
Irc Hacking In 2012


science

I've been asleep. When I went to bed, hak5 did not exist and the most l33t thing online was neworder.box.sk .

Now I'm awake and I'm the Op of an IRC channel on Freenode and Dalnet. I don't want anyone to take over my channel and make a fool of me, so I went to see what the attack vectors of a potential blackhat might be. Sadly, the once rich collection of tools at my former mothership has not been updated since 1999 for the most part. Thus they are, perhaps, slightly out of date.

So, what have I missed? More to the point -- what's the status quo? If I am running WeeChat, let's say, other than a flood/DOS how might I be attacked? Are there any strong scripts? Any vulns? I don't see any relevant exploits listed in exploit-db.

Thank you.

Link to comment
Share on other sites

I'm sure whatever exploits are either known out there, or secret with whomever found them. You would have to look up server specific attacks depending on what the network uses. But bigger networks like freenode have a pretty big team behind them and I'm sure are on top of any exploit and getting them addressed.

They just mostly know about WiFi here :/

We have a large range of knowledge here, not just WiFi ;).

Link to comment
Share on other sites

I was mainly just teasing, Mr. P. Although it does seem like 95% of hak5 revolves around WiFi, but you're right that there's a richer set of knowledge, such as with the plug experts.

Still, you do realize you just told him that either exploits don't exist or they do and the information is out there on the Internet unless it's not... so in other words we have no clue ;) Just for the record Mr. P is actually extremely smart and knows a ton about computing/hacking. So I should probably phrase that observation that we have no clue with "with all due respect"...I just think the OP may have randomly touched upon a chink in the hak5 armor or something, though.

I believe there was a good script called wIRC, but it's about 5 years old and was mainly just anti-mIRC kills and scripted insults. I will admit that I have no clue for the linux clients like WeeChat or Freenode/Dalnet. WeeChat did have some exploits but they're patched and like you said I use exploit-db to look for them since it comes as a default link in BT5...

Link to comment
Share on other sites

IRC has been around for a while and many security measures have been taken. If you roll your own server, I'm sure there are settings that could be exploited. But having a big, well known server like freenode you probably will not have issues. Even if you do, it will not be hard to have them fix the problem. They seem to be pretty responsive in #freenode.

I know I can be vague, hateful, etc. It depends how I'm feeling that day and sometimes how much I've had to drink :P. Also a lot of the questions or requests are easily found with a few minutes of searching on Google. I'm not really into "spoon feeding" those who just want answers. It's kind of like asking a linux user how to do specific things in linux. They will tell you to read the man pages instead of spoon feeding an answer. You learn something that way as well :P. /rant

Link to comment
Share on other sites

I'm very skeptical that any major vulnerabilities for IRC or any other major protocols are public. If they were then the internet wouldn't be very reliable.

I loled...and then I loled again. The internet is run by hamsters and held together by duct tape and bobby pins. The underpinnings of the internet itself are its own worst enemy. If it were secure, we wouldn't need pentesters or anti-virus and that big shiny box in the corner of the corporate network that lets all the attackers come in unnoticed.

Link to comment
Share on other sites

Please post what you consider a major public vulnerability to illustrate your point.

IRC networks are known for bots and attacking users on their networks. They make use of scanner scripts/bots to attack users in the channels, and also attack websites from their channels and vice versa. Bots can be controlled, via PHP on websites, and used to attack other sites or people in the channel against their direct IP. Just depends on the IRC network and how they set them up, if intentional to attack other networks, how would you know? This isn't a public vulnerability in the IRC protocol, it's an inherent trust issue with the nature of how IRC works and how people abuse it.

To illustrate my point, check this: http://pastebin.com/HE1qP1yh

It's a paste I put up this evening, showing someone scanning my site for timthumb plugin. It was initiated via an IRC channel to scripts located on remote servers. They run these types of scanning networks to install reverse shells on as many sites as they can find, then the php bots post back to the channels with various bot nicks with what they found and the addresses for the shells.

Now, let's say that I run a site that has both wordpress and an IRC server. If someone compromised the server via wordpress or IRC, they could probably take over the channels of anyone on the server. They also have scanners, that connect to and scan IRC networks and channels from other IRC networks, or directly from web based PHP scripts, so while IRC in general might not be being taken over directly, they may be taking over your machine in the process of you being on the network or a channel admin. Reputable networks like Freenode that let you register and use a vhost mask your IP to help protect you somewhat, but if your client itself is weak and they use any DCC to figure out your real IP and scan your real host, you just put yourself that much more at risk. It's like fish in a barrel on IRC networks. You are at the mercy of the network you join and what measures you put in place between you and the IRC Server/channel(s).

Link to comment
Share on other sites

When I said major public exploits, I was referring to mainly server exploits that would pose major threats to the functionality of the protocol, not the fact that IRC can be used to control botnets or as a medium to obtain IP addresses to scan. If you connect from behind a decent router and don't get socially engineered, you can more or less use it in peace, same for the rest of the internet. Yes I know SSLStrip and ettercap, but I'm talking about from over the internet.

Link to comment
Share on other sites

Just because it doesn't show up on this list: http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=irc&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve= doesn't mean one doesn't exist. The OP's main concern was his irc client and getting his channel taken over. Someone bruteforcing his nick authentication to the server is always a possibility too. Doesn't have to be some publicly disclosed 0-day for IRCd itself to have something happen. People get their channels attacked all the time. IRC is not Fort Knox.

Link to comment
Share on other sites

So you use a strong password and a secure client, problem solved. Millions use IRC (and the internet in general) everyday without problems.

Yeah, because no one uses weak software and weak passwords on the internet. That would just be silly.

Link to comment
Share on other sites

Ok, so the original question was about exploits in IRC? And MrProtocol gave the exact correct answer. There is no across the board exploit. As a developer, that would be one of the first bugs I would fix. When looking for vulnerabilities, you are looking for them in a specific piece of software and version.

digip is right too. Google hacking isn't hacking into Google...it's using Google to expose targets. IRC is most commonly used in hacking for bot nets.

If you want to hack an IRCD, grab a version of it, and start poking holes. Or even better, if you can find the source, dig through that for holes. You can look at the Anope module list and find a few modules that have massive holes in them, for instance, http://modules.anope...page=view&id=42

That module has problems in many places, mostly revolving around its access system. The bugs that are mentioned mostly shut down all services...

If everyone knew a fuck-all vulnerability, then no one would use that software. So in most cases, when someone finds a fuck-all vulnerability, they keep quiet about it, tell the devs, or sell it. I say most cases meaning security experts, most you've never and will never hear of.

Edited by bwall
Link to comment
Share on other sites

I don't think I have enough of a history on this forum (or any forum, for security reasons) to dig into the "is it okay to ask questions or should the forum be replaced with a link to google" debate*. It's fine by me if people want to ask and answer questions here though, getting much more quality and reputable answers in a more reliable and custom form than what you'd get with only your own research.

I just want to say OVER 9,000 INTERNETS to DigiP.

I don't know how hackers could possibly think things are secure. I live in digip's world. There are vulnerabilities EVERYWHERE. If you're OP and you've been inexplicably out of the loop since 1999 you're probably overwhelmed with all the many new holes in security to catch up with as a pen tester or, in his case, an IRC Op I guess.

As it happens, IRC is actually one of my least favorite parts of the Internet (logs+pointless chatter, IMHO) so I don't know much about it and I've never even had voice let alone been an Op or admin or whatever. But even I knew about wIRC and there are toooons of vulnerabilities that affect big fat networks like DalNET, EFnet, Freenode, etc. Why? Because the IRC clients can be determined on all those nets -- and those clients have exploits, hacks, bugs, you name it. Maybe not every client at every given moment but in wIRC they have about 200 different kills built in that worked at the time and about 25% of them still work years later.

Especially for mIRC which may as well be called insecureIRC. I see all this without being 10% of the hacker that Mr. P is and with spending an average of 10 minutes on IRC per year.

Oh yea, one more thing -- there are billions of bots in IRC right? Good and evil. Well, many of those bots can be pwned. Not to mention, there's plenty of room for the strongest tool in the traditional hacker's toolbox... the same tool that just got like 50,000 linux users' credit cards stolen from WH-whatever the server billing company... social engineering!

This is basic, but you can go on there and watch quietly, see when people come and go. See the Op/voice handoffs or whatever. Wait, patiently for some key dude to leave, get his nick or one that's similar (like if his is "pos1tronics" yours is "pos1tron1cs" with the same other info in your profile) and when the current Op is going offline or something you say "Hey buddy, I'll take over". I know that's a rough example, but I hope the general point is conveyed.

* Love you, Mr.P <3! You da man and you help people all the time despite what you say! You love it and we love you ;)

Edited by whitehat
Link to comment
Share on other sites
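
For a channel op, the nick-imitation scenario in the post above ("pos1tronics" vs "pos1tron1cs") is something a client-side script can flag when a JOIN or NICK message arrives. The sketch below is an added example, not code from any poster or IRC client; the substitution table, the distance threshold, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumed substitution table: leet digits and filler characters folded away.
LEET = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "_": None, "-": None, "`": None, "^": None})
# ":nick!user@host JOIN #chan" or ":old!user@host NICK :new" (RFC 1459 message shape)
EVENT = re.compile(r"^:([^!\s]+)!(\S+)\s+(JOIN|NICK)\s+:?(\S+)")

def skeleton(nick):
    """Case-fold, fold leet characters, collapse runs of a repeated character."""
    return re.sub(r"(.)\1+", r"\1", nick.lower().translate(LEET))

def edit_distance(a, b):
    """Levenshtein distance with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(nick, trusted, max_distance=1):
    """Return the trusted nick that `nick` imitates, or None if there is none."""
    if nick.lower() in (t.lower() for t in trusted):
        return None  # exact nick: whether it is the real owner is a services question
    for t in trusted:
        if edit_distance(skeleton(nick), skeleton(t)) <= max_distance:
            return t
    return None

def scan(lines, trusted):
    """Return (nick, user@host, imitated nick) for each suspicious JOIN or NICK."""
    hits = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        nick = m.group(4) if m.group(3) == "NICK" else m.group(1)
        imitated = lookalike_of(nick, trusted)
        if imitated:
            hits.append((nick, m.group(2), imitated))
    return hits

# Constructed sample traffic (documentation address ranges), not real logs.
SAMPLE = [":pos1tron1cs!~u@203.0.113.7 JOIN #example",
          ":alice!~a@198.51.100.2 JOIN #example",
          ":guest42!~g@192.0.2.9 NICK :P0s1tronics_",
          ":pos1tronics!~p@192.0.2.50 JOIN #example"]
```

A hit only says the nick resembles a trusted one; op status should still be tied to the registered services account and not to what the nick looks like.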

I don't know how hackers could possibly think things are secure.

The computers are more or less secure, the humans are not. The groups taking down big scores aren't using IRC and ddos attacks to do it, they're socially engineering other humans.

FYI - IRC played a key role in comms in the 2003 Iraq invasion for whatever that's worth and it went completely fine.

I know it's good for business, but I hope you do realize that if everyone goes around preaching about how unsafe/insecure the internet is, eventually people won't use it any more.

Edited by bobbyb1980
Link to comment
Share on other sites

The internet IS unsafe and IS insecure. I'm not saying it can't be used safely, but it's under constant attack. I see it on a daily basis, I've found THOUSANDS of domains that have been compromised, and a shit ton of IRC bot networks, reverse shells on all kinds of compromised servers, and bot programs written in php, perl, asp and compiled single executable linux programs. And a lot of the sites I find compromised, are large businesses who are oblivious to the attacks, some of which have blown me off when I try contacting them. Ignorance is the greatest threat on the internet, not the next sexy 0-day, and if anyone thinks that everything is hunky dory if you play it safe, more than likely you've already been compromised and don't even know it.

In May alone, I had over 400 attempts at breaking into my site. Those are the ones I know of. Of all of them, they all had caches of reverse shells on compromised sites and IRC networks, with bots doing the command and control, both on web servers and on irc servers. Just last night I finally deobfuscated one such PHP script that starts a bot on a webserver, controlled by an IRC network.

Here is the obfuscated bot. WARNING! DO NOT UPLOAD AND VISIT THE PAGE FROM YOUR SERVER. It will automatically contact their IRC network and start using your server to carry out attacks on other networks, trying sql injection and tim thumb attacks - http://pastebin.com/X47LFCgS The deobfuscated code is also up on pastebin. Follow my twitter to get the link, but first see if you can reverse this to plain text, all of it, and you will see the passwords for their IRC bot to logon and report back to the IRC channel that controls it.

Edited by digip
Link to comment
Share on other sites
