A number of third-party plug-ins are available for BO2k that add functionality for use in various applications. The plug-ins are what make BO2k such a versatile power tool. The following tools are a select few that offer a great example of some of the advanced functionality available in BO2k. After checking these out, see the end of Back Orifice 2000 for links to additional tools not covered here.
One of the basic requirements of any good backdoor is the ability to transfer and execute files. With the stock BO2k client, this is not nearly as straightforward as it could be. Luckily, the BO Tools client plug-in solves this problem (and even a few more). It has two main components: a graphical File Browser and a remote Registry Editor. Both bear a handy resemblance to the native Windows tools of the same function.
Though BO Tools is a client plug-in, it still requires certain plug-ins to be loaded into the server before all of its functionality is available. The required plug-ins are part of the default BO2k package, so no special download should be necessary. It should be noted however, that upgraded versions of these plug-ins may be available in the development section of the BO2k web site. For full functionality, insert each of the following plug-ins into the server binary.
This is the only true requirement to run BO Tools. It enables the main functions of both the File Browser and Registry Editor. When inserting it into the server, it is important to pay attention to the new option variables available to the plug-in. I recommend setting File Xfer Net Type, Encryption, and Auth variables to match the plug-ins you loaded into the server. New IO and encryption modules are also discussed in A Few Unix Backdoors. Keep any changes to these in mind, as they need to be reflected in the client configuration.
This plug-in is required to use the File Browser's ability to execute binaries on the remote server. The remote Registry Editor does not work properly without this.
Inserting this plug-in allows for a form of native file compression and decompression. It is not absolutely necessary, but it is really nice to have if you plan on pulling large amounts of logs or packet captures from the backdoored server.
If these modules are already on the backdoor, then you are in good shape. If not, insert them, then save, and then execute the new backdoor on the target server.
Client setup is quite straightforward. Get the latest version of the BO Tools package (version 1.501 at the time of this writing). It is available from http://www.bo2k.com/development/#cli_botools. Extract or save cli_botools.dll to the plugins/ subdirectory of the BO2k base directory. Run the bo2kgui client and bring up the Plugin Configuration panel (see Configuring a BO2k Server). Insert the cli_botools.dll plug-in and make note of the cyan-colored BO Tools folder that appears in the Option Variables box. If you made any changes to the File Xfer-related variables in the server, echo those values here. You can also set alternate IO, Encryption, and Authentication defaults for the BO Tools command channel.
Once the cli_botools.dll plug-in is inserted, take note of the new BO Tools item under the Plugins menu. If it is available, and everything is configured properly, you are ready to use the new tools.
Both the BO Tools File Browser and Registry Editor can be accessed in similar manners. The plug-ins operate separately from a typical BO2k server connection and therefore can be accessed from either the Plug-ins → BO Tools menu or the BO Server Connection window's Plug button. The only real benefit to connecting through the BO Server Connection window is that the values for connecting to the File Browser or Registry Editor are filled in automatically by querying the server, which eliminates a little bit of the guesswork.
To begin using either tool, connect to one of your backdoors as you normally would. Then click on the Plug button in the middle of the window (see Figure 11-13). From there, select the BO Tools item, and then choose the tool you wish to use from that menu. The tool and its associated connection window will be displayed.
If you accessed your tool of choice from the main Plug-ins → BO Tools menu, then you may need to bring up the Connect To window shown in Figure 11-14 by manually selecting Connect → Connect . . . .
When you access the BO Tools Connect To window through the BO Server Connection window, most of the values should be filled in automatically. The options here mimic the basic BO2K server connection options. If you have configured the srv_regfile.dll plug-in within the server to use any nonstandard options, this is the place to make sure that the settings all match. If you configured any of the BO Tools variables while inserting the client plug-in, those defaults may be reflected here. Click OK to begin your File Browser or Registry Editor session. (It is worth noting that you can run multiple File Browsers or Registry Editors for the same backdoor simultaneously.)
After successfully connecting to the backdoor, the File Browser's main boxes become active, but they are still blank. The browser works very similarly to the native Windows Explorer, but with a few simple backdoor-specific features.
Get started by entering an existing path into the Location bar. C:\ makes for a good example, as shown in Figure 11-15.
The File Browser and Registry Editor sometimes appear to hang when you are accessing large file or registry key structures. Often, it is only a matter of time before it finishes loading the structure and returns to normal. This can take up to several minutes. Be patient.
Most of the features available in the File Browser can be accessed through the menu at the top or by right-clicking on a file or directory and choosing an action from the pop-up. For example, find a directory in your File Browser containing an executable, and right-click on that executable. You see a pop-up menu similar to the one shown in Figure 11-16. Several of the pop-up options here are worth noting:
These execute the highlighted file in one of two modes: normal or hidden. Normal runs it as if the user sitting at the desktop executed it—if the application has a graphical interface, it is visible to the user at the desktop. Hidden means the application should be run silently in the background; however, it does not always quite happen that way. It is worth testing what you are going to run, just to make sure there are no unhidden results, before you do it for real.
