BO2K Command Usage
Learn about the command structure and the functionality that Back Orifice (BO2K) provides.
October 21, 1999
Simple

| Command | Description |
| --- | --- |
| Ping | This command simply pings the Back Orifice 2000 (BO2K) server. If you're trying to communicate remotely and the network border blocks ping, the server won't respond. |
| Query | This command queries the BO2K server for its capabilities and uses this information to populate the tree control in which the commands in this sidebar appear. |
System

| Command | Description |
| --- | --- |
| Reboot | This command reboots the machine. |
| Lockup | This command locks up the server, forcing a reboot. |
| List Passwords | This command dumps the password hashes from the SAM database. |
| Get System Info | This command lists various information about the system, including the NetBIOS name; the logged-on user, if any; processor type; OS version and service-pack level; memory statistics; page-file size and usage; and the available disks and their associated parameters. |
Key Logging

| Command | Description |
| --- | --- |
| Log Keystrokes | This command lets the user capture all keystrokes entered on the system's local console. To use this feature, simply specify a location for the log file. |
| End Keystroke Log | This command stops the keystroke log. |
| View Keystroke Log | This command displays all captured keystrokes. |
| Delete Keystroke Log | This command deletes the specified keystroke log file. |
GUI

| Command | Description |
| --- | --- |
| System Message Box | This command sends a message to the local console using a pop-up window. |
TCP/IP

| Command | Description |
| --- | --- |
| Map Port -> Other IP | This command lets you map a port on the server that redirects to another IP address and port. With this command, you can relay attack traffic to a target machine without revealing your own source address. A legitimate use might be to carry specific traffic across a firewall that would otherwise block it. For example, your firewall might not let Telnet sessions enter the network but will let Telnet sessions originate on the internal network. If you're performing remote administration, you can use this feature to map a port on the server to the Telnet port on another internal server. The only stipulation is that you have to use a port that is open on both the firewall and the BO2K server. |
| Map Port -> HTTP File Server | This command lets you map a built-in Web server to any available port on the system, and you can specify any directory on the system as the Web root. This functionality makes browsing directories much easier because you can use a Web browser. |
| Map Port -> Console App | This command lets you map a console-based application, such as cmd.exe, to an open port on the server. When you Telnet to the port, the specified application launches and you have complete control over it. In the case of cmd.exe, you're essentially establishing a Telnet server on the remote system, because a typical Telnet server on Windows NT drops to a command prompt after you log on. The difference with this command is that absolutely no authentication takes place: anybody with the IP address and port can connect to whichever application is bound to the port. |
| Map Port -> TCP File Receive / TCP File Send | These two commands work together to allow file transfers to the BO2K server. The first step is to map a port number for file transfers and define the filename and path of the file that the server will receive. Next, you send the command to ready the specified port for a file-transfer connection. To send the file, select TCP File Send and specify an open port on your machine to send the file from, enter the IP address and port number of the socket you started in the previous step, and enter the path and filename of the file to transfer. Click Send Command, and the file is on its way. You can download files using the HTTP File Server. |
| List Mapped Ports | This command lists all ports BO2K has open, such as those that the Map Port commands listed above opened. |
| Remove Mapped Port | This command removes a listening port. |
| TCP File Send | This command sends a file over an unencrypted link using a TCP connection. Use this command to transfer a file to a generic client, such as L0pht Heavy Industries' Netcat. See the Map Port -> TCP File Receive command for further details. |
M$ Networking

| Command | Description |
| --- | --- |
| Add Share | This command adds a resource share to the remote computer. Parameters include the remote path for the share and the name by which the network will know the share. |
| Remove Share | This command removes a mapped share on the remote computer. |
| List Shares | This command lists all available shares on the remote computer. |
| List Shares on LAN | This command lists all shares on all machines visible to the remote computer, provided the remote BO2K system has access to other machines on the network. This command is similar to running Net View against each machine on the network. |
| Map Shared Device | This command connects to a share from the remote computer, similar to sitting at the remote console and mapping a share on another computer using Windows Explorer or the command line. |
| Unmap Shared Device | This command removes a share that you mapped with the Map Shared Device command. |
| List Connections | This command lists all open connections on the remote computer, similar to using Server Manager to view the connections on a given system. |
Process Control

| Command | Description |
| --- | --- |
| List Process | This command lists all running processes on the remote computer. It is similar to viewing Processes under Task Manager and the Control Panel Devices applet at the same time, because it lists all services and device drivers running on the remote system, along with their process IDs. |
| Kill Process | This command stops a running process, specified by its process ID. |
| Start Process | This command starts a process on the remote system, specified by its pathname and any optional startup parameters. |
Registry

| Command | Description |
| --- | --- |
| Create Key | This command creates a key in the remote system's Registry. |
| Set Value | This command sets a value under a key in the remote system's Registry. |
| Get Value | This command views a value under a key in the remote system's Registry. |
| Delete Key | This command deletes a key in the remote system's Registry. |
| Delete Value | This command deletes a value under a key in the remote system's Registry. |
| Rename Key | This command renames a key in the remote system's Registry. |
| Rename Value | This command renames a value in the remote system's Registry. |
| Enumerate Keys | This command enumerates all keys in the remote system's Registry tree, starting with the specified root key. |
| Enumerate Values | This command enumerates the values under the specified key path. |
Multimedia

| Command | Description |
| --- | --- |
| Capture Video Still | This command captures a video still-frame image using the device with the specified device ID. It writes the image to the specified path at the dimensions given by the size parameter. |
| Capture AVI | This command captures a video sequence and writes it to a disk file using the specified parameters. The user can specify the number of seconds to record, the video height and width, the color depth, and the frame rate. |
| Play WAV File | This command plays the specified .wav audio file on the remote system. |
| Play WAV File in Loop | This command continuously plays the specified .wav audio file on the remote system. |
| Stop WAV File | This command stops a .wav file that is playing. |
| List Capture Devices | This command lists all capture devices configured on the remote system and their associated device IDs. |
| Capture Screen | This command takes a screen shot of the remote desktop and writes it to the specified file on the remote system. |
File/Directory

| Command | Description |
| --- | --- |
| List Directory | This command lists the specified remote directory. |
| Find File | This command finds the specified file on the remote system. |
| Delete File | This command deletes the specified file on the remote system. |
| View File | This command dumps the contents of the specified remote file into the Server Response display on the BO2K client. |
| Move/Rename File | This command moves or renames a remote file. When you move a file, the New Path parameter must differ from the file's current path. When you rename a file, the New Path must match the file's current path, and only the current and new filenames differ. |
| Copy File | This command copies a file on the remote system from one directory to another. |
| Make Directory | This command creates a new directory on the remote system. |
| Remove Directory | This command deletes the specified directory on the remote system. |
| Set File Attributes | This command sets the file attributes for the specified file on the remote system. |
| Receive File | This command opens a listening socket on the specified port and waits for incoming data. This function supports network traffic encryption, which you can specify using the command's parameters. If you don't enter any encryption parameters, the command uses the default encryption parameters in effect on the BO2K server. |
| Send File | This command sends a file to a remote system's Receive File socket using the specified encryption parameters. Use this command in conjunction with the Receive File command to securely transfer files between two or more BO2K servers. |
| Emit File | This command works with the BOTOOL plugin to transfer data to the plugin's File Browser control. The BOTOOL plugin manages this command automatically by sending any necessary control commands to the server when required. For example, when you download a file using BOTOOL, the plugin automatically issues an Emit File command to the server, which causes the server to open a socket and transfer the specified file back to the client, transparently to the user. |
| List Transfers | This command lists all file transfers in progress and all active command sockets waiting for transfers on the remote system. |
| Cancel Transfer | This command stops a file transfer in progress or removes a socket listening for incoming data. |
Compression

| Command | Description |
| --- | --- |
| Freeze File | This command compresses the specified file on the remote system. It is useful for quickly compressing a file before transferring it to another remote system. |
| Melt File | This command decompresses a file compressed by the Freeze File command. |
DNS

| Command | Description |
| --- | --- |
| Resolve Hostname | This command performs a forward DNS lookup to discover the IP address of the specified host name. |
| Resolve Address | This command performs a reverse DNS lookup to discover the host name for the specified IP address. |
Server Control

| Command | Description |
| --- | --- |
| Shutdown Server | This command shuts down the remote BO2K service and optionally deletes the service from the remote system. |
| Restart Server | This command restarts the BO2K server component on the remote system, after you provide the component's executable filename and path. |
| Load Plugin | This command loads a BO2K plugin into the remote BO2K server. If a required plugin isn't present on the remote system, you can upload it to the server using any of the file transfer commands. |
| Debug Plugin | This command loads a BO2K plugin into the remote BO2K server in debug mode, in which the plugin can output debug messages. |
| List Plugins | This command lists all BO2K plugins installed on the remote BO2K server. |
| Remove Plugin | This command removes the specified BO2K plugin from the remote BO2K server. |
| Start Command Socket | This command opens a socket that listens for an incoming BO2K client connection. It lets multiple users connect to one BO2K server by spawning the process onto another port, as specified in the parameters. You can use the parameters to define encryption requirements for the new process. When encryption parameters aren't specified, the server uses its default parameters. |
| List Command Sockets | This command lists all listening BO2K server command sockets. |
| Stop Command Socket | This command stops the specified command socket. |
Legacy Buttplugs

| Command | Description |
| --- | --- |
| Start Buttplug | This command starts an installed legacy Back Orifice plugin. |
| List Buttplug | This command lists all installed legacy plugins. |
| Stop Buttplug | This command stops the specified legacy plugin. |

Note: Plugins designed for the original Back Orifice program (the predecessor to BO2K) were commonly called Buttplugs. You can upload these plugins to the remote system and subsequently install them using the Start Buttplug command.
BOPEEP

| Command | Description |
| --- | --- |
| Start VidStream | This command starts a VidStream on the specified sockets using the specified screen size and frames-per-second (fps) rate. During my tests, I couldn't specify a screen size larger than the size used on the remote system, even when my local system had a larger resolution in effect. Therefore, using a screen size of 640 × 480 works every time. Set the frame rate based on your connection speed. For fast connections, such as local Ethernet or T1 speeds, 10 fps or higher works well. If the Bind To parameter doesn't specify a port, BOPEEP will use the preconfigured port number (configured during initial server configuration). After the VidStream starts, use the active port number when connecting with the BOPEEP video control in the BO2K client. For example, if your VidStream is running at the 127.0.0.1 address on port 15151 (the default port), enter 127.0.0.1:15151 in the BOPEEP video control to connect. You can also specify an encryption type and network transport. When you omit these parameters, the server uses its default settings. |
| Stop VidStream | This command stops the active VidStream and closes the socket. |
| Start Hijack | This command starts a keyboard and mouse hijacking server on the specified port using the specified encryption parameters. When no parameters are entered, the server uses its default settings. As with a VidStream, the Hijack parameters are also required to connect BOPEEP's keyboard and mouse hijacking control to the remote system. As in the example above, if your hijack socket is running at 127.0.0.1 on port 14141 (the default port), enter 127.0.0.1:15151 in the BOPEEP Hijack control to connect. |
| Stop Hijack | This command stops the active Hijack on the remote server and closes the socket. |
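The BOPEEP entries above name two default listening ports (15151 for VidStream, 14141 for Hijack). As an added example, written from the defender's side and not part of the original article or of BO2K itself, the following Python snippet parses the text output of Windows `netstat -an` (a constructed sample is embedded) and flags listening TCP sockets on those ports. The watch list, the function names and the sample output are assumptions for illustration.

```python
"""Flag listening TCP sockets on ports the article associates with BOPEEP.

Added example, not part of the original article. Port matching is a weak
indicator: the article notes that the Bind To parameter lets the operator
pick any port, so treat a hit as a lead to investigate, not as proof.
"""
import re
from typing import Dict, List, Tuple

# Ports named in the article as BOPEEP defaults. Assumption: this is a
# starting point, not a complete BO2K fingerprint; extend it for your site.
WATCHED_PORTS: Dict[int, str] = {
    15151: "BOPEEP VidStream default",
    14141: "BOPEEP Hijack default",
}

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:15151          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1045      ESTABLISHED
  TCP    0.0.0.0:14141          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# One socket row: proto, local addr:port, foreign addr, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, local_port, state) for each socket row.

    Header and blank lines do not match the row pattern and are skipped.
    UDP rows carry no state column, so state is an empty string for them.
    """
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        rows.append((proto, addr, int(port), state or ""))
    return rows


def suspicious_listeners(
    text: str, watched: Dict[int, str] = WATCHED_PORTS
) -> List[Tuple[int, str, str]]:
    """Return (port, reason, local_addr) for LISTENING TCP sockets on watched ports."""
    hits = []
    for proto, addr, port, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and port in watched:
            hits.append((port, watched[port], addr))
    return hits


if __name__ == "__main__":
    for port, reason, addr in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"listener on {addr}:{port} matches {reason}")
```

On a live host you would feed the function the real `netstat -an` output instead of the sample; because every BO2K listener's port is operator-chosen, pair any hit with the host's process and service listing before drawing conclusions.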