sends an HTTPS GET request for the URL given to it by the Nexus. Login servers require you to use HTTPS version 1.1, and therefore to send a "Host" header in every request. Note that the challenge string used here is taken from the USR message sent by the Notification Server.

<o> Client connects to login.passport.com, port 443

>>> GET /login2.srf HTTP/1.1\r\n
>>> Authorization: Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in=example%40passport.com,pwd=password,lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1062764229,kpp=1,kv=5,ver=2.1.0173.1,tpf=43f8a4c8ed940c04e3740be46c4d1619\r\n
>>> Host: login.passport.com\r\n\r\n

If the server redirected the client to "https://loginnet.passport.com/login2.srf?lc=1033", the response might look like this:

<<< HTTP/1.1 302 Found\r\n
<<< Server: Microsoft-IIS/5.0\r\n
<<< Date: Mon, 02 Jun 2003 11:58:32 GMT\r\n
<<< PPServer: H: LAWPPLOG5C006\r\n
<<< Connection: close\r\n
<<< Content-Type: text/html\r\n
<<< Expires: Mon, 02 Jun 2003 11:57:32 GMT\r\n
<<< Cache-Control: no-cache\r\n
<<< cachecontrol: no-store\r\n
<<< Pragma: no-cache\r\n
<<< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"\r\n
<<< Authentication-Info: Passport1.4 da-status=redir\r\n
<<< Location: https://loginnet.passport.com/login2.srf?lc=1033\r\n
<<< \r\n

If the request was successful, the response might look like this:

<<< HTTP/1.1 200 OK\r\n
<<< Server: Microsoft-IIS/5.0\r\n
<<< Date: Mon, 02 Jun 2003 11:59:00 GMT\r\n
<<< PPServer: H: LAWPPIIS6B061\r\n
<<< Connection: close\r\n
<<< Content-Type: text/html\r\n
<<< Expires: Mon, 02 Jun 2003 11:58:00 GMT\r\n
<<< Cache-Control: no-cache\r\n
<<< cachecontrol: no-store\r\n
<<< Pragma: no-cache\r\n
<<< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"\r\n
<<< Set-Cookie: MSPSec1= ; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=.passport.com;path=/;HTTPOnly= ;version=1\r\n
<<< Set-Cookie: MSPSec=5Cdd1SshOELpwqafsSuYSiDEuEtP1PUaX99YOZcaoJP3vkIn7DXozt868I7eJNjcWG; HTTPOnly= ; domain=.passport.com;path=/;secure=\r\n
<<< Set-Cookie: MSPAuth=5yDBU0BqvDa7UiY9W9nVEncRXCLD4gjLmtEr2XkunnafkOgdgG5x*CEpqe7MyZEOir*EiA1PbwLKzqCGO671TeTQ$$; HTTPOnly= ; domain=.passport.com;path=/\r\n
<<< Set-Cookie: MSPProf=5a0mKE6PKDsxz!*4apQt0amnQOGLYqcCm78ie!MmHq0KnAiIJM0z0Zajs8NL7ux7Ae0hnH5AAoB!zXIZ9jTA2rcQttC*RKKRsc9k7JflwThB!H0Qa*6ipGcdj5co6taPir; HTTPOnly= ; domain=.passport.com;path=/\r\n
<<< Set-Cookie: MSPVis=507;domain=.passport.com;path=/\r\n
<<< Set-Cookie: MSPPre=esqkk@hotmail.com; HTTPOnly= ; domain=.passport.com;path=/;Expires=Wed, 30-Dec-2037 16:00:00 GMT\r\n
<<< Set-Cookie: MSPShared= ; HTTPOnly= ; domain=.passport.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT\r\n
<<< Authentication-Info: Passport1.4 da-status=success,tname=MSPAuth,tname=MSPProf,tname=MSPSec,from-PP='t=53*1hAu8ADuD3TEwdXoOMi08sD*2!cMrntTwVMTjoB3p6stWTqzbkKZPVQzA5NOt19SLI60PY!b8K4YhC!Ooo5ug$$&p=5eKBBC!yBH6ex5mftp!a9DrSb0B3hU8aqAWpaPn07iCGBw5akemiWSd7t2ot!okPvIR!Wqk!MKvi1IMpxfhkao9wpxlMWYAZ!DqRfACmyQGG112Bp9xrk04!BVBUa9*H9mJLoWw39m63YQRE1yHnYNv08nyz43D3OnMcaCoeSaEHVM7LpR*LWDme29qq2X3j8N',ru=http://messenger.msn.com\r\n
<<< Content-Length: 0\r\n
<<< \r\n

The client's ticket is t=53*1hAu8ADuD3TEwdXoOMi08sD*2!cMrntTwVMTjoB3p6stWTqzbkKZPVQzA5NOt19SLI60PY!b8K4YhC!Ooo5ug$$&p=5eKBBC!yBH6ex5mftp!a9DrSb0B3hU8aqAWpaPn07iCGBw5akemiWSd7t2ot!okPvIR!Wqk!MKvi1IMpxfhkao9wpxlMWYAZ!DqRfACmyQGG112Bp9xrk04!BVBUa9*H9mJLoWw39m63YQRE1yHnYNv08nyz43D3OnMcaCoeSaEHVM7LpR*LWDme29qq2X3j8N, which is returned to the Notification Server.

If the request failed, the response might look like this:

<<< HTTP/1.1 401 Unauthorized\r\n
<<< Server: Microsoft-IIS/5.0\r\n
<<< Date: Mon, 02 Jun 2003 11:58:15 GMT\r\n
<<< PPServer: H: LAWPPIIS6B077\r\n
<<< Connection: close\r\n
<<< Content-Type: text/html\r\n
<<< Expires: Mon, 15 Sep 2003 07:57:14 GMT\r\n
<<< Cache-Control: no-cache\r\n
<<< cachecontrol: no-store\r\n
<<< Pragma: no-cache\r\n
<<< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"\r\n
<<< PassportConfig: ConfigVersion=11\r\n
<<< WWW-Authenticate: Passport1.4 da-status=failed,srealm=Passport.NET,ts=-3,prompt,cburl=http://www.passportimages.com/XPPassportLogo.gif,cbtxt=Type%20your%20e-mail%20address%20and%20password%20correctly.%20If%20you%20haven%E2%80%99t%20registered%20with%20.NET%20Passport%2C%20click%20the%20Get%20a%20.NET%20Passport%20link.\r\n
<<< Content-Length: 390\r\n\r\n

Copyright ©2002-2004 to Mike Mintz.
<http://www.mikemintz.com/>