In 1994 I got my first computer that was capable of getting on the internet. By the end of 1994 I was on IRC chatting and pirating mp3s, movies, and games via file-serving bots. This was long before Napster, boys and girls. In 1994 IRC was kind of the wild west of the internet chat rooms. Unlike AOL or other popular chats available, IRC was and, for the most part still is, made up of the Internet’s worst nightmare – socially awkward, broke, unmonitored, teen-aged, arrogant geeks. In fact, I’m quite positive that IRC was the first thing in my life that made me consider homicide. It was a love-hate relationship from the very beginning and I was addicted.
I’ve often thought that if there was any money in hacking in the late 1990s my life would most likely be very different. Unfortunately, no one really cared about computer security too much and there isn’t much money in protecting something that isn’t cared for. This made it relatively easy to break into computers and fairly tough to get caught. This was long before virus scans and software firewalls were prevalent and a decade before anyone I knew actually made a dollar preventing a break-in by hackers. I’m sure making money with computer security existed, but I’m equally sure the money was made with government jobs – if you get my drift.
My hacking life began after being attacked by someone on IRC with a Linux computer – something I had never heard of and could barely comprehend. All I knew in the computer world was Windows and mIRC. Apparently, there was a better system out there and these bastard geeks were using it on me! After seeing how the geeks behaved themselves on IRC (constantly talking shit and hiding behind a computer screen thousands of miles away) I followed suit. I figured that no one could really do anything to me anyway and tracking me down would be impossible. After insulting a fellow IRCer, my eyes were opened to something called the “Tear Drop” (later known as teardrop.c). What did TearDrop do? Teardrop sent fragmented packets to Windows machines, causing them to freeze up or bluescreen. I was attacked. At first I thought it was simply Windows doing what Windows does best – freezing. Then, after a reboot and another freeze and another reboot and another freeze, I realized that perhaps I had pissed in the wrong IRCer’s Cheerios. I let IRC rest a while and came back a few hours later. My suspicions were correct and, after receiving a rather lengthy tongue-lashing, I attempted to befriend my attacker. Naively, I insisted that he teach me how to use this “Linux” program. Looking back I realize that he probably saved us both a bunch of time and effort by simply telling me that there was no way I was going to learn it by myself over IRC and that I needed to get a book on the subject. I refused. Life, as well as IRC, continued on.
Though I don’t remember the details of this part, I did eventually find a way to protect myself from teardrop attacks that involved using computers infected with popular trojan horse viruses and then “bouncing” off these people’s computers. This works in essence like a relay, with the trojaned computer in the middle of the traffic to and from IRC (or anywhere else I wanted to go pretending to be the trojaned computer). Though it prevented me from being crashed, it didn’t prevent the trojaned computer from being crashed and causing me to lose my connection to IRC. Though it wasn’t perfect, it did help.
Because I barely knew what Linux was and I was still learning Windows, I did discover several ways to cause trouble to my enemies on IRC. By 1995 I had developed a system of attacking IRC chatrooms that worked quite well. To my knowledge, it was the first chatroom “cracker” ever created and used against NewNet’s “Chanserv”. Chanserv was an automated bot that gave “ops” (operator status) to owners of chatrooms so that the ops could control their chatroom any way he or she pleased. To gain access to a channel’s operator status you could query Chanserv with a command that included a password that the original owner of the channel set up. If you guessed (cracked) the password correctly you would then get complete control of that chatroom. Seems simple enough, right? Well, the query was rather long and boring, and typing it over and over and trying to keep track of the passwords you already tried in your head was a pain in the ass. So, I wrote an IRC script that actually did it for me. Was I successful often? Not at all. Especially not at first. But when it worked, my god was it funny! That’s when “SirSlappy” started to gain some notoriety. The IRCops (IRC Moderators) couldn’t figure out how I was taking over channels at will. To them it seemed as though I was taking over any channel I chose. In reality, I was taking over every channel whose owner was stupid enough to use the password “love” or something just as silly. That went on for weeks. Once I had some IRC “cred” I used it to befriend a guy that was fairly impressed. His name was EliFi.
EliFi had “shell accounts” and actually gave me access to one on a trade to teach him what I was doing. I actually lied to him and told him that I hacked the channel owner’s computer and stole his password. I didn’t want to give up my secret method yet. Either way, he did hold to his part of the bargain and gave me a shell account. A “shell account” is a remote login to another system in another part of the world. I thought it was pretty damn useless initially until I learned that it was running the infamous Linux system. Fortunately for me, EliFi had already “installed” teardrop for me, and once I figured out how to use it I was teardropping every poor bastard on IRC that even thought about crossing my path. “Oh, you don’t like carrots, MrBill0123”? Teardrop for you! “Zack Morris is a homo and not a hero, LadyBear”? Teardrop for you! Bahahahaha… It was good to be king. Unyielding power only leads to tyranny. Tyranny always seems to fall to the hands of those oppressed. One day I ran across 1995’s “Neo”. His name was “UnForgive”. Guess what? Teardrop only made him raise an eyebrow and smile.
UnForgive was hell on the internet. One thing I learned fast – don’t piss this guy off. He told me he lived in Florida and I never really saw a picture of him that was clear. He didn’t look like a nerd really. He was well-versed with Linux and showed me the ropes to the point of walking me through the commands over the phone and doing the best he could to teach me how to use the Linux shell accounts. Once I learned how it all worked, things really took off. Linux was fun, and IRC was a lot more fun not having to worry about being TearDropped or any other attacks. Linux was immune to the attacks that Windows fell victim to. Life on IRC was good and was about to get even better.
One day while attempting to crack websites with my handy-dandy Chanserv cracker I entered a channel and to my surprise I was auto-op’d. I had no idea why. Initially I suspected that I had hacked the channel before and somehow I was getting ops still as the owner of the channel. That wasn’t correct. Before I go any further I need to discuss some technical information.
Anytime you use a computer and access the internet you are given an IP address that consists of numbers separated by periods. For example: 188.8.131.52. This address will often “resolve” to a hostname that makes a little more sense if you like. Simply plug those numbers into www.dnstools.com and you’ll see that you get “iad04s01-in-f103.1e100.net”.
Another thing I would run into is that the channel owners would give “auto-operator” status to people based on their IP addresses or what their IP addresses resolved to. So you’re essentially left with something that says, “Chanserv, from now on anyone that joins this channel with an IP address that resolves to “iad04s01-in-f103.1e100.net” should get operator status immediately.” Sometimes the resolved name would change a bit, so the admins would use only parts of the resolved hostname to identify legitimate members of the operator group, with the rest replaced by wildcards. Something like this: iad0*1-in-*.1e100.net.
So, if you were incredibly lucky you might join a channel with a Chanserv Auto-Operator status setup that included a resolved IP address bit that was incredibly close to your own. If you did run across this you would get ops automatically and be in control of the channel. This rarely happened and when it happened to me it was complete dumb luck. The odds of it happening are very small. Once I figured out what happened I asked myself, “How can I exploit this little bit of information?” After some careful calculations the real demolishing of Chanserv and IRC security was to start.
In order to pull off the attack I needed to know what users in what channels were getting auto-ops. The only way to do this was to monitor the channels I wanted to take over for a few days – then check the logs of the users that were auto-opped. Then I would find all of the IP addresses of the people that were auto-opped. I made an Excel spreadsheet with all the channels, the IP addresses of the people getting auto-opped, and what times they were on and not on. After I had a good list, I started scanning for popular trojan-infected computers so that I could use my “bounces” that I was using to protect myself from Teardrops earlier in my life. The best part about these bounces is that if you got an infected computer on the same IP range it would very often resolve the IP close enough to get you auto-ops on the channel. After a few hours of scanning I would eventually find an infected computer that I could bounce off that had a very similar IP resolve to the one getting auto-ops in IRC. A little manipulation of my nickname and username on IRC and a channel join – TAH DAH! Instant Ops! In fact, it worked so well I could usually take over the identity of the channel ops instantly. I could convince the owners to give me their channel passwords and tons of other information including access to other Linux shells, hacked computers, pictures of their girlfriends and whatever else I wanted.
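The weakness described above is that a wildcarded auto-op mask matches every host in the same pool, not just the owner’s machine, and the nick and username parts are whatever the client says they are. The following is an added example, not code from the original post, that matches IRC-style masks the way Chanserv’s access list would and audits a list for masks that grant ops to more than one distinct host; the hostnames and nicks are constructed for the demonstration and only modelled on the one quoted in the post.

```python
import re


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate an IRC-style mask ('*' = any run of chars, '?' = one char) to an anchored regex."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def mask_matches(mask: str, fullmask: str) -> bool:
    """True if a user's nick!user@host string matches an access-list mask."""
    return mask_to_regex(mask).match(fullmask) is not None


def audit_access_list(masks, observed):
    """Defender's check: for each access-list mask, collect the distinct hosts it matched
    among observed nick!user@host strings. Masks matching more than one host are returned,
    since they hand out ops to anyone who lands on another machine in the same pool."""
    loose = {}
    for mask in masks:
        hosts = {fm.rsplit("@", 1)[1].lower() for fm in observed if mask_matches(mask, fm)}
        if len(hosts) > 1:
            loose[mask] = sorted(hosts)
    return loose


# Constructed sample data (hostnames modelled on the one quoted in the post).
ACCESS_LIST = [
    "*!*@iad04s01-in-f103.1e100.net",  # exact host: only the owner's machine
    "*!*@iad0*1-in-*.1e100.net",       # wildcarded host: anything in the same pool
]
OBSERVED = [
    "owner!op@iad04s01-in-f103.1e100.net",
    "owner!op@iad04s01-in-f103.1e100.net",         # same owner, second session
    "SirSlappy!op@iad04s01-in-f100.1e100.net",     # different machine, same pool, copied nick/user
    "guest!x@iad09s11-in-f2.1e100.net",            # still matches the wildcard mask
    "bystander!y@example.net",
]

if __name__ == "__main__":
    for mask, hosts in audit_access_list(ACCESS_LIST, OBSERVED).items():
        print(f"loose mask {mask} grants ops to {len(hosts)} hosts: {hosts}")
```

Only the wildcarded mask is reported; the exact-host mask matches the owner’s machine alone.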
It was all pretty simple actually. If you asked the security in place on IRC, I couldn’t have been anyone else other than the channel op. Even the admins couldn’t tell the difference. No one could. It would be impossible honestly. It was a complete impersonation of the channel op.
I’m really not sure how this would work on IRC in 2010. I’m not sure it works anymore because I haven’t tried, and Chanserv and other IRC server bots are probably much smarter now. I do know that a few years after I got bored with taking over IRC I went back and attempted to crack Chanserv for shits and giggles. They had put a password attempt limit at 3 by then, so apparently what I did got to be pretty popular.
If anyone is able to duplicate this method now I’d like to hear about it. I’m just interested in knowing whether or not it still works.