Copy Link
Add to Bookmark
Report

The Discordant Opposition Journal Issue 00 File 05

  

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Surviving IRC:

By Rue-the-Day
http://www.Rue-the-Day.net/

This focus of this article isn't really about 'hacking' IRC in the sense of
the word that most people use, it can be used to give people ideas on ways
to exploit flaws on IRC though. When I think about hacking I don't just
think about things I can use, I also like to try to think about what others
may use against me. I spent a fair amount of time on IRC and became familiar
with a lot of the pitfalls that people find themselves in, I decided to write
this article to make people aware of them. I'll cover various ways in which
you can help to decrease the chances of anything too damaging happening to
your system while on IRC. All of this is taken from my own experience [not
usually as a victim though], I hope it helps a few people out.

Your choice of Client.

To connect to irc you need an irc 'client'. What the client does is provide
an interface between you and the IRC server. There are many clients out
there but a few are used more than others.

My personal choice is 'XiRCON', which I would recommend you check out. Its
homepage is http://www.xircon.com and you can also get other stuff to do
with it like scripts from there. The most popular IRC client is mIRC but as
a consequence there are a lot of well documented security flaws in it, I
would not consider it anywhere near as good as XiRCON. Even the latest
versions of mIRC can be frozen by 'Hanson' programs and all of the earlier
versions are vulnerable to other attacks as well. XiRCON has a lot of
nice features, it allows multiple server connections easily and uses tcl
for it's scripting language which is also used in X-Windows. Give it
a look and see what you think.

Your choice of IRC Scripts.

When you're looking at what you want from an irc script there are some
basics that you definitely need such as a link looker to detect netsplits
and rejoins and mass modes for kicking and banning, other options are also
good. Most scripts have a lot of features that you would probably never need
and if you want one that does something specific the chances are that it
already exists, if you can't find it then write it yourself! Another
important feature is a nice and easy wingate connector but more on that
later. A very cool friend of mine once said 'The best script you can have is
the one you coded yourself.' and he was right.

The script that I use, penance, is one that I've coded some of myself and
kludged together from various other scripts that I liked. It has a ctcp cloak,
a fake version and general ctcp reply sender, link looker and nethack
detector as well as some other stuff, the point is that even though the
features it has aren't incredible by any means I get by with it well. You
don't need everything with bells on because chances are you won't get a
chance to use half of it, when it comes down to it go for practicality over
all else.

There are loads of script archives available on the web although a lot of
them have very questionable quality stuf to offer. It is also worth noting
that popular war scripts like 7th Sphere are now k-lined from most of the big
servers. I have also heard that 7th Sphere has a trojan feature which allowed
it's creators to eavesdrop on people using the script. This is important to
consider, many scripts have inbuilt features that you may not be aware of,
some will change your username without you being aware of it ['oh, I was
wondering why none of my aops were functioning...'] and some allow others
to see who else is using the same script on that particular server. Some
scripts have sections in them commented out and others ahve features that
will only be obvious from taking the time to glance over the code, take the
time to do that - get to know the scripts you use. Some scripts will claim
various things like deop protection or ban protection but aren't coded
properly and therefore can't do what they claim to, others are full of bugs
and shouldn't even be released as beta tests - don't place trust in scripts
like this. Choose scripts that work and make sure that the features you'll
want to use function as they should.

Wingating.

Anonymity can be hard to achieve on irc, if people know you're ident then
pretending to be someone else isn't easy. For instance when I'm on irc my
ident will be something along the lines of 'Rue-the-Day
Rue-the-Da@p155.portlaoise1.tinet.ie'. With just that information you can
narrow down my location to Ireland and even within that to an area around
the Portlaoise node for tinet. So how would I conceal my location? Wingating.

Wingating allows two computers to share a connection, when it is first
installed it has certain defaults running. Like all defaults they aren't
necessarily ones that you'd want to leave active, careless admins leave
them running though. You can use a wingate to bounce your connection to irc
through and therefore appear to be coming from wherever the wingate is set
up, for instance I could be 'Rue-the-Day Rue-the-Da@prairienet.nz' or
wherever I could find a wingatable connection.

You can search for wingates by putting an ip string into a domain or port
scanner and scanning for port 23. Domain scanners can be found by searching
the web. Once you've found wingatable servers you can then connect to them,
this can be done manually or through a script. To connect in mIRC type
'/server wingate.ip' and then '/quote irc.chat.net 6667' next type '/quote
user blah blah blah@server.net blah' and finally '/quote nick yournick'.
The method of connection is similar in XiRCON and there's a script to do it
at my site [http://www.Rue-the-Day.net/] that does it as well, written by a
friend who wishes to remain anonymous.

Netsplits, Link Looker and Nethack protection.

What is a netsplit? A netsplit is when a specific server [or servers]
splits away from the main server. When this happens [and if you have a
script with Link Looker built in] you will be notified, some versions also
tell you who split off with the server as well. If a person connects to a
server that has split and join a channel that she wishes to hack and nobody
else is there then she will be opd. When the server reconnects then she will
be opd in the channel and will then have to try to get rid of the other ops.
I spent most of my time on DALnet so I'm not sure waht it's like on some of
the other servers but when I was there netspklits were very common, we had
thirty five at one time once - it was almost every server.

A lot of the XiRCON scripts I've seen [including my own, 'penance'] have
'Nethack protection' which basically monitors for anyone riding in on a
split server and deops them or devoices them, it will also warn you if the
person joins from a split even if they didn't get oped or whatever.
This combined with Link Looker means that you are constantly aware of
anything going on to do with netsplits. Bots can also be set up to detect
attempted take overs and defend the channel be deopping the person riding
in on the split.

