IRCP

- information gathering tool for irc servers
git clone git://git.acid.vegas/IRCP.git
Log | Files | Refs | Archive | README | LICENSE

README.md (4655B)

      1 # Internet Relay Chat Probe (IRCP)
      2 
      3 ![](.screens/ircp.png)
      4 
      5 *TRIPLE 6 SEVEN OCULOUS*
      6 
      7 A robust information gathering tool for large scale reconnaissance on [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat) servers, made for future usage with [internetrelaychat.org](https://internetrelaychat.org) for public statistics on the protocol.
      8 
      9 Meant to be used in combination with [masscan](https://github.com/robertdavidgraham/masscan) checking **0.0.0.0/0** *(the entire IPv4 range)* for ports **6660-6669**, **6697**, **7000**, & other common IRC ports.
     10 
     11 The idea is to create a *proof-of-concept* documenting how large-scale information gathering on the IRC protocol can be malicious & invasive to privacy, while also yielding deep-dive look at the IRC protocol & it's internal statistics & commonalities.
     12 
     13 ## Usage
     14 The only required arguement to pass is a direct path to the targets list, which should be a text file containing a new-line seperated list of targets.
     15 
     16 Targets must be a valid IPv4 or IPv6 address & can optionally be suffixed with a port.
     17 
     18 Edit [ircp.py](https://github.com/internet-relay-chat/IRCP/blob/master/ircp.py) & tweak the settings to your favor, though they rest with sane defaults.
     19 
     20 ## Order of Operations
     21 First, an attempt to connect using SSL/TLS is made, which will fall back to a standard connection if it fails. If a non-standard port was given, both standard & secure connection attempts are made on the port as-well. The **RPL_ISUPPORT** *(005)* response is checked for the `SSL=` option to try & locate secure ports.
     22 
     23 Once connected, server information is gathered from `ADMIN`, `CAP LS`, `COMMANDS`, `HELP`, `MODULES -all`, `VERSION`, `IRCOPS`, `MAP`, `INFO`, `LINKS`, `SERVLIST`, `STATS p`, & `LIST` replies. An attempt to register a nickname is then made by trying to contact NickServ.
     24 
     25 Lastly, every channel is joined with a `WHO` command sent & every new nick found gets a `WHOIS` sent. Registered channels & nicks are issued a NickServ/ChanServ `INFO` command. CTCP requests are sent to channels & nicks aswell.
     26 
     27 Once we have finishing scanning a server, the information found is saved to a JSON file. The data in the logs are stored in categories based on [numerics](https://raw.githubusercontent.com/internet-relay-chat/random/master/numerics.txt) *(001 is RPL_WELCOME, 322 is RPL_LIST, etc)* & events *(JOIN, MODE, KILL, etc)*.
     28 
     29 Everything is done in a *carefully* throttled manner for stealth to avoid detection. An extensive amount research on IRC daemons, services, & common practices used by network administrators was done & has fine tuned this project to be able to evade common triggers that thwart what we are doing.
     30 
     31 ## Preview
     32 ![](.screens/preview.png)
     33 
     34 ## Threat Scope
     35 While IRC is an generally unfavored chat protocol as of 2023 *(roughly 7,000 networks)*, it still has a beating heart *(over 300,000 users & channels)* with potential for user growth & active development being done on [IRCv3](https://ircv3.net/) protocol implementations.
     36 
     37 Point is..it's is not going anywhere. With that being said, every network being on the same port leads way for a lot of potential threats:
     38 
     39 * A new RCE is found for a very common IRC bot
     40 * A new 0day is found for a certain IRCd version
     41 * Old IRC daemons running versions with known CVE's
     42 * Tracing users network/channel whereabouts
     43 * Mass spamming attacks on every network
     44 
     45 Mass scanning *default* ports of services is nothing new & though port 6667 is not a common target, running an IRCd on a **non-standard** port should be the **standard**. If we have learned anything in the last 10 years, using standard ports for *anything* is almost always smells like a bad idea.
     46 
     47 ![](.screens/base.png)
     48 
     49 ## Todo
     50 * Built in identd
     51 * Checking for IPv6 availability *(SSL= in 005 responses may help verify IPv6)*
     52 * Support for IRC servers using old versions of SSL
     53 * Support for hostnames in targets list *(Attempt IPv6 & fallback to IPv4)*
     54 * Support for multiple vhost
     55 * How do we handle the possibility of connecting to multiple servers linked to same network?
     56 * Seperate lists for failed & banned networks.
     57 * Learn network target-change throttles from 439 **ERR_TARGETTOOFAST** replies *(Research IRCd defaults)*
     58 * Store last command execute to detect triggers
     59 
     60 ## Opt-out
     61 You can request to opt out of our scans by sending an email to [scan@internetrelaychat.org](mailto://scan@internetrelaychat.org)
     62 
     63 ___
     64 
     65 ###### Mirrors
     66 [acid.vegas](https://git.acid.vegas/IRCP) • [GitHub](https://github.com/internet-relay-chat/IRCP) • [GitLab](https://gitlab.com/internetrelaychat/IRCP) • [SuperNETs](https://git.supernets.org/internetrelaychat/IRCP)