Hacktricks-skills irc-pentesting
Perform IRC (Internet Relay Chat) security testing and enumeration. Use this skill whenever the user mentions IRC, IRC servers, port 6667, IRC channels, IRC operators, or wants to enumerate/test IRC services. Trigger for any IRC-related security assessment, vulnerability scanning, or reconnaissance tasks involving IRC protocols on ports 194, 6667, or 6660-7000.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/pentesting-irc/SKILL.MD
IRC Pentesting
A skill for performing security testing and enumeration of IRC (Internet Relay Chat) services.
Overview
IRC is a plain-text protocol. IANA originally assigned it port 194/TCP, but it commonly runs on 6667/TCP and on ports in the 6660-7000 range to avoid requiring root privileges. This skill helps you enumerate IRC servers, identify vulnerabilities, and gather intelligence during security assessments.
Default Ports
- 194/TCP - Original IANA-assigned port
- 6667/TCP - Most common IRC port
- 6660-7000/TCP - Alternative IRC ports
Enumeration
Banner Grabbing
Check if the IRC server supports TLS and gather initial information:
```bash
# Basic connection test
nc -vn <IP> <PORT>

# Check for TLS support
openssl s_client -connect <IP>:<PORT> -quiet
```
Manual Enumeration
Connect to the IRC server with a random nickname and enumerate information:
```text
# Connect with random nickname
USER <random_username> 0 * <random_username>
NICK <random_nickname>

# Handle PING/PONG if server responds with PING :<random>
# Send: PONG :<received_random>

# Information gathering commands
VERSION                 # Server version
HELP                    # Available help
INFO                    # Server information
LINKS                   # Server links
HELPOP USERCMDS         # User commands
HELPOP OPERCMDS         # Operator commands
OPERATOR CAPA           # Capabilities
ADMIN                   # Admin information
USERS                   # Current user count
TIME                    # Server time
STATS a                 # Server stats (operators only)
NAMES                   # List channels and users in each
LIST                    # List channels with banners

# User-specific queries
WHOIS <USERNAME>        # User information
USERHOST <USERNAME>     # User hostname (if available)
USERIP <USERNAME>       # User IP (if available)

# Join channels
JOIN <CHANNEL_NAME>

# Attempt operator login (brute force)
OPER <USERNAME> <PASSWORD>
```
Default Credentials
Some IRC servers have known default passwords:
- ngIRCd: wealllikedebian

```text
# Try default ngIRCd password
PASS wealllikedebian
NICK <nickname>
USER <username> <hostname> <server> :<realname>
```
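The enumeration commands, the ngIRCd default password and the OPER guessing described above leave a recognisable pattern in client traffic, which a server operator can flag. The following is an added example, not part of the original skill: the record format (source IP plus raw client line), the two thresholds and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict

# Enumeration commands listed on this page (matched case-insensitively).
RECON = {"VERSION", "INFO", "LINKS", "HELPOP", "ADMIN", "USERS", "TIME",
         "STATS", "NAMES", "LIST", "WHOIS", "USERHOST", "USERIP"}
DEFAULT_PASSWORDS = {"wealllikedebian"}  # ngIRCd default named on the page
OPER_LIMIT = 3   # assumed threshold: OPER attempts per source
RECON_LIMIT = 5  # assumed threshold: distinct recon commands per source

def parse_irc(line):
    """Split one IRC message into (command, params), honouring ':' trailing."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):  # optional message prefix
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None, []
    return parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def analyze(records):
    """records: (source_ip, raw client line) pairs -> {ip: sorted findings}."""
    oper, recon, default_pw = defaultdict(int), defaultdict(set), set()
    for src, raw in records:
        cmd, params = parse_irc(raw)
        if cmd == "OPER":
            oper[src] += 1
        elif cmd == "PASS" and params and params[0] in DEFAULT_PASSWORDS:
            default_pw.add(src)
        elif cmd in RECON:
            recon[src].add(cmd)
    findings = defaultdict(list)
    for src, n in oper.items():
        if n >= OPER_LIMIT:
            findings[src].append(f"oper-bruteforce:{n}")
    for src in default_pw:
        findings[src].append("default-password")
    for src, cmds in recon.items():
        if len(cmds) >= RECON_LIMIT:
            findings[src].append(f"recon-burst:{len(cmds)}")
    return {src: sorted(f) for src, f in findings.items()}

SAMPLE = [  # constructed capture; IPs are RFC 5737 documentation addresses
    ("192.0.2.10", "NICK alice"), ("192.0.2.10", "JOIN #general"),
    ("192.0.2.10", "WHOIS bob"), ("198.51.100.7", "PASS wealllikedebian"),
    *[("198.51.100.7", c) for c in
      ("VERSION", "info", "LINKS", "ADMIN", "STATS a", "LIST")],
    *[("198.51.100.7", f"OPER admin guess{i}") for i in range(4)],
]
print(analyze(SAMPLE))
```

The ordinary client (a single WHOIS and a JOIN) produces no finding; only the source that combines the default password, a burst of distinct information commands and repeated OPER attempts is reported.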
Nmap Scanning
Use Nmap scripts to identify IRC services and potential vulnerabilities:
```bash
# Scan for IRC services and vulnerabilities
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 <IP>
```
Shodan Queries
Search Shodan for IRC servers:
- Query: looking up your hostname
- Filter by port: port:6667 or port:194
User Types
- Regular Users: Need only a nickname to connect
- Operators: Require username and password, have elevated privileges
- Administrators: Highest privilege level
Workflow
- Identify IRC services - Scan target ports (194, 6667, 6660-7000)
- Banner grab - Check for TLS and gather version info
- Connect manually - Use random nickname to enumerate
- Gather intelligence - Run WHOIS, NAMES, LIST commands
- Test credentials - Try default passwords and operator brute force
- Document findings - Record channels, users, and vulnerabilities
Important Notes
- IRC servers perform reverse-DNS lookups on connecting IPs
- Some commands require operator privileges
- TLS support varies by server configuration
- Always obtain proper authorization before testing
Example Session
```text
# Connect and enumerate
nc <IP> 6667
USER testuser123 0 * testuser123
NICK testuser123

# If PING received, respond with PONG
# PONG :<random_string>

# Gather info
VERSION
NAMES
LIST
WHOIS <target_user>

# Try to join channels
JOIN #general
JOIN #admin
```
When to Use This Skill
Use this skill when:
- You need to enumerate IRC services on a target
- You're performing security assessments involving IRC
- You want to identify IRC vulnerabilities
- You need to gather intelligence from IRC channels
- You're testing IRC server configurations
- You encounter open ports 194, 6667, or 6660-7000 during scanning