194,6667,6660-7000 - Pentesting IRC - HackTricks

Search…

👾

Welcome!

About the author

Getting Started in Hacking

🤩

Generic Methodologies & Resources

Pentesting Methodology

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Brute Force - CheatSheet

Python Sandbox Escape & Pyscript

Tunneling and Port Forwarding

Search Exploits

Shells (Linux, Windows, MSFVenom)

🐧

Linux Hardening

Checklist - Linux Privilege Escalation

Linux Privilege Escalation

Useful Linux Commands

Bypass Linux Shell Restrictions

Linux Environment Variables

Linux Post-Exploitation

🍏

MacOS Hardening

MacOS Security & Privilege Escalation

🪟

Windows Hardening

Checklist - Local Windows Privilege Escalation

Windows Local Privilege Escalation

Active Directory Methodology

Lateral Movement

Authentication, Credentials, UAC and EFS

Stealing Credentials

Basic CMD for Pentesters

Basic PowerShell for Pentesters

📱

Mobile Pentesting

Android APK Checklist

Android Applications Pentesting

iOS Pentesting Checklist

👽

Network Services Pentesting

Pentesting JDWP - Java Debug Wire Protocol

Pentesting Printers

Pentesting Remote GdbServer

7/tcp/udp - Pentesting Echo

21 - Pentesting FTP

22 - Pentesting SSH/SFTP

23 - Pentesting Telnet

25,465,587 - Pentesting SMTP/s

43 - Pentesting WHOIS

53 - Pentesting DNS

69/UDP TFTP/Bittorrent-tracker

79 - Pentesting Finger

80,443 - Pentesting Web Methodology

88tcp/udp - Pentesting Kerberos

110,995 - Pentesting POP

111/TCP/UDP - Pentesting Portmapper

113 - Pentesting Ident

123/udp - Pentesting NTP

135, 593 - Pentesting MSRPC

137,138,139 - Pentesting NetBios

139,445 - Pentesting SMB

143,993 - Pentesting IMAP

161,162,10161,10162/udp - Pentesting SNMP

194,6667,6660-7000 - Pentesting IRC

264 - Pentesting Check Point FireWall-1

389, 636, 3268, 3269 - Pentesting LDAP

500/udp - Pentesting IPsec/IKE VPN

502 - Pentesting Modbus

512 - Pentesting Rexec

513 - Pentesting Rlogin

514 - Pentesting Rsh

515 - Pentesting Line Printer Daemon (LPD)

548 - Pentesting Apple Filing Protocol (AFP)

554,8554 - Pentesting RTSP

623/UDP/TCP - IPMI

631 - Internet Printing Protocol(IPP)

873 - Pentesting Rsync

1026 - Pentesting Rusersd

1080 - Pentesting Socks

1098/1099/1050 - Pentesting Java RMI - RMI-IIOP

1433 - Pentesting MSSQL - Microsoft SQL Server

1521,1522-1529 - Pentesting Oracle TNS Listener

1723 - Pentesting PPTP

1883 - Pentesting MQTT (Mosquitto)

2049 - Pentesting NFS Service

2301,2381 - Pentesting Compaq/HP Insight Manager

2375, 2376 Pentesting Docker

3128 - Pentesting Squid

3260 - Pentesting ISCSI

3299 - Pentesting SAPRouter

3306 - Pentesting Mysql

3389 - Pentesting RDP

3632 - Pentesting distcc

3690 - Pentesting Subversion (svn server)

3702/UDP - Pentesting WS-Discovery

4369 - Pentesting Erlang Port Mapper Daemon (epmd)

5000 - Pentesting Docker Registry

5353/UDP Multicast DNS (mDNS) and DNS-SD

5432,5433 - Pentesting Postgresql

5555 - Android Debug Bridge

5601 - Pentesting Kibana

5671,5672 - Pentesting AMQP

5800,5801,5900,5901 - Pentesting VNC

5984,6984 - Pentesting CouchDB

5985,5986 - Pentesting WinRM

5985,5986 - Pentesting OMI

6000 - Pentesting X11

6379 - Pentesting Redis

8009 - Pentesting Apache JServ Protocol (AJP)

8086 - Pentesting InfluxDB

8089 - Pentesting Splunkd

8333,18333,38333,18444 - Pentesting Bitcoin

9000 - Pentesting FastCGI

9001 - Pentesting HSQLDB

9042/9160 - Pentesting Cassandra

9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)

9200 - Pentesting Elasticsearch

10000 - Pentesting Network Data Management Protocol (ndmp)

11211 - Pentesting Memcache

15672 - Pentesting RabbitMQ Management

24007,24008,24009,49152 - Pentesting GlusterFS

27017,27018 - Pentesting MongoDB

44134 - Pentesting Tiller (Helm)

44818/UDP/TCP - Pentesting EthernetIP

47808/udp - Pentesting BACNet

50030,50060,50070,50075,50090 - Pentesting Hadoop

🕸

Pentesting Web

Web Vulnerabilities Methodology

Reflecting Techniques - PoCs and Polygloths CheatSheet

Bypass Payment Process

Cache Poisoning and Cache Deception

Client Side Template Injection (CSTI)

