| |_When the user signed in
|_ How many seconds has he been idle</PRE>
<PRE>Last line:
:End of /WHOIS list.
|_ Shows you that there is no more data.</PRE>
Also, when users know your IP they can start almost any Denial of Service
(DoS) attack on your host like WinNuke (Arggg... Lame Lame Lame!!!) or
a lovely ping flood that will chew up all of your bandwidth, depending
on the attacker's bandwidth (for more info and more sophisticated DoS attacks,
see the DoS tutorial at blacksun.box.sk).
<P><A NAME="spoof"></A><B><U>[How to spoof / hide your identity on the
IRC]</U></B>
<BR>After seeing what users can find out about you, it is time to learn
how to hide your identity.
<P>There is no easy and lame way to do this. Here are the most known ways:
FireWall, WinGate and a Bouncer, aka (Also Known As) BNC.
<BR>We will start from the firewall.
<BR>The firewall we are talking about is software that runs on some machine
and is used to filter incoming packets (packets that arrive to the machine
which is running the firewall) and outgoing packets (packets that are sent
from the machine which is running the firewall). Some firewalls are not
configured very well and allow anyone to connect to them. The hard part
is to find a working one that will let you connect through it. Once you
are connected through it, users that whois you or dns you will see the
firewall's IP! If, for example, there is a misconfigured
FireWall on the host firewall.someone.com, you can use it in mIRC, for
example, by starting the mIRC program (I use the newest version 5.6, go
download it at www.mirc.co.uk) and:
<BR>1. Click on the Files menu, then Options.
<BR>2. On the topmost label of the tree where you can see 'Connect', If
you see a '+' next to it click it. If you see a '-' go to the next step
<BR>3. Click on the sub-item Firewall (duh...)
<BR>4. Be sure the 'Use SOCKS firewall' checkbox is marked (has an 'X'
in it).
<BR>5. In the Hostname field, write the IP / Hostname of the firewall.
For example, let's use firewall.someone.com
<BR>6. Leave the USER ID and PASSWORD empty, and make sure the port is
1080.
<BR>7. Click OK.
<BR>Now, the next time you type /server ... to connect to the IRC server,
the connection will be relayed through the firewall, so if someone does a
whois on you he will see something like this:
<P>:localhost 311 ^TCG^ ^TCG^ ~TCG firewall.someone.com * :The Cyber God
<BR>:localhost 312 ^TCG^ ^TCG^ localhost :test server
<BR>:localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time
<BR>:localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.
<P>You can see that my host is NO LONGER thegod.actcom.co.il, instead it
is now firewall.someone.com!!
<BR>Now I am protected. You might be asking right now where to get the
firewall hosts. One idea is to ask your friends. Another is to go to
Altavista (www.altavista.com) and search for "firewall AND list" and
stuff like that.
<P>Another way of spoofing your IP is a WinGate. WinGate is software for
Windows that is used to let several computers that are connected through
a local network of some sort to use one computer's Internet access. It
also allows you to fake your IP _EXACTLY_ the same way. After installing
WinGate, anyone will be able to use it if you don't configure it well (I
personally recommend using SyGate instead). To find Wingate addresses you
can ask your friends, run a Wingate scanner that will scan whole subnets
for Wingates or look for lists on the web.
<P>Note: newer versions of the IRC daemons will automatically check for
an open Wingate or a firewall, and if they detect one they will kill
your session and might even K-Line (ban the host from using the server/network)
the host as well.
<P>Now, on to the Bouncer (aka BNC) spoofing.
<BR>Bouncer is software that runs on Unix computers. If, for example, there
is a BNC on bnc.shell.com on port 1234, you can connect to it by typing:
/server bnc.shell.com 1234
<BR>After that you should be getting something like this:
<BR>-BNC- Please type your password via /quote pass
<BR>Crap... You need a password. If you know the password you have no problem.
Just type '/quote pass password' (without the quotes), replacing 'password'
with your password.
<BR>If you don't know the password you need to ask the guy that gave you
the BNC (or you could always hack the server... ;) but this tutorial is
about IRC warfare, not hacking servers and getting passwords). You should
also ask him if it (the BNC) has vhosts. Vhosts are multiple IPs and hostnames
for the same BNC. If it has vhosts, you can set your active host by typing
'/quote vip the.host.name.here' (as you should be able to figure by now,
it is done without the quotes).
<P>After this you type '/conn server'. For example /conn irc.dal.net will
connect you to irc.dal.net with the bouncer's host.
<P>Note: unlike firewalls and badly configured Wingates, the server cannot
detect a BNC, so there is no chance you will be banned for using it.
<P><A NAME="bans/bypass"></A><B><U>[Bans and how to bypass them]</U></B>
<BR>Channel Operators might ban you after you have done something in their
channel that made them angry :( .
<BR>To bypass a ban you first need to know the ban type. There are a few
ban types:
<BR>1. nick!*@* - Bans you by your nickname. All you need to do is change
your nick (by typing /nick newnick, or in raw session NICK newnick) and
you can reenter the channel.
<BR>2. *!user@* - Bans you by your Ident (UserID). If your computer is
not running an IdentD daemon (A win9x with mIRC for example) you can easily
change your Ident by clicking on the File menu, selecting Options, opening
the 'Connect' sub-tree, clicking the IdentD label and changing the User
ID. If you are under a Unix / Linux machine that is already running an
IdentD daemon, you can't change it because it automatically sets your ident
username to your login name. To change this you need to logon to the IRC
through a Bouncer because bouncers fake your IdentD.
<BR>3. *!*@host - You are banned by your IP / host. All you need to do
is to connect through a firewall or a Wingate.
<BR>Sometimes the bans are more complex, like ^TCG^!*@*.actcom.co.il.
<BR>This ban will prevent anyone named ^TCG^ with a host that ends with .actcom.co.il
from joining the channel.
<BR>If you are interested, here is the format:
<PRE>Nick!user@host / IP
 |    |    |_ The IP or hostmask.
 |    |
 |    |_ Your username. The IdentD sets this. When running an IdentD daemon it
 |       is mostly not faked, but when running Windows or connecting through a
 |       bouncer it is probably faked.
 |
 |_The user nickname. It might also contain wildcards like *T*C*G*.
   This will prevent anyone with the letters T, C and G (in this order)
   from joining the channel.</PRE>
<PRE>Examples: ^TCG!*@*.actcom.co.il
          |    | |_________The server
          |    |_Your Ident user (defined as the wildcard '*', meaning ANYTHING)
          |_Your nickname</PRE>
As you probably know, channels have different modes. For example +o to
make a certain person an OP (Operator), +b to ban a person, etc. To set
a ban you type: /mode #Channel +b nick!user@host and to remove a ban you
type /mode #Channel -b nick!user@host
<BR>On a raw session you don't need the '/'.
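<P>For a channel operator choosing a mask, the sketch below checks which nick!user@host identities each of the mask types above still covers. It is an added example, not part of the original tutorial; the function names are hypothetical, the sample identities are constructed from the hosts used on this page, and RFC 1459 case folding is assumed.

```python
import re

# RFC 1459 casemapping: "[]\~" are the uppercase forms of "{}|^".
_FOLD = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ[]\\~",
                      "abcdefghijklmnopqrstuvwxyz{}|^")

def fold(s):
    """Case-fold a nick, ident or host the way an RFC 1459 server compares them."""
    return s.translate(_FOLD)

def mask_to_regex(mask):
    """Compile a ban mask. Only '*' and '?' are wildcards; '[' is a legal
    nick character, so glob libraries that treat it as a class are wrong here."""
    parts = []
    for ch in fold(mask):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def matches(mask, identity):
    """True if the full nick!user@host string is covered by the mask."""
    return mask_to_regex(mask).fullmatch(fold(identity)) is not None

def ban_coverage(masks, identities):
    """Map each mask to the identities it still matches."""
    return {m: [i for i in identities if matches(m, i)] for m in masks}

# Constructed sample data: one user seen under three identities.
MASKS = ["^TCG^!*@*", "*!~TCG@*", "*!*@*.actcom.co.il", "*T*C*G*!*@*"]
IDENTITIES = [
    "^TCG^!~TCG@thegod.actcom.co.il",    # original identity
    "NewNick!~TCG@thegod.actcom.co.il",  # after a nick change
    "^TCG^!~TCG@firewall.someone.com",   # same user seen via a relay host
]

if __name__ == "__main__":
    for mask, hit in ban_coverage(MASKS, IDENTITIES).items():
        print(f"{mask:22} covers {len(hit)}/{len(IDENTITIES)}: {hit}")
```

No single-field mask covers all three identities unless that field stays constant, which is why operators often combine a host ban with a nick or ident ban.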
<P><A NAME="nolikename"></A><B><U>[I don't like your nickname... / Getting
a user off the IRC]</U></B>
<BR>The easiest way to get a user off the IRC is using a program called
"Click2" for Windows.
<BR>It might not always work and it is considered extremely lame, but it
might work sometimes.
<BR>After you got this program, do the following:
<BR>1. Set the "Packets to:" option box to "Client"
<BR>2. In the Server textbox fill-in the TARGET server. You can figure
it out by doing a /whois or a /dns on the target's nickname.
<BR>3. In the Client textbox fill-in the TARGET IP address. You can also
figure this by doing a /whois or /dns on him but if he uses any spoofing
technique like a BNC or a Wingate it won't harm him even a bit (it may
harm the Wingate / Firewall / BNC, though).
<BR>4. Be sure that you set it to send 64 packets every 1000ms in the 2
textboxes at the end of the window.
<BR>5. The client start port should be 1024 and the stop 1500.
<BR>6. Now hit nuke....
<BR>This is what you will see if it worked and you were in a channel, and
the target is also in this channel:
<BR>*** Quits: ^TCG^ (Connection reset by peer)
<BR>(Or something like this)
<P>The target should see something like this:
<BR>*** [10053] Software caused connection abort
<P>If it is not working, you won't see anything and he won't either. If
he is running some packet-logger that logs ICMP packets he will see your
IP but most users do not run these.
<P>Another lame way is to try winnuking the address. I won't explain here
how to do it and what winnuke is because it has nothing to do with this
tutorial (see R a v e N's DoS tutorial for Winnuke information, as well
as information on more sophisticated attacks).
<P>Here is a more complex way.
<BR>You will need a flood program like "Floods". (Ask me if you want it)
<BR>After running it or any other flooding script that is based on clone
loading you connect the clones to the target IRC server. (~6 clones should
do the job)
<BR>Before we continue, I want to explain to you how this works.
<BR>Each user on the IRC has something called SendQ and RecvQ. They contain
the data the user is sending / receiving.
<BR>They also have a maximum value. If this value is reached, the server
will automatically close their connection.
<BR>Flood programs and flood scripts load clones (computer-operated IRC
"users") and start sending a lot of crap to the target nick, causing his
RecvQ to fill up and he should get disconnected :).
<P>So after you have launched the program, you start flooding. I can't tell
you exactly how because there are a lot of programs and I can't explain to you
how every one works, but I can help you via my e-mail: talrun@actcom.co.il
<BR>There are also more advanced programs that support clone loading through
firewalls and Wingates. When a user loses his connection to the IRC because
of such an attack, everyone on every channel he was present on will see
the following:
<BR>*** Quits: ^TCG^ (Excess Flood)
<P>Another way of disconnecting a user from the IRC is exploiting a bug
in his OS. You need to determine his OS and start this attack on him. There
are lots of different types of attacks. To learn about them, read R a v
e N's DoS tutorial.
<P><A NAME="cought"></A><B><U>[Can I get caught and will I?]</U></B>
<BR>First of all, it depends on what you are going to do or already did.
<BR>When you are going to take over a channel for example, if you are doing
it without hiding your identity first (See previous chapter) you can get
caught but nothing will probably happen to you. You might receive a DoS
attack that can terminate your IRC session or lag you like hell. If you
are using a bouncer for example, you won't get caught for this. But if
you "click" someone and he logs the packets he can e-mail your ISP with
your IP and they might kill your account.
<BR>
<P>If you are killing someone with a netsplit (See next chapter) you won't
get caught and nothing will happen to you since you haven't done anything
illegal.
<P>Also, it is good to know as much as possible about your target. If you
see someone that is named 'Ass^Hole' for example, you have no good reason
to go packet him or flood him. He might have access to an OC3 or a DS-3
line (Extremely fast connections to the Internet) and he might also detect
your attacks and start flooding you in return. Trust me, you don't want
this to happen. One day my T3 line got ping flooded from an OC3 line and
it stopped working for about 30 minutes. Just for your information, OC3
can transfer up to 255Mbit and a T3 can transfer up to 9Mbit (I think).
If such a line will flood your computer you don't stand a chance.
<P><A NAME="netsplit"></A><B><U>[What are netsplits and how can they help
me?]</U></B>
<BR>Large IRC networks consist of various servers. A NetSplit occurs when
a link between one of the servers and the others gets broken because of
lag or other reasons. All users that were connected to this channel will
be separated from the others as long as the netsplit occurs.
<BR>Therefore, lots of channels become empty, and get closed. When you
will join a channel that became empty, or you left only 1 user in the channel
and you will cycle it, there is a chance that you will obtain the channel
operator status (OP, @).
<BR>On a NetJoin (when the server relinks to the entire network again) you
might still have the channel operator status. On new servers, you won't
get the operator status when the network is in a split mode, but if you
could find an old server or network you just might get lucky. Breaking
a connection between 2 servers by yourself is very difficult. You need
to pick 2 servers that are already lagged and start ping-flooding the target
server from a fast connection.
<BR>Once a netjoin occurs, it is recommended to have a war script (we'll
get to those) that will DeOP everyone on the channel so other OPs won't
be able to DeOP you.
<P>NetSplits can also let you disconnect a user from the IRC. Let's say
you want to disconnect a user named 'Lamer'. When a netsplit occurs, there
are two different possibilities:
<BR>1) The target user ('Lamer', in our case) was on the server that did
the netsplit and has left the IRC network, but will return once a netjoin
occurs (shouldn't take a lot of time).
<BR>2) The user is still on the network and has nothing to do with the
netsplit.
<BR>If number 1 occurs then all you need to do is connect to the network
using his nickname and wait for the netjoin. When the servers re-link
they will see that there are 2 users with the same nickname. Such a thing
cannot possibly happen, so one user must be killed. The user that was NOT
on the network (which means he was on the split server) will probably
get killed. If option 2 occurs then all you can do is to put a clone (open
another IRC session), connect to the split server and change your nick
to his nick. When the servers rejoin there is a small chance that
he will get killed, so cross your fingers. :)
<P>Now, for the 1,000,000$ question: how do I detect a netsplit? You can
detect a netsplit if the user(s) quit message is "Server1 Server2". For
example:
<PRE>Lamar has quit IRC (irc.magic.com irc.freei.net)
                    |             |_Server2
                    |_Server1</PRE>
This message tells you that there is a split between irc.magic.com and
irc.freei.net
<BR>The second server (Server2) is the server that left the net.
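<P>A channel bot can use the same "Server1 Server2" quit format to notice a split and to flag anyone who takes a split user's nickname from a different user@host before the netjoin. This is an added detection sketch, not part of the original tutorial; the class name, the raw log lines and the example.* hosts are constructed for illustration, and nicknames are compared with plain lowercase rather than full RFC 1459 folding.

```python
import re
from collections import defaultdict

HOST = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
SPLIT_RE = re.compile(rf"({HOST}) ({HOST})")
LINE_RE = re.compile(r":([^!\s]+)!(\S+) (QUIT|NICK|JOIN)(?: :?(.*))?")

def parse_netsplit(reason):
    """Return (server1, server2) if the quit reason is exactly two hostnames."""
    m = SPLIT_RE.fullmatch(reason.strip())
    return (m.group(1), m.group(2)) if m else None

class SplitWatcher:
    """Remembers who was lost in a split and flags reuse of their nick."""
    def __init__(self):
        self.lost = {}                   # lowercase nick -> (user@host, pair)
        self.splits = defaultdict(list)  # (server1, server2) -> nicks lost
        self.alerts = []                 # (nick, claimant user@host, pair)

    def feed(self, line):
        m = LINE_RE.fullmatch(line.rstrip("\r\n"))
        if not m:
            return
        nick, userhost, cmd, arg = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        if cmd == "QUIT":
            pair = parse_netsplit(arg)
            if pair:
                self.lost[nick.lower()] = (userhost, pair)
                self.splits[pair].append(nick)
            return
        # NICK carries the new nickname; JOIN is made under the current one.
        taken = arg if cmd == "NICK" else nick
        seen = self.lost.get(taken.lower())
        if seen is None:
            return
        if seen[0] != userhost:
            self.alerts.append((taken, userhost, seen[1]))
        else:
            del self.lost[taken.lower()]  # the original user is back

def run(lines):
    watcher = SplitWatcher()
    for line in lines:
        watcher.feed(line)
    return watcher

# Constructed sample of raw lines as a bot on the surviving side would see them.
SAMPLE = [
    ":Lamer!lamer@dialup.example.net QUIT :irc.magic.com irc.freei.net",
    ":Bob!bob@host.example.org QUIT :irc.magic.com irc.freei.net",
    ":Carol!c@host.example.com QUIT :Ping timeout",
    ":guest7!x@other.example.net NICK :Lamer",
    ":Bob!bob@host.example.org JOIN :#chat",
]
```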
<P><A NAME="takeover"></A><B><U>[Channel Takeovers]</U></B>