BACK ORIFICE

Back Orifice 2000 (BO2k) is the next generation of backdoor access tool, following Netbus. BO2k gives the attacker more functionality and is extensible: it was designed to accept purpose-built plug-ins. Because all of the available plug-ins would warrant a discussion much too detailed for this book, only the base BO2k program is presented here.

BO2k can be found at most security web sites, including http://www.packetstormsecurity.com and http://www.securityfocus.com. The most current versions, including a Linux client, can be found at http://www.bo2k.com; the project has moved to SourceForge.

Implementation

BO2k provides many of the same options as Netbus. Before a BO2k server can backdoor a victim machine, it must first be configured with the BO2k server configuration tool on the attacker's machine. The following steps prepare a BO2k server using the wizard that starts the first time BO2k is executed:

  1. When the wizard splash screen is presented, click Next.

  2. The wizard prompts you to enter the server executable that will be edited. Because many copies of the server can be available (one potentially for each victim), the correct one must be chosen in this screen.

  3. BO2k is one of the few packaged backdoor tools that offers the choice of running over Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). TCP is typically chosen when connection stability matters. UDP is usually chosen when traffic has a hard time traversing a security architecture (a security administrator may, for instance, inadvertently leave some UDP ports open to the world).

    Note

    The fact that BO2k offers a choice of UDP or TCP makes it a hacker favorite.

  4. Because most attackers will want to use TCP to control the BO2k server, the next screen asks for the port number to use. Because port 80 is allowed through a security architecture more often than any other port, select it.

    Note

    BO2k offers encryption for the client/server communication channel. The version we downloaded offered only XOR encryption, which is known to be weak but is still better than clear text.

  5. In the next screen, enter the password used to access the server. A backdoor password is a good thing for the attacker/auditor, but if the world can use the backdoor without supplying credentials, that is generally a bad thing.

    As the wizard finishes, the server configuration tool loads for further customization. The wizard will have filled out most of the important information for you.

  6. Now make sure the server is loaded on startup, so that the BO2k server survives reboots of the victim machine. To do this, select the Startup folder in the lower-left Option Variables pane; the option to load the server on startup is there.

  7. Click Save Server when you are finished making any changes.
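Why the note under step 4 calls XOR weak: the added example below (not code from the book or from BO2k, and not BO2k's real wire format) shows that an analyst holding a captured session whose messages all share a fixed header can recover a repeating XOR key by known plaintext and read every command. The header, key and captured messages are constructed.

```python
from typing import List, Optional

# Repeating-key XOR, the kind of "encryption" referred to in the note under
# step 4.  Protocol header, key and captured messages are all constructed for
# this example; none of it is BO2k's real wire format.

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Known-plaintext recovery: ciphertext XOR known_prefix reveals the key
    bytes.  Each candidate period is checked by decrypting the whole prefix;
    the prefix must be longer than the key, or the period cannot be confirmed
    and None is returned."""
    for key_len in range(1, len(known_prefix)):
        key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
        if xor_crypt(ciphertext[:len(known_prefix)], key) == known_prefix:
            return key
    return None

def decrypt_session(captured: List[bytes], known_prefix: bytes):
    """Recover the key from the first captured message, then decrypt them all."""
    key = recover_key(captured[0], known_prefix)
    if key is None:
        raise ValueError("known prefix too short to confirm the key period")
    return key, [xor_crypt(m, key) for m in captured]

# Constructed capture: every command starts with the same 8-byte header.
HEADER = b"CMDv1.0:"
KEY = b"s3cretK"        # 7-byte repeating key, unknown to the analyst
PLAINTEXT = [
    HEADER + b"ping",
    HEADER + b"list processes",
    HEADER + b"redirect 2222 -> 80",
]
CAPTURED = [xor_crypt(m, KEY) for m in PLAINTEXT]

if __name__ == "__main__":
    key, commands = decrypt_session(CAPTURED, HEADER)
    print("recovered key:", key)
    for command in commands:
        print(command)
```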

After the server has been configured, it is up to you to install it on the victim machine. Only the bo2k.exe executable needs to be run on the victim machine. Once it has been executed, it opens the port you configured. Notice in the following illustration that port 80 is now open on the victim machine:

Now connect to the victim machine:

  1. Start the bo2kgui.exe program.

  2. In the opening screen, choose File | Add Server if the server you created is not already in the list. The Edit Server Settings dialog box opens, where you can fill in the information for the victim server.

  3. Once you have finished configuring the connection, click OK.

  4. Double-click the BO2k server you just created, and a Server Command Client dialog box will appear.

  5. Click the Click To Connect button. As you connect, the button changes to Disconnect, as shown in the illustration at right, and the server version is printed across the Server Response pane.

After you've connected to the server, the client can perform many actions. The simplest is to query the server for its version number, or perhaps to ping it to determine whether the server allows ICMP network traffic:

BO2k also lets you perform many "system activities." These include rebooting the victim machine, locking the machine (which may not be considered a strange activity on a Windows machine!), and obtaining other system information (see the illustration at right).

Although most people think they are safe from attackers if they use the Secure Shell (SSH) protocol, that protection is defeated whenever someone steals a password. The easiest way to steal a password is to sniff keyboard activity. For example, if I log in as kjones and type my password as loggedin, an attacker would be able to capture those keystrokes with BO2k.

Many times an attacker will take control of a system in order to mask her own IP address when she attacks or visits other systems on the Internet. In Chapter 15 we discuss data redirection tools; BO2k has this ability built in. As you can see in the screenshot at left, we are able to open port 2222 on the victim server and redirect the traffic to http://www.foundstone.com on port 80. Now any connection we make to the victim server on TCP port 2222 is forwarded to http://www.foundstone.com on port 80, and Foundstone's logs will show the victim machine's IP address as the connecting host!
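A defender-side check for the two symptoms described above, the configured listener on TCP 80 and the port 2222 redirector: an added example (not from the book or from the BO2k project) that parses constructed netstat -ano output and a constructed PID-to-image map, flags any listener outside the host's documented baseline, and flags a TCP 80 listener owned by something other than an expected web server. The sample output, the process names and the baseline are all assumptions made for the example.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows host on which a
# backdoor configured (as in the text) to listen on TCP 80, and later to
# redirect TCP 2222, has been run.  The PID-to-image map stands in for what
# `tasklist` would report.  Neither is real BO2k output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2188
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       2188
  TCP    192.0.2.10:2222        198.51.100.7:51044     ESTABLISHED     2188
  UDP    0.0.0.0:137            *:*                                    4
"""
SAMPLE_TASKLIST = {4: "System", 716: "svchost.exe", 2188: "bo2k.exe"}

# Host baseline: ports expected to listen, and images allowed to own TCP 80.
BASELINE_PORTS = {80, 135, 445}
EXPECTED_PORT_80_OWNERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "System"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return (port, pid) for every TCP LISTENING line; '[::]:80' parses too."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            local, pid = m.groups()
            listeners.append((int(local.rsplit(":", 1)[1]), int(pid)))
    return listeners

def find_suspicious_listeners(netstat_text, pid_to_image,
                              baseline_ports=BASELINE_PORTS,
                              expected_80=EXPECTED_PORT_80_OWNERS):
    """Flag listeners outside the baseline, and a TCP 80 listener whose owning
    process is not one of the expected web servers (a backdoor hiding on 80)."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown pid>")
        if port not in baseline_ports:
            findings.append((port, pid, image, "listener outside baseline"))
        elif port == 80 and image not in expected_80:
            findings.append((port, pid, image, "unexpected owner of TCP 80"))
    return findings
```

Running `find_suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST)` on the sample yields two findings, both owned by PID 2188: the TCP 80 listener with an unexpected owner and the TCP 2222 listener outside the baseline.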

After a machine inside a victim's internal network is compromised, the attacker typically tries to expand his influence by enumerating the network shares available to the machine he has compromised. This can be done with the functions under M$ Networking, as seen in the following screenshot:

Because one of the goals after gaining access to a box is to run processes (perhaps additional backdoors or sniffers), you may wish to check the status of the processes on the victim machine. Under Process Control, you can list, start, or kill processes at will. If your goal instead is to see what is currently displayed on the victim machine's monitor, BO2k provides this within the Multimedia folder.

Maybe the goal is to ravage the file system. Simply searching for *.mdb files may reward the attacker with databases full of credit card information or other fun things. Under the File/Directory folder, shown in Figure 10-2, you can search for, transfer, and create the files you need on the victim machine.


Figure 10-2: Use File/Directory to access files on the victim machine.


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175