Infrastructure Hacking: IRC Protocol

Today we are going to talk about one of the great protocols of the past: Internet Relay Chat, the prototype for instant messaging. Although those of you of a certain age will be familiar with this protocol, I didn’t use it until I had to make my own IRC server for an exercise at university, implementing every command in C. Many hours reading the RFC 1459 manual…

This protocol runs on port 194 (TCP) and is a client-server system. The user downloads the client to his computer and connects to the server of his choice, where he can chat with other clients in different chat rooms, called channels.

Many IRC servers only require a nickname to connect, while others require a username and password.

There are channel operators, modes, commands…

How To Use An IRC Client

Examples of IRC clients are X-Chat, HexChat, mIRC, WeeChat…

We are going to show HexChat. You can download it from their website.

We indicate a user name and the server we want to join. For example, we are going to join DALnet. 

Once on a server, there are several channels. We can view them with the /list command:

Let’s join the #hackland channel with the command /join #hackland. And we could start chatting. 

IRC has a long history in the hacking world. It has been widely used in the hacktivist world, being the main communication channel for many hacker groups.

IRC and the Hacker Community

The IRC protocol was created in 1988 and quickly became popular among so-called “hackers” who trafficked in pirated software in a world where laws had no place on the Internet. 

These hackers used FTP servers (both private and stolen) as clandestine file-sharing servers. They also used a primitive form of DCC (Direct Client Connection) file sending, which would later give way to the famous P2P services such as Ares or eMule.

The early days of hacking on IRC fit the romantic view of the hacker who sought to push past every limit of the technology, driven by the desire to learn.

However, there was not yet the sense of a hacker community that we have today; rather, it was very much a rivalry between hackers competing for fame.

This rivalry took the form of “wars” in which one hacker would try to take control of rival IRC channels, or in which DoS attacks were carried out against IRC servers.

Keep in mind that we are talking about a time when the Internet was in its infancy and nobody took security into account when designing services. Everyone connected via the telephone line and anyone could see the IP address of another IRC user.

This gave rise to attacks such as Nuke attacks, which were nothing more than a DoS based on sending hundreds of corrupted ICMP packets via a modified ping tool. These attacks could even cause the famous blue screen. DNS spoofing attacks to give an IRC server funny domain names also started to happen. Here you can see, for example, a manual created by a user on “IRC war tactics” showing different types of attacks.

These wars escalated to the point of installing protection bots on IRC channels, bouncers to hide the IP address, not to mention all the trojans that circulated on IRC servers.

It was a protocol so widely used by this community that when the first botnets emerged, they used IRC as their Command & Control system.

Architecture

The network structure is in the form of a tree:

This implies that there must be implicit trust between servers: a malicious server can do great damage to the network, and any change to the network means having to split off and rejoin other parts of it.

Attack on a vulnerable version of IRC

I will use this protocol to show the risks that occur in companies, in environments where the priority is to deliver the product as soon as possible and meet the deadline. Developers, as well as QA, normally tend to shorten the process when it comes to testing.

For example, if you develop a sales page where a customer buys an item, the customer has to go through certain steps (choose the item, quantity, fill in personal details, payment method and process the purchase). The developer will find it very tedious to go through all the previous steps every time he wants to check how the purchase is processed, which he will have to do hundreds of times until everything works as expected.

To shorten the process, a developer may tend to create backdoors; in the previous case he could create a temporary button in the first step that, when pressed, leads directly to the last step, which is the one he is interested in testing.

The problem comes when, due to the pressure to deliver on time or due to the developer’s lack of attention, this backdoor goes into production.

Let’s see a practical example of this with one of the versions of UnrealIRC.

We can see that on this server there is an IRC service on port 8067. The normal way would be to connect with an IRC client as shown above; however, let’s see how to do it by connecting directly using ncat or telnet.

We see an error message as it cannot resolve our hostname:

What we need to do is edit the /etc/hosts file, adding the domain name for the IP, in this case irked.htb:

We can look at how IRC connections are made in RFC 1459.

To initiate a connection, we have to send:

  1. Pass message –  PASS username
  2. Nick message – NICK username
  3. User message – USER username host server : realname
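The registration sequence above and the replies the server sends back follow the RFC 1459 line format (optional prefix, command, parameters, optional trailing parameter). The following is an added example, not code from the original post: it builds the three registration lines, parses server replies, and pulls the version string out of the 002 (RPL_YOURHOST) reply. The server replies are constructed samples; the host name, nick and addresses are assumptions.

```python
import re

# Constructed sample of what a server replies after registration
# (numeric replies 001 and 002 per RFC 1459, then a PING keep-alive).
SAMPLE_REPLIES = [
    ":irc.example.test 001 lethani :Welcome to the Example IRC Network lethani!lethani@10.0.0.5",
    ":irc.example.test 002 lethani :Your host is irc.example.test, running version Unreal3.2.8.1",
    "PING :12345",
]


def registration_lines(password, nick, user, host, server, realname):
    """Build the PASS / NICK / USER messages described in RFC 1459 section 4.1."""
    return [
        f"PASS {password}",
        f"NICK {nick}",
        f"USER {user} {host} {server} :{realname}",
    ]


def parse_message(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459 section 2.3.1.

    prefix is None when absent; a trailing parameter (introduced by ' :')
    may contain spaces and is kept whole as the last element of params."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    params = middle.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def server_version(replies):
    """Return the version announced in RPL_YOURHOST (002), or None if not seen."""
    for line in replies:
        _, command, params = parse_message(line)
        if command == "002" and params:
            match = re.search(r"running version (\S+)", params[-1])
            if match:
                return match.group(1)
    return None


def pong_for(line):
    """Answer a server PING so the connection is not dropped (RFC 1459 section 4.6)."""
    _, command, params = parse_message(line)
    return f"PONG :{params[0]}" if command == "PING" and params else None
```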

Here we can see the answer that the server gives us:

We get data such as that it is running Unreal3.2.8.1

Searching on Google, we can quickly find an article describing a backdoor in this version:

https://lwn.net/Articles/392201/

In this article we can see that if the server reads a line starting with “AB”, it executes whatever follows it as a command, giving us RCE.

We can try running a ping to see if the command is executed. When we do this test, it is very important to use the -c 1 option so that it sends a single ping and stops:

To see if it is running, we sniff the traffic with tcpdump:

It has indeed been executed, so it is easy to get a reverse shell:
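From the defender's side, the trigger described above is easy to spot on the wire, because no RFC 1459 command begins with “AB”. The following is an added example, not from the original post: a small inspector that runs over client-to-server lines (as a sensor or IRC-aware proxy would see them after TCP reassembly) and flags the backdoor trigger as critical and any non-RFC command as low severity. The captured lines, addresses and severity labels are constructed assumptions.

```python
# Command set from RFC 1459 sections 4 and 5; anything else is unexpected on
# a plain IRC port and worth a look, and "AB..." never appears here.
KNOWN_COMMANDS = {
    "PASS", "NICK", "USER", "SERVER", "OPER", "QUIT", "SQUIT", "JOIN", "PART",
    "MODE", "TOPIC", "NAMES", "LIST", "INVITE", "KICK", "VERSION", "STATS",
    "LINKS", "TIME", "CONNECT", "TRACE", "ADMIN", "INFO", "PRIVMSG", "NOTICE",
    "WHO", "WHOIS", "WHOWAS", "KILL", "PING", "PONG", "ERROR", "AWAY", "REHASH",
    "RESTART", "SUMMON", "USERS", "WALLOPS", "USERHOST", "ISON",
}

# Constructed sample of (source address, line) pairs sent to the IRC port.
SAMPLE_INBOUND = [
    ("10.0.0.5", "PASS secret"),
    ("10.0.0.5", "NICK lethani"),
    ("10.0.0.5", "USER lethani lethani irked.htb :lethani"),
    ("10.0.0.9", "AB ping -c 1 10.0.0.9"),   # the trigger the article describes
    ("10.0.0.9", "HELP"),                    # not an RFC 1459 command
    ("10.0.0.5", "JOIN #hackland"),
]


def inspect_line(src, line):
    """Classify one client-to-server line; return (severity, reason) or None."""
    if line.startswith("AB"):
        # Unreal3.2.8.1 runs the rest of such a line as a system command.
        payload = line[2:].strip()
        return ("critical", f"{src}: Unreal3.2.8.1 backdoor trigger, payload {payload!r}")
    command = line.split(" ", 1)[0].upper()
    if command not in KNOWN_COMMANDS:
        return ("low", f"{src}: unknown IRC command {command!r}")
    return None


def scan(lines):
    """Run inspect_line over every captured line and keep the hits in order."""
    hits = []
    for src, line in lines:
        hit = inspect_line(src, line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_INBOUND):
        print(f"[{severity}] {reason}")
```

A real deployment would pair the critical hit with the tcpdump check from the post: an ICMP echo leaving the IRC server right after the line confirms the command actually ran.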

In this way we have taken advantage of a backdoor that existed in the application itself to gain access to the server.

Although very few people still use this protocol, there are still small groups that continue to use it. Even in one of the most famous certifications in the hacking world, the OSCP (you can see my experience and tips to pass this certification in this post), they give you access to an IRC server so you can ask questions or communicate with other colleagues.

In fact, until a few years ago it was possible to join “hacking classes” given by the Anonymous hacktivist community in the OnionIRC chat.

If you liked the article, I recommend you visit our other articles on infrastructure hacking.

Lethani.
