IRCP/README.md

# Internet Relay Chat Probe (IRCP)

![](.screens/ircp.png)

*TRIPLE 6 SEVEN OCULOUS*

A robust information gathering tool for large scale reconnaissance on [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat) servers, made for future usage with [internetrelaychat.org](https://internetrelaychat.org) for public statistics on the protocol.

Meant to be used in combination with [masscan](https://github.com/robertdavidgraham/masscan) checking **0.0.0.0/0** *(the entire IPv4 range)* for ports **6660-6669**, **6697**, **7000**, & other common IRC ports.

The idea is to create a *proof-of-concept* documenting how large-scale information gathering on the IRC protocol can be malicious & invasive to privacy, while also yielding deep-dive look at the IRC protocol & it's internal statistics & commonalities.

## Usage
The only required arguement to pass is a direct path to the targets list, which should be a text file containing a new-line seperated list of targets.

Targets must be a valid IPv4 or IPv6 address & can optionally be suffixed with a port.

Edit [ircp.py](https://github.com/internet-relay-chat/IRCP/blob/master/ircp.py) & tweak the settings to your favor, though they rest with sane defaults.

## Order of Operations
First, an attempt to connect using SSL/TLS is made, which will fall back to a standard connection if it fails. If a non-standard port was given, both standard & secure connection attempts are made on the port as-well. The **RPL_ISUPPORT** *(005)* response is checked for the `SSL=` option to try & locate secure ports.

Once connected, server information is gathered from `ADMIN`, `CAP LS`, `COMMANDS`, `HELP`, `MODULES -all`, `VERSION`, `IRCOPS`, `MAP`, `INFO`, `LINKS`, `SERVLIST`, `STATS p`, & `LIST` replies. An attempt to register a nickname is then made by trying to contact NickServ.

Lastly, every channel is joined with a `WHO` command sent & every new nick found gets a `WHOIS` sent. Registered channels & nicks are issued a NickServ/ChanServ `INFO` command. CTCP requests are sent to channels & nicks aswell.

Once we have finishing scanning a server, the information found is saved to a JSON file. The data in the logs are stored in categories based on [numerics](https://raw.githubusercontent.com/internet-relay-chat/random/master/numerics.txt) *(001 is RPL_WELCOME, 322 is RPL_LIST, etc)* & events *(JOIN, MODE, KILL, etc)*.

Everything is done in a *carefully* throttled manner for stealth to avoid detection. An extensive amount research on IRC daemons, services, & common practices used by network administrators was done & has fine tuned this project to be able to evade common triggers that thwart what we are doing.

## Preview
![](.screens/preview.png)

## Threat Scope
While IRC is an generally unfavored chat protocol as of 2023 *(roughly 7,000 networks)*, it still has a beating heart *(over 300,000 users & channels)* with potential for user growth & active development being done on [IRCv3](https://ircv3.net/) protocol implementations.

Point is..it's is not going anywhere. With that being said, every network being on the same port leads way for a lot of potential threats:

* A new RCE is found for a very common IRC bot
* A new 0day is found for a certain IRCd version
* Old IRC daemons running versions with known CVE's
* Tracing users network/channel whereabouts
* Mass spamming attacks on every network

Mass scanning *default* ports of services is nothing new & though port 6667 is not a common target, running an IRCd on a **non-standard** port should be the **standard**. If we have learned anything in the last 10 years, using standard ports for *anything* is almost always smells like a bad idea.

