Understanding Illegal Streaming

go back / p4p1


Created on Tue. 04 sep 2022



Before anything do not reproduce this blog post on any website I am not hacking any website directly I am just curious on how they work. Reconnaissance on a technical level is not illegal and I am being as careful as I can so that I don't accidentally brake anything or find any vulnerabilities. It also has to be noted that I only stream using netflix and other services because I am a good citizen.

This post is mainly for fun sometimes I just really get curious on how stuff works and I have this obsession with the shady stuff. I always bing watch videos about scammers and stuff like that so that is probably where my obsession with this kind of stuff is shown the most :). Spending nights reversing this kind of stuff I always end up learning neat tricks.

The Target

When I was younger pirating movies was the big main edgy thing to do. Literally everyone and their mom where doing it to the point of really crazy adds like "You wouldn't steal a car, so don't pirate movies"

Let's be honest those things didn't work and where a bit of a joke but some people in france where I am from ended up getting arrested I think with this big thing called hadopi. I wanted to know since all the torrent stuff was a bit out of date but still existing, what is a web equivalent but illegal version of torrenting. After extremely light research I found a few that would fit my needs for this research but one was surprisingly mentioned multiple times. I decided not to disclose them obviously seeing what I'm about to do next.

Recon

The main point of this was understanding how video streaming worked on those websites, what do they use to stream and where do they store all the illegal goods :). After studying a lot of porn site during my last bug bounty adventure (still waiting on the bug to be fixed to disclose it), I started getting curious at what kind of company does business with the "shady" side of businesses, I just find that so much more entertaining.

My first approach on understanding how the player worked I thought dev tools could give me that information, as you can see above they also thought of the same so I thought I was already on the good track. If they try to stop me from doing something it means my answers are behind that thing. Thinking this through my mind went to BurpSuite. I'll cut to the chase, terrible idea, BurpSuite was a big mess with so many requests at once I will get to discover why later but at 3am I am not in the mood for that I know I can find something easier to deal with. Plus at the time I thought video was only send through UDP and that wouldn't be shown on Burp to my knowledge.

I then thought of Wireshark, that would solve my UDP issue. So configuring my browser to dump it's ssl-keys to a file and have me load them into wireshark I could see all of the traffic :)

          
            chromium --ssl-key-file=/home/p4p1/.ssl-key.log
          
        

Bingo I could see more info I then decided to research a bit more into the site. Looking through the UDP traffic I was surprised to not see as many as I was expecting a lot more TCP that usual even when the video was buffering :/ a bit strange. So I went back to the drawing board. Remembering my little websocket project I thought what is actually blocking me from opening devtools could I bypass that?

Bypassing

When I am on the page and I open the devtools I get the page to hang because of this instruction for some reason opening the devtools the debugger gets triggered by this but it doesn't get triggered when the devtools are closed.

After a bit of research I found that debugger is actually a JS instruction to put a brake point in the debugger and I am guessing an other side of the code just check the execution flow and if there is a pause it triggers the routine to put in the "close devtools" message. Now the debugger instruction is not the same as the websocket class it is an actual instruction so it cannot be replaced to a continue by overwriting the function or object. After a bit of research I found this stack overflow post. Thank god for Stack Overflow:

Using this I am now able to really dig deep inside of streaming system.

Answering my questions

This is when I started to understand all of the problems I had up until now. My notions on this kind of stuff was very limited before this project this is why I love doing this kind of weird research I get to fuck with cool projects and learn a bunch of strange stuff. Now my main question how does the streaming actually work. Looking through the network tab in my browser I see a lot of .ts files which I am guessing is type script. Those are loaded when the video buffers in so I am guessing those are actually video data hidden inside of type script files to make it harder to rip from the website so I just copied a request and saved the output to a file on my computer to inspect it more.

After saving it I decided to run the file command against it but the output was not useful to me.

I randomly decided to run it with the vlc program just to see:

Jackpot vlc works I have a 6second clip from what was being streamed, so I am guessing they use .ts to confuse people I am not sure. Next course of action was to find where those chunks where stored. Thanks to the devtools I just had to go on the domain name of where the chunk was stored.

You just cant make this up, this was the webpage I was pissing myself laughing. Pretty cool an other french dude I guess. I did try a few other paths on the page but sadly only 404s. Going back to the original site I looked at the iframe. Copying the link of the iframe (which was on an other domain) I just get a page with the player in full screen. Pretty nice because at least there are not annoying adds now oupsy just fucked their revenue stream there. Looking at the link I was just so confused because it was following this format

          
          https://domain.name/streaming.php?id=AlphaNumericID
          
        

Messing with the id I was able to increment the number by one and find the next episode LMAO.

Going back to the player I looked at a few scripts it was using to be able to run and I kept on seeing a name over and over again jwplayer researching that name I found the company that sells those players which is interesting to know. After all of that I think I pushed my luck a bit to far


I feel like I pushed my luck a bit to far with this I now know a lot about streaming stuff illegally and I have no interest in going further I think it's just cool to see how in JS they can block someone to inspect their code and it felt good bypassing it :)