hacktricks/network-services-pentesting/pentesting-irc.md

# 194,6667,6660-7000 - Pentesting IRC

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一个**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获得[**官方PEASS和HackTricks的衣物**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>

## 基本信息

IRC最初是一个**纯文本协议**（尽管后来扩展了功能），在请求后被分配了IANA的**194/TCP端口**。然而，事实上的标准一直是在**6667/TCP**和附近的端口号上运行IRC（例如TCP端口6660-6669、7000），以**避免**必须以**root权限**运行IRCd软件。

连接到服务器只需要一个**昵称**。一旦连接建立，服务器首先会对你的IP进行反向DNS查询：

![](https://lh5.googleusercontent.com/C9AbjS9Jn4GvZJ-syptvebGU2jtI4p1UmLsmkBj3--utdFjft1B3Qfij3GDiUqxyp9wq\_mbupVdUtfW-\_rSo1W\_EPFZzCQ7iHSn7-DK3l4-BfylIHluQBNrDWxO0lxCuAMz8EkQ9oi9jwDlH6A)

总体上看，**有两种类型的用户**：**操作员**和普通**用户**。要登录为**操作员**，需要一个**用户名**和一个**密码**（在许多情况下还需要特定的主机名、IP甚至特定的主机掩码）。在操作员中，有不同的特权级别，其中管理员拥有最高特权。

**默认端口：**194、6667、6660-7000
```
PORT     STATE SERVICE
6667/tcp open  irc
```
## 枚举

### 横幅

IRC可以支持**TLS**。
```bash
nc -vn <IP> <PORT>
openssl s_client -connect <IP>:<PORT> -quiet
```
### 手动

在这里，您可以看到如何使用一些**随机昵称**连接和访问IRC，然后枚举一些有趣的信息。您可以在[这里](https://en.wikipedia.org/wiki/List\_of\_Internet\_Relay\_Chat\_commands#USERIP)了解更多IRC命令。
```bash
#Connection with random nickname
USER ran213eqdw123 0 * ran213eqdw123
NICK ran213eqdw123
#If a PING :<random> is responded you need to send
#PONG :<received random>

VERSION
HELP
INFO
LINKS
HELPOP USERCMDS
HELPOP OPERCMDS
OPERATOR CAPA
ADMIN      #Admin info
USERS      #Current number of users
TIME       #Server's time
STATS a    #Only operators should be able to run this
NAMES      #List channel names and usernames inside of each channel -> Nombre del canal y nombre de las personas que estan dentro
LIST       #List channel names along with channel banner
WHOIS <USERNAME>      #WHOIS a username
USERHOST <USERNAME>   #If available, get hostname of a user
USERIP <USERNAME>     #If available, get ip of a user
JOIN <CHANNEL_NAME>   #Connect to a channel

#Operator creds Brute-Force
OPER <USERNAME> <PASSWORD>
```
你也可以尝试使用密码登录服务器。ngIRCd的默认密码是'wealllikedebian'。
```bash
PASS wealllikedebian
NICK patrick
USER test1 test2 <IP> :test3
```
### **查找和扫描IRC服务**

To find and scan IRC services, you can use various tools and techniques. Here are some steps you can follow:

1. **Port scanning**: Use a port scanning tool like Nmap to identify open ports on the target system. IRC services typically use port 6667 or 6697 for SSL/TLS connections.

2. **Banner grabbing**: Once you have identified the open ports, you can use tools like Telnet or Netcat to connect to the IRC service and retrieve the banner. The banner often contains information about the IRC server and its version.

3. **Enumeration**: Use IRC enumeration tools like IRCSniff or IRCSpy to gather information about the IRC channels, users, and server configuration. These tools can help you identify potential vulnerabilities or misconfigurations.

4. **Brute-forcing**: If you have valid usernames or nicknames, you can use tools like Hydra or Medusa to perform brute-force attacks and attempt to guess passwords for IRC accounts.

5. **Exploitation**: Once you have gathered enough information, you can search for known vulnerabilities in the IRC server software or plugins. Exploiting these vulnerabilities can give you unauthorized access to the IRC server or compromise user accounts.

Remember to always obtain proper authorization before performing any scanning or testing activities. Unauthorized access to IRC services or any other system is illegal and unethical.
```bash
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 <ip>
```
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#irc)

### Shodan

* `查找你的主机名`

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？你想在 HackTricks 中看到你的**公司广告**吗？或者你想获得**PEASS 的最新版本或下载 HackTricks 的 PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)

- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram 群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks 仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud 仓库](https://github.com/carlospolop/hacktricks-cloud)提交 PR 来分享你的黑客技巧**。

</details>