![](.screens/base.png)

## Todo
* Built in identd
* Checking for IPv6 availability *(SSL= in 005 responses may help verify IPv6)*
* Support for IRC servers using old versions of SSL
* Support for hostnames in targets list *(Attempt IPv6 & fallback to IPv4)*
* Support for multiple vhost
* How do we handle the possibility of connecting to multiple servers linked to same network?
* Seperate lists for failed & banned networks.
* Learn network target-change throttles from 439 **ERR_TARGETTOOFAST** replies *(Research IRCd defaults)*
* Store last command execute to detect triggers

## Opt-out
You can request to opt out of our scans by sending an email to [scan@internetrelaychat.org](mailto://scan@internetrelaychat.org)

___

###### Mirrors
[acid.vegas](https://git.acid.vegas/IRCP) • [GitHub](https://github.com/internet-relay-chat/IRCP) • [GitLab](https://gitlab.com/internetrelaychat/IRCP) • [SuperNETs](https://git.supernets.org/internetrelaychat/IRCP)
Initial commit 2023-05-25 20:03:39 +00:00			`# Internet Relay Chat Probe (IRCP)`

			`![](.screens/ircp.png)`

Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`TRIPLE 6 SEVEN OCULOUS`

Initial commit 2023-05-25 20:03:39 +00:00			`A robust information gathering tool for large scale reconnaissance on [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat) servers, made for future usage with [internetrelaychat.org](https://internetrelaychat.org) for public statistics on the protocol.`

Added support for IPv6 & non-standard ports 2023-06-06 05:17:01 +00:00			`Meant to be used in combination with [masscan](https://github.com/robertdavidgraham/masscan) checking 0.0.0.0/0 (the entire IPv4 range) for ports 6660-6669, 6697, 7000, & other common IRC ports.`
Initial commit 2023-05-25 20:03:39 +00:00
Added support for IPv6 & non-standard ports 2023-06-06 05:17:01 +00:00			`The idea is to create a proof-of-concept documenting how large-scale information gathering on the IRC protocol can be malicious & invasive to privacy, while also yielding deep-dive look at the IRC protocol & it's internal statistics & commonalities.`

			`## Usage`
Fixed format & typos 2023-06-06 05:23:46 +00:00			`The only required arguement to pass is a direct path to the targets list, which should be a text file containing a new-line seperated list of targets.`

			`Targets must be a valid IPv4 or IPv6 address & can optionally be suffixed with a port.`
Added support for IPv6 & non-standard ports 2023-06-06 05:17:01 +00:00
			`Edit [ircp.py](https://github.com/internet-relay-chat/IRCP/blob/master/ircp.py) & tweak the settings to your favor, though they rest with sane defaults.`
Initial commit 2023-05-25 20:03:39 +00:00
			`## Order of Operations`
Fixed format & typos 2023-06-06 05:23:46 +00:00			First, an attempt to connect using SSL/TLS is made, which will fall back to a standard connection if it fails. If a non-standard port was given, both standard & secure connection attempts are made on the port as-well. The RPL_ISUPPORT (005) response is checked for the `SSL=` option to try & locate secure ports.
Initial commit 2023-05-25 20:03:39 +00:00
Updated README 2023-06-22 05:15:26 +00:00			Once connected, server information is gathered from `ADMIN`, `CAP LS`, `COMMANDS`, `HELP`, `MODULES -all`, `VERSION`, `IRCOPS`, `MAP`, `INFO`, `LINKS`, `SERVLIST`, `STATS p`, & `LIST` replies. An attempt to register a nickname is then made by trying to contact NickServ.
Initial commit 2023-05-25 20:03:39 +00:00
Updated README 2023-06-22 05:15:26 +00:00			Lastly, every channel is joined with a `WHO` command sent & every new nick found gets a `WHOIS` sent. Registered channels & nicks are issued a NickServ/ChanServ `INFO` command. CTCP requests are sent to channels & nicks aswell.
Initial commit 2023-05-25 20:03:39 +00:00
Updated README 2023-06-01 01:45:43 +00:00			`Once we have finishing scanning a server, the information found is saved to a JSON file. The data in the logs are stored in categories based on [numerics](https://raw.githubusercontent.com/internet-relay-chat/random/master/numerics.txt) (001 is RPL_WELCOME, 322 is RPL_LIST, etc) & events (JOIN, MODE, KILL, etc).`
Initial commit 2023-05-25 20:03:39 +00:00
Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`Everything is done in a carefully throttled manner for stealth to avoid detection. An extensive amount research on IRC daemons, services, & common practices used by network administrators was done & has fine tuned this project to be able to evade common triggers that thwart what we are doing.`
Updated README 2023-05-28 03:00:51 +00:00
Added preview 2023-05-28 02:34:24 +00:00			`## Preview`
			`![](.screens/preview.png)`

