The brute-forcing of virtual MAC addresses, the thorn in the side of illegal IPTV servers.
Introduction
On July 14, 2024, DAZN, a sports streaming service, acquired the rights to Ligue 1 for 400 million euros.
It offers supporters 2 subscription plans, including one at €30 per month with a 12-month commitment (to watch all Ligue 1 matches except 1 match broadcast by Bein).
Thus, the French supporter must spend €45 per month just to watch Ligue 1. There is no need to continue to prove that this system will not work. Especially since DAZN requires 1.5 million subscribers to be profitable.
Using IPTV is therefore an alternative for these supporters, who are burdened with increasingly high costs each year to watch their favorite team.
This article aims to explore how IPTV works, as well as its server and connection/authentication methods.
Obtaining IPTV for free by "hacking" a server is illegal. This article is intended to inform you about how IPTV works and not to encourage you to obtain it for free or otherwise.
How IPTV Works
Inquiring with others who have IPTV, I identified 2 methods of authentication for accessing IPTV:
- Via a username and password, then through an m3u file
Here’s how this authentication works:
An m3u file is a text file containing a list of channels and their respective "stream" links.
If you want to learn more, public m3u files are available on GitHub: https://github.com/iptv-org/iptv
However, I have noticed that usernames and passwords are generated by the IPTV service provider, and these are generally complex. It is impossible for us to guess them.
- Via a virtual MAC address
This authentication method is notably used for set-top boxes (STBs) sold through marketplaces like Alibaba or Aliexpress. Here’s how it works:
Analyzing Requests Made by IPTV (via STB)
- Handshake between the STB and the server:
The STB sends:
- Its virtual MAC address via the
Cookieheader (mandatory) - Its language (optional)
- Its timezone (optional)
The server responds with a token, which will be used later.
- Requesting subscription information:
The STB will then request information about its subscription via the get_main_info action:
To authenticate, the STB sends:
- Its virtual MAC address via the
Cookieheader and as a GET argument - The token received previously via the
Authorizationheader (Bearer)
These authentication details will be consistently sent by the STB in subsequent requests.
The server responds with the subscription's expiration date. This will be validated by the STB before requesting a stream.
- Requesting the list of channels:
The STB then requests the list of channels via the get_all_channels action:
The server responds with the list of available channels in JSON format.
Each channel link is in the following format:
http://localhost/ch/<number>
- Requesting a channel:
The provided link is a local link. Therefore, it must be modified for use by the STB. This is done via the create_link action:
The server sends a link in the following format:
https://<iptv_streaming_server>/live/<random_string>/<random_string>/<channel_number>.ts?play_token$[TOKEN]
This structure is designed to prevent any link sharing or brute-forcing.
It is also important to note that the token’s lifespan is very short (about 2 minutes).
- Watching the Channel:
The STB then sends a request to view the channel:
The chunk in the response is indeed a video stream. Note also the change in content-type from text/javascript to video/mp2t.
Summary Diagram
Attack Methodology
Let’s assume we want to find a valid virtual MAC address. We would need to craft 2 requests:
- Handshake:
GET /portal.php?action=handshake&type=stb&token=&mac= HTTP/1.1
Host: <iptv_server>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Cookie: mac=<mac_to_find>;stb_lang=en;timezone=Europe/Paris
If the server responds with a 200 code, then the virtual MAC is valid. However, it might not be associated with an active subscription.
To verify this, we will check with the server if the MAC has an active subscription:
- Requesting Subscription Information:
GET /portal.php?type=acount_info&action=get_main_info&mac=<precendent_mac> HTTP/1.1
Host: <iptv_server>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Authorization: Bearer <token_precedemment_obtenu>
Cookie: mac=<mac_to_find>;stb_lang=en;timezone=Europe/Paris
We will receive a response in the following format:
{
"js": {
"mac": "<found_mac>", "phone": "<subscription_end_date>"
}
}
Thus, it will be possible to distinguish between valid but expired virtual MAC addresses and valid and active virtual MAC addresses.
It is possible to create your own brute force script, or you can use a tool like 'mcbash,' which also works very well:
Link : https://github.com/dougy147/mcbash
Recognizing and Finding IPTV Servers
A MAC address consists of 6 bytes, or 48 bits. This represents 281,474,976,710,656 possible combinations. It is possible to guess this virtual MAC address, but it will take time.
By analyzing various information leaks, I have observed that all MAC addresses start with 00:1A:79. This reduces the number of possibilities to 2^24 (16,777,216).
Additionally, from these information leaks, I have identified several common points:
- IPTV servers always respond on the
/c/endpoint - IPTV servers commonly have names like
stalker_portalorPORTAL - The HTML code often contains the term
stb
Example:
With this information, it is possible to create a filter on Shodan to find IPTV servers.
http.html:stb http.html:version.js
Given the limited number of requests available on Shodan, I aimed broadly to then filter the results.
version.js is a file common to all these IPTV services. I use it as an initial filter to reduce the number of results.
The query returns 133 IPTV servers, which is enough to get started.
Results
Here are my results of the brute force attack on 10 servers :
Viewing IPTV with the Virtual MAC Address
Once you obtain a virtual MAC address, you have 2 options to view the content:
Via STBEmu (Android / Android TV)
STBEmu is a free application available on the Play Store that allows you to emulate an STB box on your phone to watch any channel.
Once the app is installed, you just need to modify 2 settings in the profile you create:
- In "Portal Settings," then "Portal URL," enter the IPTV server URL (don't forget to include the port), with
/cat the end. - In "STB Configuration," then "Mac Address," enter the virtual MAC address you found.
The serial number is also sent to the server but is not checked. You can leave this parameter at its default value.
Once back on the main page, tap the button in the top left corner (the three bars), then tap "Reload Portal." You should see the channels appear.
Via PiTV (Windows / Mac / Linux)
Download the binary corresponding to your platform from PiTV Releases.
Then, enter the information you found:
Conclusion
We have explored how IPTV works, including the different authentication methods. These methods can be poorly designed, badly protected, and therefore allow access to an IPTV service without necessarily paying.
On another note, the fact that the costs for an average French person are increasing so much to access content for a sport, which is a popular sport, is unacceptable.
It is therefore normal for people to seek alternatives, and IPTV is one such alternative. Raising prices while trying to eradicate these alternative methods is futile. For example, 200,000 people watched the opening match of the 2024-2025 Ligue 1 season via Telegram. A record.
DAZN's gamble is risky, perhaps even doomed to fail...
Finally, I would like to emphasize one point: funding IPTV equates to funding potentially criminal organizations. I encourage those who wish to watch Ligue 1 matches to use legal means, such as the YouTube channel https://www.youtube.com/cazetv, which streams matches for free from Brazil (use a VPN set to Brazil).