evilnet / nefarious2

Nefarious IRCu (Based on IRCu 2.10.12)
Other
40 stars 24 forks source link

enhancement /USERIP & /USERHOST #47

Closed WildClaudio closed 8 years ago

WildClaudio commented 8 years ago

Hello i wanted to know if there is possible to remove or change the /userip /userhost command so normal Clients to not be able to use it or instead giving the Real IP/HostName to reply a Local IP "127.0.0.1" for userip and for userhost "IRC.Client.ServerName" we know there are alot of script kiddies who are hunting the real/ip using the /userip command this ofcourse on a ircd.conf which is not using the CloackIP ... this in both situation IPv4 and IPv6 ! Thank You In Advance !!!

jobe1986 commented 8 years ago

USERIP only displays a users real IP for non-IRCops when the victim doesn't have user mode +x or HOST_HIDING_STYLE is set to 1 and the user isn't authed. The same applies to USERHOST as well.

That is only an IRCop or the victim their self can see their real IP and real host using these commands.

You will find that with HOST_HIDING_STYLE 2 or 3, only IRCops and the victim their self can see the real IP and real host of a user with user mode +x. With HOST_HIDING_STYLE 1 whether a real host or real IP is shown is dependant additionally on whether the victim is authed or not.

So if you really want to protect all users' real host and real IPs from being discovered enable HOST_HIDING_STYLE 2 or 3, and ensure all users receive user mode +x upon connect.

I hope this information helps. If not please feel free to ask more questions.

WildClaudio commented 8 years ago

yes that's true i would love to be able to use cloackIP *host_hiding_style 2 or 3" "we are using SERVICES that wont allow us to set those Features" and yes i am using HOST_HIDING_STYLE 1 and all users get +wix umodes uppon on connect but that wont solve the IP problem for example i can "hunt a nickname with notify and even if he is using a spoofhost/virtual host added with a HostServ Service ill be able to find his real IP in just few seconds so the Client would not have time to auth/login to services to hide his IP/hostmask . !!! Being here and talking about this kind of Securities the autojoinchannel feature for normal clients also has a "leak" users/clients that have an autologin Remote/Script code dont have time to send the information to the services and they JOIN the "autojoinchannel" channel set before hiding the real ip/hostname using +x umode maybe an auto-delay join added there first notice as already is the user that will be auto-joining #channelname and then wait few seconds to let the client being able to send auth/login information to services and then joining "a 5 up to 10 seconds delay! !!! thank You In Advance !!

jobe1986 commented 8 years ago

The easiest way to prevent the race condition between connect and auth that would allow IP discovery (even without USERIP and USERHOST commands) would be to enable LOC and/or SASL in the IRCd and services. Note: LOC is a feature designed originally for Nefarious and X3 interoperability, where a user can supply // as a server password to auth to services before the connection completes and in doing so gives the user +x automatically preventing the race condition. SASL is a more standardized equivalent to LOC but requires client side support as well. But the auto +x setting for both is the same. Of course both LOC and SASL require support in whatever services package you use. Without either option there simply is no way to prevent IP/host discovery between connect and auth without breaking the protocol requirements.

Out of interest which services package are you using?

WildClaudio commented 8 years ago

we are using GNUWorld/X with ipv6 support the LOC FEATURE is in test_mode i think its working only with latest ircu version that is in upgrade "mode" too . for now i have /userip IPv4 hidden for normal clients !!! here are the examples !! [14:47:35] * Burst=+Burst@127.0.0.1 <--- an IPv6 Client without VHost/Hostname [14:47:38] * Seven=+~Seven@127.0.0.1 <---- IPv4 [14:47:45] *\ mrleaW=+leaw@127.0.0.1 <--- IPv6

but the IPv6 vhosted ips are shown example !!!

[14:48:41] * Picasso6 is Picasso@IRC.White.Cool <--- IPv6 Vhost /userip Picasso6 [14:48:32] * Picasso6=+Picasso@2605:6400:1:fed5:22:b0ae:7d0a:9a74

now i am in FREEZ mode where is the IPv6 /userip line ..or is the same as for IPv4 but calling for other *.c file or simply to solve the problem maybe a m_userip.c so the userip command to check if the Client is an Admin/Oper and send the real info and disbaled for normal users !!! A S:line USER_IP = "TRUE/FALSE"; would be great !!!

jobe1986 commented 8 years ago

What you found there is a bug, and it isn't limited to just IPv6 users it affects all users who have a /sethost fake host or a services set fake host where the user isn't authed.

And on that noted, said bug is fixed in revision 6672bf8b42a2e090f3139df4037ee4ec24ff907c

Let me know if that resolves your issue and then either you or I can close this issue.

WildClaudio commented 8 years ago

yes that somehow solved or not what i wanted but i did find a TRICK to hide the real IP auto/umode set in ircd.conf "+xiw" would hide all real ips issuing /userip command even if they are not login with the services i have to ask all @ network to add that . Thank You Again !!!