________SWAT MAGAZINE ISSUE TWENTY THREE: NOVEMBER 1999_________ / \___________________________________________/ \ / Eggdrop Hacking \ / By The Mob Boss \ ----------------------------------------------------------------------- Eggdrop is the famous Unix-Based bot created some time ago to put an end to channel takeovers in, believe it or not, #Gay. Its main purpose is to run and maintain a channel, protecting it from takeovers and making sure OP status remains in the hands of its owner and those designated to have OP status. Its quite fun, but time consuming to set up. However it has been a valuable tool in maintaining many channels. Even those who are registered with X or W on Undernet keep Eggdrop bots running in their channels. The point of this article is not to talk about setting Eggdrop bots up (since I am making the assumption you already know how) but rather to discuss possible vulnerabilities with these bots. This is not only Eggdrop but IRC channel security. Since it seems channels are always getting taken I thought this might be a good thing to write about. This is basically how your usual Eggdrop works once it is setup on the channel of its owners choosing. Lets say Joe goes into his channel, #foobar, and wants to get Op'd by his bot. Joe has to message his bot for Op status. Lets say his bots name is Retard. All he has to do is /msg Retard op his-password or he can DCC chat the bot and .op Joe. When he logs in via DCC its called the partyline. Now besides for the password, the ident is what the bot is looking at. That is how he realizes that its Joe. The ident that you see on /whois or when someone enters the channel is what the bot recognizes. If you are not recognized by the bot, then it will just ignore you, meaning /msg and DCC chatting will mean nothing even if you knew the password. Knowing those basics it is easy to see why channels can be considered insecure. Now, on to how we might exploit a bot for Op status. The first step is surveillance of the channel. The point of the surveillance is to pick up on how it is run and what formalities there are to get Op'd. Also, how many bots are in the channel, the kind of bot (most likely Eggdrop), and of course the nicks and idents of the operators. Please keep in mind that the nick does not matter to the bot it is only the ident (something@127.0.0.1 for example) that it looks at. Now when in the channel it is important to be as covert as possible and to keep good notes, especially of the idents of operators. If you are in fear of being detected it would be wise to use a proxy or wingate when connecting, but something obvious with the abbreviation "proxy" would probably not be too wise. Once you have established who the players are its time to see who you could most easily impersonate. For instance, if you see that five different people get Op'd by the bot then you should take a look at what their ISPs are. The best thing to look for is someone who is using a national ISP, for example, AOL or Prodigy. The main thing is something that you can get your hands on one way or another (I will not be discussing ripping off ISPs, sorry). Now if your subject happens to be using AOL, hold your breath, and sign on. Then minimize that shitty little browser and head for IRC. Before you log on IRC, though, you should change all the details to those of the subject, the ident, name, email address, even the nick if you feel so inclined. Now, attempt to DCC chat the bot. If you do get that little Eggdrop greeting screen prompting you for your password then your in luck. Now something weird that happened to me once was, when I /msg'ed the bot it seemed to think that I was a new user and he wanted me to set a password, which I did, and then viola I logged in and had OP status. It was clear that whoever it was assigned for did not log into it yet, or there was a misconfiguration. The point is that if you play around with it long enough your bound to figure a way in because the login process itself is not all that safe. Another possibility is that your target set up their bot to auto-op people, if so then they are pretty dumb since all you have to do is emulate that persons info and you'll have Op status. Now if there is no misconfiguration in the setup of the bot itself you can always try to brute force the bot's password, which of course is not going to be all that easy. One way you might get a password that the target uses is by getting him to sign up with you for something that requires a password. Chances are he uses the same password for many things. If you want to be a script kiddie well you can always go about using a script to do it, it's up to you. Please use this information in an honorable way. Taking channels is not something that you should make a habit of and I can tell you from experience people get pissed when you do. Make sure the benifits out-way the time and effort it wiil take you. In a lot of instances its completely pointless to attempt to take someone's channel. There is a shot that certain IRCops will get pissed with you as well and attempt to ban you. Just think about what your doing before hand. To those who found this text too basic or lame, why did you bother reading this far? -The Mob Boss; http://mobboss.dragx.cx Voice mail and fax: 1-877-203-3043 Edited By Bigh _____________________ / * BBS LIST * /| /____________________/ | | |M | | The Sacrifial Lamb|O | | english.gh0st.net |B | | | | | Ripco BBS |B | | ripco2.ripco.com |O | | |S | | The NorthLand |S | | Underground BBS | | | nub.dhs.org | | | | | | L0pht BBS | | | bbs.l0pht.com | / |___________________|/ This has been a publication written by THE MOB BOSS; He is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the users discretion. THE MOB BOSS in no way or form supports, aids, or participates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS are strictly for informational purposes only. THE MOB BOSS © 1999 all rights reserved