IRCP/README.md

# Internet Relay Chat Probe (IRCP)

![](.screens/ircp.png)

*TRIPLE 6 SEVEN OCULOUS*

A robust information gathering tool for large scale reconnaissance on [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat) servers, made for future usage with [internetrelaychat.org](https://internetrelaychat.org) for public statistics on the protocol.

Meant to be used in combination with [masscan](https://github.com/robertdavidgraham/masscan) checking **0.0.0.0/0** *(the entire IPv4 range)* for port **6667**.

The idea is to create a *proof-of-concept* documenting how large-scale information gathering on the IRC protocol can be malicious & invasive to privacy.

## Order of Operations
First, an attempt to connect using SSL/TLS on port 6697 is made, which will fall back to a standard connection on port 6667 if it fails. The **RPL_ISUPPORT** *(005)* response is checked for the `SSL=` option to try & locate secure ports.

Once connected, server information is gathered from `ADMIN`, `CAP LS`, `MODULES -all`, `VERSION`, `IRCOPS`, `MAP`, `INFO`, `LINKS`, `STATS p`, & `LIST` replies. An attempt to register a nickname is then made by trying to contact NickServ.

Lastly, every channel is joined with a `WHO` command sent & every new nick found gets a `WHOIS` sent.

Once we have finishing scanning a server, the information found is saved to a JSON file. The data in the logs are stored in categories based on [numerics](https://raw.githubusercontent.com/internet-relay-chat/random/master/numerics.txt) *(001 is RPL_WELCOME, 322 is RPL_LIST, etc)* & events *(JOIN, MODE, KILL, etc)*.

Everything is done in a *carefully* throttled manner for stealth to avoid detection. An extensive amount research on IRC daemons, services, & common practices used by network administrators was done & has fine tuned this project to be able to evade common triggers that thwart what we are doing.

## Opt-out
The IRC networks we scanned are PUBLIC networks...any person can freely connect & parse the same information. Send your hate mail to [scan@internetrelaychat.org](mailto://scan@internetrelaychat.org)

## Config
###### Settings
| Setting       | Default Value                  | Description                                           |
| ------------- | ------------------------------ | ----------------------------------------------------- |
| `errors`      | `True`                         | Show errors in console                                |
| `errors_conn` | `False`                        | Show connection errors in console                     |
| `log_max`     | `5000000`                      | Maximum log size *(in bytes)* before starting another |
| `nickname`    | `"IRCP"`                       | IRC nickname *(`None` = random)*                      |
| `username`    | `"ircp"`                       | IRC username *(`None` = random)*                      |
| `realname`    | `"internetrelaychat.org"`      | IRC realname *(`None` = random)*                      |
| `ns_mail`     | `"scan@internetrelaychat.org"` | NickServ email address *(`None` = random)*            |
| `ns_pass`     | `"changeme"`                   | NickServ password *(`None` = random)*                 |
| `vhost`       | `None`                         | Bind to a specific IP address                         |

###### Throttle
| Setting    | Default Value | Description                                                   |
| ---------- | ------------- | ------------------------------------------------------------- |
| `channels` | `3`           | Maximum number of channels to scan at once                    |
| `delay`    | `300`         | Delay before registering nick *(if enabled)* & sending `LIST` |
| `join`     | `10`          | Delay between channel `JOIN`                                  |
| `nick`     | `300`         | Delay between every random `NICK` change                      |
| `part`     | `10`          | Delay before `PART` from channel                              |
| `seconds`  | `300`         | Maximum seconds to wait when throttled for `JOIN`             |
| `threads`  | `100`         | Maximum number of threads running                             |
| `timeout`  | `30`          | Timeout for all sockets                                       |
| `whois`    | `5`           | Delay between `WHOIS` requests                                |
| `ztimeout` | `200`         | Timeout for zero data from server                             |

## Preview
![](.screens/preview.png)

## Threat Scope
While IRC is an generally unfavored chat protocol as of 2023 *(roughly 7,000 networks)*, it still has a beating heart **(over 300,000 users & channels)* with potential for user growth & active development being done on [IRCv3](https://ircv3.net/) protocol implementations.

Point is..it's is not going anywhere. With that being said, every network being on the same port leads way for a lot of potential threats:

* A new RCE is found for a very common IRC bot
* A new 0day is found for a certain IRCd version
* Old IRC daemons running versions with known CVE's
* Tracing users network/channel whereabouts
* Mass spamming attacks on every network

Mass scanning *default* ports of services is nothing new & though port 6667 is not a common target, running an IRCd on a **non-standard** port should be the **standard**. If we have learned anything in the last 10 years, using standard ports for *anything* is almost always smells like a bad idea.