Command Injection

Content Security Policy (CSP) Bypass

Cookies Hacking

CORS - Misconfigurations & Bypass

CRLF (%0D%0A) Injection

Cross-site WebSocket hijacking (CSWSH)

CSRF (Cross Site Request Forgery)

Dangling Markup - HTML scriptless injection

Deserialization

Domain/Subdomain takeover

Email Injections

File Inclusion/Path traversal

Formula/Doc/LaTeX Injection

HTTP Request Smuggling / HTTP Desync Attack

HTTP Response Smuggling / Desync

Upgrade Header Smuggling

hop-by-hop headers

JWT Vulnerabilities (Json Web Tokens)

NoSQL injection

OAuth to Account takeover

Parameter Pollution

PostMessage Vulnerabilities

Rate Limit Bypass

Registration & Takeover Vulnerabilities

Regular expression Denial of Service - ReDoS

Reset/Forgotten Password Bypass

Server Side Inclusion/Edge Side Inclusion Injection

SSRF (Server Side Request Forgery)

SSTI (Server Side Template Injection)

Reverse Tab Nabbing

Unicode Normalization vulnerability

Web Tool - WFuzz

XPATH injection

XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)

XXE - XEE - XML External Entity

XSS (Cross Site Scripting)

XSSI (Cross-Site Script Inclusion)

⛈

Cloud Security

Workspace Security

Github Security

Kubernetes Security

Cloud Security Review

😎

Hardware/Physical Access

Physical Attacks

Escaping from KIOSKs

Firmware Analysis

🦅

Reversing & Exploiting

Reversing Tools & Basic Methods

Common API used in Malware

Linux Exploiting (Basic) (SPA)

Exploiting Tools

Windows Exploiting (Basic Guide - OSCP lvl)

🔮

Crypto & Stego

Cryptographic/Compression Algorithms

Cipher Block Chaining CBC-MAC

Crypto CTFs Tricks

Electronic Code Book (ECB)

Hash Length Extension Attack

RC4 - Encrypt&Decrypt

Esoteric languages

Blockchain & Crypto Currencies

🧐

External Platforms Reviews/Writeups

BRA.I.NSMASHER Presentation

INE Courses and eLearnSecurity Certifications Reviews

🦂

C2

✍

TODO

Other Big References

Hardware Hacking

Other Web Tricks

Interesting HTTP

Emails Vulnerabilities

Android Forensics

6881/udp - Pentesting BitTorrent

1911 - Pentesting fox

Online Platforms with API

Stealing Sensitive Information Disclosure from a Web

Post Exploitation

Powered By GitBook

194,6667,6660-7000 - Pentesting IRC

Support HackTricks and get benefits!
Basic Information
IRC was originally a plain text protocol (although later extended), which on request was assigned port 194/TCP by IANA. However, the de facto standard has always been to run IRC on 6667/TCP and nearby port numbers (for example TCP ports 6660–6669, 7000) to avoid having to run the IRCd software with root privileges.
For connecting to a server it is required merely a nickname. Once connection is established, the first thing the server does is a reverse-dns to your ip:
It seems that overall there are two kinds of users: operators and ordinary users. For logging in as an operator it is required a username and a password (and in many occasions a particular hostname, ip and even a particular hostmask). Within operators there are different privilege levels wherein the administrator has the highest privilege.
Default ports: 194, 6667, 6660-7000
PORT     STATE SERVICE
6667/tcp open  irc
Enumeration
Banner
IRC can support TLS.
nc -vn <IP> <PORT>
openssl s_client -connect <IP>:<PORT> -quiet
Manual
Here you can see how to connect and access the IRC using some random nickname and then enumerate some interesting info. You can learn more commands of IRC here.
#Connection with random nickname
USER ran213eqdw123 0 * ran213eqdw123
NICK ran213eqdw123
#If a PING :<random> is responded you need to send
#PONG :<received random>
​
VERSION
HELP
INFO
LINKS
HELPOP USERCMDS
HELPOP OPERCMDS
OPERATOR CAPA
ADMIN      #Admin info
USERS      #Current number of users
TIME       #Server's time
STATS a    #Only operators should be able to run this
NAMES      #List channel names and usernames inside of each channel -> Nombre del canal y nombre de las personas que estan dentro
LIST       #List channel names along with channel banner
WHOIS <USERNAME>      #WHOIS a username
USERHOST <USERNAME>   #If available, get hostname of a user
USERIP <USERNAME>     #If available, get ip of a user
JOIN <CHANNEL_NAME>   #Connect to a channel
​
#Operator creds Brute-Force
OPER <USERNAME> <PASSWORD>
You can, also, atttempt to login to the server with a password. The default password for ngIRCd is 'wealllikedebian'.
PASS wealllikedebian
NICK patrick
USER test1 test2 <IP> :test3
Find and scan IRC services
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
​Brute Force​
Shodan
looking up your hostname
Support HackTricks and get benefits!

Next - Network Services Pentesting

264 - Pentesting Check Point FireWall-1

Last modified 2mo ago

Copy link

Outline

Basic Information

Find and scan IRC services