connects you to an IRC server program which runs on a remote computer somewhere on the Internet.
***********************
You may already have an IRC server running on your ISP. Customer service at your ISP should be able to
help you with instructions on how to use it. Even easier yet, if your Web browser is set up to use Java, you can run IRC straight from your browser once you have surfed into a Web-based IRC server.
Where are good IRC servers for meeting other hackers?
There are several IRC servers that usually offer hacker channels. EFNet (Eris-Free Network)links many IRC
servers. It was originally started by the Eris FreeNet (ef.net). It is reputed to be a “war ground” where you might get a chance to really practice the IRC techniques we cover below.
Undernet is one of the largest networks of IRC servers. The main purpose of Undernet is to be a friendly place with IRC wars under control. But this means, yes, lots of IRC cops! The operators of these IRC servers have permission to kill you not only from a channel but also from a server. Heck, they can ban you for good.
They can even ban your whole domain.
************************************
Newbie note: A domain is the last two (or sometimes three or four) parts of your email address. For example, aol.com is the domain name for America Online. If an IRC network were to ban the aol.com domain, thatwould mean every single person on America Online would be banned from it.
************************************
************************************
You can get punched in the nose warning: If the sysadmins at your ISP were to find out that you hadmanaged to get their entire domain banned from an IRC net on account of committing ICMP bombing or
whatever, they will be truly mad at you! You will be lucky if the worst that happens is that you lose your account. You’d better hope that word doesn’t get out to all the IRC addicts on your ISP that you were the dude that got you guys all kicked out.
************************************
IRCNet is probably the same size if not larger than Undernet. IRCNet is basically the European/Australian split off from the old EFNet.
Yes, IRC is a world-wide phenomenon. Get on the right IRC network and you can be making friends with
hackers on any continent of the planet. There are at least 80 IRC networks in existence. To learn how to contact them, surf over to: http://www.irchelp.org/. You can locate additional IRC servers by surfing over to http://hotbot.com or http://digital.altavista.com and searching for “IRC server.” Some IRC servers are ideal for the elite hacker, for example the l0pht server. Note that is a “zero” not an “O” in l0pht.
****************************************
Evil genius tip: Get on an IRC server by telneting straight in through port 6667 at the domain name for that server.
****************************************
But before you get too excited over trying out IRC, let us warn you. IRC is not so much phun any more because some d00dz aren’t satisfied with using it to merely say naughty words and cast aspersions on
people’s ancestry and grooming habits. They get their laughs by kicking other people off IRC entirely. This is because they are too chicken to start brawls in bars. So they beat up on people in cyberspace where they don’t have to fret over getting ouchies.
But we’re going to show some simple, effective ways to keep these lusers from ruining your IRC sessions.
However, first you’ll need to know some of the ways you can get kicked off IRC by these bullies.
The simplest way to get in trouble is to accidentally give control of your IRC channel to an impostor whose goal is to kick you and your friends off.
You see, the first person to start up a channel on an IRC server is automatically the operator (OP). The operator has the power to kick people off or invite people in. Also, if the operator wants to, he or she may pass operator status on to someone else.
Ideally, when you leave the channel you would pass this status on to a friend your trust. Also, maybe
someone who you think is your good buddy is begging you to please, please give him a turn being the
operator. You may decide to hand over the OP to him or her in order to demonstrate friendship. But if you mess up and accidentally OP a bad guy who is pretending to be someone you know and trust, your fun chat can become history.
One way to keep this all this obnoxious stuff from happening is to simply not OP people you do not know.
But this is easier said than done. It is a friendly thing to give OP to your buddies. You may not want to appear stuck up by refusing to OP anyone. So if you are going to OP a friend, how can you really tell that IRC dude is your friend?
Just because you recognize the nick (nickname), don’t assume it’s who you think it is! Check the host
address associated with the nick by giving the command "/whois IRCnick" where “IRCnick” is the nickname of the person you want to check.
This “/whois” command will give back to you the email address belonging to the person using that nick. If you see, for example, “d***@wannabe.net” instead of the address you expected, say friend@cool.com,
then DO NOT OP him. Make the person explain who he or she is and why the email address is different.
But entering a fake nick when entering an IRC server is only the simplest of ways someone can sabotage an IRC session. Your real trouble comes when people deploy “nukes” and “ICBMs” against you.
“Nuking” is also known as “ICMP Bombing.” This includes forged messages such as EOF (end of file),
dead socket, redirect, etc.
**************************************
Newbie note: ICMP stands for Internet Control Message Protocol. This is an class of IRC attacks that gobeyond exploiting quirks in the IRC server program to take advantage of major league hacking techniques based upon the way the Internet works.
