finder, takeover, fake dcc's, telnet, wartools addons.
<BR>Cons: NONE!
<P><A NAME="editorial"></A><B><U>[Editorial - IRC wars, another perspective]</U></B>
<BR>Note: Most of this is taken from an article that was written by Ntd
(ntd@mirc.net). I feel that this article has the best perspective about
the IRC wars.
<BR>Note 2: If you are a newbie and you think IRC wars are a great form
of hacking, and doing complex attacks you might want to skip this chapter
and read it another time.
<P><B>IRC WAR? A LOAD OF SILLY NUKES</B>
<BR>Right, first things first, nukes - or properly, Denial of Service (DoS)
attacks - are technically nothing to do with IRC war. They operate directly
from the attacker to the victim's IP, and IRC comes into it only inasmuch
as it gives the attacker a ready source of IP addresses to attack, and
perhaps a "motive" for doing it (e.g., "they banned me!"). But, attackers
could just as easily collect IPs from services such as ICQ (which, incidentally,
has to be one of the most idiotically insecure protocols ever invented,
yet many people who bemoan IRC attack happily run ICQ, and probably don't
even check the option to hide their IP which is useless anyway because
there are a lot of patches that will always show you the IP even if the user
chose to hide it).
<P><B>IRC WAR DOESN'T HELP IMPROVE SECURITY</B>
<BR>Surely the stupidest argument against IRC war, is that unlike other
forms of hacking, it does not help anybody because it doesn't contribute
to increased security. There is a mass of evidence showing quite clearly
that this is not the case. Why did Microsoft release a winsock that was
not vulnerable to the port 139 OOB nuke? Because that nuke became so widely
abused. Why do current versions of mIRC have an option to only enable the
identd server during connection? Because mIRC 5.3 had an ident exploit
with which mIRC could be crashed. Why, in fact, have flood attacks become
so obsolete? Because ircds now contain anti-flood code written directly
in response to flood abuse. Of course these attacks are irritating and
disruptive at the time, but in the long term they have undoubtedly led
to more secure code in operating systems, clients and irc daemons.
<P><B>IRC WAR IS NOT REAL HACKING</B>
<BR>Again, this stems from a misunderstanding of what IRC war is. Essentially
there are two types: TCP/IP attacks (ICMP nuke, smurf, fraggle, ping of
death) and ircd based attacks (nick collisions, lag collisions, serverops,
hacking o:lines, bogus bans). While the first category are almost exclusively
"lame cracking" (that is, the user needs only to download a program and
can then use it without any actual knowledge), the second category is more
ambiguous. I know one person who finds many exploits by working with the
ircd code (which is of course almost always free for download) - and finding
bugs by working with the source is as "real" as hacking can get. Within
a few days of their implementation he found ways of bypassing the ircnet
ircd patches designed to protect against open socks servers and deliberate
nick collisions. He even found a method by which a normal client could
completely crash a server remotely. And what did he do with this knowledge...?
<P><B>DOS ATTACKS</B>
<BR>Yes, they are illegal, and yes they are disruptive. Furthermore, many
DoS attacks affect many more people than those targeted, the most obvious
example being the smurf attack. I am one of a group of friends who run
a few of the biggest channels on ircnet, and these channels are regularly
attacked by war groups intent on taking them. I make no exaggeration when
I say that several times a week, if not every day, members of the original
channel opers complain that they are being smurfed by members of groups
attempting to take the channel. These smurf attacks are capable of taking
down entire ISPs and that IRC warriors recklessly use these attacks against
single users just to take an irc channel is utterly inexcusable in my opinion.
<P><B>MOTIVATION</B>
<BR>While there are some IRC warriors / hackers like the individual I described
above, it is sadly true that there are many more who are acting from more
dubious motives. To the people who resort to floods, nukes and such tools
just because they are banned from channels, I say: you need to get out
more. What, then is my basic point? My conclusion is that IRC abuse and
hacking is like any other branch of hacking - it ranges from the incredibly
basic and lame to the actually quite skilled and beneficial. At the one
end are the classic 13 year old hax0r wannabes with their CLICK.EXE, and
I am in no way suggesting these people's behaviour should be excused or
tolerated. However, I urge you all to be aware that at the other end of
the scale exist talented, knowledgeable hackers discovering and revealing
bugs in clients, OSes and ircds by a variety of methods and in doing so
making IRC more secure for all of us.
<P> <A NAME="packet"></A><B><U>[Some interesting articles by Packet]</U></B>
<P>=[Ping Flooding]=
<P>1. =What is a ping?=
<BR>A ping is a small file (often 32 bytes) that is sent to another computer
online,
<BR>to which the other computer replies. Basically it is saying "hello" to
another
<BR>computer. With this it also shows how long it took for the ping to
get there
<BR>and back.
<P>2. =So why is this useful to me?=
<BR>Well it can and it can not be useful. If you are going to play a game
like
<BR>quake/quake2 on a server, the faster the ping gets there and back the
better.
<BR>Also, if you are on a fast connection you can knock people off their
ISP
<BR>temporarily. This is called ping flooding, and can work very well.
The best
<BR>thing to flood with is a T1 or better. Even if you don't have more
than a
<BR>28.8 you can lag or kill someone. Here is an example of how ping works
<P>&lt;in dos prompt&gt;
<BR>C:\ping 24.131.12.124
<P>This would send a few 32byte packets to that host. Now, this won't do
much
<BR>by itself...but there are more features to pinging that make it very
useful.
<BR>This is the command I often use
<P>C:\ping -l 2800 -t -w 2000 24.131.12.124
<BR>(good for 28.8 users)
<P>-l is the size of the packet to send, generally you want to keep trying
higher
<BR>numbers till you find the very most their connection can take....soon
they
<BR>will be too lagged to do much, or get killed. -w is how long it waits
till it
<BR>decides to time out.... -t keeps pinging the IP until you hit CTRL+Break
<P>There are some other cool switches like -n which echo floods them, and
-v
<BR>which specifies the Terms Of Service
<P>=[Net Splits]=
<P>1. =[What is a NetSplit]=
<BR>The way the large irc servers work is they link together to provide less lag
and a
<BR>local server to many people. They link together so that people can
talk and
<BR>do what ever and not have to be on the same server. What a netsplit
is, is
<BR>when one server is lagged enough it breaks off from the rest of the
servers
<BR>then becoming its own stand alone server until it merges again.
<P>2. =[Why Does this matter?]=
<BR>Well it can and it can't matter....It is possible to take over a channel
<BR>through netsplits. So it can matter if you want to protect yourself
from
<BR>this, or do it yourself.
<BR>
<P>3. =[How do I protect myself?]=
<BR>The only way is to have netsplit protection. A lot of people do not
like this
<BR>script, and I do not recommend using it unless you think someone is
trying to
<BR>take your channel. When servers merge it tries to restore the settings
as it
<BR>was before the split. So if you were a channel operator the server
would OP
<BR>you, reset the modes etc etc. When someone takes a channel by a netsplit
they
<BR>get opped by the server, so the script deops anyone who is opped by
the server.
<BR>If you do use this script, make sure people can op themselves automatically
by
<BR>sending you a message. ...
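<P>The check that a netsplit-protection script of this kind performs, as an added example (not Packet's script and not code from this tutorial): it reads raw RFC 1459 MODE lines, picks out +o changes whose prefix is a server rather than nick!user@host, and builds the matching deop commands. The function names, the <code>skip</code> parameter and the sample lines are assumptions made for illustration.

```python
import re

# Modes that consume a parameter (RFC 1459, section 4.2.3.1):
# o, v, b, k always; l only when it is being set.
PARAM_ALWAYS = set("ovbk")
PARAM_ON_SET = set("l")

# Constructed sample lines, not captured traffic.
SAMPLE = [
    ":irc.example.net MODE #chan +o intruder",
    ":alice!a@host.example MODE #chan +o bob",
    ":irc.example.net MODE #chan +tnl-k+oo 25 oldkey carol dave",
]

def is_server_prefix(prefix):
    """A user prefix is nick!user@host; a server prefix is a bare hostname."""
    return "!" not in prefix and "." in prefix

def server_ops(line):
    """Return (channel, [nicks]) for +o set by a server, else None."""
    m = re.match(r":(\S+) MODE ([#&]\S+) (\S+)(?: (.*))?$", line.strip())
    if not m or not is_server_prefix(m.group(1)):
        return None
    channel, modes, args = m.group(2), m.group(3), (m.group(4) or "").split()
    adding, opped, i = True, [], 0
    for ch in modes:
        if ch in "+-":
            adding = (ch == "+")
            continue
        if ch in PARAM_ALWAYS or (ch in PARAM_ON_SET and adding):
            if i >= len(args):
                break  # malformed line: stop rather than mis-assign a nick
            if ch == "o" and adding:
                opped.append(args[i])
            i += 1
    return (channel, opped) if opped else None

def deop_commands(line, skip=()):
    """Build MODE -o commands; `skip` (hypothetical) holds nicks to leave alone,
    for example the protecting client's own nick."""
    hit = server_ops(line)
    if not hit:
        return []
    channel, nicks = hit
    skipped = {n.lower() for n in skip}
    return [f"MODE {channel} -o {n}" for n in nicks if n.lower() not in skipped]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(raw, "->", deop_commands(raw))
```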
<P>4. =[How do I take a channel through this?]=
<BR>First you need a link looker, (which comes with this script). What
a link
<BR>looker does is search for servers that are about to or have broken
off. When
<BR>you find a server that has broken off, you need to quickly join that
server
<BR>and go into the channel you want to take over. If no one else is on
that server
<BR>you will be a channel operator. But this is not all you have to do,
because
<BR>when the servers merge again it will deop you. You need to run the
Dysnch script
<BR>which will fill the channel with bans and different modes. Hopefully
it will
<BR>screw up the already screwed channel enough that when the merge happens
it
<BR>thinks you were a channel operator and you keep your OPS. Then you
need to
<BR>quickly run the takeover script so that none of the netsplit protection
(if
<BR>there are any) scripts deop you.
<P>=[Advanced Nuking]=
<P>Nuking is fun for the whole family, but sometimes it's not just "wham
bam thank you ma'am". On
<BR>occasion, it requires you to be a little creative to successfully nuke
someone. Hopefully
<BR>we will give you some ideas on how to become a pheared nuker.
<P>** Open ports:
<BR>In order to become a successful nuker, you must learn to find as much
information about your
<BR>target as possible. One of the most important elements to nuking is
finding the right ports
<BR>to nuke. The default IRC server ports are 6660-6669, with 6667 being
the most commonly used.
<BR>One thing you may discover throughout your nuking 'career' is that
most servers offer different
<BR>ports that are open for IRCing. The easiest way to find out the open
ports is to check the
<BR>Message Of the Day, for 90% of all IRC servers will list their open
ports in the motd. To get
<BR>the message of the day simply type '/motd irc.server.net'. This will
display the motd and allow
<BR>you to find the open ports (usually). Now you can nuke these ports,
increasing your chances of
<BR>success.
<P>** Their Connection:
<BR>Another thing you may want to do is find out whether your target is
on a shell account, or a
<BR>dial-up account. Under normal circumstances, dial-up users are easier
to nuke than shell accounts
<BR>for reasons we won't go into right now. To find out which they are
using, simply take the last
<BR>part of their IP and try to visit the ISP's homepage. Again, there
are many servers that
<BR>will describe their services on their web-page. Usually, if their ip
is two or three legible
<BR>words only interrupted by a period, then it is a shell. For instance,
<BR>"jkrondike@mainsys.postex.net" would most likely be a shell account,
while
<BR>"yourmom@modem29.er.actil.net" is usually a dial-up.
<P>** Nuking Shell Users:
<BR>If you're using windows, you should download a program that will allow
you to finger a server.
<BR>Cyberkit is a good program, for it has Ping, Finger, Traceroute, etc.
<BR>Get it at http://www.ping.be/cyberkit/cyber.zip, or go find one of
your own. There are hundreds
<BR>to choose from. (no we're not being endorsed by cyberkit, it's just
a kickass proggie)
<BR>Most shell account users will login from a dial-up account, and if
finger is running on their
<BR>shell, it should display the dial-up IP address. Finger the server
and once you know this, use
<BR>your nuker to disconnect them from their shell by replacing the IRC
server with their shell
<BR>account address, and use the IP you found through finger as the client.
Use ports 22 24 as the
<BR>server ports, in place of 6660 6669. Port 23 is the default telnet
port, so nuking from 22 to 24
<BR>will effectively disconnect them from their shell account. This usually
causes your target to
<BR>quit irc with "Where did my controling terminal go?" quit message.
It's pretty funny when it
<BR>works.
<P><A NAME="bib"></A><B><U>[Bibliography]</U></B>
<BR>My personal experience.
<BR>IRCing with telnet - Understanding IRC protocol, by ech0 Security -
HTTP: <A HREF="http://ech0.cjb.net">http://ech0.cjb.net</A>.
<BR>Request for Comments (RFC): #1459, May 1993, By J. Oikarinen and D.
Reed
<BR>Black Sun Research Facility (<A HREF="http://blacksun.box.sk">blacksun.box.sk</A>).
<BR>IRC War, Another Perspective - by Ntd
<BR>Some articles by some guy named Packet.
<P>The IRC Warfare Tutorial / Written by <A HREF="mailto:talrun@actcom.co.il">The
Cyber God</A> | Updated, 7/20/01 by <A HREF="mailto:rammal81@hotmail.com">Mikkkeee</A>
<BR>My ICQ#: 7864557
<P>EOF
</BODY>
</HTML>