HackTricks
194,6667,6660-7000 - Pentesting IRC

Basic Information

IRC was originally a plain-text protocol (although later extended), which was assigned port 194/TCP by IANA on request. However, the de facto standard has always been to run IRC on 6667/TCP and nearby port numbers (for example TCP ports 6660–6669, 7000) to avoid having to run the IRCd software with root privileges.
Connecting to a server requires only a nickname. Once the connection is established, the first thing the server does is a reverse DNS lookup of your IP.
Overall, there appear to be two kinds of users: operators and ordinary users. Logging in as an operator requires a username and a password (and on many occasions a particular hostname, IP and even a particular hostmask). Among operators there are different privilege levels, with the administrator having the highest privilege.
Default ports: 194, 6667, 6660-7000
PORT STATE SERVICE
6667/tcp open irc

Enumeration

IRC can support TLS.
nc -vn <IP> <PORT>
openssl s_client -connect <IP>:<PORT> -quiet

Manual

The following shows how to connect to an IRC server with a random nickname and then enumerate some interesting information. You can learn more IRC commands here.
#Connection with random nickname
USER ran213eqdw123 0 * ran213eqdw123
NICK ran213eqdw123
#If the server responds with PING :<random> you need to send
#PONG :<received random>

VERSION
HELP
INFO
LINKS
HELPOP USERCMDS
HELPOP OPERCMDS
OPERATOR CAPA
ADMIN #Admin info
USERS #Current number of users
TIME #Server's time
STATS a #Only operators should be able to run this
NAMES #List channel names and the usernames inside each channel
LIST #List channel names along with channel banner
WHOIS <USERNAME> #WHOIS a username
USERHOST <USERNAME> #If available, get hostname of a user
USERIP <USERNAME> #If available, get ip of a user
JOIN <CHANNEL_NAME> #Connect to a channel

#Operator creds Brute-Force
OPER <USERNAME> <PASSWORD>
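Added example (not from the original page): a small parser for the IRC line format used in the session above, with the PONG reply to a server PING and a defender-side count of rejected OPER attempts per nick. The sample lines, the server name irc.example.test and the threshold of 3 are constructed assumptions; 464 and 491 are the RFC 1459 numerics returned for a rejected OPER.

```python
from collections import Counter

# RFC 1459 numerics a server returns for a rejected OPER. 464 is also sent for
# a wrong connection password (PASS), so treat it as an auth failure in general.
OPER_FAILURES = {"464": "ERR_PASSWDMISMATCH", "491": "ERR_NOOPERHOST"}

def parse_irc(line):
    """Split one IRC line into (prefix, command, params)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                    # optional ":server" or ":nick!user@host"
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # trailing param may contain spaces
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC message")
    return prefix, parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def pong_reply(line):
    """Return the PONG line that answers a server PING, else None."""
    _, command, params = parse_irc(line)
    return "PONG :" + params[-1] if command == "PING" and params else None

def failed_oper_by_nick(server_lines, threshold=3):
    """Return {nick: count} for nicks with at least `threshold` failure numerics."""
    counts = Counter()
    for line in server_lines:
        if not line.strip():
            continue
        _, command, params = parse_irc(line)
        if command in OPER_FAILURES and params:
            counts[params[0]] += 1              # first param of a numeric is the target nick
    return {nick: n for nick, n in counts.items() if n >= threshold}

# Constructed server-to-client lines (not a real capture); all names are placeholders.
SAMPLE = [
    "PING :a1b2c3",
    ":irc.example.test NOTICE * :*** Looking up your hostname...",
    ":irc.example.test 464 ran213eqdw123 :Password incorrect",
    ":irc.example.test 491 ran213eqdw123 :No O-lines for your host",
    ":irc.example.test 464 ran213eqdw123 :Password incorrect",
    ":irc.example.test 464 alice :Password incorrect",
]

if __name__ == "__main__":
    print(pong_reply(SAMPLE[0]))
    print(failed_oper_by_nick(SAMPLE))
```

The detector expects server-to-client lines, for example from a sensor on plaintext IRC traffic; the numeric reply text varies between IRCd implementations, so it matches on the numeric only.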

Find and scan IRC services

nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb

Shodan

    looking up your hostname