___________________________________________________________



GUIDE TO (mostly) HARMLESS HACKING



Vol 4 No. 1: The "MORE" series



MORE on Hacker Wars on Internet Relay Chat (IRC)

____________________________________________________________



Our thanks to Patrick Rutledge, Warbeast, Meltdown and k1neTiK, who all

provided invaluable information on the burning question of the IRC world:

help, they're nuking meee...



	What's the big deal about IRC and hackers? Sheesh, IRC is sooo easy to

use... until you get on a server where hacker wars reign. What the heck do

you do to keep from getting clobbered over and over again?



	Of course you could just decide your enemies can go to heck. But let's say

you'd rather hang in there. You may want to hang in there because if you

want to make friends quickly in the hacker world, one of the best ways is

over Internet Relay Chat (IRC). 



	On IRC a group of people type messages back and forth on a screen in almost

real time. It can be more fun than Usenet where it can take from minutes to

hours for people's replies to turn up. And unlike Usenet, if you say

something you regret, it's soon gone from the screen. Ahem. That is, it will

soon be gone if no one is logging the session.



	In some ways IRC is like CB radio, with lots of folks flaming and making

fools of themselves in unique and irritating ways. So don't expect to see

timeless wisdom and wit scrolling down your computer screen. But because IRC

is such an inexpensive way for people from all over the world to quickly

exchange ideas, it is widely used by hackers. Also, given the wars you can

fight for control of IRC channels, it can give you a good hacker workout.



	To get on IRC you need both an IRC client program and a connection

to a Web site or Internet Service Provider (ISP) that is running an IRC

server program.



***********************

Newbie note: Any program that uses a resource is called a "client."  Any

program that offers a resource is a "server."  Your IRC client program runs

on either your home computer or shell account computer and connects you to

an IRC server program which runs on a remote computer somewhere on the

Internet.

***********************



	You may already have an IRC server running on your ISP. Customer service at

your ISP should be able to help you with instructions on how to use it. Even

easier yet, if your Web browser is set up to use Java, you can run IRC

straight from your browser once you have surfed into a Web-based IRC server.



	Where are good IRC servers for meeting other hackers?



	There are several IRC servers that usually offer hacker channels. EFNet

(Eris-Free Network) links many IRC servers. It was originally started by the

Eris FreeNet (ef.net). It is reputed to be a "war ground" where you might

get a chance to really practice the IRC techniques we cover below. 



	Undernet is one of the largest networks of IRC servers. The main purpose of

Undernet is to be a friendly place with IRC wars under control. But this

means, yes, lots of IRC cops! The operators of these IRC servers have

permission to kill you not only from a channel but also from a server. Heck,

they can ban you for good. They can even ban your whole domain. 



************************************

Newbie note: A domain is the last two (or sometimes three or four) parts of

your email address. For example, aol.com is the domain name for America

Online. If an IRC network were to ban the aol.com domain, that would mean

every single person on America Online would be banned from it.

************************************



************************************

You can get punched in the nose warning: If the sysadmins at your ISP were

to find out that you had managed to get their entire domain banned from an

IRC net on account of committing ICMP bombing or whatever, they will be

truly mad at you! You will be lucky if the worst that happens is that you

lose your account. You'd better hope that word doesn't get out to all the

IRC addicts on your ISP that you were the dude that got you guys all kicked

out.

************************************



	IRCNet is probably the same size if not larger than Undernet. IRCNet is

basically the European/Australian split off from the old EFNet. 



	Yes, IRC is a world-wide phenomenon. Get on the right IRC network and you

can be making friends with hackers on any continent of the planet. There are

at least 80 IRC networks in existence. To learn how to contact them, surf

over to: http://www.irchelp.org/. You can locate additional IRC servers by

surfing over to http://hotbot.com or http://digital.altavista.com and

searching for "IRC server."  Some IRC servers are ideal for the elite

hacker, for example the l0pht server. Note that is a "zero" not an "O" in

l0pht.



****************************************

Evil genius tip: Get on an IRC server by telneting straight in through port

6667 at the domain name for that server.

****************************************



	But before you get too excited over trying out IRC, let us warn you. IRC is

not so much phun any more because some d00dz aren't satisfied with using it

to merely say naughty words and cast aspersions on people's ancestry and

grooming habits. They get their laughs by kicking other people off IRC

entirely. This is because they are too chicken to start brawls in bars. So

they beat up on people in cyberspace where they don't have to fret over

getting ouchies.



	But we're going to show some simple, effective ways to keep these lusers

from ruining your IRC sessions. However, first you'll need to know some of

the ways you can get kicked off IRC by these bullies.



	The simplest way to get in trouble is to accidentally give control of your

IRC channel to an impostor whose goal is to kick you and your friends off.



	You see, the first person to start up a channel on an IRC server is

automatically the operator (OP). The operator has the power to kick people

off or invite people in. Also, if the operator wants to, he or she may pass

operator status on to someone else. 



	Ideally, when you leave the channel you would pass this status on to a

friend you trust. Also, maybe someone who you think is your good buddy is

begging you to please, please give him a turn being the operator. You may

decide to hand over the OP to him or her in order to demonstrate friendship.

But if you mess up and accidentally OP a bad guy who is pretending to be

someone you know and trust, your fun chat can become history.



	One way to keep all this obnoxious stuff from happening is to simply

not OP people you do not know. But this is easier said than done. It is a

friendly thing to give OP to your buddies. You may not want to appear stuck

up by refusing to OP anyone. So if you are going to OP a friend, how can you

really tell that IRC dude is your friend?



	Just because you recognize the nick (nickname), don't assume it's who you

think it is! Check the host address associated with the nick by giving the

command "/whois IRCnick" where "IRCnick" is the nickname of the person you

want to check.  



	This "/whois" command will give back to you the email address belonging to

the person using that nick. If you see, for example, "d***@wannabe.net"

instead of the address you expected, say friend@cool.com, then DO NOT OP

him.  Make the person explain who he or she is and why the email address is

different.
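
	The same check, written out as an added example (it is not part of the original Guide): parse the server's WHOIS reply, numeric 311 in RFC 1459, and refuse to OP unless the user@host matches an address you expect for that nick. The TRUSTED table, the server name and the sample reply lines are constructed for illustration.

```python
import fnmatch
import re

# RFC 1459 numeric 311 (RPL_WHOISUSER): "<nick> <user> <host> * :<real name>"
WHOIS_USER = re.compile(
    r"^:\S+ 311 \S+ (?P<nick>\S+) (?P<user>\S+) (?P<host>\S+) \* :"
)

# Constructed allowlist: nick -> user@host masks you expect that friend to use.
TRUSTED = {"friend": ["friend@cool.com", "friend@*.cool.com"]}

def parse_whois_user(line):
    """Return (nick, user, host) from a 311 reply, or None if it is not one."""
    m = WHOIS_USER.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m["nick"], m["user"], m["host"]

def may_op(requested_nick, whois_line, trusted=TRUSTED):
    """Decide whether to OP requested_nick. Fails closed on anything unexpected."""
    parsed = parse_whois_user(whois_line)
    if parsed is None:
        return False, "no usable WHOIS reply"
    nick, user, host = parsed
    # IRC nicks are case-insensitive; the reply must be about the nick we asked for.
    if nick.lower() != requested_nick.lower():
        return False, "WHOIS reply is for a different nick"
    seen = f"{user}@{host}".lower()
    masks = trusted.get(requested_nick.lower(), [])
    if any(fnmatch.fnmatchcase(seen, mask.lower()) for mask in masks):
        return True, f"{seen} matches an expected address"
    return False, f"{seen} is not an expected address for {requested_nick}"

# Constructed sample replies, in the order: expected host, dial-up host, impostor.
SAMPLE_OK = ":irc.example.net 311 me friend friend cool.com * :My Friend"
SAMPLE_DIALUP = ":irc.example.net 311 me Friend friend ppp12.cool.com * :My Friend"
SAMPLE_IMPOSTOR = ":irc.example.net 311 me friend someone wannabe.net * :My Friend"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DIALUP, SAMPLE_IMPOSTOR):
        print(may_op("friend", sample))
```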



	But entering a fake nick when entering an IRC server is only the simplest

of ways someone can sabotage an IRC session. Your real trouble comes when

people deploy "nukes" and "ICBMs" against you.



	"Nuking" is also known as "ICMP Bombing." This includes forged messages

such as EOF (end of file), dead socket, redirect, etc.



**************************************

Newbie note: ICMP stands for Internet Control Message Protocol. This is a

class of IRC attacks that go beyond exploiting quirks in the IRC server

program to take advantage of major league hacking techniques based upon the

way the Internet works.

**************************************

**************************************

You can go to jail warning: ICMP attacks constitute illegal denial of

service attacks. They are not just harmless harassment of a single person on

IRC, but may affect an entire Internet host computer, disrupting service to

all who are using it.

***************************************



	For example, ICMP redirect messages are used by routers to tell other

computers "Hey, quit sending me that stuff. Send it to routerx.foobar.net

instead!" So an ICMP redirect message could cause your IRC messages to go to

bit heaven instead of your chat channel. 



	EOF stands for "end of file." "Dead socket" refers to connections such as

your PPP session that you would be using with many IRC clients to connect to

the Internet. If your IRC enemy spoofs a message that your socket is dead,

your IRC chat session can't get any more input from you.  That's what the

program "ICMP Host Unreachable Bomber for Windows" does.



	Probably the most devastating IRC weapon is the flood ping, known as "ICBM

flood or ICMPing." The idea is that a bully will find out what Internet host

you are using, and then give the command "ping -f" to your host computer. Or

even to your home computer. Yes, on IRC it is possible to identify the

dynamically assigned IP address of your home computer and send stuff

directly to your modem! If the bully has a decent computer, he or she may be

able to ping yours badly enough to briefly knock you out of IRC. Then this

character can take over your IRC session and may masquerade as you. 



**********************

Newbie note: When you connect to the Internet with a point-to-point (PPP)

connection, your ISP's host computer assigns you an Internet Protocol (IP)

address which may be different every time you log on. This is called a

"dynamically assigned IP address." In some cases, however, the ISP has

arranged to assign the user the same IP address each time.

**********************



	Now let's consider in more detail the various types of flooding attacks on

IRC.



	The purpose of flooding is to send so much garbage to a client that its

connection to the IRC server either becomes useless or gets cut off.



	Text flooding is the simplest attack. For example, you could just hold down

the "x" key and hit enter from time to time. This would keep the IRC screen

filled with your junk and scroll the others' comments quickly off the

screen. However, text flooding is almost always unsuccessful because almost

any IRC client (the program you run on your computer) has text flood

control. Even if it doesn't, text must pass through an IRC server. Most IRC

servers also have text flood filters. 



	Because text flooding is basically harmless, you are unlikely to suffer

anything worse than getting banned or possibly K:lined for doing it. 



******************************************

Newbie note: "K:line" means to ban not just you, but anyone who is in your

domain from an IRC server. For example, if you are a student at Giant State

University with an email address of IRCd00d@giantstate.edu, then every

person whose email address ends with "giantstate.edu" will also be banned.

*******************************************



	Client to Client Protocol (CTCP) echo flooding is the most effective type

of flood. This is sort of like the ping you send to determine whether a host

computer is alive. It is a command used within IRC to check to see if

someone is still on your IRC channel. 



	How does the echo command work? To check whether someone is still on your

IRC channel, give the command "/ctcp nick ECHO hello out there!" If "nick"

(where "nick" is the IRC nickname of the person you are checking out) is

still there, you get back "nick HELLO OUT THERE."



	What has happened is that your victim's IRC client program has

automatically echoed whatever message you sent. 



	But someone who wants to boot you off IRC can use the CTCP echo command to

trick your IRC server into thinking you are hogging the channel with too

much talking. This is because most IRC servers will automatically cut you

off if you try text flooding.



	So CTCP echo flooding spoofs the IRC server into falsely cutting someone off by

causing the victim's IRC client to automatically keep on responding to a

whole bunch of echo requests.



	Of course your attacker could also get booted off for making all those CTCP

echo requests.  But a knowledgeable attacker will either be working in

league with some friends who will be doing the same thing to you or else be

connected with several different nicks to that same IRC server. So by having

different versions of him or herself in the form of software bots making

those CTCP echo requests, the attacker stays on while the victim gets booted

off. 



	This attack is also fairly harmless, so people who get caught doing this

will only get banned or maybe K:lined for their misbehavior.



******************************

Newbie note: A "bot" is a computer program that acts kind of like a robot to

go around and do things for you. Some bots are hard to tell from real

people. For example, some IRC bots wait for someone to use bad language and

respond to these naughty words in annoying ways.

*************************************



*************************************

You can get punched in the nose warning:  Bots are not permitted on the

servers of the large networks. The IRC Cops who control hacker wars on these

networks love nothing more than killing bots and banning the botrunners that

they catch.

**************************************



	A similar attack is CTCP ping. You can give the command "/ping nick" and

the IRC client of the guy using that nick would respond to the IRC server

with a message to be passed on to the guy who made the ping request saying

"nick" is alive, and telling you how long it took for nick's IRC client

program to respond. It's useful to know the response time because sometimes

the Internet can be so slow it might take ten seconds or more to send an IRC

message to other people on that IRC channel. So if someone seems to be

taking a long time to reply to you, it may just be a slow Internet.



	Your attacker can also easily get the dynamically assigned IP (Internet

protocol) address of your home computer and directly flood your modem. But

just about every Unix IRC program has at least some CTCP flood protection

in it. Again, we are looking at a fairly harmless kind of attack.



	So how do you handle IRC attacks? There are several programs that you can

run with your Unix IRC program. Examples are the programs LiCe and Phoenix.

These scripts will run in the background of your Unix IRC session and will

automatically kick in some sort of protection (ignore, ban, kick) against

attackers.  
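
	How this kind of protection can work, as an added example that is not part of the original Guide and not taken from LiCe or Phoenix: cap the automatic CTCP replies your client sends in total, so that clones on several hosts cannot push you over the server's flood limit, and ignore any host that keeps asking. The class name, thresholds and sample traffic are assumptions made for illustration.

```python
import re
from collections import deque

# CTCP request as relayed by the server: ":nick!user@host PRIVMSG target :\x01CMD args\x01"
CTCP_REQ = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+@(?P<host>\S+) PRIVMSG \S+ "
    r":\x01(?P<cmd>[A-Za-z]+)(?: (?P<arg>[^\x01]*))?\x01$"
)

class CtcpGuard:
    """Decides whether to auto-reply to a CTCP ECHO/PING (hypothetical helper)."""
    def __init__(self, max_replies=3, window=10.0, per_host=2):
        self.max_replies = max_replies  # replies allowed per window, all senders combined
        self.window = window            # seconds
        self.per_host = per_host        # requests tolerated per host per window
        self.sent = deque()             # timestamps of replies already sent
        self.by_host = {}               # host -> deque of request timestamps
        self.ignored = set()            # hosts we no longer answer

    def handle(self, line, now):
        """Return the NOTICE to send in reply, or None to stay silent."""
        m = CTCP_REQ.match(line.rstrip("\r\n"))
        if not m or m["cmd"].upper() not in ("ECHO", "PING"):
            return None
        host = m["host"].lower()
        if host in self.ignored:
            return None
        reqs = self.by_host.setdefault(host, deque())
        reqs.append(now)
        while reqs and now - reqs[0] > self.window:
            reqs.popleft()
        if len(reqs) > self.per_host:
            self.ignored.add(host)      # the "ignore" step: key on host, nicks are cheap
            return None
        while self.sent and now - self.sent[0] > self.window:
            self.sent.popleft()
        if len(self.sent) >= self.max_replies:
            return None                 # global budget spent: silence beats flooding the server
        self.sent.append(now)
        payload = m["cmd"].upper() + (" " + m["arg"] if m["arg"] else "")
        return f"NOTICE {m['nick']} :\x01{payload}\x01"  # CTCP replies travel as NOTICE

def replay(guard, events):
    """Feed (time, raw_line) pairs to the guard; return the replies it would send."""
    return [r for t, line in events if (r := guard.handle(line, t)) is not None]

# Constructed traffic: four clones on different hosts, three ECHO requests each in about a second.
FLOOD = [
    (rnd * 0.4 + bot * 0.1,
     f":clone{bot}!x@host{bot}.example.net PRIVMSG me :\x01ECHO hello out there!\x01")
    for rnd in range(3) for bot in range(1, 5)
]
FRIEND = (20.0, ":friend!friend@cool.com PRIVMSG me :\x01PING 865432100\x01")
```

	Replaying FLOOD through a fresh CtcpGuard yields three replies for twelve requests and leaves all four clone hosts ignored, while the later request in FRIEND is still answered.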



	If you are running a Windows-based IRC client, you may assume that like

usual you are out of luck. In fact, when I first got on an IRC channel

recently using Netscape 3.01 running on Win 95, the *first* thing the

denizens of #hackers did was make fun of my operating system. Yeah, thanks.

But in fact there are great IRC war programs for both Windows 95 and Unix.



	For Windows 95 you may wish to use the mIRC client program. You can

download it from http://www.super-highway.net/users/govil/mirc40.html. It

includes protection from ICMP ping flood. But this program isn't enough to

handle all the IRC wars you may encounter. So you may wish to add the

protection of the most user-friendly, powerful Windows 95 war script

around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.



 	If you surf IRC from a Unix box, you'll want to try out IRCII. You can

download it from ftp.undernet.org , in the directory /pub/irc/clients/unix,

or http://www.irchelp.org/, or ftp://cs-ftp.bu.edu/irc/. For added

protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts.

Ahem, at this same site you can also download the attack program Tick from

/pub/irc/tick. But if you get Tick, just remember our "You can get punched

in the nose" warning!



*********************************

Newbie note: For detailed instructions on how to run these IRC programs, see

http://www.irchelp.org/.  Or go to Usenet and check out alt.irc.questions.

*********************************



*********************************

Evil genius tip: Want to know every excruciating technical detail about IRC?

Check out RFC 1459 (The IRC protocol). You can find many copies of this ever

popular RFC (Request for Comments) by doing a Web search.

********************************



	Now let's suppose you are all set up with an industrial strength IRC client

program and war scripts. Does this mean you are ready to go to war on IRC?



	Us Happy Hacker folks don't recommend attacking people who take over OP

status by force on IRC.  Even if the other guys start it, remember this. If

they were able to sneak into the channel and get OPs just like that, then

chances are they are much more experienced and dangerous than you are.

Until you become an IRC master yourself, we suggest you do no more than ask

politely for OPs back. 



	Better yet, "/ignore nick" the l00zer and join another channel.  For

instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and

"/invite IRCfriend" all your friends there. And remember to use what you

learned in this Guide about the IRC whois command so that you DON'T OP

people unless you know who they are.  



	As Patrick Rutledge says, this might sound like a wimp move, but if you

don't have a fighting chance, don't try - it might be more embarrassing for

you in the long run. And if you start IRC warrioring and get K:lined off the

system, just think about that purple nose and black eye you could get when

all the other IRC dudes at your ISP or school find out who was the luser who

got everyone banned.



	That's it for now. Now don't try any funny stuff, OK? Oh, no, they're

nuking meee...



____________________________________________________________



Want to see back issues of Guide to (mostly) Harmless Hacking? See either

http://www.cs.utexas.edu/users/matt/hh.html (the official Happy Hacker

archive site) or:

http://www.geocities.com/TimesSquare/Arcade/4594 

http://www.silitoad.org

http://base.kinetik.org

http://www.anet-chi.com/~dsweir

http://www.tacd.com/zines/gtmhh/ 

http://ra.nilenet.com/~mjl/hacks/codez.htm

http://www.ilf.net/brotherhood/index2.html

http://www.magnum44.com/orion/entry.htm

http://www.geocities.com/NapaValley/1613/main.html



Subscribe to our discussion list by emailing to hacker@techbroker.com with

message "subscribe"

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes?

Send your messages to hacker@techbroker.com.  To send me confidential email

(please, no discussions of illegal activities) use cmeinel@techbroker.com

and be sure to state in your message that you want me to keep this

confidential. If you wish your message posted anonymously, please say so!

Direct flames to dev/null@techbroker.com. Happy hacking! 

Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO

(mostly) HARMLESS HACKING on your Web site as long as you leave this notice

at the end.

________________________________________________________

Carolyn Meinel

M/B Research -- The Technology Brokers



--

Matt Hinze            OR 

PGP: http://keys.pgp.com:11371/pks/lookup?op=index&search=matt+hinze

ICQ: 1301602                      Please encrypt anything important. 

--