**************************************
**************************************You can go to jail warning: ICMP attacks constitute illegal denial of service attacks. They are not just harmless harassment of a single person on IRC, but may affect an entire Internet host computer, disputing service to all who are using it.
***************************************
For example, ICMP redirect messages are used by routers to tell other computers “Hey, quit sending me that stuff. Send it to routerx.foobar.net instead!” So an ICMP redirect message could cause your IRC messages to go to bit heaven instead of your chat channel.
EOF stands for “end of file.” “Dead socket” refers to connections such as your PPP session that you would be using with many IRC clients to connect to the Internet. If your IRC enemy spoofs a message that your socket is dead, your IRC chat session can’t get any more input from you. That’s what the program “ICMP
Host Unreachable Bomber for Windows” does.
Probably the most devastating IRC weapon is the flood ping, known as “ICBM flood or ICMPing.” The idea
is that a bully will find out what Internet host you are using, and then give the command “ping-f” to your host computer. Or even to your home computer. Yes, on IRC it is possible to identify the dynamically
assigned IP address of your home computer and send stuff directly to your modem! If the bully has a decent computer, he or she may be able to ping yours badly enough to briefly knock you out of IRC. Then this
character can take over your IRC session and may masquerade as you.
**********************
Newbie note: When you connect to the Internet with a point-to-point (PPP) connectio n, your ISP’s hostcomputer assigns you an Internet Protocol (IP) address which may be different every time you log on. This is called a “dynamically assigned IP address.” In some cases, however, the ISP has arranged to assign the uses the same IP address each time.
**********************
Now let’s consider in more detail the various types of flooding attacks on IRC.
The purpose of flooding is to send so much garbage to a client that its connection to the IRC server either becomes useless or gets cut off.
Text flooding is the simplest attack. For example, you could just hold down the “x” key and hit enter from time to time. This would keep the IRC screen filled with your junk and scroll the others’ comments quickly off the screen. However, text flooding is almost always unsuccessful because almost any IRC client (the program you run on your computer) has text flood control. Even if it doesn’t, text must pass through an IRC
server. Most IRC servers also have text flood filters.
Because text flooding is basically harmless, you are unlikely to suffer anything worse than getting banned or possibly K:lined for doing it.
******************************************
Newbie note: “K:line” means to ban not just you, but anyone who is in your domain from an IRC server. For example, if you are a student at Giant State University with an email address of IRCd00d@giantstate.edu, then every person whose email address ends with “giantstate.edu” will also be banned.
*******************************************
Client to Client Protocol (CTCP) echo flooding is the most effective type of flood. This is sort of like the ping you send to determine whether a host computer is alive. It is a command used within IRC to check to see if someone is still on your IRC channel.
How does the echo command work? To check whether someone is still on your IRC channel, give the
command “/ctcp nick ECHO hello out there!” If “nick” (where “nick” is the IRC nickname of the person you are checking out) is still there, you get back “nick HELLO OUT THERE.”
What has happened is that your victim’s IRC client program has automatically echoed whatever message
you sent.
But someone who wants to boot you off IRC can use the CTCP echo command to trick your IRC server into thinking you are hogging the channel with too much talking. This is because most IRC servers will
automatically cut you off if you try text flooding.
So CTCP echo flooding spoofs the IRC into falsely cutting someone off by causing the victim’s IRC client to automatically keep on responding to a whole bunch of echo requests.
Of course your attacker could also get booted off for making all those CTCP echo requests. But a
knowledgeable attacker will either be working in league with some friends who will be doing the same thing to you or else be connected with several different nicks to that same IRC server. So by having different versions of him or herself in the form of software bots making those CTCP echo requests, the attacker stays on while the victim gets booted off.
This attack is also fairly harmless, so people who get caught doing this will only get banned or maybe
K:lined for their misbehavior.
******************************
Newbie note: A “bot” is a computer program that acts kind of like a robot to go around and do things foryou. Some bots are hard to tell from real people. For example, some IRC bots wait for someone to use bad language and respond to these naughty words in annoying ways.
*************************************
********************** ***************
You can get punched in the nose warning: Bots are not permitted on the servers of the large networks. The IRC Cops who control hacker wars on these networks love nothing more than killing bots and banning thebotrunners that they catch.
**************************************
A similar attack is CATCH ping. You can give the command “/ping nick” and the IRC client of the guy
using that nick would respond to the IRC server with a message to be passed on to the guy who made the
ping reques t saying “nick” is alive, and telling you how long it took for nick’s IRC client program to respond. It’s useful to know the response time because sometimes the Internet can be so slow it might take ten seconds or more to send an IRC message to other people on that IRC channel. So if someone seems to
be taking a long time to reply to you, it may just be a slow Internet.
