NAME

SYNOPSIS

DESCRIPTION

Have you ever wanted to know who is trying to access your computer with Back Orifice or NetBus? This program fakes these trojan servers and logs every connection from their clients. Connections can be logged to a file, to stdout, to stderr or to syslog. fakebo can also send fake pings and replies back to the trojan client.

fakebo can emulate a BO server with three possible levels of realism:

RealFakeBO

If the option userealfakebo is turned on in the configuration file, fakebo will do its best to emulate a real BO server.

Custom replies

If the option usecustomreplies is turned on, fakebo will send to the client a different message for each type of incoming packet received. The messages sent in replies are specified by the user in separate files (see section CUSTOM REPLIES). If RealFakeBO is turned on, custom replies will not be used unless the built-in RealFake server fails to produce a reply.

Fixed reply

If both previous methods either fail or are configured out, fakebo will send to the client the message specified under bomessage in the configuration file, whatever the incoming packet may be.

You may want to auto start fakebo when you connect to the Net via PPP. To do that, just put "fakebo" in /etc/ppp/ip-up, and it will run fakebo when PPP is activated. Don't forget to put something like "killall fakebo" in /etc/ppp/ip-down...

OPTIONS

-c config_file

Path to the configuration file. If this option is omitted, fakebo will search a file named fakebo.conf in the following directories: /etc, /usr/local/etc, $HOME and . (the current directory).

-v

Turn on verbose logging.

-d

Print to stderr the configuration parameters. This option is for debugging purposes.

-i

Log the BO packet numbers together with their description, otherwise only the description is logged. This option is for debugging purposes.

-b

Start fakebo as a daemon. When started with this option, fakebo closes all file descriptors, disassociates itself from the controlling terminal and puts itself in the background.

-a

Print an "about" message and exit.

-h

Print a short summary of options and exit.

CONFIGURATION FILE

user string

If fakebo is started by root, it will su to the user specified here after opening the log file. This is intended to avoid compromising the system, should the program have any security hole. If custom replies are used, the user owning the fakebo process must have read access to the files containing the replies.

boport integer

The UDP port to listen for BO connections. The default port is 31337, it is also the default port in BO itself. In fact, boport can also be the name of an UDP port (as defined in /etc/services) without quotes.

nbport integer

The UDP port to listen for NetBus connections.

startasdaemon boolean

Start fakebo as a daemon. This has the same effect as the -b option.

bofakever string

Fake BO version (not longer than 10 characters). it's used for sending BO version when sendfakereply is on. Now you can fool attacker that you have a computer infected with a newer version of BO... ;)

nbfakever string

Fake NetBus version (not longer than 10 characters). This is sent to the client in the greeting message.

bomessage string

Message which will be sent to BO client if both RealFakeBO or custom replies either fail or are configured out.

nbmessage string

Message which will be sent to NetBus client when accessed.

logfile string

File where all attempts are logged (full path). stdout stands for STandarD OUTput, stderr stands for STandarD ERRor.

user string

user who should own the process if started by root

logconnection boolean

If you want to log IP where it comes from and what type of packet is.

logreceivedpackets integer

There are 5 possible values (0, 1, 2, 3, 4) for logging received packets: 0: do not log, 1: log only command 2: log command & data fields (most common) 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above

logsendingpackets integer

There are 4 possible values (0, 1, 2, 3) for logging packets to send: 0: do not log, 1: log only command, 2: log command & data fields (most common), 3: log command, data and header fields (for debugging purposes). 4: log packet hex dump, along with everything from above

lognotbopackets boolean

If you want to log contents of non-BO packets.

sendfakereply boolean

If you want to send fake replies to pings from the client (it will display a message as if you had BO). Very useful to set when somebody sweeps your domain and you want him to believe that you have BO server installed.

machinename string

Used for fake ping replies for forming fake ping packet. This must be a single word.

logtimeanddate boolean

Log time and date of received packet.

silentmode boolean

Make it silent. If this option is set fakebo will not answer the message back to BO client. Note that pings will still be replied back to the client. Turn off sendfakereply if you want to make fakebo completely silent (very useful if you don't want that public knows that their activity is logged).

bufferedlogging boolean

This option is used for turning on or off buffered output to log file. fakebo runs a little faster if buffering is on. I recommend not to use buffering.

logtosyslog integer

May be: 0: do not log via syslog, 1: log via syslog, 2: log via syslog verbosely.

toexecutescript boolean

If you set this option, fakebo will execute the program which you specify under parameter executescript (see below) when it receives the BO packet. It is a sort of plug-in, so you can do everything you want with his IP. You can for example run whois, finger, traceroute or something else, but putting nuke, or land or some similar attack in the script is not very smart (then you're like the one attacking you!)

executescriptshell string

Path to the shell that will be used to expand command line parameters when running a custom script. The shell must accept the `-c' option.

executescript string

This parameter is only used when toexecutescript is set. In this case, fakebo will execute the command line you specify here. A `!' in the command line will be replaced by the IP of the attacker. If you want to insert a literal `!', you have to type `\!'. You can put here several commands separated by a `;', like in the shell. Likewise, a `%' will be replaced by the text `backorifice' or `netbus', depending upon which trojan originated the attack.

usecustomreplies boolean

With this you can specify for every BO command a different answer to the attacker. It's very useful if you want to make him believe he is doing everything right. Note: if option silentmode is on, this parameter is ignored. See the next section for details on custom replies.

customrepliespath string

For every client command you can specify a different answer to the attacker. You just have to make the text file for every command. The hexadecimal identification of the command is added to the path. If option usecustomreplies is off, this parameter doesn't have any effect. If the file for some command cannot be found, then a generic message is used (message parameter).

tocrackpackets boolean

Try to crack BO packets with password and log encryption key. It takes less than a second to crack the password on average Pentium. If you're low on CPU resources you should say no (0) here.

ignorehost string

If set to anything else than "NONE", fakebo will ignore connections from the specified host.

userealfakebo boolean

If set, fakebo will use its built-in RealFake(tm) BO server to properly emulate responses to the BO client, and hopefully REALLY confuse them... Don't worry, it may look real, but it is as harmless as a crax0r using a windoze box.

CUSTOM REPLIES

Don't forget to make these files readable by the user owning the fakebo process (user parameter in the configuration file).

The hex values associated with the commands are:

02

System Reboot

03

System Lock Up

04

List System Passwords

05

View Console

06

Get System Information

07

Log Pressed Keys

08

Send KeyPress Log

09

Show A Dialog Box

0A

Delete A Value from The Registry

0B

Create TCP redirection (proxy)

0C

Delete TCP redirection

0D

List TCP redirections

0E

Start Application

0F

End Application

10

Export a share resource

11

Cancel share export

12

Show Export List

13

Resend Packet

14

Enable HTTP Server

15

Disable HTTP Server

16

Resolve Host Name

17

Compress a File

18

Uncompress a File

19

Plug-in execute

1A

(unknown)

1B

(unknown)

1C

(unknown)

1D

(unknown)

1E

(unknown)

1F

(unknown)

20

Show active processes

21

Kill a process

22

Start a process

23

Create a key in the registry

24

Set the Value of a key in registry

25

Delete a key in registry

26

Enumerate registry keys

27

Enumerate registry values

28

Capture a static image

29

Capture a video stream

2A

Play a sound file

2B

Show Available Video capture devices

2C

Capture the screen to a file

2D

Start sending a file using TCP

2E

Start receiving a file using TCP

2F

List (running) plug-ins

30

Kill Plugin

31

List directory

32

(unknown)

33

(unknown)

34

Find a file

35

Delete a file

36

View file contents

37

Rename a file

38

Copy a file

39

List all network devices

3A

Connect to network resource

3B

End connection of a network resource

3C

Show NetWork Connections

3D

Create Directory (folder)

3E

Remove directory

3F

Show Running Applications

FILES

AUTHORS

Code, ideas, spelling... were contributed by (in completely random order): Robert Avilov - DryLLaR <ravilov@barok.foi.hr>, Edgar Bonet Orozco <edgar@bonet.polycnrs-gre.fr>, Olaf Tuinder <olaf@warserver.warande.uu.nl>, Hans Jorgensen <borisj@get2net.dk>, Sinisa Lolic <vegi@usa.net>, Marcus Herbert - rhoenie <rhoenie@rhohost.chillout.org>, Jwit <jwit@sinnerz.com>, Folkert van Heusden <flok99@dds.nl> and Bjoern Bendix <bbendix@primusnetz.de>, Dezso E. Moldvai - MDE <mde@thepentagon.com>, Mike Kershaw <dragorn@melchior.nerv-un.net>, c.o.d @ WLU, Wolfram Kleff <wkleff@bigfoot.com>, Michiel Steltman <Michiel.Steltman@siennax.com>, Doug Schieferstine <doschie@global2000.net>, Javi Polo <javipolo@infomail.lacaixa.es>, Jochem Wichers Hoeth <wiho@chem.uva.nl>, Ian Kumlien <iank@smi.mas.lu.se>, Miodrag Vallat <miodrag@multimania.com>, Norman Meilick <alvin@gmx.de>, J. Padfield <olorin@netlink.com.au>, Marc Quinton <Marc.Quinton@stna.dgac.fr>, Dop Ganger <dop@fop.ns.ca>, Michael <nouse@gmx.de>, Ian Bishop <ibishop@globec.com.au>, Groovy Pants Gus <gus@SB7.YOONIX.NET>, Gerald Swann <gswann@pompano.pcola.gulf.net>, Eric Hedberg <hedberge@gridley.acns.CARLETON.edu>, Gregory T. Norris <haphazard@socket.net>, Robert Szarka <szarka@downcity.net>, Michel Arboi <arboi@bigfoot.com>, David Grant <dave@reach.net>, Scott Edwards <scott.edwards@iname.com>, Martin Kammerhofer <dada@sbox.tu-graz.ac.at>, Michel Kaempf <maxx@via.ecp.fr>, Chris Knipe <savage@savage.za.org>, Justin Wienckowski <jwiencko@vt.edu>, Daniel P. Stasinski <dannys@karemor.com>, Larry Reckner <larryr@Capital.NET>, Ivan Brozovic <ibrozovi@linux.hr>, Dobrica Pavlinusic <dpavlin@foi.hr> and others...

COPYRIGHT

fakebo is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

fakebo is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the License for more details.

You should have received a copy of the GNU General Public License along with fakebo; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

AVAILABILITY