[===================================================================================]
[ The IRC Warfare Tutorial / Written by The Cyber God (e-mail: [email protected]) ]
[ Version 1.1, 24/9/99 / My ICQ#: 7864557 ]
[===================================================================================]

--[Editor Notes]--
Please send comments, questions and feedback to [email protected]
This tutorial has been written by a member of Black Sun Research Facility.
You can always visit us at http://blacksun.box.sk/
Some of the terminology has been taken from BSRF's SendMail tutorial written by R a v e N ([email protected]).
Note: in the next editions, we will cover Link Lookers under the Net-Splits section.

--[Disclaimer]--
We will not help you actualize the things that you will learn here.
The information here is for educational purposes only (for learning how the attacks are done and how to prevent them).
We are not responsible in any way for any damage that might happen to you. This includes software damages and law issues.

--[Table Of Contents]--
What is IRC?
An introduction to the way that IRC works
Some notes on different IRC networks and their daemon software
Why IRC wars started?
What do the others know about me?
How to spoof / hide your identity on the IRC
Bans and how to bypass them
I don't like your nickname... / Getting a user off the IRC
Can I get caught and will I?
What are netsplits and how can they help me?
Channel Takeovers
Some expansion about RAW sessions
War Scripts
Editorial - IRC wars, another perspective
Some interesting articles by Packet
Newbies Corner
* What is a daemon?
* What is a port?
* What is a service?
* What is a timeout (in computer terms)?
* What is TCP and how does it work?
* What is UDP and how does it work?
* What is ICMP and how does it work?
* What is an IP address?
* What is a portscanner?
* What is a services scanner?
* What/who is root?
* What is bandwidth?
* What is a client program?
* What is a DoS attack?
* What is a DNS server?
Appendix A: the +x mode
Bibliography

--[What is IRC?]--
IRC stands for "Internet Relay Chat". Jarkko Oikarinen originally wrote it in 1988. Since starting in Finland, it has been used in over 60 countries around the world. It was designed as a replacement for the "talk" program but has become much, much more than that. IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. There is no restriction on the number of people that can participate in a given discussion or the number of channels that can be formed on IRC.

--[An introduction to the way IRC works]--
All the communications in the world of IRC are done through the server. (This does not include the DCC (Direct Client Communication) protocol.)
When you connect to a server, you send it 2 commands: NICK & USER. These commands are used to identify you on the IRC. Here is the format of the commands:
NICK nickname - Sets your nickname
USER username host server :real name - Sets your userid and real name. Host is your host and server is the server you are connecting to.
For example, to open a raw IRC session you can telnet to an IRC server on port 6667 or 7000 (the standard ports). Here is an example of telnetting to my localhost (note: the lines beginning with * have been written by me. The rest are the output I got from the server):
* nick ^TCG^
NOTICE ^TCG^ :*** If you are having problems connecting due to ping timeouts, please type /notice E3AA3478 nospoof now.
PING :E3AA3478
* user ^TCG^ 127.0.0.1 localhost :The Cyber God
:localhost 001 ^TCG^ :Welcome to the DALnet IRC Network ^TCG^[email protected]
:localhost 002 ^TCG^ :Your host is localhost[thegod.actcom.co.il], running version dal4.6.7.DreamForge.win32
:localhost 003 ^TCG^ :This server was created Fri Jul 24 07:48:52 1998
:localhost 004 ^TCG^ localhost dal4.6.7.DreamForge.win32 oiwsghOkcfrRaAb biklmnopstvR
:localhost 005 ^TCG^ NOQUIT TOKEN WATCH=128 SAFELIST :are available on this server
:localhost 251 ^TCG^ :There are 0 users and 0 invisible on 1 servers
:localhost 253 ^TCG^ 4 :unknown connection(s)
:localhost 255 ^TCG^ :I have 0 clients and 0 servers
:localhost 265 ^TCG^ :Current local users: 0 Max: 0
:localhost 266 ^TCG^ :Current global users: 0 Max: 0
:localhost 422 ^TCG^ :MOTD File is missing
:^TCG^ MODE ^TCG^ :+iw
...

ok

As you can see, the second parameter of the USER command includes my IP. You might be thinking right now that you could enter any IP you want and fake your IP. Well, you are wrong. On really old versions of the IRC daemon (those that were used on Efnet), you were able to spoof your IP. But today there are 2 types of anti-spoof patches: the one that doesn't care about the IP you entered and connects you using your real IP (which it gets from the socket), and the other one which just doesn't allow you to connect to the server until you give your real IP address.
The first method of anti-spoofing is used most in the DALnet server version and the second is used most by EliteIRCD (which is based on DALnet) and the servers that are based on it.
Now, if it all goes OK then you have just opened a raw session to IRC!
All the data transferred to the user (private messages/notices and channel events) is transferred from the server. If the user that sent you a message is on a DIFFERENT server than you (but NOT a different network) the message "moves" from server to server until it reaches your server and you. To send someone a message in our raw IRC session type 'PRIVMSG nick :message' (without the quotes), where nick is the target nickname and message is the message (you must include a : before the message).
When a message moves from server to server it looks like this:
:SenderNick PRIVMSG nick :message
All the IRC commands move from server to server like this. For example when someone uses the NICK command ALL the servers get a notice about it.


--[Some notes on different IRC networks and their daemon software]--

Different IRC networks have different IRC daemons. It is important to know the features / limits of the server your network uses. For example, OLD Efnet servers don't know the +b channel mode (ban someone). When trying to start IRC wars you need to know what the limitations of the server are. Does it have services, and if so, do they have a bug that can crash them? Can you obtain Channel Operator in a net-split (we'll get to that)? And so on... During the rest of this tutorial we will discuss different daemon software and bugs, as well as different ways to "get in".


--[Why IRC wars started?]--

Generally, IRC wars started on the IRC network Efnet. On this IRC network you can't register your nickname, so ANYONE can use it. Say, for example, someone logged on to this IRC network (by the way, did you know that it is the first IRC network ever (!)) and saw that his nick was taken. He probably said something like "How rude?!" or "Mother-F*cker" or anything else. Then he started thinking about ways to get this user off the server. Users started to try many different things on each other and that's pretty much how IRC wars started. Today, users might start IRC wars "just for fun", or for taking over channels they don't like or kicking off users they don't like.


--[What do the others know about me?]--
OK people! This is actually the first important thing about IRC wars. Before starting out you need to know what others can find out about you and what you can find out about them.

If you are not connected through a BNC, firewall or a shell (we'll get to this neat stuff later), that is, if you are connected directly to the IRC, using a dial-up for example, users can first of all know your IP. Newbies might say right now, "ok... well.... So he knows my IP... who gives a shit anyway?"
Well, if you said this you are wrong. Let's take a look at my host (resolved IP) for example:
P34.haifa2.actcom.co.il
|   |      |         |_ You can see that my ISP is in Israel, and so am I (unless I'm dialing to foreign ISPs just to cover my identity, which is a thing people don't do because of... financial issues).
|   |      |_ You can see that my ISP (Internet Service Provider) is Actcom
|   |_ You can see that I am from Haifa (like R a v e N :) ).
|_ My modem number at the ISP's office.
See how many things the host gave you?
1) My ISP
2) My city
3) My country
Now you also know that if my ISP's address is actcom.co.il you can send complaints about me to [email protected], for example, give them my IP and tell them what I did to you and they will do the rest.

That is what users know about you. Sometimes you will only see numbers like 19.114.47.1 and not the host. That is because the server failed to resolve your hostname. To resolve it you can download a program called 'nslookup' from somewhere (note: nslookup comes with all Unix systems), give it the IP and it will try to resolve it. Also see the entry 'DNS Servers' in the Newbies Corner.
Now, for those who don't know, you can get the IP/host by "whoising" the user.
To do a whois on a user in mIRC, BitchX, ircII, Pirch and some other well-known IRC clients all you need to do is type /whois nickname
To whois someone in our raw connection (the one I taught you how to establish at the beginning) type 'whois nickname' (without the quotes)
Here is what I get when I whois myself in the raw connection:
whois ^TCG^
:localhost 311 ^TCG^ ^TCG^ ~TCG thegod.actcom.co.il * :The Cyber God
:localhost 312 ^TCG^ ^TCG^ localhost :test server
:localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time
:localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.
Ok, before I explain what you got here, here is the format:
Format: :server-name raw-number sender target data.
Server-name is the server that gives you the data.
Raw-number is the ID of the data you got (it is used to determine what data you are getting).
Sender: the sender's nickname (you!!).
Target: The target (The nick you are whoising).
Data: The data.
Now here is an explanation of all 4 lines.
In the first one you see the username and the host of the user; you also see his real name:
~TCG thegod.actcom.co.il * :The Cyber God
|    |                     |_ The user's real name (you can fake this :))
|    |_ The user's host or IP
|_ The username (set by IdentD, will be explained later; when it starts with a '~' you see that the IdentD is NOT running and the Ident (username) might be fake).

The second line:
localhost :test server
|         |_ Comment about the server (set by the server admin)
|_ The server that the user is connected to

Third line:
9 932030074 :seconds idle, signon time
| |_ When the user signed on
|_ How many seconds he has been idle

Last line:
:End of /WHOIS list.
|_ Shows you that there is no more data.
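Both raw transcripts above (the connection handshake and the WHOIS reply) use one line format: an optional :prefix, a command or three-digit numeric, middle parameters, and a trailing parameter after ' :'. The Python below is an added example written for this edition, not code from the original tutorial: it parses that format, answers the server's PING (the ping timeout the NOTICE line warns about), and collects the 311/312/317 numerics into one record, flagging a '~' username as unverified by IdentD. The function names are this example's own, and the sample lines are constructed to mirror the transcripts above using the tutorial's illustrative nick and host, not a live capture.

```python
"""Added example (not from the original tutorial): parse raw IRC server lines.

Covers the two transcripts shown earlier: the connection handshake
(NICK/USER, PING/PONG, numeric replies) and the WHOIS numerics 311/312/317/318.
Function names and sample lines are this example's own; the sample lines are
constructed to mirror the tutorial's transcript.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]    # who sent it: a server name or nick (None if absent)
    command: str             # verb (PING, PRIVMSG, MODE...) or 3-digit numeric ("311")
    params: List[str]        # middle parameters, e.g. [sender, target, user, host]
    trailing: Optional[str]  # the part after " :", which may contain spaces


def parse_line(line: str) -> IrcMessage:
    """Split one raw line: [':' prefix ' '] command {' ' param} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if line.startswith(":"):          # nothing left but a trailing parameter
        trailing, line = line[1:], ""
    elif " :" in line:                # trailing text begins at the first " :"
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("line carries no command")
    return IrcMessage(prefix, parts[0], parts[1:], trailing)


def registration(nick: str, user: str, host: str, server: str, realname: str) -> List[str]:
    """The two commands a client sends first, in the format the tutorial gives."""
    return [f"NICK {nick}", f"USER {user} {host} {server} :{realname}"]


def run_handshake(server_lines: List[str]) -> Dict[str, object]:
    """Walk the server's greeting; return what to send back and whether we got registered.

    The PING token must be echoed in a PONG, otherwise the server drops the
    connection with a ping timeout (the situation the NOTICE line warns about).
    Numeric 001 is the welcome reply, i.e. NICK/USER were accepted.
    """
    to_send: List[str] = []
    registered = False
    for raw in server_lines:
        msg = parse_line(raw)
        if msg.command == "PING":
            to_send.append(f"PONG :{msg.trailing}")
        elif msg.command == "001":
            registered = True
    return {"sent": to_send, "registered": registered}


def decode_whois(server_lines: List[str]) -> Dict[str, object]:
    """Collect the WHOIS numerics into one record.

    params[0] is your own nick, params[1] the nick being looked up. A username
    starting with '~' means the server could not confirm it through IdentD, so
    it is whatever the client claimed in its USER command.
    """
    info: Dict[str, object] = {}
    for raw in server_lines:
        msg = parse_line(raw)
        if msg.command == "311":      # <you> <nick> <user> <host> * :<real name>
            info["nick"] = msg.params[1]
            user = msg.params[2]
            info["ident_verified"] = not user.startswith("~")
            info["username"] = user.lstrip("~")
            info["host"] = msg.params[3]
            info["realname"] = msg.trailing
        elif msg.command == "312":    # <you> <nick> <server> :<server comment>
            info["server"] = msg.params[2]
            info["server_info"] = msg.trailing
        elif msg.command == "317":    # <you> <nick> <idle> <signon> :seconds idle, signon time
            info["idle_seconds"] = int(msg.params[2])
            info["signon_time"] = int(msg.params[3])
        elif msg.command == "318":    # end of the list: nothing more follows
            break
    return info


# Constructed sample lines mirroring the tutorial's transcripts (not a live capture).
HANDSHAKE = [
    "NOTICE ^TCG^ :*** If you are having problems connecting due to ping timeouts, "
    "please type /notice E3AA3478 nospoof now.",
    "PING :E3AA3478",
    ":localhost 001 ^TCG^ :Welcome to the DALnet IRC Network ^TCG^",
    ":localhost 422 ^TCG^ :MOTD File is missing",
    ":^TCG^ MODE ^TCG^ :+iw",
]
WHOIS_REPLY = [
    ":localhost 311 ^TCG^ ^TCG^ ~TCG thegod.actcom.co.il * :The Cyber God",
    ":localhost 312 ^TCG^ ^TCG^ localhost :test server",
    ":localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time",
    ":localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.",
]

if __name__ == "__main__":
    print(registration("^TCG^", "^TCG^", "127.0.0.1", "localhost", "The Cyber God"))
    print(run_handshake(HANDSHAKE))
    print(decode_whois(WHOIS_REPLY))
```

Feeding the whois record back through the host breakdown given earlier is the point of the exercise: the host field is what a stranger on the network learns about you, and the '~' flag tells you which of the other fields the server never checked.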

Also, when users know your IP they can start almost any Denial of Service (DoS) attack on your host like WinNuke (Arggg... Lame Lame Lame!!!) or a lovely ping flood that will chew up all of your bandwidth, depending on the attacker's bandwidth (for more info and more sophisticated DoS attacks, see the DoS tutorial at blacksun.box.sk).


--[How to spoof / hide your identity on the IRC]--

After seeing what users can find out about you, it is time to learn how to hide your identity.

There is no easy and lame way to do this. Here are the best-known ways: a firewall, a WinGate and a Bouncer, aka (Also Known As) BNC.
We will start with the firewall.
The firewall we are talking about is software that runs on some machine and is used to filter incoming packets (packets that arrive at the machine which is running the firewall) and outgoing packets (packets that are sent from the machine which is running the firewall). Some firewalls are not configured very well and allow anyone to connect through them. The hard part is to find a working one that will allow you to connect through it; once you are connected through it, users that whois you or DNS you will see the firewall's IP! If, for example, there is a misconfigured firewall on the host firewall.someone.com, you can use it in mIRC, for example, by starting the mIRC program (I use the newest version 5.6, go download it at www.mirc.co.uk) and:
1. Click on the Files menu, then Options.
2. On the topmost label of the tree where you can see 'Connect', If you see a '+' next to it click it. If you see a '-' go to the next step
3. Click on the sub-item Firewall (duh...)
4. Be sure the 'Use SOCKS firewall' checkbox is marked (has an 'X' in it).
5. In the Hostname field, write the IP / Hostname of the firewall. For example lets use firewall.someone.com
6. Leave the USER ID and PASSWORD empty, and make sure the port is 1080.
7. Click OK.
Now, the next time you type /server ... to connect to the IRC server, the connection will be relayed through the firewall, so if someone whoises you he will see something like this:

:localhost 311 ^TCG^ ^TCG^ ~TCG firewall.someone.com * :The Cyber God
:localhost 312 ^TCG^ ^TCG^ localhost :test server
:localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time
:localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.

You can see that my host is NO LONGER thegod.actcom.co.il; instead it is now firewall.someone.com!!
Now I am protected. You might be asking right now where to get the firewall hosts. One idea is to go and ask your friends. Another is going to Altavista (www.altavista.com) and searching for "firewall AND list" and stuff like that.

Another way of spoofing your IP is a WinGate. WinGate is software for Windows that is used to let several computers that are connected through a local network of some sort use one computer's Internet access. It also allows you to fake your IP in _EXACTLY_ the same way. After installing WinGate, anyone will be able to use it if you don't configure it well (I personally recommend using SyGate instead). To find WinGate addresses you can ask your friends, run a WinGate scanner that will scan whole subnets for WinGates or look for lists on the web.

Note: newer versions of the IRC daemons will automatically check for an open WinGate or a firewall, and if they detect one they will kill your session and might even K-Line the host (ban the host from using the server/network) as well.

Now, on to the Bouncer (aka BNC) spoofing.
A bouncer is software that runs on Unix computers. If, for example, there is a BNC on bnc.shell.com on port 1234, you can connect to it by typing: /server bnc.shell.com 1234
After that you should be getting something like this:
-BNC- Please type your password via /quote pass <password>
Crap... You need a password. If you know the password you have no problem. Just type '/quote pass password' (without the quotes), replacing 'password' with your password.
If you don't know the password you need to ask the guy that gave you the BNC (or you could always hack the server... ;) but this tutorial is about IRC warfare, not hacking servers and getting passwords). You should also ask him if it (the BNC) has vhosts. Vhosts are multiple IPs and hostnames for the same BNC. If it has vhosts, you can set your active host by typing '/quote vip the.host.name.here' (as you should be able to figure out by now, it is done without the quotes).
After this you type '/conn server'. For example, /conn irc.dal.net will connect you to irc.dal.net with the bouncer's host.

Note: unlike firewalls and badly configured Wingates, the server cannot detect a BNC, so there is no chance you will be banned for using it.

 
