Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada, from July 9th through the 11th, 1999. This is videotape number 44, how to use BO2K.

A lot of this is blatantly obvious stuff, so if it's blatantly obvious to you, congratulations, you have a clue. The first thing you need to do, obviously, is download the international version of BO2K, unless you're within the U.S. and can get the U.S. version, which comes with the plugin for Triple DES encryption. Thanks to the government we can't let that go outside the borders, and people outside the U.S. are not fortunate enough to have strong encryption on their networks. Cult of the Dead Cow at cultdeadcow.com, or www.bo2k.com, should have it live within a few days and you can download it from there.

The first thing you're going to want to do is unzip your archive. In the past what would happen is people would run the server and wind up infecting themselves. It would automatically delete itself, and so DilDog was getting flooded with mail saying, hey, why doesn't it work? What happened? It kind of broke on me. This left a rash of people sitting in IRC with port 31337 open and no password, getting hit left and right, and hard drives suddenly getting formatted in the middle of the night for no reason. This problem has been corrected so you cannot walk all over yourself.

When you first run the configuration utility it starts the wizard, and when you get used to the utility you can turn the wizard off so you never have to deal with it again. You very simply walk through it and it selects the executable as it sits in the directory it's run out of. You can browse around and have different ones sitting in different subdirectories or under different names, and have different ports, encryption schemes, plugins and whatnot assembled for whatever specific uses you have. You can select that and move forward. Check that one out. Let's start from scratch. Okay, we don't have to reboot.
There we go. You have your choice of TCP or UDP networking. The original BO ran on UDP, which was less obvious for people with minimal Windows skills to notice. BO2K, moving forward into a more reliable and robust program that's more geared towards actual network administration, does TCP, where in an office corporate-type environment as a LAN administrator you don't care if your clients, basically your co-workers, see what you have going on with their machine, because you're allowed to and they can just accept it and deal with it.

You're forced to enter a port number and it will not run until you do. Being the U.S. version, this already has 3DES ready to run on it, so we're going to go with that. It's recommended you use something at least 14 characters long when you run 3DES. Then you can finish it right up and that brings you into the actual configuration utility. If you turn the wizard off and run the configurator, this is what you'll be taken straight to. If you turned off the wizard and never feel the need to turn it back on, you can just click on the button right there in the upper corner and it brings the wizard back.

Once you're inside you need to select the server that you want to run. Right here we already have a few enabled on it, and we're going to go ahead right now and add in BoPeep, which will give us remote administration of the actual desktop and the ability to take control of the keyboard and the mouse. Moving down on the configuration (and I hate touchpads and those little things; I don't want to touch them or I'll break them, it should really be a bullet), we have several options under file transfer. Basically these can just be left set exactly as they are. Configuration is pretty straightforward when you get right down to it. There are a lot of options and some of them are rather confusing for some people. If you did not run the wizard, under TCPIO default port is where you would set it.
We did set it to 2000, and you can easily just tweak it there later on if you don't ever want to fire the wizard back up. UDP is the same thing if you're inclined to run that. These are just a few of the basic encryption modules, as well as I.I., which again you really don't need at all. If you're not using 3DES and you're using XOR, this is where you would put in your encryption key for the XOR encryption. But since we're using 3DES we can leave that blank right now.

Startup: the standard networking type is going to be TCP. In the future, as other DLLs and plugins become available that allow you to run over different types of protocols, you will be able to set something different in there as well. The binding string is where we're going: 2000. Encryption is 3DES. Authorization we are just going to leave set at NULL, and idle timeout is currently set to 60,000, which is good for all intents and purposes and you should never really have to mess with that either.

Under stealth we can configure whether we want it to run at startup or not. This is what somebody was asking about yesterday, if you saw the cDc release, about being able to put it on a floppy or have it set up to run one time and one time only and not have to mess with the legal machine sitting open after that. Right now it's set to disabled, so if the machine has it set on, it will not install into the registry and it will not load at boot up. So you do have that option right there. If you're doing testing or you don't feel the need to have the server delete itself, you can also have that set to auto-delete or not, and by default that is also disabled. So if you run it on yourself you're going to have to really check and see if you did or not, because it's not just going to disappear and get cleared. Insidious is an NT setting which we're not really concerned about. Runtime pathname is how it will display itself, both in the registry if it's installed there and as the file that it installs itself as.
BO2K will name itself, in this case UMGR32, and install itself in the Windows system directory. We can control whether it runs hidden or not, and as I said, we have more NT-specific options. I don't have NT machines so we're not really going to get into those too much right now. We're going to scroll down. The blue folders are your plugins, and the other plugins you add will show up as blue. Triple DES has the encryption string which we already put in through the startup wizard for the configuration, and in the BoPeep settings you can control your defaults for your resolution, your network type, where you're binding to (this binds to a very high port by default, as does the Hijack), the encryption string and your authorization. So it's all pretty straightforward and we'll leave it at that point and save it. Yes. Correct.

