::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98 ::: The Discordant Opposition Journal ::: Issue 0 - File 5 ::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :Surviving IRC: By Rue-the-Day http://www.Rue-the-Day.net/ This focus of this article isn't really about 'hacking' IRC in the sense of the word that most people use, it can be used to give people ideas on ways to exploit flaws on IRC though. When I think about hacking I don't just think about things I can use, I also like to try to think about what others may use against me. I spent a fair amount of time on IRC and became familiar with a lot of the pitfalls that people find themselves in, I decided to write this article to make people aware of them. I'll cover various ways in which you can help to decrease the chances of anything too damaging happening to your system while on IRC. All of this is taken from my own experience [not usually as a victim though], I hope it helps a few people out. Your choice of Client. To connect to irc you need an irc 'client'. What the client does is provide an interface between you and the IRC server. There are many clients out there but a few are used more than others. My personal choice is 'XiRCON', which I would recommend you check out. Its homepage is http://www.xircon.com and you can also get other stuff to do with it like scripts from there. The most popular IRC client is mIRC but as a consequence there are a lot of well documented security flaws in it, I would not consider it anywhere near as good as XiRCON. Even the latest versions of mIRC can be frozen by 'Hanson' programs and all of the earlier versions are vulnerable to other attacks as well. XiRCON has a lot of nice features, it allows multiple server connections easily and uses tcl for it's scripting language which is also used in X-Windows. Give it a look and see what you think. Your choice of IRC Scripts. When you're looking at what you want from an irc script there are some basics that you definitely need such as a link looker to detect netsplits and rejoins and mass modes for kicking and banning, other options are also good. Most scripts have a lot of features that you would probably never need and if you want one that does something specific the chances are that it already exists, if you can't find it then write it yourself! Another important feature is a nice and easy wingate connector but more on that later. A very cool friend of mine once said 'The best script you can have is the one you coded yourself.' and he was right. The script that I use, penance, is one that I've coded some of myself and kludged together from various other scripts that I liked. It has a ctcp cloak, a fake version and general ctcp reply sender, link looker and nethack detector as well as some other stuff, the point is that even though the features it has aren't incredible by any means I get by with it well. You don't need everything with bells on because chances are you won't get a chance to use half of it, when it comes down to it go for practicality over all else. There are loads of script archives available on the web although a lot of them have very questionable quality stuf to offer. It is also worth noting that popular war scripts like 7th Sphere are now k-lined from most of the big servers. I have also heard that 7th Sphere has a trojan feature which allowed it's creators to eavesdrop on people using the script. This is important to consider, many scripts have inbuilt features that you may not be aware of, some will change your username without you being aware of it ['oh, I was wondering why none of my aops were functioning...'] and some allow others to see who else is using the same script on that particular server. Some scripts have sections in them commented out and others ahve features that will only be obvious from taking the time to glance over the code, take the time to do that - get to know the scripts you use. Some scripts will claim various things like deop protection or ban protection but aren't coded properly and therefore can't do what they claim to, others are full of bugs and shouldn't even be released as beta tests - don't place trust in scripts like this. Choose scripts that work and make sure that the features you'll want to use function as they should. Wingating. Anonymity can be hard to achieve on irc, if people know you're ident then pretending to be someone else isn't easy. For instance when I'm on irc my ident will be something along the lines of 'Rue-the-Day Rue-the-Da@p155.portlaoise1.tinet.ie'. With just that information you can narrow down my location to Ireland and even within that to an area around the Portlaoise node for tinet. So how would I conceal my location? Wingating. Wingating allows two computers to share a connection, when it is first installed it has certain defaults running. Like all defaults they aren't necessarily ones that you'd want to leave active, careless admins leave them running though. You can use a wingate to bounce your connection to irc through and therefore appear to be coming from wherever the wingate is set up, for instance I could be 'Rue-the-Day Rue-the-Da@prairienet.nz' or wherever I could find a wingatable connection. You can search for wingates by putting an ip string into a domain or port scanner and scanning for port 23. Domain scanners can be found by searching the web. Once you've found wingatable servers you can then connect to them, this can be done manually or through a script. To connect in mIRC type '/server wingate.ip' and then '/quote irc.chat.net 6667' next type '/quote user blah blah blah@server.net blah' and finally '/quote nick yournick'. The method of connection is similar in XiRCON and there's a script to do it at my site [http://www.Rue-the-Day.net/] that does it as well, written by a friend who wishes to remain anonymous. Netsplits, Link Looker and Nethack protection. What is a netsplit? A netsplit is when a specific server [or servers] splits away from the main server. When this happens [and if you have a script with Link Looker built in] you will be notified, some versions also tell you who split off with the server as well. If a person connects to a server that has split and join a channel that she wishes to hack and nobody else is there then she will be opd. When the server reconnects then she will be opd in the channel and will then have to try to get rid of the other ops. I spent most of my time on DALnet so I'm not sure waht it's like on some of the other servers but when I was there netspklits were very common, we had thirty five at one time once - it was almost every server. A lot of the XiRCON scripts I've seen [including my own, 'penance'] have 'Nethack protection' which basically monitors for anyone riding in on a split server and deops them or devoices them, it will also warn you if the person joins from a split even if they