Disclamer: I hate it when ppl have disclamers in capital letters, it's not like your going to read it just because it's in damn caps, who read these stupid things anyways? Anyhow....the author has responisible for the use of this infomation, blah blah blah, it is for educational use only, yadie yadie yada.... If you get caught fux0ring up someone, it's your fault, this faq is *hypothetical*, i do not condone this sort of behavour (heh).
start the real stuff ;)
I think it is time someone, somewhere, somehow wrote an upto date "Howto takeover an IRC channel". I was browsing one a few weeks-months-years whatever and it was so wrong, it's getting a little more tough, sorting out the idiots from the morons.
O.k, so this is how it goes. Your in a chan and the OPs or users in that chan are pissing you off, so you think you should shut them up by owning there stupid little channel for a week or ten, there are a few ways to go about it:
1.) Own the OPs, ride a split (you can't get OPs when there are OPs allready in the chan)
2.) Own everyone in the chan and cycle to get ops
3.) Spoof and/or Bounce an OPs IP/Domain, wait for someone to whore you OPs
4.) Hack the bot, get ops off it, or get it to take the chan, then get OPs
5.) Hack the server the bot is on (or a *nix user) to hack the bot (or the user), then revert to #4
************************** Number One ********************************
We'll start with the most basic, owning the OPs. Get on a Shell, wingate or get a friend to version the OPs in the channel, getting their version reply/s therefore knowing what OS they are using (mirc, pirch, WinBitchX, WinIrcii = Windows. IRCle, homer, MacIRC, MacBitchX, ShadowIRC, Snak = MacOS. BitchX, Ircii = linux, sunOS, *BSD, Solaris....), or you can portscan them seeing what TCP ports they are using and getting version of the services, this way you can find out what they are using aswell, ie.WarFTP (winblows), Telnet (usualy *nix), Nothing (A smart whore).
Once you find out what OS's they are using, you can rumage through your exploits and use them against the ppl. The most affective/quick kill against windows are things like; ice for ice.bx script, teardrop, winnuke (yeah some of these are old, but ppl forget to patch themselves a lot), land, icmp echo, puke, basicaly anything that works quickly. However, if they are using a firewall the kill will take longer, smurfing will works and so will fragmented packetes (which pass through some firewall protocals, but i dunna want to go into that :P ). If there is a dude using a distribution of unix (linux, SunOS, BSD....), and he is on a PPP/SLIP account (dialup) it is easiest to just packet them with something like pepsi, pepsi5, quench, burn.... or smurf'em, otherwise you can go into the nitty critty of exploiting there system (which i'll go into on the part of hacking the system to hack the bot/user). If one of the OPs is using MacOS (which isn't very often as if should be), you can smurf them or packet them, use icmp echo, land attack....
So just say you've got rid of all the OPs (yay), now it is a test to see who can get OPs off a split. A split is when one of the IRC servers on the network (ie. EFnet, Undernet, IRCnet, Slacknet {irc.slackenet.org}) has lost connection (split) away from the Network, when this happends the IRC server used to think that if you joined a channel on the split IRC server you were making a new one (cause you are the only one in that channel, all the other ppl should be on different server/s that are still part of the linked Network), this means you whore OPs and when the server rejoins with the Network you get to keep the OPs. However, now days when a server splits and you join a channel it says shit like "Due to a Netsplit you cannot gain OPs in this channel", so what you have to do is keep cycling the chan (parting then rejoining, you can get a script for this, easy to write) after a while the server will give you OPs, and when the server rejoins the Network you get to keep the OPs (as long as you have killed all the OPs before hand, you can't get OPs off a split when there are allready OPs in the channel). About now you should have whore'd OPs, but you might have to wait a long time for a netsplit, heh i should have mentioned that earlier, but if your a packet monkey you can get your monkey friends together and split a server.
************************** Number Two *******************************
If there are only a few ppl in the channel, or you think you can take them all out, go ahead. Like i said before, get their OS versions and exploit them, use something against them that will own'em. Once you have completed the deed and there is no one left in the channel, you can part the channel then join it and you will have OPs.