Your attacker can also easily get the dynamically assigned IP (Internet protocol) address of your home
computer and directly flood your modem. But just about every Unix IRC program has at least some CATCH
flood protection in it. Again, we are looking at a fairly harmless kind of attack.
So how do you handle IRC attacks? There are several programs that you can run with your Unix IRC
program. Examples are the programs LiCe and Phoenix. These scripts will run in the background of your
Unix IRC session and will automatically kick in some sort of protection (ignore, ban, kick) against attackers.
If you are running a Windows -based IRC client, you may assume that like usual you are out of luck. In fact, when I first got on an IRC channel recently using Netscape 3.01 running on Win 95, the *first* thing the denizens of #hackers did was make fun of my operating system. Yeah, thanks. But in fact there are great IRC
war programs for both Windows 95 and Unix.
For Windows 95 you may wish to use the mIRC client program. You can download it from
http://www.super-highway.net/users/govil/mirc40.html. It includes protection from ICMP ping flood. But
this program isn’t enough to handle all the IRC wars you may encounter. So you may wish to add the
protection of the most user-friendly, powerful Windows 95 war script around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.
If you s urf IRC from a Unix box, you’ll want to try out IRCII. You can download it from ftp.undernet.org , in the directory /pub/irc/clients/unix, or http://www.irchelp.org/, or ftp://cs -ftp.bu.edu/irc/. For added protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts. Ahem, at this same site you can also download the attack program Tick from /pub/irc/tick. But if you get Tick, just remember our “You can get punched in the nose” warning!
*********************************
Newbie note: For detailed instructions on how to run these IRC programs, seeAt http://www.irchelp.org/. Or go to Usenet and check out alt.irc.questions
*********************************
*********************************
Evil genius tip: Want to know every excruciating technical detail about IRC? Check out RFC 1459 (The IRCprotocol). You can find many copies of this ever popular RFC (Request for Comments) by doing a Web
search.
********************************
Now let’s suppose you are all set up with an industrial strength IRC client program and war scripts. Does this mean you are ready to go to war on IRC?
Us Happy Hacker folks don’t recommend attacking people who take over OP status by force on IRC. Even
if the other guys start it, remember this. If they were able to sneak into the channel and get OPs just like that, then chances are they are much more experienced and dangerous than you are. Until you become an IRC
master yourself, we suggest you do no more than ask politely for OPs back.
Better yet, "/ignore nick" the l00zer and join another channel. For instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and "/invite IRCfriend" all your friends there. And remember to use what you learned in this Guide about the IRC whois command so that you DON’T OP people unless you know who
they are.
As Patrick Rutledge says, this might sound like a wimp move, but if you don't have a fighting chance, don't try - it might be more embarrassing for you in the long run. And if you start IRC warrioring and get K:lined off the system, just think about that purple nose and black eye you could get when all the other IRC dudes at your ISP or school find out who was the luser who got everyone banned.
That’s it for now. Now don’t try any funny stuff, OK? Oh, no, they’re nuking meee...
____________________________________________________________
___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol 3 Number 4
How to Read Email Headers and Find Internet Hosts
Warning: flamebait enclosed!
____________________________________________________________
OK, OK, you 31337 haxors win. I’m finally releasing the next in our series of Guides oriented toward the intermediate hacker.
Now some of you may think that headers are too simple or boring to waste time on. However, a few weeks ago I asked the 3000+ readers of the Happy Hacker list if anyone could tell me exactly what email tricks I was playing in the process of mailing out the Digests. But not one person re plied with a complete answer -- or even 75% of the answer -- or even suspected that for months almost all Happy Hacker mailings have
doubled as protests. The targets: ISPs offering download sites for email bomber programs. Conclusion: it is time to talk headers!
In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understandin g the forging of email and Usenet posts, catching the people who forge headers, and the theory behind those email bomber programs that can bring an entire Internet Service
Provider (ISP) to its knees
This is a Guide you can make at least some use of without getting a shell account or installing some form of Unix on your home computer. All you need is to be able to send and receive email, and you are in business.
However, if you do have a shell account, you can do much more with deciphering headers. Viva Unix!
Headers may sound like a boring topic. Heck, the Eudora email program named the button you click to read full headers “blah blah blah.” But all those guys who tell you headers are boring are either ignorant -- or else afraid you’ll open a wonderful chest full of hacker insights. Yes, every email header you check out has the potential to unearth a treasure hidden in some back alley of the Internet.