Selecting this opens a file dialog that allows you to choose a file to upload into the current directory.
Selecting this also opens a "Browse for Folder" dialog that allows you to choose where to download the selected file.
BO2k's very own file compression algorithm. It is very useful for compressing logs and whatnot before downloading them.
Creates a compressed copy of the file in the same directory with a .frz file extension.
Creates an uncompressed copy of a .frz file and adds the .mlt extension.
It is also worth mentioning the Edit → Freeze/Melt Local File actions. Selecting either of these opens a file dialog that allows you to compress and uncompress local files, respectively. This is a new feature that saves you the trouble of creating and running a backdoor on your own system for the express purpose of freezing and melting files.
The BO Tools Registry Editor has less specialized tools than the File Browser. After successfully connecting to the backdoor from the Registry Editor window (see the earlier section "The BO Tools Connect To window"), a basic root-level registry tree view displays. As with the File Browser, most of the functionality comes by right-clicking on registry folders or keys, as shown in Figure 11-17.
Navigation and use of this tool are just like using the native Windows regedit.exe. Double-click key groups in the left window to expand the tree and bring up the related key/value pairs in the right window. Right-click on the tree or in the right window to create a new key or value.
The only feature that really feels missed in this limited Regedit-like tool is the ability to import and export keys through .reg files, which would certainly make manipulation of the registry on a larger scale much easier. Regardless, this is a much better method for dealing with registry keys on your backdoored server than the traditional srv_regfile.dll plug-in commands.
An innovative plug-in called BO Peep gives the BO2k user a real-time view of the backdoored server's desktop as well as the ability to hijack mouse movements and keystrokes. This module is an example of the versatility of BO2k.
BO Peep must be installed on both the client and server. It is composed of two different tools:
Streams a resizable image of the backdoored server's desktop to a client. At runtime, this stream is resizable and has an adjustable frame rate and the ability to use any of BO2k's IO, Encryption, and Authentication plug-ins.
Works best when used in conjunction with VidStream. It is a small client that allows you to take control of the remote server's mouse and keyboard.
Used together, these two tools can be quite powerful and are a great way to perform, in a pinch, quick tasks that can only be done through the GUI. But if you need to do anything productive with the graphical environment, you may want to install a VNC backdoor (see VNC).
For VidStream, this section covers BO Peep Plus version 0.10, which has some nice new features such as a color VidStream that performs decently. You can get the latest development version of BO Peep Plus from http://www.bo2k.com/development/#misc_bopeep. It is, however, somewhat unstable. Therefore, if you plan on using Hijack, stick with the more stable BO Peep version 0.09 from the main BO2k download site.
BO Peep is currently undergoing some functional changes in development versions that could appear on the market after this book has been printed. There may be differences in how the latest versions are configured or used from the ones I discuss here.
Begin installation by inserting the misc_bopeep.dll plug-in into the server (see Configuring a BO2k Server). The pertinent variables appear in the Option Variables box in a cyan-colored folder labeled BO Peep. The folder contains only the defaults for the configuration of the VidStream and Hijack listeners, but the client can overwrite them at runtime. It is a good idea to set these default variables to take advantage of nonstandard ports and the IO and encryption modules loaded into your backdoor. The two special variables, VidStream X Res and VidStream Y Res, control the horizontal and vertical size of the window around the mouse pointer that the VidStream relays to the client. I leave these at the default and tweak them later once I get a feel for how good the connection is to the backdoor.
Setting up the client is nearly identical to configuring the server portion of the plug-in. Insert the same misc_bopeep.dll plug-in into the client. Set the variables in the cyan-colored BO Peep folder to match the settings you load into the server. When done, select Plugins from the upper menu bar. If the plug-in is successfully loaded, there will be a BO Peep submenu available.
Using VidStream requires that a separate listener service first be started manually on the server. So connect as you normally would to the backdoor. If BO Peep is loaded and working on the server, a cyan-colored BO Peep folder is available in the Server Commands box. To get things rolling, focus on the Start VidStream command. (If you took the time to set the defaults in the first place, then you need only worry about setting one mandatory option before you send the command.)
The mandatory option, labeled FPS Speed, or Frames Per Second, should be set to something less than 30. Faster than 30 does not produce any noticeable performance increase. If you are operating on a slower connection, err on the slower side for the frame rate.
The second option allows you to override the defaults set on the server. Normally you would not need to tweak these, but if you would like to find an optimal VidStream viewer resolution, this is where you set it. Anything much larger than 320 × 240 tends to be slow and cumbersome.