@ A few hints against specific OS's:
Most following DoS attacks are part of denial.sit (from my Denial.txt) for Happle.
Windows:
1234.c
arp.html
arp_fun.txt
bloop.c
boink.c
coke.c
cvn.c
echok.c
flushot.c
fraggle.c
gargamel
gayezoons.c
gewse.c
hell
ikill.c
ipbomb.c
ipfrag.c
jolt.c
killwin.c
kkill.c
land.c
lin
icmp_echo.c
click.c
newpep.c
nuke.c
nuke2
octopus.c
orgasm.c
papasmurf-linux.c
pinger.c
pingexploit.c
poink.c
pong.c
puke.c
quench.c
rc8.c
resetter.c
rfc1644.txt
rpk.c
rst_flip.c
sesquipedalian.c
sf_paus.c
slice.c
smack.c
smurf.c
smurf.txt
smurf4.c
solaris_land.c
solaris_ping.txt
ssynk4
storm.c
stuffit.c
syndrop.c
synful.c
synk4.c
synsol.c
sysfog.c
targa.c
teardrop.linux
thc.c
udpdata.c
udpdenial.c
winarp.c
windows98.pingflood.txt
wingate-killer.pl
wingate-killer.sh
wingatecrash.c
MacOS:
land.c
Icmp_echo.c
puke.c
click.c
papasmurf.c
smurf.c
smurf4.c
pepsi5.c
pepsi.c
resetter.c
rst_flip.c
quench.c
*nix:
land.c
smurf.c
papasmurf.c
pepsi5.c
pepsi.c
resetter.c
rst_flip.c
quench.c
I'm not going to list many attacks for *nix because there are so many, most are for an attack against one application, so i'd be here for a while ;)
************************** Number Three ******************************
So where upto Spoofing and/or Bouncing, i'll start with the bouncing. Wingating (bouncing as some ppl call it, use wingates for this only when there is a ppp/slip/dialup/cable {sometimes it can pass off}, because the IPs are different all the time and the other OPs won't know it's not their buddy) is used for many things, what a wingate actualy is, is a piece of software for winblows that allows number of computers to get on the internet through one connection. It can be used for IRC, http proxy, Hotline etc. What you want to do to get OPs, is scan one (if not all) of the OPs domain/s (cause there usualy is more than one OP ;) ) for wingates, so you can use a wingate scanner, or just service scan the domain on port 1080, if there is a reply (TCP) that means it is a wingate or proxy. Say you scanned one of the OPs domains and you found a wingate on one, what you do here is connect to the wingate on port 23 in your irc client, it should look like this:
/server i.am.a.wingate:23
connecting......connected
Wingate >
What you do here is try an connect to an IRC server, so we do as follows:
/quote server irc.iamanircserver.com:6667
then the wingate will say "Connecting to irc.iamanircserver.com:6667" . When it says this and the IRC client gives yoou some text saying " Finding ident ", "Looking up hostname" and "Found Hostname" once those three are done, type the following:
/quote nick <the nick you want>
/quote user <user> <user> <user> <user>
where <user> is what username you want, this will connect you to the IRC server, once you are connected and happy kill the OP who's domain you are bouncing from, because he's the only one who is going to know that you are not him, he'll warn the others about a takeover attempt. Once you have owned the OP, join the channel with his nick and wait to get OP'ed by another OP, or you can say stuff like "Quick OP me, someone's trying to take the chan!" shit like that ;)
Things you have to watch out for are stuff like, if you don't have the same version reply as the OP you are trying to impersonate, so turn ctcp off, if one of the OPs ask why, say that someone was trying to ctcp flood you with random hostnames, it was hard to ignore, just spend some time loking at the OP you are gunna impersonate, just act like them and they should OP you (unless they make you OP yourself from the bot, just make up some other lame shit).