![](.screens/base.png)

## Todo
* Built in identd
* Checking for IPv6 availability *(SSL= in 005 responses may help verify IPv6)*
* Support for IRC servers using old versions of SSL
* Create a seperate log for failed connections
* Ability to link multiple IRCP instances running in daemon mode together for balancing
* Remote syncing the logs to another server
* Support for handling a target list that contains host:port:ssl for networks on non-standard ports
* Give props to [bwall](https://github.com/bwall) for giving me the idea with his [ircsnapshot](https://github.com/bwall/ircsnapshot) repository
* Confirm nick registered *(most likely through MODE +r)*
* Confirm SSL/TLS connections *(most likely through "You are connected using SSL cipher" NOTICE message)*

## Mirrors
- [acid.vegas](https://git.acid.vegas/ircp)
- [GitHub](https://github.com/acidvegas/ircp)
- [GitLab](https://gitlab.com/acidvegas/ircp)
- [SuperNETs](https://git.supernets.org/acidvegas/ircp)
Initial commit 2023-05-25 20:03:39 +00:00			`# Internet Relay Chat Probe (IRCP)`

			`![](.screens/ircp.png)`

Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`TRIPLE 6 SEVEN OCULOUS`

Initial commit 2023-05-25 20:03:39 +00:00			`A robust information gathering tool for large scale reconnaissance on [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat) servers, made for future usage with [internetrelaychat.org](https://internetrelaychat.org) for public statistics on the protocol.`

			`Meant to be used in combination with [masscan](https://github.com/robertdavidgraham/masscan) checking 0.0.0.0/0 (the entire IPv4 range) for port 6667.`

			`The idea is to create a proof-of-concept documenting how large-scale information gathering on the IRC protocol can be malicious & invasive to privacy.`

			`## Order of Operations`
Updated README 2023-06-01 01:45:43 +00:00			First, an attempt to connect using SSL/TLS on port 6697 is made, which will fall back to a standard connection on port 6667 if it fails. The RPL_ISUPPORT (005) response is checked for the `SSL=` option to try & locate secure ports.
Initial commit 2023-05-25 20:03:39 +00:00
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			Once connected, server information is gathered from `ADMIN`, `CAP LS`, `MODULES -all`, `VERSION`, `IRCOPS`, `MAP`, `INFO`, `LINKS`, `STATS p`, & `LIST` replies. An attempt to register a nickname is then made by trying to contact NickServ.
Initial commit 2023-05-25 20:03:39 +00:00
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			Lastly, every channel is joined with a `WHO` command sent & every new nick found gets a `WHOIS` sent.
Initial commit 2023-05-25 20:03:39 +00:00
Updated README 2023-06-01 01:45:43 +00:00			`Once we have finishing scanning a server, the information found is saved to a JSON file. The data in the logs are stored in categories based on [numerics](https://raw.githubusercontent.com/internet-relay-chat/random/master/numerics.txt) (001 is RPL_WELCOME, 322 is RPL_LIST, etc) & events (JOIN, MODE, KILL, etc).`
Initial commit 2023-05-25 20:03:39 +00:00
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`Everything is done in a carefully throttled manner for stealth to avoid detection. An extensive amount research on IRC daemons, services, & common practices used by network administrators was done & has fine tuned this project to be able to evade common triggers that thwart what we are doing.`
Updated README 2023-05-28 03:00:51 +00:00
Added opt-out disclaimer 2023-05-28 04:43:17 +00:00			`## Opt-out`
			`The IRC networks we scanned are PUBLIC networks...any person can freely connect & parse the same information. Send your hate mail to [scan@internetrelaychat.org](mailto://scan@internetrelaychat.org)`

8,7\;.\;08,08 15,0\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|4,14▄▀8,01▄▀14-\; 2023-05-29 05:54:23 +00:00			`## Config`
			`###### Settings`
Added multi-logs & memory management has been improved for performance 2023-05-30 00:59:17 +00:00			`\| Setting \| Default Value \| Description \|`
			`\| ------------- \| ------------------------------ \| ----------------------------------------------------- \|`
			\| `errors` \| `True` \| Show errors in console \|
			\| `errors_conn` \| `False` \| Show connection errors in console \|
			\| `log_max` \| `5000000` \| Maximum log size (in bytes) before starting another \|
			\| `nickname` \| `"IRCP"` \| IRC nickname (`None` = random) \|
			\| `username` \| `"ircp"` \| IRC username (`None` = random) \|
			\| `realname` \| `"internetrelaychat.org"` \| IRC realname (`None` = random) \|
			\| `ns_mail` \| `"scan@internetrelaychat.org"` \| NickServ email address (`None` = random) \|
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			\| `ns_pass` \| `"changeme"` \| NickServ password (`None` = random) \|
Added multi-logs & memory management has been improved for performance 2023-05-30 00:59:17 +00:00			\| `vhost` \| `None` \| Bind to a specific IP address \|
8,7\;.\;08,08 15,0\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|4,14▄▀8,01▄▀14-\; 2023-05-29 05:54:23 +00:00
			`###### Throttle`
8,7\-:.`-,:.`-:08,08 15,0 4,14▄▀8,01▄▀14--:`,--:` 2023-05-29 06:08:29 +00:00			`\| Setting \| Default Value \| Description \|`
			`\| ---------- \| ------------- \| ------------------------------------------------------------- \|`
			\| `channels` \| `3` \| Maximum number of channels to scan at once \|
Added detection for 439 numeric (ERR_TARGETTOOFAST) with the ability to parse the delay seconds until we can retry 2023-05-29 20:25:38 +00:00			\| `delay` \| `300` \| Delay before registering nick (if enabled) & sending `LIST` \|
8,7\-:.`-,:.`-:08,08 15,0 4,14▄▀8,01▄▀14--:`,--:` 2023-05-29 06:08:29 +00:00			\| `join` \| `10` \| Delay between channel `JOIN` \|
			\| `nick` \| `300` \| Delay between every random `NICK` change \|
Added detection for 439 numeric (ERR_TARGETTOOFAST) with the ability to parse the delay seconds until we can retry 2023-05-29 20:25:38 +00:00			\| `part` \| `10` \| Delay before `PART` from channel \|
			\| `seconds` \| `300` \| Maximum seconds to wait when throttled for `JOIN` \|
8,7\-:.`-,:.`-:08,08 15,0 4,14▄▀8,01▄▀14--:`,--:` 2023-05-29 06:08:29 +00:00			\| `threads` \| `100` \| Maximum number of threads running \|
Added detection for 439 numeric (ERR_TARGETTOOFAST) with the ability to parse the delay seconds until we can retry 2023-05-29 20:25:38 +00:00			\| `timeout` \| `30` \| Timeout for all sockets \|
			\| `whois` \| `5` \| Delay between `WHOIS` requests \|
8,7\-:.`-,:.`-:08,08 15,0 4,14▄▀8,01▄▀14--:`,--:` 2023-05-29 06:08:29 +00:00			\| `ztimeout` \| `200` \| Timeout for zero data from server \|
8,7\;.\;08,08 15,0\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|4,14▄▀8,01▄▀14-\; 2023-05-29 05:54:23 +00:00
Added preview 2023-05-28 02:34:24 +00:00			`## Preview`
			`![](.screens/preview.png)`

Updated README 2023-05-30 08:37:49 +00:00			`## Threat Scope`
Updated README 2023-06-01 01:05:09 +00:00			`While IRC is an generally unfavored chat protocol as of 2023 (roughly 7,000 networks), it still has a beating heart *(over 300,000 users & channels) with potential for user growth & active development being done on [IRCv3](https://ircv3.net/) protocol implementations.`
Updated README 2023-05-30 08:37:49 +00:00
Updated README 2023-06-01 01:05:09 +00:00			`Point is..it's is not going anywhere. With that being said, every network being on the same port leads way for a lot of potential threats:`
Updated README 2023-05-30 08:37:49 +00:00
			`* A new RCE is found for a very common IRC bot`
			`* A new 0day is found for a certain IRCd version`
			`* Old IRC daemons running versions with known CVE's`
			`* Tracing users network/channel whereabouts`
			`* Mass spamming attacks on every network`

Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`Mass scanning default ports of services is nothing new & though port 6667 is not a common target, running an IRCd on a non-standard port should be the standard. If we have learned anything in the last 10 years, using standard ports for anything is almost always smells like a bad idea.`

Updated README 2023-06-01 01:05:09 +00:00			`![](.screens/base.png)`

Initial commit 2023-05-25 20:03:39 +00:00			`## Todo`
CTCP replies 2023-05-26 01:22:42 +00:00			`* Built in identd`
Added a parser for searching logs with ease 2023-05-26 21:57:53 +00:00			`* Checking for IPv6 availability (SSL= in 005 responses may help verify IPv6)`
Added todo: support for outdated ssl servers 2023-05-27 23:20:45 +00:00			`* Support for IRC servers using old versions of SSL`
Updated TODO list 2023-06-05 22:44:25 +00:00			`* Create a seperate log for failed connections`
Added TODO about linking multiple IRCP instances together for load balancing 2023-05-30 07:59:15 +00:00			`* Ability to link multiple IRCP instances running in daemon mode together for balancing`
Better formatting * channel errors output 2023-05-31 04:23:03 +00:00			`* Remote syncing the logs to another server`
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`* Support for handling a target list that contains host:port:ssl for networks on non-standard ports`
Added TODO for props to bwall 2023-06-03 23:12:02 +00:00			`* Give props to [bwall](https://github.com/bwall) for giving me the idea with his [ircsnapshot](https://github.com/bwall/ircsnapshot) repository`
Added TODO to confirm nickserv registrations 2023-06-05 00:09:07 +00:00			`* Confirm nick registered (most likely through MODE +r)`
Updated TODO list 2023-06-05 22:44:25 +00:00			`* Confirm SSL/TLS connections (most likely through "You are connected using SSL cipher" NOTICE message)`
Initial commit 2023-05-25 20:03:39 +00:00
			`## Mirrors`
			`- [acid.vegas](https://git.acid.vegas/ircp)`
			`- [GitHub](https://github.com/acidvegas/ircp)`
			`- [GitLab](https://gitlab.com/acidvegas/ircp)`
			`- [SuperNETs](https://git.supernets.org/acidvegas/ircp)`