Updated README 2023-05-30 08:37:49 +00:00			`## Threat Scope`
Fixed markdown error 2023-06-18 05:05:48 +00:00			`While IRC is an generally unfavored chat protocol as of 2023 (roughly 7,000 networks), it still has a beating heart (over 300,000 users & channels) with potential for user growth & active development being done on [IRCv3](https://ircv3.net/) protocol implementations.`
Updated README 2023-05-30 08:37:49 +00:00
Updated README 2023-06-01 01:05:09 +00:00			`Point is..it's is not going anywhere. With that being said, every network being on the same port leads way for a lot of potential threats:`
Updated README 2023-05-30 08:37:49 +00:00
			`* A new RCE is found for a very common IRC bot`
			`* A new 0day is found for a certain IRCd version`
			`* Old IRC daemons running versions with known CVE's`
			`* Tracing users network/channel whereabouts`
			`* Mass spamming attacks on every network`

Updated, overall performance & memory improved, code cleaned up 2023-06-01 00:59:30 +00:00			`Mass scanning default ports of services is nothing new & though port 6667 is not a common target, running an IRCd on a non-standard port should be the standard. If we have learned anything in the last 10 years, using standard ports for anything is almost always smells like a bad idea.`

Updated README 2023-06-01 01:05:09 +00:00			`![](.screens/base.png)`

Initial commit 2023-05-25 20:03:39 +00:00			`## Todo`
CTCP replies 2023-05-26 01:22:42 +00:00			`* Built in identd`
Added a parser for searching logs with ease 2023-05-26 21:57:53 +00:00			`* Checking for IPv6 availability (SSL= in 005 responses may help verify IPv6)`
Added todo: support for outdated ssl servers 2023-05-27 23:20:45 +00:00			`* Support for IRC servers using old versions of SSL`
Added support for IPv6 & non-standard ports 2023-06-06 05:17:01 +00:00			`* Support for hostnames in targets list (Attempt IPv6 & fallback to IPv4)`
Updated TODOs 2023-06-29 05:07:37 +00:00			`* Support for multiple vhost`
Throttle fine funed again, loop_nick more ranomized, README updated TODOs 2023-06-29 05:02:41 +00:00			`* How do we handle the possibility of connecting to multiple servers linked to same network?`
Updated TODOs 2023-06-29 05:07:37 +00:00			`* Seperate lists for failed & banned networks.`
			`* Learn network target-change throttles from 439 ERR_TARGETTOOFAST replies (Research IRCd defaults)`
Forgot to import tarfile 2023-07-24 02:45:17 +00:00			`* Store last command execute to detect triggers`
Added support for IPv6 & non-standard ports 2023-06-06 05:17:01 +00:00
			`## Opt-out`
Throttle fine funed again, loop_nick more ranomized, README updated TODOs 2023-06-29 05:02:41 +00:00			`You can request to opt out of our scans by sending an email to [scan@internetrelaychat.org](mailto://scan@internetrelaychat.org)`
Initial commit 2023-05-25 20:03:39 +00:00
Updated mirrors 2023-06-26 08:04:09 +00:00			`___`

			`###### Mirrors`
Updated mirrors (FUCK sourcehut) 2023-09-12 20:17:29 +00:00			`[acid.vegas](https://git.acid.vegas/IRCP) • [GitHub](https://github.com/internet-relay-chat/IRCP) • [GitLab](https://gitlab.com/internetrelaychat/IRCP) • [SuperNETs](https://git.supernets.org/internetrelaychat/IRCP)`