BoPeep's default encryption string is XOR, and because we are using the U.S. version with 3DES we do need to change this to 3DES. So we can go ahead and just change it right there, save it up and save our server again, and that's already set up. So your VWORD, correct, normally we need to go through and also on the Hijack change the encryption string from XOR over to 3DES. So at that point you can exit it, and hopefully I will be awake by the time the presentation is over.

I have the server set up right here to run on this guy, and once you have a server running on a client or set of clients you can go to the BO2K GUI, open it up, and by default you wind up with a blank untitled workspace. You can save it if you have five or seven servers down below that you use frequently, or if you want to break it up departmentally for accounting, human resources, administration; you can run different types of servers with different DLLs for different departments in the company, and you can save these workspaces and open up individual ones and have everything already set up, saved and pre-configured for each machine.
We're starting a new machine so we'll just call it BO server. We need to put in the IP address of the machine followed by the port that you have it set to run on, and it's already set up for TCP, 3DES and NULLAUTH, and it'll say OK and proceed. It comes up and you've already got everything confirmed at the top. If you need to go back to change anything you can click right there and it'll bring your configuration back up to change your port or your server. At this point we will connect, and this machine is going to bring it up because it doesn't really matter, and it shows right here that the version of Back Orifice is 2000 1.0, which shows we are connected.

Starting at the top and working our way down, we have the simpler things that were present in the older BO. You can send simple ping packets off to it and you will get them back, and they are a bit more reliable since they are TCP based. We can query the server; as we just reconnected, it will query the server for our capabilities, which you'll usually find mostly in the form of plugins down at the bottom.

Under the system folder you can have your fun stuff. If you're building a machine, locking it up: in the event that you have an employee that you happen to find doing something that they shouldn't be, or somewhere on the network that isn't properly secured, you can lock the machine up to keep them from doing anything that they shouldn't. You can get a list of any passwords that are present on the machine that have been cached, and you can also go ahead and pull out the system info. Let me enlarge this a bit here; it's not going to get too much better off of the LCD, I don't think, unless we were to come up a lot closer and then we shrink them. But you can pull up the amount of RAM, percentage in use, page file spacing, and any drives; it shows that these are fixed, CD-ROM, and it will also show network drives as being listed as actual network drives, anything mapped out over a Microsoft or a Novell
network. Key logging is improved greatly: you can log to any file anywhere you want. Go ahead and fire up the logging and it shows that key logging has actually started, and if you were to have something running on the target machine you could actually go back. A great improvement on BO2K is that MPStrope is always present, but you can now go through and actually view your keystroke log instead of having to just do an actual view file, which would typically have problems after three or four screens' worth of text coming on a 25-line screen; the UDP connection would just kind of clog up and sometimes you'd actually have to re-ping the host and wait until it came back. You can see right here it showed I hit Ctrl-Esc, the start menu opened, Notepad, typed "testing key logging" with several backspaces in it, and then I just backed up and closed it off, and it actually said, do you want to save, and I just hit N for no, and it does actually log that as well. Then you can go through and delete your keystroke log if you find it's no longer of use to you, if it's something that you've already shipped out and you don't want anything sitting on your client machine.

On the very simple side of things, you can pop up the familiar system box that looks as legitimate as anything, with the typical OK button, and you've got your box title and any message you want to put inside it. I'd show you, but I don't have the server up on the display, so it's kind of pretty nice at this point.

Under TCP networking we've got all the fun stuff: the good old HTTP file server, where you can give it a port, and of course if you're working through a firewall chances are port 80 is going to be open, so you can throw it on there and pass through the firewall. Pull up the link and it will bring up a complete browse of the entire machine, showing any local drives, network drives, as well as the network neighborhood, any network resources it has
mapped out. You can use it to bounce a relay like some kids like to do with Wingate, where you give it a machine and an IP and a port on another one; you can just go into your server, bounce out and hit a second machine and port anywhere you want to, and if you're creative you can chain several of these together and bounce between five or six of them. It works well on the LAN, but anything outside coming back over the net you're going to see a lot of lag on.