With XiRCON you can connect to another server in a different window and so
be on both sides of the split at the same time, this is also very handy. It
means that you can see what's going on in the channel that you want to take
and also who you'll need to deal with to gain control of the channel.

Denial of Service attacks [DoS].

Denial of Service in one of it's most basic forms is the 'nuke' or 'icmp
bomb'. Although a lot of people out there are patched it's a continual
source of amazement to me the large numbers who aren't.

Denial of Service attacks mostly work by sending signals to your computer,
an example being OOB [out of band data] which will cause net disnconnection,
a system error or the closing of certain connections. Ping floods are another
common attack used to slow or cut off people's access. When supplied with a
target ip a ping flood program will send successive ping requests consuming
a huge amount of bandwith and will either result in lag for the victim or a
ping timeout.

Patches are available to block the flaws that some of the various DoS
attacks use, programs such as 'nukenabber' are also on the web and offer
further protection. Port watchers will monitor for attempted DoS attacks
and warn you of the attempts, some also log the details of the attack for
furure referance. Using unux to go on IRC makes you invulnerable to a lot
of the more common methods of attack out there and gives you access to
DoS attacks like LaTierra and commands like ping -f, XiRCON is available for
Linux under the name 'ZiRCON' and while I haven't tried it out I've been
told that it's pretty cool.

While I could go really in depth into the mechanics of how and why DoS
attacks work it would really require a full article to do so.
[Psst, check the Zine...]

Precautions you can take.

This is just a bunch of stuff that I've found useful during my time on irc.
If somebody asks you for an address that they can email you at and you
aren't sure that you trust them not to turn on you and email bomb you on
some later date what do you do? You don't want them to have your actual
email address - set up a freemail account and give that address out to
people, a usa.net account, like rue-the-day@usa.net, can be gotten at
http://netaddress.com/ or a hotmail account can be gotten at
http://www.hotmail.com.

Accepting files from people you don't know very well can be dangerous as
well, if somebody offers 'nuke protection' or some cool sounding program be
very dubious as to it's true function. One of the programs that it could in
fact be is 'Evilftp' which allows somebody to ftp to your computer through a
password protected port and do basically whatever they want to your box, be
wary. Back Orifice is another and it is simply a good idea not to accept any
files from people you don't know.

Some channels have bots or scripts that will send private messages to
anyone entering the channel set up to say things like 'for a list of the
files available from the #whatever fileserver type '/who *'. This is a
particularly easy 'attack' because it's one you do to yourself. Typing
'/who *' gives you a listing of all the people on whatever server you're on,
like the whole of DALnet or EFnet or whatever. This completely floods you
and results in a dead socket and your disconnection from irc.

A healthy degree of suspicion can be a good thing on irc. I have seen
attempted takeovers of channels in which I'm opd by very convincing
IRChackers posing as friends. People on DALnet especially are guilty of
having far too much faith in the services that the server provides, nickserv
and chanserv. For instance if an enemy of mine decided to use my identity on
irc to take over a channel in which I'm a trusted regular he could use a
wingate to approximate my ident, let's say he managed
'Rue-the-Day Rue-the-Da@dubexs.iol.ie' now people would see the '.ie' and
assume it's me, anyone from Ireland or who pays attention to such things
would know that my isp was 'tinet' not 'iol' and that I wasn't in Dublin
but all it would take is one person to believe it long enough to op the
fake 'me' and the channel would be taken. One way to get around this is to
do your best to remember people's idents but then a lot of people spoof and
mess around with wingating and vhosting anyway so that isn't too easy to do,
some people maintain databases of their friends idents and can access them
easily through irc scripts.

That's even easier on servers like Undernet or EFnet where anyone can nuke
somebody offline and take over their nick. Let's say that the channel that
the person posing as me wanted to take over was on DALnet and my nick was
registered, surely they wouldn't be able to do it right? Wrong. I have heard
of a few ways to hack nickserv and chanserv, some are fact and some are
rumour.

The easiest way to hack nickserv passwords is to run a bot and bruteforce
the person's passsword with a dictionary based attack. If the person doesn't
have nickserv enforcement active then there is nothing to stop you posing as
the person, chanserv won't op you until you enter the person's password but
it should be easy enough to convince people that chanserv is just lagged or
fucked up [all too easy to believe -sigh-] and get them to op you.

Other methods include using database synchs to re-register existing channels,
unsubstantiated but would be easy enough to prove or disprove with a bot or
script. Another method currently being investigated by a friend of mine,
Cronus [http://homepages.iol.ie/~cronus], is an attack to flood nickserv and cause
it to crash making it easier to take over channels.

If you know of any other ways in which to exploit DALnet services or irc in
general I'd be interested in hearing them, please email me any information
you have [root@Rue-the-Day.net]!


The Conclusion

So what am I saying - trust no one? No, I'm just saying that a healthy
amount of skepticism doesn't go astray, if you hear from people that
somebody is going around posing as channel regulars then be suspicious of
people who don't seem right, usually their behaviour gives them away -
somebody who's always polite and cool saying 'op me or dieeeeeee!' suddenly
is a bit of a dead give away.

If you take nothing else from this article at least realise that there are
dangers on irc, try to be aware of them. I hope this helped people to think
about it a little more.

Speaking of helping people out, I'd really appreciate if anyone out there
who knows of flaws or exploits in the various Java chat applets or CGI
scripts which allow web based chat to email me [root@Rue-the-Day.net]
with them for an article I'm writing. Thanks.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT