|RealFakeBO||If the option userealfakebo is turned on in the configuration file, fakebo will do its best to emulate a real BO server.|
|Custom replies||If the option usecustomreplies is turned on, fakebo will send to the client a different message for each type of incoming packet received. The messages sent in replies are specified by the user in separate files (see section CUSTOM REPLIES). If RealFakeBO is turned on, custom replies will not be used unless the built-in RealFake server fails to produce a reply.|
If both previous methods either fail or are configured out,
fakebo will send to the client the message specified under
bomessage in the configuration file, whatever the incoming packet may be.
-c config_file Path to the configuration file. If this option is omitted, fakebo will search a file named fakebo.conf in the following directories: /etc, /usr/local/etc, $HOME and . (the current directory). -v Turn on verbose logging. -d Print to stderr the configuration parameters. This option is for debugging purposes. -i Log the BO packet numbers together with their description, otherwise only the description is logged. This option is for debugging purposes. -b Start fakebo as a daemon. When started with this option, fakebo closes all file descriptors, disassociates itself from the controlling terminal and puts itself in the background. -a Print an "about" message and exit. -h Print a short summary of options and exit.
The configuration file is a simple plain text file. Lines beginning with # and empty lines are treated as comments. Each command is a couple keyword value. Values can be either strings (enclosed in double quotes unless otherwise stated), integers or booleans. A boolean is an integer which can be 0 (zero) for turning the option off or 1 for turning it on.
user string If fakebo is started by root, it will su to the user specified here after opening the log file. This is intended to avoid compromising the system, should the program have any security hole. If custom replies are used, the user owning the fakebo process must have read access to the files containing the replies. boport integer The UDP port to listen for BO connections. The default port is 31337, it is also the default port in BO itself. In fact, boport can also be the name of an UDP port (as defined in /etc/services) without quotes. nbport integer The UDP port to listen for NetBus connections. startasdaemon boolean Start fakebo as a daemon. This has the same effect as the -b option. bofakever string Fake BO version (not longer than 10 characters). its used for sending BO version when sendfakereply is on. Now you can fool attacker that you have a computer infected with a newer version of BO... ;) nbfakever string Fake NetBus version (not longer than 10 characters). This is sent to the client in the greeting message. bomessage string Message which will be sent to BO client if both RealFakeBO or custom replies either fail or are configured out. nbmessage string Message which will be sent to NetBus client when accessed. logfile string File where all attempts are logged (full path). stdout stands for STandarD OUTput, stderr stands for STandarD ERRor. user string user who should own the process if started by root logconnection boolean If you want to log IP where it comes from and what type of packet is. logreceivedpackets integer There are 5 possible values (0, 1, 2, 3, 4) for logging received packets: 0: do not log, 1: log only command 2: log command & data fields (most common) 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above logsendingpackets integer There are 4 possible values (0, 1, 2, 3) for logging packets to send: 0: do not log, 1: log only command, 2: log command & data fields (most common), 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above lognotbopackets boolean If you want to log contents of non-BO packets. sendfakereply boolean If you want to send fake replies to pings from the client (it will display a message as if you had BO). Very useful to set when somebody sweeps your domain and you want him to believe that you have BO server installed. machinename string Used for fake ping replies for forming fake ping packet. This must be a single word. logtimeanddate boolean Log time and date of received packet. silentmode boolean Make it silent. If this option is set fakebo will not answer the message back to BO client. Note that pings will still be replied back to the client. Turn off sendfakereply if you want to make fakebo completely silent (very useful if you dont want that public knows that their activity is logged). bufferedlogging boolean This option is used for turning on or off buffered output to log file. fakebo runs a little faster if buffering is on. I recommend not to use buffering. logtosyslog integer May be: 0: do not log via syslog, 1: log via syslog, 2: log via syslog verbosely. toexecutescript boolean If you set this option, fakebo will execute the program which you specify under parameter executescript (see below) when it receives the BO packet. It is a sort of plug-in, so you can do everything you want with his IP. You can for example run whois, finger, traceroute or something else, but putting nuke, or land or some similar attack in the script is not very smart (then youre like the one attacking you!) executescriptshell string Path to the shell that will be used to expand command line parameters when running a custom script. The shell must accept the -c option. executescript string This parameter is only used when toexecutescript is set. In this case, fakebo will execute the command line you specify here. A ! in the command line will be replaced by the IP of the attacker. If you want to insert a literal !, you have to type \!. You can put here several commands separated by a ;, like in the shell. Likewise, a % will be replaced by the text backorifice or netbus, depending upon which trojan originated the attack. usecustomreplies boolean With this you can specify for every BO command a different answer to the attacker. Its very useful if you want to make him believe he is doing everything right. Note: if option silentmode is on, this parameter is ignored. See the next section for details on custom replies. customrepliespath string For every client command you can specify a different answer to the attacker. You just have to make the text file for every command. The hexadecimal identification of the command is added to the path. If option usecustomreplies is off, this parameter doesnt have any effect. If the file for some command cannot be found, then a generic message is used (message parameter). tocrackpackets boolean Try to crack BO packets with password and log encryption key. It takes less than a second to crack the password on average Pentium. If youre low on CPU resources you should say no (0) here. ignorehost string If set to anything else than "NONE", fakebo will ignore connections from the specified host. userealfakebo boolean If set, fakebo will use its built-in RealFake(tm) BO server to properly emulate responses to the BO client, and hopefully REALLY confuse them... Dont worry, it may look real, but it is as harmless as a crax0r using a windoze box.
When option usecustomreplies is set in the configuration file and RealFakeBO either fails or is configured out, fakebo will send the contents of a file in reply to each command. The name of the file is obtained by appending the hexadecimal value of the command to the prefix specified in parameter customrepliespath. For example: lets say you set customrepliespath to "/etc/fakebo/reply." and you want to have a special answer when the attacker issues the command "get System Information" (hex value 04). Then you just have to write your message in /etc/fakebo/reply.04... and keep watching the confused attacker. ;-)
Dont forget to make these files readable by the user owning the fakebo process (user parameter in the configuration file).
The hex values associated with the commands are:
02 System Reboot 03 System Lock Up 04 List System Passwords 05 View Console 06 Get System Information 07 Log Pressed Keys 08 Send KeyPress Log 09 Show A Dialog Box 0A Delete A Value from The Registry 0B Create TCP redirection (proxy) 0C Delete TCP redirection 0D List TCP redirections 0E Start Application 0F End Application 10 Export a share resource 11 Cancel share export 12 Show Export List 13 Resend Packet 14 Enable HTTP Server 15 Disable HTTP Server 16 Resolve Host Name 17 Compress a File 18 Uncompress a File 19 Plug-in execute 1A (unknown) 1B (unknown) 1C (unknown) 1D (unknown) 1E (unknown) 1F (unknown) 20 Show active processes 21 Kill a process 22 Start a process 23 Create a key in the registry 24 Set the Value of a key in registry 25 Delete a key in registry 26 Enumerate registry keys 27 Enumerate registry values 28 Capture a static image 29 Capture a video stream 2A Play a sound file 2B Show Available Video capture devices 2C Capture the screen to a file 2D Start sending a file using TCP 2E Start receiving a file using TCP 2F List (running) plug-ins 30 Kill Plugin 31 List directory 32 (unknown) 33 (unknown) 34 Find a file 35 Delete a file 36 View file contents 37 Rename a file 38 Copy a file 39 List all network devices 3A Connect to network resource 3B End connection of a network resource 3C Show NetWork Connections 3D Create Directory (folder) 3E Remove directory 3F Show Running Applications
/usr/local/etc/fakebo.confDefault configuration file.
The original author and current maintainer of fakebo is Vlatko Kosturjak - KoSt <firstname.lastname@example.org>, <http://surf.to/kost>
Code, ideas, spelling... were contributed by (in completely random order): Robert Avilov - DryLLaR <email@example.com>, Edgar Bonet Orozco <firstname.lastname@example.org>, Olaf Tuinder <email@example.com>, Hans Jorgensen <firstname.lastname@example.org>, Sinisa Lolic <email@example.com>, Marcus Herbert - rhoenie <firstname.lastname@example.org>, Jwit <email@example.com>, Folkert van Heusden <firstname.lastname@example.org> and Bjoern Bendix <email@example.com>, Dezso E. Moldvai - MDE <firstname.lastname@example.org>, Mike Kershaw <email@example.com>, c.o.d @ WLU, Wolfram Kleff <firstname.lastname@example.org>, Michiel Steltman <Michiel.Steltman@siennax.com>, Doug Schieferstine <email@example.com>, Javi Polo <firstname.lastname@example.org>, Jochem Wichers Hoeth <email@example.com>, Ian Kumlien <firstname.lastname@example.org>, Miodrag Vallat <email@example.com>, Norman Meilick <firstname.lastname@example.org>, J. Padfield <email@example.com>, Marc Quinton <Marc.Quinton@stna.dgac.fr>, Dop Ganger <firstname.lastname@example.org>, Michael <email@example.com>, Ian Bishop <firstname.lastname@example.org>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald Swann <email@example.com>, Eric Hedberg <firstname.lastname@example.org.CARLETON.edu>, Gregory T. Norris <email@example.com>, Robert Szarka <firstname.lastname@example.org>, Michel Arboi <email@example.com>, David Grant <firstname.lastname@example.org>, Scott Edwards <email@example.com>, Martin Kammerhofer <firstname.lastname@example.org>, Michel Kaempf <email@example.com>, Chris Knipe <firstname.lastname@example.org>, Justin Wienckowski <email@example.com>, Daniel P. Stasinski <firstname.lastname@example.org>, Larry Reckner <larryr@Capital.NET>, Ivan Brozovic <email@example.com>, Dobrica Pavlinusic <firstname.lastname@example.org> and others...
Copyright © 1999 Vlatko Kosturjak.
fakebo is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
fakebo is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the License for more details.
You should have received a copy of the GNU General Public License along with fakebo; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
The most recent released version of fakebo is always available from <http://cvs.linux.hr/fakebo/>
|Linux||FAKEBO (1)||May 1999|