::::::::::::::::::::::::::::::::::::::::::::::::::::::::Dec/98 ::: The Discordant Opposition Journal ::: Issue 1 - File 2 ::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :Holes in the Dalnet Software: ^cronus^ Dalnet is one of the largest IRC networks that is run over the Internet. It runs custom written software for the services that are provided to the IRC users. This software is used by thousands of people each day as they connect and use the proprietary services. This software contains several strategic flaws that can be used against the IRC network for your own purposes. I will document these flaws without going into too much detail. * Nickserv Nickserv is the service that is used the most on the IRC network. Each user that logs on gets their nickname checked against the Nickserv database. They are given the chance to register their nickname and keep other people from using it. It is used by all the regular Dalnet users and is thus the most commonly used service. All the servers connected to the Dalnet IRC network keep a common and current database that contains all the registered nicknames. And this database software is what is slightly flawed. If you were to set up a program or IRC script that would continually change your nickname to a random string of characters and then register it with the nickserv commands. Essentially the nickserv database on the server will fill up and sooner then you'd think, it will start to corrupt. Once that server registers its database with the rest of the network, all of their databases will become corrupt. When all this happens all nickserv-registered nicknames will no longer be registered and you will have you're picking. And reregistering any nicknames will give you their access privileges in channels where they are auto-ops or even super-ops. Nickserv does not log connections or registration attempts. So brute force hacking is a major possibility when trying to capture a nickname and password. A very simple IRC script could change your nickname to the target one. Repeatedly attempting to register the nickname with words taken from a password file. Each time nickserv changes your nickname to GuestXXXX, your script would changed your nick and continue to try. This could simply be repeated until nickserv consented that you had attempted the correct password. Long, but eventually it will crack the nickserv defences. Social engineering is the next possible way of getting a password. Nickserv often goes offline, when the server called services.dal.net splits from the rest of the network. When this happens you can change your nickname to Nickserv and actually ask the user for his password. As nickserv goes offline so often, this is an extremely possible way of getting passwords. * Chanserv Chanserv is the next most used service on Dalnet. It is the service that enables people to run and maintain channels on the IRC network. It handles commands such as making people auto-ops and changing the topic of a channel. In order for you to make changes to a channel settings you must be granted with founder access. This means that your specific nickname must be recognised as the founder through the use of your nickserv password each time you connect and the founder password once to get your nick registered as founder. As with nickserv, there is the possibility to corrupt the database with multiple registered channels with random names and registered with random passwords. The same IRC script can be used with simple changes to the commands used. As a server attempts to re-sync its chanserv database with the other servers on the network, it will spread he corrupted database file. Once that happens the whole channel network will no longer be under anyone's control. And once again, you will have your picking of channels. Also chanserv has another blatant weakness and it hinges on the fact that nickserv is very insecure. If you manage to claim someone else's nickname, either through brute forcing a password or more intense means, then you will have all their access privileges. Let me explain my thinking further. Someone by the name of Jimbo runs a channel called #JimbosPlace and you want to take over the channel. You manage through whatever means to gain his nickserv password, then you simply swan in though the use of his nickname and his password. You will be recognised as the founder and you will have total control over the channel. Again, like nickserv the other methods should also work. If services go offline for a moment, you could very easily ask for the founder password and without even trying take over the channel. Also brute force attempts at founder access are not logged, so you can try to brute force a password as often as you have time on-line. * Memoserv Memoserv is a service offered to allow registered users of the Dalnet network to send memos to one another. Simple messages can be sent to one another and memoserv holds the memos on the services.dal.net server and waits for the user to collect them. It is possible to essentially knock the services.dal.net server offline. Memoserv allows you to set your options so that when you receive a memo its to be redirected it to another specific nickname. If you were to set up a nickname, A, to bounce memos to another nickname, B, but we also set B to bounce memos to A. A simple IRC script given ten minutes could have hundreds of memos bouncing between the two nicknames forever. Leave that to sit till the services.dal.net server is running at peak usage and the server would buckle and crash. Leaving the whole of Dalnet at your mercy. * Operserv This is the least used service of all the services offered by the Dalnet software. And is, I'm glad to say, just as flawed and dangerous. As always the usual basics ideas work. Brute force attacks and also social engineering. Logging is still not done at all by operserv. Operserv is the group of services given to IRC ops who have total control over the whole of Dalnet. They have total access in all channels and over all the other services. To gain IRC op status through this service is again given though the use of a registered nickname. Having a nick password for a nickname that is an ops nickname means that you have become that op. Apart from the obvious and previously mentioned methods, there is one other way of compromising operserv. Dalnet allows you to telnet into telnet.dal.net so that you can connect to the IRC network without needing an IRC client and simply using the telnet program that is supplied with Windows. This is where the flaw comes in. I do not intend to spell this out for you, as it would mean the demise of Dalnet permanently. Simply put, telnetting into Dalnet means that your source address (ident) seems to come from within the Dalnet network. And by coming from within the internal Network, you can actually 'ask' operserv for op status and be given it without difficulty. Well, that's is for documenting Dalnet flaws and this file may have flaws, I would appreciate corrections mailed to cronus@iol.ie so that I can keep this file up-to-date...