Mapping a port to a console application is similar to what was shown last year. In this case I just grab port 100 and run command.com, and I can easily telnet to the IP on that port, and if it's going to work happily (which telnet on this is probably not going to) it would actually open up a telnet session that would give me basically a complete DOS prompt on the other machine, and I would have full command-line access to the whole hard drive and any network resources that client has available to it. Because this machine is really buggy, it has a lot of network components installed on it that weren't too conducive to this demo; it's not my machine, so I'm kind of stuck. We can also go ahead and just un-map any port. TCP file receive as well as TCP file send work in conjunction with Hobbit's Netcat, and it does work really well and it's handy, but Netcat of course is a very full-featured item and it's really fun to play with, so you might want to look into grabbing that. Otherwise you can list the ports that are mapped out on the remote box, and right here you can see that we have port 100, which is shown as being mapped over to command.com.

Microsoft Networking is very similar to last time. You can add and remove shares on the remote machine, and when you do so you don't have the icon in Explorer that shows that it is shared; you don't have the blue hand on it, you just have a standard folder, and to the machine running the server, as far as it's concerned, everything is plain and normal. There's nothing
odd or distinctly different going on with it. It has the drive shared and it's completely oblivious to it. I'd run through on that, but I don't have sharing installed on the machine, so we're unfortunately out of luck on it. Correct, we can thank Microsoft for that one, because basically it will be the same as with the original Back Orifice: there's nothing special that this is doing that was not basically included or considered when Windows was coded. It's doing nothing; there's no funny exploits that it's doing, short of any DLLs, but the fact that you can have something shared without it showing as a share is a Microsoft issue. Yes, I believe it does. Yes. Essentially, if you had it set to, if the machine could share through the firewall on its own, if you could add that machine, turn on sharing and allow it to share through the firewall, then yes. If the firewall was an issue blocking native sharing, then this would not be able to bypass that.

As with the original Back Orifice you can pull a list of all processes, and actually this is blank because there's nothing running on it right now. Alright, I was just notified that the remote machine ID is only for NT, and we can leave it blank since we are connected directly to a single server right now. So I just went ahead and fired up Notepad on it, since I actually had nothing running, and you can see that we have Notepad down at the bottom. BO2K is showing because I do have it running visible; I did not go through and do any of the cloaking and hiding on it, and up above that we have just a few of the standard MS issues that just sit there and find resources that are running too much. You can pick any process that you would like to kill; for instance, I can go right here and highlight and copy the ID of that process, I can right-click and copy it, I can go to the kill process command, paste it in, send my command, and now it's been terminated. If we go back and check again you can see that Notepad is no longer running and BO2K is the last entry. So you do have full
process control over whatever's going on in the machine. Registry: you do have pretty much the same functionality as before. You can go through and list keys and view the values, you can delete values, set values, and create keys completely from scratch. This is kind of a tough way to do it; you really need to know the registry, to have RegEdit open on your machine, and hope you don't accidentally delete something on your side by accident with a bad mouse click. However, what I would like to show you right now, but I don't have it handy, is what BO2K is released with, and that is absolutely phenomenal: it opens a RegEdit box which is just like running RegEdit on your local machine, and it's all point-and-click, and it's very easy to just click on something and edit a value. You can surf around and view it as a tree; you don't have to know exactly where everything resides, but you do have full remote registry control, and you do not have to have shared remote registry activated inside of the Microsoft networking.

For any multimedia listings, I have nothing running on this other machine, but you can easily list capture devices, and it will list any microphones. If I had the camera I would have it plugged in right now, but it was left at home. But you can plug in the camera and I can easily go through, and that is listed as device zero, and if I wanted to capture a video still or an AVI I could give it my device number, zero instead of 100, give it a file to save to, and as an AVI I would select the seconds and the width and the height and color depth. In each of these values it's the number followed by the comma followed by the next value; you don't want to leave any spaces in or it's not going to work for you. If you were to search around using the file search, which we'll get to in a minute, or if you're using the AVI, you can use the play WAV, and we now have the nice annoying factor of being able to play in a loop and just bug the heck out of somebody, remind the boss that you need a
raise. You can also, in addition to the AVI, capture a still, which will get you just a single picture of the person sitting in front of the camera, or whatever happens to be going on in the office at that time, or you can capture a screen, which is also a simple capture of the desktop itself. We have that fired up, or using Netcat and file transfer.

Under file and directory we've got a lot of functions to play with. You can list anything that resides inside of any file and path, and here's everything pulled up, and it actually has the attributes listed with it, so you can see if any files are hidden. If you want hidden, read-only, or archive attributes on anything, attributes can actually be changed to read-only as well as undo the attributes as well. You can find files; you can search off the root of any directory, you can search through any path under a root drive. Wildcards are accepted in the file name: *.wav, *.gif, any *.exe, if you have anything in particular to find, you have a full search available to you, and once you find it you can just cut it and paste it into the box and delete any file you'd like to get rid of. You have a view file which works best on text documents; I wouldn't recommend using it on any Microsoft Word documents or Excel sheets because it doesn't really look too pretty, but it does work well on text and on keystroke logs, which is how you would previously have viewed them directly. You can move and rename files, you can copy a file from one directory to another, make and remove directories, file attributes, send and receive (I'm actually not sure on that one), and you can list any transfers that you have currently queued up that are in process; right now it should show there's nothing because we have nothing. But you do have full file access to the remote machine completely, and you can, as we showed, go through and find hidden and read-only files and change access to those however you feel fit to take whatever you
need to. Also, if you do a capture to a BMP, or if there's a large file on the server machine that you need to download to yourself, you can freeze it, which basically compresses it; a meg and a half frozen typically drops to about 300K, so you can shrink things down and reduce your network traffic overall, and if you're over a dial-up or a very limited pipe you can move large files that are compressed a lot quicker.

DNS: you can use the remote machine's DNS servers instead of your own to pull up any information that you may be having trouble resolving if your DNS is down, or if you don't have anything of your own. You can resolve host names on the remote machine as well as do reverse lookups, so that's a new feature that's kind of nice to play with. If you find yourself using this to admin a large WAN-type environment where you have several offices across several cities or states, and you're having trouble with the machine on one end not being able to hit something, you could actually go into the remote machine from your office and try to look up the target that he's trying to hit and see if he does actually have a problem with his DNS, and try to figure out if it's actually a problem with the DNS server or his local DNS configuration.

Server control: you can shut down a server if you wanted to run it one time; if you just use your standard BO executable that you have running constantly and you don't feel like running a new one, you can run it until you're done using it and shut it down. If you run it and type in delete, it will shut itself off and delete itself and leave no trace that it was ever there. You can restart the server, you can load and unload plugins, you can debug plugins remotely, you can list any plugins that are present, and right here it shows that we have both the Triple DES and BoPeep loaded. You can start and kill off any command sockets associated with it. Yes, yeah, you can upload it through the HTTP server or, using file transfer, you can upload it and dump it
into C:\Windows\System and you can easily load it from inside server control. Also, BO2K does have support for the legacy ButtPlugs that were out initially with BO: the Butt Sniffer packet sniffer, the Butt Trumpet and whatnot; the original plugins are supported, and the software development kit that is available with BO is going to allow you to do a lot of the more functional ones that take a lot of advantage of the new functions built into BO2K. Yes. Yes. I don't fully understand the question. No, the DNS is strictly a matter of just doing a query on a DNS server, same as if you were to do something using one of the IP-based command lines inside of Windows, ping or traceroute; it just basically does a DNS lookup, it doesn't do anything other than lookups. Yes, you can dump route tables if you were to bind a command like command.com to a port and telnet in; you can look them up that way.

BoPeep we're going to attempt to fire up here. I'm going to set the frame rate rather low just initially, then we can turn it up from there, and ideally it should fire up, and it shows that VidStream started at the IP and at the port 15151, which you'll recall we looked at earlier when we put BoPeep into the server in the config utility. One thing: in order to use DLLs you need to make sure that you have configured them inside your client as well. Just right here we have Triple DES; in order to use BoPeep I wanted to add it. This is the same BoPeep DLL that we put into the server that we installed on the other machine; you install it into your client, and we can go through here in BoPeep, and I'm going to leave all the settings the same. We're going to go through again and change the encryption over to 3DES from XOR; I'm going to set the value on that one, and also on Hijack change this to 3DES as well, and then we're done. If it worked well, once we have BO running down on the server, we can go to plugins and see we now have a BoPeep plugin, and when Bo Toilers is released
you'll have that listed down here, and any other plugins that actually enhance the communication between the server and the client will appear on this menu. So theoretically we should be able to pull up the VidStream client and fire connect, and it has everything that has already been pre-set into it, and you can verify your settings of your port; we are using TCP and we did set it to 3DES as well as the standard NULLAUTH. It's not happy with us... and there we go. You can't really see too much because I'm running a rather small window on it, but you can see as I move the mouse around. Oh my, you're not seeing this right now. What we can actually do to make things a little nicer is disconnect, come up here and actually turn the frame rate up a bit; this does work best over the LAN. We will connect again and we should notice much more fluid movement on the remote machine. So as cDc demonstrated yesterday, you can turn the window size up quite a bit, and the fun thing about this is we can actually shrink this down out of the way temporarily, and on to my second one: we can go over to plugins, open up BoPeep and go to the Hijack client window, and we can connect. This is just something that was set on earlier as the port turned out; sorry, 15151. However, the values are correct and we can connect to this as well. Oh yeah, okay, let me handle myself; I actually need to start Hijack first. We now have Hijack started, and once again we can connect and dump in the IP for the server run, and the hotkey is currently shown as being Ctrl-Alt-Z. What I'm going to do here is throw this back up, and if I hit Ctrl-Alt-Z, I first click over; I now have the red dot, and as I move that over here I now have control of the remote desktop. It looks kind of odd, but what happens is where the red dot is at represents where the mouse is actually sitting on the remote machine, so I move far off of my actual VidStream
client window, but we can move around here and take a look at everything that is sitting on this desktop, and we have full control over that as well as the remote keyboard. When you fire this up you essentially lock out the remote keyboard, so if you have a user that's having problems with something, you can from your desktop take over their machine, fix their problem for them and get them on their merry way, and go back to playing Quake or sitting in IRC or what have you, which is what we get paid for. I'm going to throw up the start menu. Yes, it can be made big; I'm just running it small right now for my own peace of mind, basically, but you can actually make it almost, I know you can get up into the 300s and 400 ranges. I've never tried to push it bigger than that; unfortunately the LAN that I'm on at work has a bit of traffic and I never wanted to push it too much further, especially since they didn't know what I was doing, in fact, all day long, and this is just not me confirming it today. But basically if I were to have a window open I could actually type into it, and the remote mouse and keyboard are completely locked out and can't interfere and, you know, ideally mess anything up too much for the mail that you have. If you're playing around with this at home, a word of caution is to not load up BoPeep and hijack your own workstation, because your keyboard is not happy about trying to be locked out and controlling it at the same time. I hit Ctrl-Alt-Z again; you can see where connect is now turned off, and I return control to the remote machine and I take control again of my own desktop. So that is one of the core functions, in my opinion.

You can also, under connection details, get a type of box, and it shows at the bottom we have the IP address and port of the machine, the current time, and as anything is going on over here it shows our actual network traffic usage and how much is going across the wire, so you've got an idea as to how much you would need or may not be
clogging things up in the process, and then dump that connection right now as well. Also, when you do have VidStream up you do have a copy option, so if you were to find a user doing something inappropriate and you need to use it to justify funds from accounting to, say, purchase a better firewall or anything that you need, you can snap a picture of their desktop to the clipboard and paste it in an email and send it off to management very easily. 3DES does not show up in the client because it's just a matter of encryption under your plugins, so there's nothing that 3DES would ever actually show up for; basically it just lets you put in your encryption key and that's that. Do we have any questions?

Yes, the question was to show the debug plugin option. Let's see here: one of the plugins that we have, which is listed below, and 3DES is actually a bad option to show it off with. Yeah, I was not too happy about that; that was a very bad example for me to choose. We'll get back to that in a moment. Any other questions right now?
To be truthful with you, I'm actually not entirely sure. Okay, you can set up an SSH tunnel and go right through that; otherwise there's not a whole heck of a lot you can do, because the whole purpose of masquerading is to block everything off. Unless you feel completely secure, I would pretty much stick with SSH; I wouldn't want to consider anything else because it would become a vulnerability at that point. As it stands, as you would download it, no, but the way it is set up with the software development kit and the abilities of the plugins and whatnot, yes; if somebody can write a plugin to do it, BO2K is capable of it. You'll notice when we actually configure the server, if you remember the original BO, you put in an IP, either a range or just an actual IP address, and a separate box for the port. You notice on this one everything is done by putting in an IP and then a colon and then the port, and by eliminating an actual value for a port that's independent of itself you can hook into something with a modem: you can have a DLL that is set up to watch the modem for ringing, answer it on the X number of rings, and you can set it up so the DLL would be able, on the client side right here, to dial out to a specific number that would connect, authenticate, and then you would have total remote control of that machine, and using the Hijack and the BoPeep you could then have pcAnywhere-style control over that machine. The nice thing about it is if anybody happened to be tapping the phone line you would have Triple DES encryption for the entire session as well; the Triple DES is not used just for authentication, but anything going between the two machines is completely encrypted to help prevent against any sniffing attacks. Yeah, so there you go.