The third option, [Bind to], allows you to change the port on which the VidStream listener is listening.
Once you are satisfied with all the listener settings, click Send Command to start the listener. If everything is configured correctly, you see a response similar to that in Figure 11-18.
If you want to stop the VidStream listener at any time, select the Stop VidStream menu command and click Send Command. No options are required for this.
The VidStream client offers a simple interface for viewing the output of the listener. To start it, select BO Peep → VidStream Client from the Plugins menu. A small window containing a blue box and two buttons appears. Click Connect to display a Connect To window, as shown in Figure 11-19. The settings in this window will most likely echo the defaults that you chose while configuring the client BO Peep plug-in. In version 0.10, the Server Address field contains only the default VidStream listener port. Fix this so that it contains both the address of the host on which the listener is running and the port, in host:port format. Click OK when you're satisfied that the settings match those of the listener to which you are planning to connect. If everything is set up properly, the blue box in the VidStream client begins to relay real-time screen updates from the area around the mouse pointer on the backdoored server.
The Copy button is worth mentioning. If you see anything to save on the backdoored desktop, clicking the Copy button copies the viewer window to the clipboard. Open up an image editor and paste from the clipboard to save the image.
You may have some problems pasting screenshots from BO Peep Plus into MSPaint due to MSPaint's lack of JPEG support. Pasting into an editor such as GIMP should work just fine.
To end the session, click Disconnect and close out the client window. Do not forget to stop the VidStream listener when finished. It tends to be a bit of a memory hog if left running. If left too long, the performance impact might actually become noticeable on the backdoored server.
Using VidStream to watch the backdoored desktop is neat, but the real goods lie in being able to actually control the desktop when no one's looking (or when they are looking if you are feeling particularly brazen).
When using Hijack, the slightly older monochrome version in BO Peep 0.09 tends to be faster, less buggy, and more stable than the newer one in BO Peep Plus. Setup and operation of the two versions is the same.
Hijack operates on the same principle as VidStream: start the listener and connect to it with a client that allows you to control the desktop.
Start the listener through the BO Server Connection console with the BO Peep → Start Hijack command. This command takes two different arguments:
[NET,ENC,AUTH]
Allows you to override the server's Hijack communication defaults by changing the IO, Encryption, and Authentication plug-ins, respectively.
[Bind To]
Operates just like its VidStream counterpart. The number that you enter overrides the Hijack listener's default port.
Remember what you applied for these settings because you'll need to use them when connecting to the listener with the client. Click Send Command; if Hijack starts successfully, a message appears in the Response window.
To stop the Hijack listener at any time, select the BO Peep → Stop Hijack command and click Send Command. No options are required for this command.
Start the Hijack client by selecting BO Peep → Hijack Client from the Plugins menu. A small Console Hijacker window appears with several buttons and input boxes as shown in Figure 11-20. Unless you are connected to a listener or have edited the settings, all but the two buttons on the left will be inactive.
Begin by making sure that the settings are what you want them to be. You can change them at any time when you are not in direct control of the backdoored server's desktop. Click Settings to activate the two boxes on the right:
This is the expected time delay (in milliseconds) between moving the mouse on the client to when it is echoed on the server. No need to change this, unless you are having troubles with a slow connection, in which case it might be worth adjusting.
This is the setting that you need to know. Once connected to the listener, hitting this hotkey allows you to switch between controlling your own desktop and the remote desktop. No need to change the default unless you have something else running that conflicts with that hotkey.
If you made any changes to the settings, click Save to commit the changes and return the Console Hijacker back to its normal state.
To connect to the Hijack listener, click Connect. This displays the familiar Connect To window. The settings here are exactly the same as the connection settings for the VidStream listener (see the earlier section "The VidStream listener"). When you are satisfied that all these match the settings that the listener was configured with, click OK. Once connected to the listener, the two icons at the top right of the window become active.
From here on, using Hijack is simple. You can choose to send mouse movements and keystrokes to the backdoor independently or simultaneously, by clicking the button for whichever you wish to control. After choosing which to control, press the Machine Switch Hotkey that you configured moments ago. Notice that your mouse pointer becomes a red dot, similar to the record button on a VCR. This means that any mouse movements or keystrokes (if you chose to send them) are recorded and relayed to the backdoor. For example, click the mouse icon, press Ctrl+Alt+Z (if so configured), and keep an eye on the VidStream you set up earlier. If everything is working correctly, your mouse movements are followed on the backdoor's desktop in the VidStream viewer.
That's it. To disconnect, click the former Connect button (now labeled Disconnect), close the window, and stop your listener.
When not using your Hijack or VidStream clients and listeners, shut them down. They can be buggy and the performance hit will be very noticeable on the victim's server: enough to blow your cover and all your hard work in setting up the backdoor.