Microsoft Notification Protocol forensics

A brief forensic consideration of the Microsoft Notification Protocol (MSNP). …

Microsoft's MSNP is an instant messaging protocol for use by the .NET Messenger Service and the instant messaging clients that connect to it, such as Windows Live Messenger (WLM). For this reason it is sometimes referred to as the WLM protocol or the Messenger protocol.

MSNP does not provide encryption. This can be mitigated with client-side encryption.

MSNP has gone through multiple versions. Beginning with MSNP16, Multiple Points of Presence (MPOP) is supported, allowing an account to be simultaneously logged in at multiple locations with chats replicated on all clients. Current open source implementations, however, are based on the older MSNP8, which does not support MPOP. If you log in to a second client, the first client is automatically logged out and is informed that "you have signed on from another location". The second client receives no such message.

This provides a tripwire with which to detect someone accessing your account. Using an open source client, when you have finished chatting, set your presence to invisible instead of logging out. Leave the computer running. If an attacker enters your account, you will see that you have been logged out with the above message. Depending upon the client, you may be able to log the time of the occurrence.
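One way to record the time of the occurrence, as an added example that is not part of the original post: a small parser that scans a client's protocol debug log for the server-sent `OUT OTH` command, which is how an MSNP notification server tells a client it was signed out because the account signed in elsewhere. The log line layout and the sample lines are constructed assumptions; adapt the regular expression to what your client writes.

```python
import re
from datetime import datetime

# Constructed sample. Assumed layout: ISO timestamp, direction marker
# ("<<" = from server, ">>" = from client), then the raw MSNP command.
SAMPLE_LOG = """\
2013-05-02T21:14:03 >> CHG 12 HDN 0
2013-05-02T21:14:03 << CHG 12 HDN 0
2013-05-02T21:15:00 >> PNG
2013-05-02T21:15:00 << QNG
2013-05-03T02:17:45 << OUT OTH
2013-05-03T08:30:12 << OUT SSD
2013-05-03T09:00:00 >> OUT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dir><<|>>) (?P<cmd>.*)$")

def find_tripwire_events(log_text):
    """Return (timestamp, was_invisible) for every server-sent OUT OTH."""
    events = []
    presence = None  # last status the server confirmed with CHG
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dir") != "<<":
            continue  # ignore noise and anything the client itself sent
        fields = m.group("cmd").split()
        if fields[:1] == ["CHG"] and len(fields) >= 3:
            presence = fields[2]  # HDN means hidden (invisible)
        elif fields[:2] == ["OUT", "OTH"]:
            try:
                ts = datetime.fromisoformat(m.group("ts"))
            except ValueError:
                continue  # unparseable timestamp: skip rather than guess
            events.append((ts, presence == "HDN"))
            presence = None  # session is over
    return events

if __name__ == "__main__":
    for ts, invisible in find_tripwire_events(SAMPLE_LOG):
        state = "while invisible" if invisible else "presence unknown"
        print(f"Signed out from another location at {ts} ({state})")
```

`OUT SSD` (server shutdown) and a client-sent `OUT` (normal logout) are deliberately not counted, so only a sign-in from elsewhere trips the wire.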

MSNP on Wikipedia


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?