Now headers may seem simple enough to be a topic for one of our Beginners’ Series Guides. But when I
went to look up the topic of headers in my library of manuals, I was shocked to find that most of them don’t even cover the topic. The two I found that did cover headers said almost nothing about them. Even the
relevant RFC 822 is pretty vague. If any of you super-vigilant readers looking for flame bait happen to know of any literature that *does* cover headers in detail, please include that information in your tirades!
*********************************************
Technical tip: Information relevant to headers may be extracted from Requests for Comments (RFCs) 822(best), as well as 1042, 1123, 1521 and 1891 (not a complete list). To read them, take your Web browser to http://altavista.digital.com and search for “RFC 822” etc.
*************************** ******************
Lacking much help from manuals, and finding that RFC 822 didn’t answer all my questions, the main way I researched this article was to send email back and forth among some of my accounts, trying out many
variations in order to see what kinds of headers they generated. Hey, that’s how real hackers are supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC (read the fine RFC)doesn’t tell us as much as we want to know. Right?
One last thing. People have pointed out to me that every time I put an email address or domain name in a Guide to (mostly) Harmless Hacking, a zillion newbies launch botched hacking attacks against these. All email addresses and domain names below have been fubarred.
******************************* *****************
Newbie note: The verb “to fubar” means to obscure email addresses and Internet host addresses bychanging them. Ancient tradition holds that it is best to do so by substituting “foobar” or “fubar” for part of the address.
************************************************
If you are new to hacking, the headers you are used to seeing may be incomplete. Chances are that when
you get email it looks something like this:
From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com
But if you know the right command, suddenly, with this same email message, we are looking at tons and
tons of stuff:
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI)
for <hacker@techbroker.com> id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP
(8.6.11/ifi2.4)
id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com
Hey, have you ever wondered why all that stuff is there and what it means? We’ll return to this example later in this tutorial. But first we must consider the burning question of the day:
WHY ARE HEADERS FUN?
Why bother with those “blah blah blah” headers? They are boring, right? Wrong!
1) Ever hear a wannabe hacker complaining he or she doesn’t have the addresses of any good computers to explore? Have you ever used one of those IP scanner programs that find valid Internet Protocol addresses of Internet hosts for you? Well, you can find gazillions of valid addresses wit hout the crutch of one of these programs simply by reading the headers of emails.
2) Ever wonder who really mailed that “Make Money Fast” spam? Or who is that klutz who email bombed
you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.
3) Want to learn how to convincingly forge email? Do you aspire to write automatic spam or email bomber programs? (I disapprove of spammer and email bomb programs, but let’s be honest about the kinds of
knowledge their creators must draw upon.) The first step is to understand headers.
4) Want to attack someone’s computer? Find out where best to attack from the headers of their email. I
disapprove of this use, too. But I’m dedicated to telling you the truth about h acking, so like it or not, here it is.
HOW CAN YOU SEE FULL HEADERS?
So you look at the headers of your email and it doesn’t appear have any good stuff whatsoever. Want to
see all the hidden stuff? The way you do this depends on what email program y ou are using.
The most popular email program today is Eudora. To see full headers in Eudora, just click the “blah, blah, blah” button on the far left end of the tool bar.
The Netscape web browser includes an email reader. To see full headers, click on Options, then click the
“Show All Headers” item.
Sorry, I haven’t looked into how to do that with Internet Explorer. Oh, no, I can see the flames coming, how dare I not learn the ins and outs of IE mail! But, seriously, IE is a dangerously insecure Web b rowser because it is actually a Windows shell. So no matter how often Microsoft patches its security flaws,
chances are you will be hurt by it one of these days. Just say “no” to IE.
Another popular email program is Pegasus. Maybe there is an easy way to see full headers in Pegasus, but I haven’t found it. The hard way to see full headers in Pegasus -- or IE -- or any email program -- is to open your mail folders with Wordpad. It is included in the Windows 95 operating system and is the best
Windows editing program I have found for handling documents with lots of embedded control characters
and other oddities.
The Compuserve 3.01 email program automatically shows full headers. Bravo, Compuserve!
Pine is the most popular email program used with Unix shell accounts. Since in order to be a real hacker you will sooner or later be using Unix, now may be a great time to start using Pine.
*************************************************
Newbie note: Pine stands for Pine Is Not Elm, a tribute to the really, truly ancient Elm email program (which is still in use). Both Pine and Elm date back to ARPAnet, the US Defense Advanced Research Projects Agency computer network that eventually mutated into today’s Internet. OK, OK, that was a joke. According to the official blurb, “PINE is the University of Washington's ‘Program for Internet News andEmail’.”
*************************************************
If you have never used Pi