Up front, the question was: can we log the time that an application was started and ended? By default, no, but again a plugin could easily take care of that. With the original BO, writing plugins was not too hard to do; the software development kit is going to
make it a lot easier to use than you had in the past, so you can do the sort of stuff like we said: writing an interface that will allow direct serial communication, or serial communication over modem. You can have something that will log file times; you could probably write a DLL that would actually track something similar to WinTop usage and see, if a user complains about a slow machine, exactly why, if you had something that was consuming too many resources. Also something that would probably work in the future, and somebody could easily code for it, is an IPX/SPX DLL which would allow you to run this on a Novell network with Win95 clients, where you don't actually code any IP addresses on the machines and it's all set up through the Novell server and the MAC address on the card. So ideally you'll have availability for that as well, and as DilDog said yesterday, something that would even allow it to communicate over AppleTalk as well, and port the server down to Mac, and you could have a Windows machine control a Mac or vice versa. So it was completely open to allow for many variations of it and whatnot, and allow you to just make something completely flexible. Like they said, they expect, in a short amount of time, a lot of different variations of it to be turning up on FTP sites and web pages, where you could have somebody take it and strip out features that would allow it to be easier to transport across a modem, maybe something that would almost set up what would appear to be an anonymous FTP server on a box on a cable modem or DSL. So there's going to be a lot of variations that you're going to be seeing popping up that will do a lot of things that we're not even conceptualizing right now; it will hit somebody just as a craze and they'll kill them hands down. It's really going to be expanding to epic proportions.

So yeah, okay, the question was an environment where whenever the machines go to power down on a legitimate shut off, they get a re-ghosted image copied over from a
network server that they're connected to, and how this would function in that environment. One of the easiest things you could do to circumvent that is, if they're connected to a server where it will attempt to shut itself down and re-ghost its image, and there's a server that it's typically logging into every time it's powered up, you can easily, in the machine or user or system login scripts, have BO automatically run from the server itself, and it will reinstall itself every time the machine is booted up. Theoretically, yes.

Mm-hmm. Yeah, several times in the past with the original Back Orifice I would find several machines with a stock server running on 31337 with no password, and looking around I would hypothetically be on a machine and find two or three other servers running, and they were actually fighting each other for control of the server. Each one would find that they could upload their server and run it, but they would never kill the process of the default one, so other people would take it and keep uploading their servers on different ports with different passwords, just by listing processes and looking for anything running from C:\Windows\System with a file size of about a hundred and twenty-some K with recent upload dates.

So you can actually go through, and in your BO Peep setup, for both your client and your server, it has defaults for the X and Y window sizing, so if you want to default it to 800x600, if you wanted to default it to a large window, you can default large windows, you can save it, and when you launch BO Peep on the remote one, and on the server from a controller, it will automatically pop up into whatever size you've got it coded and saved for, and then you'll be running at that window size constantly unless you want to resize. I don't know. Thanks. Right behind them.

So it's built in by default. In the international version the stripped-down version of BO with 3DES is not included, and you have
3DES as an option, but it's XOR or you're not going to be encrypted, pretty much; it's there and that's all you can do about it, so it will be encrypted to some degree.

What is the drawback? What is it, 640x480, 800x600, what does it use for network traffic? Yeah, it's more network traffic. If you try to run it at a high frame rate it will be slowing things down. Over a LAN you can run 10-ish frames per second; you can increase that, you can increase the window size on the LAN, you can make it bigger on the LAN and you can push further, but if you're trying to do something over a modem you're going to want a small window. Is it just a matter of bandwidth? Basically, just like anything more graphics-intensive with more data to be transmitted, you're going to be doing a lot more packets.

Okay, the question was using some sort of video-type client on the server and taking that and encoding it and throwing that through a BO Peep, and using that instead of the actual BO Peep itself. Conceptually, how hard it would be to code depends, I guess, on how skilled a coder somebody is. But if it's feasible to do something like that, you could almost feasibly write a DLL that would watch a QuickCam, and instead of dumping it to a box on the screen, you could dump that down a BO Peep-style plugin and open up a window on your machine and watch a very slow, choppy, real-time video of somebody sitting at their computer typing. So you could actually go so far as to build in something like that as well. Yeah, that's what I was actually aiming towards: using the QuickCam on the remote machine and actually having the DLL hijack that feed, so instead of going to the hard disk on the local machine it's actually running over the wire.

So, you've had your hand up for a while. Even under NT? Yeah, Dildog actually explained in very great detail yesterday exactly how that's accomplished, and it can be done in a way that it's set as an actual system process.
I can try to find a way to give you the actual rundown on that if you like, but it is possible and it does work. Yes. I'm actually building a Blowfish plugin DLL myself. Theoretically, not too hard. Again, everything on this is completely open. It's completely open source; it is GPL. You can write DLLs for it left and right, easily now with the software development kit, which will make things very easy. The entire source code for BO itself is going to be made available. So you could actually almost hard-code it if you were so inclined. But Blowfish encryption should not be too hard to implement. I'm just thinking, just the way people think and work, it'll probably be out in a few weeks, if not sooner.

