Back Orifice Tutorial (Autumn, 1998)
------------------------------------
By skwp

The hacker group known as Cult of the Dead Cow (CdC) recently released a great hacking tool known as Back Orifice, or BO, on August 1, 1998. On August 9, the client code was ported to UNIX. The legitimate purpose of BO is the remote administration of one's machine. BO affects Win95/98 but not NT. The following article explains the uses of BO, how it works, and how to prevent it from attacking you. Much of this information is taken from the BO documentation and from resources on the Net.

How It Works

BO consists of two parts, a client and a server. You have to install the server on the machine you wish to gain access to. The server is included in the BO installation as boserver.exe. Once run, it self-installs and then erases itself. After that the server machine will run the BO server every time it starts up. The process is not visible in the process list (Ctrl+Alt+Del). The server executable copies itself to c:\windows\system as " .exe". The server can be configured using boconfig.exe, which allows you to specify the name of the file (default: " .exe"), the description in the registry, the port (default: 31337), and the password (default: no password), among other things. Once the server is installed, you can use boclient.exe (bounix for the UNIX version) or bogui.exe (graphical) to access the server machine. The client sends encrypted UDP (connectionless) packets to the server machine in order to communicate.

How to Get It Installed

Here's where our favorite skill, social engineering, comes in. Make up any kind of bullshit story in order to get the person to run this file. Pretend to be a lamer, say it is a new game, tell them it's a couple of xxx pics in self-extracting format. Be original, and don't push them to run the file; this will make people suspicious. When they run it they may say something like, "What the fuck? It disappeared!" This is when you know that you have full access to their machine.
Using the Client

The client interface has many features. You can read the supplied docs. I will discuss some of the more fun features and their uses. Once you start the client you can type "help" or "?" for assistance on available commands. First of all, to connect to a machine you have BO'ed, use "host ". Now you can use standard DOS commands (dir, cd, copy, del, etc.) to move around on this person's hard drive. However, this is awkward and takes a long time. Luckily, BO includes a built-in http server so that you can download and upload files to the machine. Use "httpon " to activate the http server. Now you can access their machine through a web browser on that port. (I use Netscape; my friend reports weird problems accessing BO'ed machines while using Internet Exploiter.) BO includes a convenient form on the bottom of the page for you to upload files. Fun things to do while browsing: look at the person's pr0n, read personal docs, steal warez.

Another fun thing to do, which tends to scare the sh*t out of people, is to display a dialog box on their computer. Use "dialog " to make a dialog box pop up on their machine. I have found that in the Windows boclient, the dialogs do not come out right if you use quotes. I'm not sure about the LINUX version as I have not been able to test it. However, using the GUI client for Windows this bug does not exist. Be careful using this as it lets people know that their machine is in the process of being owned and they tend to reboot as quickly as possible. If this happens you can use the sweep command to sweep their subnet and find their machine again (in the case of dynamic IPs).

You can also use the multimedia "sound" feature to play sounds on their machine. Specify the full path to the sound. The network commands menu allows you to view their network and share resources. This may prove to be very fun. Share their printer and print out a nice message telling them how to remove BO (discussed later).
You can also have fun with processes. Use "proclist" to list running processes, and "prockill" and "procspawn" to kill and spawn new processes, respectively. This is useful, for example, if you have modified some sort of ini file (like mIRC's) and you need them to restart the program. Just kill the program and they will probably restart it, thinking it was just a stupid Windows bug.

One of the more fun features of BO is keystroke logging. This feature will log all keystrokes in a very convenient manner, including the name of the window where they were typed, into a text file on the person's machine. Use the http server to download/view this file. Another convenient way to get passwords is the "passes" command, which lists cached passwords. I have found many unencrypted passwords sitting around in this way, including passwords to Tripod homepages and PPP accounts.

Finally, you can redirect ports and tie console apps to ports. For example, if this person is running a 31337 WaReZ fTP SeRvEr, you may want to redirect all connections to port 21 to pentagon.mil or whitehouse.gov. I can only think of one example of tying apps to ports which is included in BO, and that is to tie command.com so that you have a DOS shell on their machine. Usually you can just put it on port 23 (the default telnet port), which makes it a lot easier. I have found, however, that accessing their machine in this way is extremely slow for some reason.

Other features of BO include modifying the registry, capturing screenshots and movies from attached input devices, using plug-ins (read the included plug-in docs for info on how to write them), locking up the machine, and rebooting it. BO and plug-ins (buttplugs) can be downloaded at: http://www.cultdeadcow.com/tools/

How to Get Rid of It

According to the ISS Security Alert Advisory made on August 6, BO installs itself by entering itself into the registry.
To stop BO from starting every time the machine boots, edit the key at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and look for any suspicious program names. The length of the BO exe is close to 124,928 bytes, give or take 30 bytes. Erase this entry, and erase the file itself. If possible, format your hard drive and reinstall all OSes and software, as the use of BO may be part of a larger security breach. The full text of the ISS Advisory can be found at: http://www.iss.net/xforce/alerts/advise5.html

Microsoft's Response

"This is not a tool we should take seriously or our customers should take seriously." - EDMUND MUTH OF MICROSOFT, as reported by The New York Times.

Well, Microsoft was wrong. There have been an estimated 65,000 downloads of the BO software package, and I myself have owned over 15 machines using it (I was bored, wanted to look at other people's pr0n....).

Conclusion

Back Orifice is a fun toy, but you must remember hacker ethics while using this tool. Do not put something like "@echo y | format c:" in autoexec.bat. The purpose of hacking is to learn and create, not to destroy.
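As an added example (my own code, not from the article, CdC or ISS), here is a Python check that automates the two removal tells given in How It Works and How to Get Rid of It: a RunServices entry pointing at an executable whose name is only whitespace (the default " .exe" in c:\windows\system), and a file size within 30 bytes of 124,928. The registry export and the file sizes are constructed for the example; on a live machine you would read the key itself and call os.path.getsize instead.

```python
# Added example: flag RunServices entries matching the article's Back Orifice
# tells (whitespace-only exe name, size 124,928 +/- 30 bytes). Input is constructed.
import re

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_SIZE, BO_SLACK = 124_928, 30          # figures quoted in the article
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

# Constructed .reg-style export of the key (not a real dump); "\\" is regedit's escaping
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"Default"="C:\\WINDOWS\\SYSTEM\\ .exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""
# Constructed file sizes standing in for os.path.getsize() on a live Win9x box
SAMPLE_SIZES = {
    r"c:\windows\system\mstask.exe": 120_336,
    r"c:\windows\system\ .exe": 124_940,
    r"c:\windows\scanregw.exe": 40_960,
}

def parse_runservices(reg_text):
    """Yield (value_name, command) pairs found under the RunServices key."""
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUNSERVICES_KEY.lower()
        elif in_key and (m := ENTRY_RE.match(line)):
            yield m.group(1), m.group(2).replace("\\\\", "\\")

def exe_path(command):   # bare names resolve to c:\windows\system, where BO drops itself
    m = EXE_RE.match(command)
    path = (m.group(1) if m else command).lower()
    return path if "\\" in path else r"c:\windows\system" + "\\" + path

def find_bo_candidates(reg_text, sizes):
    """Return [(value_name, path, reasons)] for entries worth a closer look."""
    findings = []
    for name, command in parse_runservices(reg_text):
        path = exe_path(command)
        reasons = []
        if not path.rsplit("\\", 1)[-1][:-4].strip():   # name before ".exe" is blank
            reasons.append("executable name is only whitespace")
        size = sizes.get(path)
        if size is not None and abs(size - BO_SIZE) <= BO_SLACK:
            reasons.append(f"size {size} is within {BO_SLACK} bytes of {BO_SIZE}")
        if reasons:
            findings.append((name, path, reasons))
    return findings
```

Because the file name and port are both configurable with boconfig.exe, a clean result here does not prove a machine is clean; it only catches a default install, which is why the article still recommends a full reinstall.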