Spoofing is a whole different thing, you need something like ADMsn00fID, or snoof which is based on ADM's "ADMsnOOfID" code. Also you need an valid nameserver to run it on, like you need to be on the nameserver to use it (telnet, ssh), this works against some IRC servers, how it works is you use the NS (nameserver) to cache your IP on the IRC server, but it caches your IP as whatever you want ie. 127.0.0.1 = happle.owns.me.com, when we all know the IP doesn't reslove to that ;) The only thing that needs to be valid is the domain, in this case it's me.com, so now you log onto the IRC server and it should say something like:
Finding Ident...
Looking up hostname, cached
Found hostname
etc
See how it says "cached"? It doesn't look up your IP because it's easier to just use the one that has been cached from the nameservers login, so now you can waltz into that channel with whatever hostname you want (also good for evading bans, or getting OPed by auto opping bots {some owners of bots just add bots as +a, this auto OPs anyone with that Hostname and ident, not good, but fun for taking chans}) and whore OPs :) If you want further information about spoofing, look it up :P Or wait till i get off my lazy arse and write something desent about spoofing.
*************************** Number Four ******************************
Hacking bots is always a fun thing to do, it funny to see what ppl say when there own bot takes the chan or OPs someone who does. Well there's a couple of things we can do here, i'm gunna start with brute force hacking the bot. How to brute force hack a bot is reasonably easy, all you have to do is find out what port the bot is listening on (bots have open tcp ports for there own telnet ie. 56773), you can either get a fast tcp scanner and scan the host for open ports above say..... 8000 to about 99999, or spoof one of the OPs IPs and try to /msg <bot> op <guess pass> and brute force it that way, it is easy to see if you are +m (master) or +n (owner) on the bot. Most eggdrop's (bot) versions don't have many known holes in them, and if the owner has any sense updates to the newest version as soon as it comes out.
Say you found the telnet port, you need to know someone's user who is on the bot, it's usualy there nick, so if BoB gets OPed by the bot, you use his nick as the user, now you get some program (for there are a couple hanging around and it's reasonably easy to write one) that enter passwds from a dictionary file and brute force hack it (or smart force hack) like a passwd list cracker (ie. Crac for linux), this may take a while, also i have put in a cracker for hacking/cracking eggdrops 1.1.5 and 1.3.x (egghack.tar.gz), while your waiting sit back or try other means of getting OPs. Say after 30mins you crack it and your into the bot, so your jumping around and having a beer for celebration what you do now is have a look at what you have (flags):
.match <user>
or you can do:
.whois <user>
If you have +o (or +m, +n) your fine, if you haven't your a stupid fool and you hacked someone who can't even get OPs, sheesh. So now you can get OPs (yay), all you need to do is:
.op <nick> #<chan>
ie: .op uNF #corrupt
uNF will get OPs and s/he or it can massdeop (mdop) the channel. If you don't want to do it this way because you have a slow connection, get a friend in to help you, or a shell, you can even use the .dump command on the bot for it to mdop the chan. The good thing is, most vauge ppl have got no idea, so if the bot gets kicked for massdeoping and comes back into the channel, it gets oped from the other bots or one of the OPs, so you can try again ;)
************************** Number Five *******************************
Dededede... hmm, I was going to do number five this issue of Happle, in this faq, but i have decided to make number five more extensive. I may get some of it out in Happle 10, deffinatly Happle 11 so check it out.
Want to fake OPs in a chan? Just /join #<chan>ı put a character like that there, it doesn't pickup on /whois , so it looks like you have OPs.
ircN for mirc (a script for mirc) used to be exploited by doing this in a windows IRC client:
/ctcpreply (nickname) ping $quit(owned,by,happle)
Or in any other real IRC client, not some shitty winblows crap, you do this:
/ctcp <nick> ping $quit(owned,by,happle)
Kill nickserv by loading loads of clones and getting them to resister there nicknames, use a script for this, it's way quicker.
There is an buffer overflow in ircd2.8.21, look at ircd_kill.c (this is an old exploit may not work on any irc servers)
If you have +mn on an Eggdrop you can (ofcourse, but for the newbies i'll say it anyway) excute tcl commands ie. .tcl exec ls . This will give you a listing of the dir, or you can try .tcl exec cat /etc/passwd etc... think about it, easy to patch aswell ;) .