Yeah. The question is, is there a way to nice the Find File feature so it doesn't interfere with what the user's doing? To my knowledge, there is not. Okay, BO2K runs below normal priority, so anything that it executes will also fall at that point or lower and will not interfere that much with anything going on on the user side. I have noticed in doing it that they will pick up obvious, noticeable hard disk activity. But also, if you wanted to poke around a certain directory or a certain portion of a tree, you can use the directory listing and type in the path that you're looking at and manually look for files in there. Or, using the graphical BO2K client when that comes out, the file browser, which is really magnificent, will cut that down a lot as well.

Is it possible to change the priority? I would imagine, since the source code is available, you could create code to run at a different level inside it. It currently is set to run, like we said, lower, and it does grab the OS at ring zero, but that shouldn't honestly be infeasible either. Yeah. Do that.

ICMP I/O, is that implemented? Okay, the question is, is the ICMP I/O that was discussed yesterday available? That will be coming out in the L0pht Heavy Industries pack when that's available.
So, okay, the first question was: as a network administrator, how do I protect myself from this? A few of the obvious ones would be the same way you protect yourself from any virus. Aside from normal virus scanning, cut yourself off from the outside world as much as you can while allowing work to be done in a fair and reasonable fashion; limit any mail attachments that are over a certain size; anything over a certain size can be sent to an administrator or assistant for a manual review. Let's see, educate users, but the human factor is always gonna be the downfall. And that's why BO spread so fast in the first place; that's why an Australian ISP had 79% of their machines infected, their clients'. People aren't exactly the sharpest creatures sometimes, so educate your users not to be downloading stuff off the web, or restrict their access to the sites that they need to perform their job duties. But it's just the simple common sense that you would use to keep anything else out of your network that you don't want in. If you're really concerned about it, you can try to block off all the ports that you don't need on your firewall, but then again, this can be configured to run over port 80, and that combined with Netcat you can actually use to open connections from the inside as well, so there are always gonna be some sort of loopholes that people are gonna try to get through.

The other question was, how do I use this as an administrator while avoiding the antivirus utilities? There's a big push on this to make it be seen as being as legitimate an administration tool as possible. And frankly, I completely find it to be one. I've been using BO to admin my network since it came out last year. I've been helping with this for the last two months and it's actually helped me work quite a bit. I've got a Novell network with about 295 boxes on it and it's made my life a lot easier. As for protecting yourself from the virus side of it, the antivirus side, that's a tough one.
If people start throwing signatures in, it's gonna be getting hit. If you have a skilled coder handy that can modify the source code so it will not generate the same file signature, you can try to step around it that way. There's also hope that ideally companies will not fold to Microsoft and include it as being a virus, because when you consider, when the newest version of NetBus came out, several companies were actually saying, because the guy decided to charge for it finally and call it an administration tool, that it suddenly was one, just because he changed the name on it, and it's still as useful or malicious as it was before, or as pcAnywhere can be. And the fact that the author, as far as I've seen, goes so far as to say "mess with your friends by ejecting their CD-ROM constantly" doesn't sound like something that an administration tool would have included in the readme file, but a virus company still thought that it was legitimate enough to not include it. Ideally, this product will be stepping up to the plate and taking on some of the heavy hitters like pcAnywhere, which in my experience, using it over a LAN at 100 megabit, remote control of the desktop is still choppy and painful at best. This is much smoother and better, I find, and a lot more handy to use than pcAnywhere.

Also, one thing was MSNBC had an article quoting someone, and I forget which company he was with, pointing out how this is nothing more than another malicious tool because it was stealth and can be configured to not show up in the process list or in the taskbar or anything of the sort. And as Doug pointed out yesterday, Microsoft incorporated that ability on purpose due to a wide range of customer requests, and something I pointed out to MSNBC: IBM has a package called Netfinity Manager, which sells for upwards of $10,000 for a small set of licenses, that runs stealth.
And as a network administrator, I know that I've had users that I have set up to open their email from their startup folder, and several of them are in the habit of closing everything and then bitching at me that they haven't gotten email for three days. So users can easily defeat an administration utility, either maliciously or completely by accident. So the fact that it runs stealth puts it right up there with the big leagues of IBM and Hewlett-Packard and their desktop administration utilities. So hopefully the virus companies will take a clue and not decide to just sweep this aside and abandon it, and let it grow and be what it can legitimately be used for.

Currently, yes. So, yes, it has to start somehow and that's how it does go right now. He asked if it does load itself into the RunServices registry key like Back Orifice did originally, and the answer is yes, it does. So if you think you, or a machine that you admin, or a friend's machine might be infected, you can check there: check the five or so items that are typically in RunServices and compare them against file sizes, or anything fishy that's sitting in the Windows system directory, and see if it's BO or BO2K or not.