didn't get oped or whatever. This combined with Link Looker means that you are constantly aware of anything going on to do with netsplits. Bots can also be set up to detect attempted take overs and defend the channel be deopping the person riding in on the split. With XiRCON you can connect to another server in a different window and so be on both sides of the split at the same time, this is also very handy. It means that you can see what's going on in the channel that you want to take and also who you'll need to deal with to gain control of the channel. Denial of Service attacks [DoS]. Denial of Service in one of it's most basic forms is the 'nuke' or 'icmp bomb'. Although a lot of people out there are patched it's a continual source of amazement to me the large numbers who aren't. Denial of Service attacks mostly work by sending signals to your computer, an example being OOB [out of band data] which will cause net disnconnection, a system error or the closing of certain connections. Ping floods are another common attack used to slow or cut off people's access. When supplied with a target ip a ping flood program will send successive ping requests consuming a huge amount of bandwith and will either result in lag for the victim or a ping timeout. Patches are available to block the flaws that some of the various DoS attacks use, programs such as 'nukenabber' are also on the web and offer further protection. Port watchers will monitor for attempted DoS attacks and warn you of the attempts, some also log the details of the attack for furure referance. Using unux to go on IRC makes you invulnerable to a lot of the more common methods of attack out there and gives you access to DoS attacks like LaTierra and commands like ping -f, XiRCON is available for Linux under the name 'ZiRCON' and while I haven't tried it out I've been told that it's pretty cool. While I could go really in depth into the mechanics of how and why DoS attacks work it would really require a full article to do so. [Psst, check the Zine...] Precautions you can take. This is just a bunch of stuff that I've found useful during my time on irc. If somebody asks you for an address that they can email you at and you aren't sure that you trust them not to turn on you and email bomb you on some later date what do you do? You don't want them to have your actual email address - set up a freemail account and give that address out to people, a usa.net account, like rue-the-day@usa.net, can be gotten at http://netaddress.com/ or a hotmail account can be gotten at http://www.hotmail.com. Accepting files from people you don't know very well can be dangerous as well, if somebody offers 'nuke protection' or some cool sounding program be very dubious as to it's true function. One of the programs that it could in fact be is 'Evilftp' which allows somebody to ftp to your computer through a password protected port and do basically whatever they want to your box, be wary. Back Orifice is another and it is simply a good idea not to accept any files from people you don't know. Some channels have bots or scripts that will send private messages to anyone entering the channel set up to say things like 'for a list of the files available from the #whatever fileserver type '/who *'. This is a particularly easy 'attack' because it's one you do to yourself. Typing '/who *' gives you a listing of all the people on whatever server you're on, like the whole of DALnet or EFnet or whatever. This completely floods you and results in a dead socket and your disconnection from irc. A healthy degree of suspicion can be a good thing on irc. I have seen attempted takeovers of channels in which I'm opd by very convincing IRChackers posing as friends. People on DALnet especially are guilty of having far too much faith in the services that the server provides, nickserv and chanserv. For instance if an enemy of mine decided to use my identity on irc to take over a channel in which I'm a trusted regular he could use a wingate to approximate my ident, let's say he managed 'Rue-the-Day Rue-the-Da@dubexs.iol.ie' now people would see the '.ie' and assume it's me, anyone from Ireland or who pays attention to such things would know that my isp was 'tinet' not 'iol' and that I wasn't in Dublin but all it would take is one person to believe it long enough to op the fake 'me' and the channel would be taken. One way to get around this is to do your best to remember people's idents but then a lot of people spoof and mess around with wingating and vhosting anyway so that isn't too easy to do, some people maintain databases of their friends idents and can access them easily through irc scripts. That's even easier on servers like Undernet or EFnet where anyone can nuke somebody offline and take over their nick. Let's say that the channel that the person posing as me wanted to take over was on DALnet and my nick was registered, surely they wouldn't be able to do it right? Wrong. I have heard of a few ways to hack nickserv and chanserv, some are fact and some are rumour. The easiest way to hack nickserv passwords is to run a bot and bruteforce the person's passsword with a dictionary based attack. If the person doesn't have nickserv enforcement active then there is nothing to stop you posing as the person, chanserv won't op you until you enter the person's password but it should be easy enough to convince people that chanserv is just lagged or fucked up [all too easy to believe -sigh-] and get them to op you. Other methods include using database synchs to re-register existing channels, unsubstantiated but would be easy enough to prove or disprove with a bot or script. Another method currently being investigated by a friend of mine, Cronus [http://homepages.iol.ie/~cronus], is an attack to flood nickserv and cause it to crash making it easier to take over channels. If you know of any other ways in which to exploit DALnet services or irc in general I'd be interested in hearing them, please email me any information you have [root@Rue-the-Day.net]! The Conclusion So what am I saying - trust no one? No, I'm just saying that a healthy amount of skepticism doesn't go astray, if you hear from people that somebody is going around posing as channel regulars then be suspicious of people who don't seem right, usually their behaviour gives them away - somebody who's always polite and cool saying 'op me or dieeeeeee!' suddenly is a bit of a dead give away. If you take nothing else from this article at least realise that there are dangers on irc, try to be aware of them. I hope this helped people to think about it a little more. Speaking of helping people out, I'd really appreciate if anyone out there who knows of flaws or exploits in the various Java chat applets or CGI scripts which allow web based chat to email me [root@Rue-the-Day.net] with them for an article I'm writing. Thanks.