fakebo(1)                    UNIX Reference Manual                    fakebo(1)

NAME
       fakebo - fake Back Orifice and NetBus trojan server

SYNOPSIS
       fakebo [ -dihbav ] [ -c config_file ]

DESCRIPTION
       This file documents version 0.4.2 of fakebo, the fake Back Orifice (BO)
       and NetBus server for Linux and other Unices.

       Have you ever wanted to know who is trying to access your computer with
       Back Orifice or NetBus? This program fakes these trojan servers and
       logs every connection from their clients. Connections can be logged to
       a file, to stdout, to stderr or to syslog. fakebo can also send fake
       pings and replies back to the trojan client.

       fakebo can emulate a BO server with three possible levels of realism:

       RealFakeBO
              If the option userealfakebo is turned on in the configuration
              file, fakebo will do its best to emulate a real BO server.

       Custom replies
              If the option usecustomreplies is turned on, fakebo will send to
              the client a different message for each type of incoming packet
              received. The messages sent in replies are specified by the user
              in separate files (see section CUSTOM REPLIES). If RealFakeBO
              is turned on, custom replies will not be used unless the
              built-in RealFake server fails to produce a reply.

       Fixed reply
              If both previous methods either fail or are configured out,
              fakebo will send to the client the message specified under
              bomessage in the configuration file, whatever the incoming
              packet may be.

       You may want to auto-start fakebo when you connect to the Net via PPP.
       To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo
       when PPP is activated. Don't forget to put something like "killall
       fakebo" in /etc/ppp/ip-down...

OPTIONS
       -c config_file
              Path to the configuration file. If this option is omitted,
              fakebo will search for a file named fakebo.conf in the following
              directories: /etc, /usr/local/etc, $HOME and . (the current
              directory).

       -v     Turn on verbose logging.

       -d     Print the configuration parameters to stderr. This option is for
              debugging purposes.

       -i     Log the BO packet numbers together with their description;
              otherwise only the description is logged. This option is for
              debugging purposes.

       -b     Start fakebo as a daemon. When started with this option, fakebo
              closes all file descriptors, disassociates itself from the
              controlling terminal and puts itself in the background.

       -a     Print an "about" message and exit.

       -h     Print a short summary of options and exit.

CONFIGURATION FILE
       The configuration file is a simple plain text file. Lines beginning
       with `#' and empty lines are treated as comments. Each command is a
       keyword/value pair. Values can be either strings (enclosed in double
       quotes unless otherwise stated), integers or booleans. A boolean is an
       integer which can be 0 (zero) for turning the option off or 1 for
       turning it on.
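       An added Python parser for this file format (not fakebo's own code)
       that applies the typing rules above. The sets deciding which keywords
       are integers or booleans are taken from the parameter list in this
       section; the sample configuration text is constructed.

```python
# Constructed sample of a fakebo.conf in the format the manual describes
# (not the project's shipped file): `keyword value`, `#` comments, strings
# in double quotes, integers, and booleans written as 0 or 1.
SAMPLE_CONF = """
# constructed example configuration
user "nobody"
boport 31337
nbport 12345
startasdaemon 1
silentmode 0
sendfakereply 1
bofakever "1.20"
machinename "honeypot"
logfile "stderr"
customrepliespath "/etc/fakebo/reply."
"""

BOOLEAN_KEYS = {"startasdaemon", "logconnection", "lognotbopackets",
                "sendfakereply", "logtimeanddate", "silentmode",
                "bufferedlogging", "toexecutescript", "usecustomreplies",
                "tocrackpackets", "userealfakebo"}
INTEGER_KEYS = {"boport", "nbport", "logreceivedpackets",
                "logsendingpackets", "logtosyslog"}

def parse_value(key, raw):
    """Turn the raw text after a keyword into str, int or bool."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        value = raw[1:-1]
        if key in ("bofakever", "nbfakever") and len(value) > 10:
            raise ValueError(f"{key}: fake version longer than 10 characters")
        return value
    if key in BOOLEAN_KEYS:
        if raw not in ("0", "1"):
            raise ValueError(f"{key}: boolean must be 0 or 1, got {raw!r}")
        return raw == "1"
    if key in INTEGER_KEYS:
        # boport may also be an unquoted service name from /etc/services
        return int(raw) if raw.isdigit() else raw
    raise ValueError(f"{key}: string value {raw!r} must be in double quotes")

def parse_conf(text):
    """Parse fakebo.conf text into a dict; comments and blank lines are skipped."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'keyword value'")
        key, raw = parts[0].lower(), parts[1].strip()
        conf[key] = parse_value(key, raw)
    return conf
```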

       user string
              If fakebo is started by root, it will su to the user specified
              here after opening the log file. This is intended to avoid
              compromising the system, should the program have any security
              hole. If custom replies are used, the user owning the fakebo
              process must have read access to the files containing the
              replies.

       boport integer
              The UDP port to listen on for BO connections. The default port
              is 31337, which is also the default port in BO itself. In fact,
              boport can also be the name of a UDP port (as defined in
              /etc/services), without quotes.

       nbport integer
              The UDP port to listen on for NetBus connections.

       startasdaemon boolean
              Start fakebo as a daemon. This has the same effect as the -b
              option.

       bofakever string
              Fake BO version (not longer than 10 characters). It is used for
              sending the BO version when sendfakereply is on. Now you can
              fool the attacker into thinking you have a computer infected
              with a newer version of BO... ;)

       nbfakever string
              Fake NetBus version (not longer than 10 characters). This is
              sent to the client in the greeting message.

       bomessage string
              Message which will be sent to the BO client if both RealFakeBO
              and custom replies either fail or are configured out.

       nbmessage string
              Message which will be sent to the NetBus client when accessed.

       logfile string
              File where all attempts are logged (full path). The values
              stdout and stderr stand for standard output and standard error.

       user string
              User who should own the process if started by root.

       logconnection boolean
              If you want to log the IP address a packet comes from and what
              type of packet it is.

       logreceivedpackets integer
              There are 5 possible values (0, 1, 2, 3, 4) for logging received
              packets: 0: do not log; 1: log only the command; 2: log command
              and data fields (most common); 3: log command, data and header
              fields (for debugging purposes); 4: log a packet hex dump, along
              with everything from above.

       logsendingpackets integer
              There are 4 possible values (0, 1, 2, 3) for logging packets to
              send: 0: do not log; 1: log only the command; 2: log command and
              data fields (most common); 3: log command, data and header
              fields (for debugging purposes); 4: log a packet hex dump, along
              with everything from above.

       lognotbopackets boolean
	      If you want to log contents of non-BO packets.

       sendfakereply boolean
              If you want to send fake replies to pings from the client (it
              will display a message as if you had BO). Very useful to set
              when somebody sweeps your domain and you want him to believe
              that you have a BO server installed.

       machinename string
              Used for forming the fake ping packet in fake ping replies. This
              must be a single word.

       logtimeanddate boolean
	      Log time and date	of received packet.

       silentmode boolean
              Make it silent. If this option is set, fakebo will not answer
              the message back to the BO client. Note that pings will still be
              replied to. Turn off sendfakereply if you want to make fakebo
              completely silent (very useful if you don't want the public to
              know that their activity is logged).

       bufferedlogging boolean
              This option turns buffered output to the log file on or off.
              fakebo runs a little faster if buffering is on. I recommend not
              using buffering.

       logtosyslog integer
              May be: 0: do not log via syslog; 1: log via syslog; 2: log via
              syslog verbosely.

       toexecutescript boolean
              If you set this option, fakebo will execute the program which
              you specify under the parameter executescript (see below) when
              it receives a BO packet. It is a sort of plug-in, so you can do
              whatever you want with the attacker's IP address. You can for
              example run whois, finger, traceroute or something else, but
              putting nuke, land or some similar attack in the script is not
              very smart (then you're like the one attacking you!)

       executescriptshell string
              Path to the shell that will be used to expand command line
              parameters when running a custom script. The shell must accept
              the `-c' option.

       executescript string
              This parameter is only used when toexecutescript is set. In
              this case, fakebo will execute the command line you specify
              here. A `!' in the command line will be replaced by the IP of
              the attacker. If you want to insert a literal `!', you have to
              type `\!'. You can put here several commands separated by a `;',
              like in the shell. Likewise, a `%' will be replaced by the text
              `backorifice' or `netbus', depending upon which trojan
              originated the attack.

       usecustomreplies boolean
              With this you can specify for every BO command a different
              answer to the attacker. It's very useful if you want to make him
              believe he is doing everything right. Note: if option
              silentmode is on, this parameter is ignored. See the next
              section for details on custom replies.

       customrepliespath string
              For every client command you can specify a different answer to
              the attacker. You just have to make a text file for every
              command. The hexadecimal identification of the command is added
              to the path. If option usecustomreplies is off, this parameter
              doesn't have any effect. If the file for some command cannot be
              found, then a generic message is used (the bomessage parameter).

       tocrackpackets boolean
              Try to crack BO packets with a password and log the encryption
              key. It takes less than a second to crack the password on an
              average Pentium. If you're low on CPU resources you should say
              no (0) here.

       ignorehost string
              If set to anything other than "NONE", fakebo will ignore
              connections from the specified host.

       userealfakebo boolean
              If set, fakebo will use its built-in RealFake(tm) BO server to
              properly emulate responses to the BO client, and hopefully
              REALLY confuse them... Don't worry, it may look real, but it is
              as harmless as a crax0r using a windoze box.
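       As an added example (not fakebo's own code), the following Python
       reimplements the executescript expansion rules above (`!' becomes the
       attacker's IP, `\!' a literal `!', `%' the trojan name) and runs the
       result through the configured shell's `-c' option. The address check
       is an assumption on top of the manual: fakebo takes the IP from the
       UDP source, but rejecting anything that is not a plain address keeps
       shell metacharacters out of the command line.

```python
import ipaddress
import subprocess

def expand_executescript(template, attacker_ip, trojan):
    """Expand an executescript command line the way the manual describes.

    "!" -> attacker IP, "\\!" -> literal "!", "%" -> "backorifice"/"netbus".
    Every other character is copied through unchanged.
    """
    # Assumption (not in the manual): only a syntactically valid IP address
    # is ever interpolated, so a malformed value cannot inject shell syntax.
    ip_text = str(ipaddress.ip_address(attacker_ip))
    if trojan not in ("backorifice", "netbus"):
        raise ValueError(f"unknown trojan name {trojan!r}")
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and i + 1 < len(template) and template[i + 1] == "!":
            out.append("!")          # escaped "!" stays a literal "!"
            i += 2
            continue
        if ch == "!":
            out.append(ip_text)      # attacker address
        elif ch == "%":
            out.append(trojan)       # which trojan client was seen
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def run_executescript(template, attacker_ip, trojan, shell="/bin/sh"):
    """Run the expanded line via `shell -c`, matching executescriptshell."""
    cmd = expand_executescript(template, attacker_ip, trojan)
    return subprocess.run([shell, "-c", cmd], capture_output=True,
                          text=True, check=False)

if __name__ == "__main__":
    # Constructed inputs: a harmless script and a documentation address.
    print(expand_executescript('echo "% seen from !" ; whois !',
                               "192.0.2.7", "backorifice"))
```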

CUSTOM REPLIES
       When option usecustomreplies is set in the configuration file and
       RealFakeBO either fails or is configured out, fakebo will send the
       contents of a file in reply to each command. The name of the file is
       obtained by appending the hexadecimal value of the command to the
       prefix specified in parameter customrepliespath. For example: let's say
       you set customrepliespath to "/etc/fakebo/reply." and you want to have
       a special answer when the attacker issues the command "get System
       Information" (hex value 04). Then you just have to write your message
       in /etc/fakebo/reply.04... and keep watching the confused attacker. ;-)

       Don't forget to make these files readable by the user owning the fakebo
       process (user parameter in the configuration file).
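       The lookup below is an added Python illustration (not fakebo's code) of
       the reply selection described above: nothing in silent mode, then the
       RealFakeBO answer, then the custom reply file named prefix plus the
       two-digit hex command, then bomessage. The upper-case hex suffix and
       the temporary directory built by demo() are assumptions.

```python
import tempfile
from pathlib import Path

def reply_path(customrepliespath, command):
    """Reply file name: prefix followed by the two-digit hex command."""
    if not 0 <= command <= 0xFF:
        raise ValueError("BO command must be a single byte")
    # Assumption: two upper-case hex digits, as the command table spells them.
    return Path(f"{customrepliespath}{command:02X}")

def choose_reply(conf, command, realfake_reply=None):
    """Return the bytes to send for one BO command, or None for no answer."""
    if conf.get("silentmode"):
        return None                    # silentmode: commands get no answer
    if conf.get("userealfakebo") and realfake_reply is not None:
        return realfake_reply          # built-in RealFake server produced one
    if conf.get("usecustomreplies"):
        path = reply_path(conf["customrepliespath"], command)
        try:
            return path.read_bytes()
        except OSError:
            pass                       # missing, or not readable by the fakebo user
    return conf["bomessage"].encode()  # fixed fallback message

def demo():
    """Constructed scenario: only command 04 has a custom reply file."""
    d = Path(tempfile.mkdtemp())
    prefix = f"{d}/reply."
    (d / "reply.04").write_text("Constructed fake system info\n")
    conf = {"usecustomreplies": True, "customrepliespath": prefix,
            "bomessage": "nothing to see here"}
    return (choose_reply(conf, 0x04),
            choose_reply(conf, 0x05),
            choose_reply(dict(conf, silentmode=True), 0x04),
            choose_reply(dict(conf, userealfakebo=True), 0x04, b"real"))

if __name__ == "__main__":
    for answer in demo():
        print(answer)
```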

       The hex values associated with the commands are:

       02     System Reboot

       03     System Lock Up

       04     List System Passwords

       05     View Console

       06     Get System Information

       07     Log Pressed Keys

       08     Send KeyPress Log

       09     Show A Dialog Box

       0A     Delete A Value from The Registry

       0B     Create TCP redirection (proxy)

       0C     Delete TCP redirection

       0D     List TCP redirections

       0E     Start Application

       0F     End Application

       10     Export a share resource

       11     Cancel share export

       12     Show Export List

       13     Resend Packet

       14     Enable HTTP Server

       15     Disable HTTP Server

       16     Resolve Host Name

       17     Compress a File

       18     Uncompress a File

       19     Plug-in execute

       1A     (unknown)

       1B     (unknown)

       1C     (unknown)

       1D     (unknown)

       1E     (unknown)

       1F     (unknown)

       20     Show active processes

       21     Kill a process

       22     Start a process

       23     Create a key in the registry

       24     Set the Value of a key in registry

       25     Delete a key in registry

       26     Enumerate registry keys

       27     Enumerate registry values

       28     Capture a static image

       29     Capture a video stream

       2A     Play a sound file

       2B     Show Available Video capture devices

       2C     Capture the screen to a file

       2D     Start sending a file using TCP

       2E     Start receiving a file using TCP

       2F     List (running) plug-ins

       30     Kill Plugin

       31     List directory

       32     (unknown)

       33     (unknown)

       34     Find a file

       35     Delete a file

       36     View file contents

       37     Rename a file

       38     Copy a file

       39     List all network devices

       3A     Connect to network resource

       3B     End connection of a network resource

       3C     Show NetWork Connections

       3D     Create Directory (folder)

       3E     Remove directory

       3F     Show Running Applications

FILES
              Default configuration file.

AUTHORS
       The original author and current maintainer of fakebo is Vlatko
       Kosturjak - KoSt.

       Code, ideas, spelling... were contributed by (in completely random
       order): Robert Avilov - DryLLaR, Edgar Bonet Orozco, Olaf Tuinder, Hans
       Jorgensen, Sinisa Lolic, Marcus Herbert - rhoenie <rhoenie@rho->, Jwit,
       Folkert van Heusden and Bjoern Bendix, Dezso E. Moldvai - MDE, Mike
       Kershaw <dragorn@mel->, c.o.d @ WLU, Wolfram Kleff, Michiel Steltman,
       Doug Schieferstine, Javi Polo, Jochem Wichers Hoeth, Ian Kumlien,
       Miodrag Vallat, Norman Meilick, J. Padfield, Marc Quinton, Dop Ganger,
       Michael, Ian Bishop, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald
       Swann, Eric Hedberg, Gregory T. Norris, Robert Szarka, Michel Arboi,
       David Grant, Scott Edwards, Martin Kammerhofer <dada@sbox.tu->, Michel
       Kaempf, Chris Knipe <savage@sav->, Justin Wienckowski, Daniel P.
       Stasinski, Larry Reckner <larryr@Capital.NET>, Ivan Brozovic, Dobrica
       Pavlinusic and others...

COPYRIGHT
       Copyright (C) 1999 Vlatko Kosturjak.

       fakebo is free software; you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       fakebo is distributed in the hope that it will be useful, but without
       any warranty; without even the implied warranty of merchantability or
       fitness for a particular purpose. See the License for more details.

       You should have received a copy of the GNU General Public License along
       with fakebo; see the file COPYING. If not, write to the Free Software
       Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

       The most recent released version of fakebo is always available from

Linux                              May 1999                           fakebo(1)