Yeah. Okay, a good point was just brought up: some virus packages that do run over LANs for large settings let you exclude certain files, and you can just put this in as an excluded file as well and not have to worry about it. By default the name of it is UMGR32.EXE, and if a virus scanner was to look for that, or consider that to be something that would match a signature, you can easily rename it to your initials, the initials of your company, your phone extension number; you can rename the server to anything you want, and include your specific file size, because there's a chance that anybody that tries to take your network may have different DLLs loaded than you do and they would obviously not match up to your exact file. So, yes.
Currently. The question was, any plans on merging hijacking in BO Peep? Right now BO Peep consists of two separate portions that actually make up BO Peep: one is the video hijacking, one is the keyboard hijacking, and as I actually have them open, you can run the two windows side by side, you can shrink the hijack client out of the way, you can shrink the actual BO2K desktop that we have open right now completely out of the way, and have nothing but the big screen open and hijack the keyboard. Sometimes you do want to hijack video and not the keyboard, just to monitor a user, or say, if you're on your intercom with them, say "show me what you're doing so I can see what you're doing wrong," and you can actually walk them through and attempt to educate them at the same time and see where they're messing up, so you don't always want to take control of the keyboard. But running the two simultaneously side by side is not a problem.

Go back. The question was about options on blanking the user's screen; that is not part of BO2K. You could probably, just as easily, again, not to say I'm repetitive, write a DLL or modify the BO Peep DLL to include a blanking option. Although by and large, for the most part as an administrative tool, that's rarely called for, because if you have control of a user's desktop, you're logged in as the user, with their permission, so you're not gonna be touching any part of the network that they shouldn't be seeing anyways. And ideally, one thing that I'm big on is not just fixing my problems but ideally trying to educate my users so they can work more efficiently themselves. So I personally like having the video displayed so they can see what I'm doing and hopefully learn something and not have the same problem again in the future. But screen blanking is something that you could probably easily build in. Or you could just manually launch the Blank Screen screensaver.

And stream it out, what do you mean?
The question was doing live keyboard logging and having it actually dump live over a stream to your client instead of writing it to a file. That's something that could physically be done through a DLL, but the problem you would run into is, if you leave the DLL running and you shut your server off, when the connection breaks it may cause a problem or network congestion, but the server's out. Yeah, you could just watch in real time. That could work. I haven't tried it. So theoretically it could be there, and if not, a DLL could probably take care of it.

So, in back. I'm sorry, I can't hear you too well. Live, down the wire. Non-interactively deploying the capabilities down the line. Yes and no. If you're doing it as a LAN administrator, what I've done is, with the original BO, which had the auto-delete built in and there was nothing you could do about it, I put it in a read-only directory on my file server which users cannot delete from, and put it in the login script and just had it sit there for about a week to make sure all the machines had been turned on at one point in time. And at that point the machines would boot up, the user would log in, it would run BO and automatically install itself on the machine without any user intervention or even knowledge that I'd done anything. Similar to that, it wouldn't delete; it would sit there waiting for the next machine to boot up and run it also. Otherwise, in order to have it installed on somebody's machine in a malicious way, there's the old problem that they came up with last time with buffer overflows and using that to execute malicious code. Or you could dig up the old, it wasn't actually a plugin, but Brian Enigma from NetNinja wrote something called SaranWrap, where you could easily take BO and any file and wrap it in, and just confuse somebody, and you could do that to make them think it's something else.
You could wrap that in a program that they use frequently like ICQ, so every time they run ICQ it reinstalls itself in case they happen to catch it, or just take it and rename it to something like bigtids.exe and let them do it on their own.

I've just been notified; I'll take one more question. Yes. The question was, if a client machine is in a mode where a screensaver's turned on and I were to hijack the controls on it, would it really click it off? I don't know, but we can try to find out real fast: if a machine is in screensaver mode and you hijack the keyboard and try to take control, whether it turns the screensaver off or not. And I'm actually having trouble because it seems like the battery's about done. I'm going to put it back, because I was just informed that we are about 10 minutes over right now, so we're going to wrap this up here very quick. I would like to thank cDc for having me do this demo, which has been kind of cool; Dildog for coding this monster; and I'd like to thank Bomb and Crusader for sending up some laptops so we could get this thing going, and everybody for sitting here, being interested, and putting up with me for the last hour plus.

And just for the record, the screensaver was turned on and hijacking the stream alone turned it off, so without even going into the keyboard hijacking, hijacking something with the screensaver on will automatically kill the screensaver. So there you have it. Yeah, that's it.