If you're going between IPO servers, you can capture from the command line.

Basically, with Wireshark, you've got capture filters and display filters. The former sets up Wireshark to only log packets that match your filter, while the latter takes the complete capture and only displays packets that match the display filter. So, if you just mirrored a port that your IPO was on, fired up Wireshark with no filters, and let it go, you might get a huge file to filter through after. But, if you knew how to set up capture filters, you might wind up with a much smaller file to begin looking at.

Anyway, from a Linux box with tshark on it, here's a couple of commands to get you started:

tshark -i eth0 host 1.2.3.4 -w /tmp/mycapture.pcap

That'll log packets from interface eth0, only those to or from IP 1.2.3.4, and write them to the file /tmp/mycapture.pcap.

tshark -i eth0 port 389 -w /tmp/mycapture.pcap

That'll do the same as above, but log any LDAP traffic on port 389.

If you don't put the -w switch to write the capture, you'll see it right in your terminal, which can be handy just to see if anything's coming in on the wire when you don't care enough to look too closely at the packets.

Have fun.

IRC protocol analysis for incident response

IRC is a simple but powerful protocol for text-based chat. However, its usage has declined over time as alternatives (like Slack) have become popular. While legitimate usage of IRC has declined, the protocol is not dead. The features that IRC provides are uniquely suited to command-and-control for botnets.

A botnet is a collection of computers that is under the control of a "botnet herder." These machines are typically used to perform a synchronized attack against some target. A common use of botnets is to perform Distributed Denial of Service (DDoS) attacks, where the botnet tries to overwhelm a target with more traffic and data than it can handle, degrading or destroying its ability to respond to legitimate requests.

Managing a botnet requires the ability to send commands to each member. For example, a botnet herder may need to inform the botnet of the time and target of a DDoS attack. IRC is ideal for botnet C2 because IRC channels act as "broadcast" communications. When a botnet herder posts in a channel that the members of the botnet are listening to, all of them receive a copy of the command. This provides a simple solution to botnet C2, since the attacker only needs to maintain an IRC server capable of handling the volume of traffic created by the bots. If necessary, a botnet herder can create multiple channels to provide different instructions to subsets of the botnet. However, IRC is not limited to one-way communications. IRC allows anyone to post in a channel, and the concept of usernames allows each member of a botnet to be uniquely identified.

While the presence of IRC in the traffic does not necessarily indicate an attack, it might be worth investigating, since IRC is commonly used for communication by botnets. IRC traffic can be filtered in Wireshark using the irc display filter. However, this cannot be used during live capture (like many protocol-based filters), so it is recommended to filter based on IRC ports (like 6667) instead.

As shown in the image above, IRC is a text-based protocol. A client can send a certain command (like NICK) along with a set of optional parameters. The server will then respond with a response code and optional data regarding the status of the request or containing the information that the user wanted.

By default, IRC is a plaintext protocol, meaning that anyone with access to an organization's network traffic could read the data flowing over IRC. However, it is possible to run IRC encrypted with TLS/SSL as well. The official convention for encrypted IRC traffic is to run it on port 6697. But like the plaintext version, it can be run on any port.
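The following is an added example, not code from either post above or from the Wireshark project. It models in Python the two points the text makes: the client command / server numeric reply structure of IRC lines, and the difference between a port-based capture filter (decided before a packet is stored, so IRC on a non-standard port is never seen) and a content-based display filter such as Wireshark's irc filter (run over the full capture). All packets, hostnames, nicknames and addresses are constructed for the demo; the line parser follows the RFC 1459 message layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IRC line format (RFC 1459 style): "[:prefix] COMMAND [params] [:trailing]\r\n".
# The command is either a verb (NICK, JOIN, PRIVMSG ...) or a three-digit server reply code.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"          # optional ":server" or ":nick!user@host" prefix
    r"(?P<command>[A-Za-z]+|\d{3})"     # verb or numeric reply code
    r"(?P<params>(?: [^:\s]\S*)*)"      # middle parameters (a middle param cannot start with ':')
    r"(?: :(?P<trailing>.*))?$"         # optional trailing parameter introduced by " :"
)

# Verbs accepted as evidence that a payload really is IRC rather than any "word word word" text.
KNOWN_VERBS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
               "PING", "PONG", "MODE", "QUIT", "TOPIC"}
IRC_PORTS = {6667, 6697}   # conventional plaintext and TLS ports; IRC can run on any port


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: str   # decoded TCP payload; TLS-wrapped IRC would not be readable here


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one IRC line into prefix, command, middle params and trailing param."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


def is_irc(packet: Packet) -> bool:
    """Content check: every non-empty line parses and carries a known verb or a numeric reply."""
    lines = [ln for ln in packet.payload.split("\r\n") if ln]
    if not lines:
        return False
    for ln in lines:
        msg = parse_irc_line(ln)
        if msg is None or not (msg.command in KNOWN_VERBS or msg.command.isdigit()):
            return False
    return True


def capture_filter_by_port(packets, ports=IRC_PORTS):
    """Models a capture filter such as 'port 6667': decided per packet before anything is stored."""
    return [p for p in packets if p.src_port in ports or p.dst_port in ports]


def display_filter_irc(packets):
    """Models the Wireshark 'irc' display filter: runs over the full capture, keyed on content."""
    return [p for p in packets if is_irc(p)]


def channel_activity(packets):
    """Collect JOINed channels and channel PRIVMSGs, the broadcast pattern a C2 channel shows."""
    joins, broadcasts = [], []
    for p in packets:
        for ln in p.payload.split("\r\n"):
            msg = parse_irc_line(ln) if ln else None
            if msg is None:
                continue
            if msg.command == "JOIN":
                channel = msg.params[0] if msg.params else msg.trailing  # "JOIN #x" or "JOIN :#x"
                if channel:
                    joins.append(channel)
            elif msg.command == "PRIVMSG" and msg.params and msg.params[0].startswith("#"):
                broadcasts.append((msg.params[0], msg.trailing))
    return joins, broadcasts


# Constructed sample traffic (not a real capture): a client handshake and channel join on the
# conventional port, the same join on a non-standard port, and one unrelated HTTP request.
SAMPLE_PACKETS = [
    Packet(51234, 6667, "NICK bot-1a2b\r\nUSER bot 0 * :bot\r\n"),
    Packet(6667, 51234, ":irc.example.test 001 bot-1a2b :Welcome to the network\r\n"),
    Packet(51234, 6667, "JOIN #updates\r\n"),
    Packet(6667, 51234, ":herder!h@192.0.2.9 PRIVMSG #updates :status report\r\n"),
    Packet(51235, 8080, "NICK bot-9c8d\r\nJOIN #updates\r\n"),
    Packet(51236, 80, "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    by_port = capture_filter_by_port(SAMPLE_PACKETS)
    by_content = display_filter_irc(SAMPLE_PACKETS)
    print(f"port filter kept {len(by_port)} packets, content filter kept {len(by_content)}")
    joins, broadcasts = channel_activity(by_content)
    print("channels joined:", joins)
    print("channel broadcasts:", broadcasts)
```

Run as a script, the port-based filter keeps only the four packets on 6667 and silently misses the client that joined the same channel over port 8080, while the content-based filter catches it and the HTTP request is rejected because GET is not an IRC verb. That is the trade-off the tshark post describes: a capture filter keeps the file small, a display filter over the full capture sees what the port filter discarded.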