Commands List
--- Simple Commands ---
Ping
Send a ping to the server. If the server is connected/alive, it will respond.
Query
Primarily sent by the client whenever it determines that it needs to synchronize
itself with the server. Whenever a server-side plugin is added, the client sends this
command to retrieve a new list of commands that the server is capable of. If you have
auto-query turned off on the client, or you wish to synchronize the client, send this command
to refresh things.
--- System Commands ---
Reboot Machine
Reboots the server machine. Asks no questions. This will kill your connection to the server.
Lock-up Machine
Makes the server machine completely unresponsive. The mouse will not move, and the keyboard will not work. Grinding halt.
Also makes the BO2K server unresponsive and will kill your connection to the server after the protocol times out.
List Passwords
Under Windows 95/98 this lists the passwords that are stored in the Internet Explorer password cache.
If you've ever checked the 'Remember My Password' box, your password will be available here. Under Windows
NT, it performs a PWDump-like password hash dump, suitable for import into L0phtCrack.
Get System Info
Returns information about the system, including machine name and the capacity of the
storage devices attached to it.
--- Keylogging ---
Log Keystrokes
Captures the keystrokes that the user of the server machine types at the keyboard to a disk
file. Also tells you what windows they typed the keystrokes into, so you can understand what they
were doing. Parameters:
Disk File (Required) - The full pathname of the file to put the keystroke logs into.
End Keystroke Log
Stops logging keystrokes.
--- GUI Commands ---
System Message Box
Puts up a dialog box on the server screen. The dialog box appears on top of everything
else and makes a beep sound. Parameters:
Title (required) - The text to put in the title of the message box.
Text (required) - The body of the message that is in the message box.
--- TCP/IP Commands ---
Map Port -> Other IP
Binds to a TCP port and redirects all traffic to that port over to a different IP address. You can use this
command to 'bounce' TCP connections off of the BO2K server. Parameters:
Server Port (required) - The TCP port number that is to be redirected.
Target IP Address:Port (required) - The destination of the port redirection.
Map Port -> Console App
Binds to a TCP port and redirects the standard input and output from a console application to the port.
This can be used to simulate a 'remote shell'. Parameters:
Port (required) - The TCP port number on the server to put the console on.
Full command line (required) - The full command line of the program that you wish to execute.
Map Port -> HTTP Fileserver
Serves HTTP requests over a TCP port. The HTTP server allows you to browse the filesystem of
the server machine and the local network neighborhood. The HTTP server can be 'rooted' at a particular directory
in order to restrict which files people can download and browse through. Parameters:
Port (required) - The port number to put the HTTP server on.
Root Path (optional) - The optional root directory of the browsable filesystem.
Map Port -> TCP File Receive
Receives a file that is sent to the chosen port via a raw send (such as with Netcat), and dumps it directly
to a file. Useful as a quick-and-dirty, unencrypted, file transfer method. Parameters:
Port (required) - The port number to receive the file on.
Pathname (required) - The pathname to receive the file to.
List Mapped Ports
Returns a list of which ports on the server machine are mapped to which services.
Remove Mapped Port
Removes a mapped port, stopping whatever service it was providing. Use this to turn off a console app spawn,
the HTTP fileserver, TCP File Receive, etc. Parameters:
Port (required) - the port that the service you wish to stop was spawned on.
TCP File Send
Sends a file directly from the server to a target machine via TCP. Suitable for sending a file to another server
running the "TCP File Receive" port service. Parameters:
Source Port (optional) - The desired source port on the server from which to send the file data. If you do not
choose a source port, one will be selected at random.
Target Address:Port (required) - The target machine's TCP receive service address.
Pathname (required) - The name of the file on the server to send to the remote machine.
--- M$ Networking ---
Add Share
Shares a machine resource on the server. Right now limited to drives/paths. Parameters:
Pathname (required) - The pathname that you want to share to the world.
Share Name (required) - The name that you wish the share to be known as.
Remove Share
Unshares a machine resource on the server. Parameters:
Share Name (required) - The name of the share that you wish to remove.
List Shares
Lists which shares on the system are available and which paths/resources they map to. Also shows hidden shares.
List Shares on LAN
Enumerates the shares on the server's local network. Like network neighborhood.
Map Shared Device
Maps a share on a remote machine to a local drive letter. Much like 'mounting' a remote share. Parameters:
Local Name (required) - The local name of the shared device (Drive letter).
Remote Share Path (required) - The UNC Pathname to the remote share.
Username:Password (optional) - The username/password pair used to share this device if the machine is in "share password" mode.
Unmap Shared Device
Unmaps a share on a remote machine from a local drive letter. Much like 'unmounting' a remote share. Parameters:
Local Name (required) - The local name of the shared device.
List Connections
Lists which machines are connected to the server, using shared resources.
--- Process Control ---
List Processes
Shows the process list for the server machine, with process names and process identifiers. Optionally on
Windows NT, you can specify the name of an alternate Windows NT machine to dump the process table of remotely. Parameters:
Remote machine (optional) - The machine name of the Windows NT machine to retrieve the process table of.
Kill Process
Abruptly terminates a running process on the server machine given its process ID. A list of process IDs is
returned by the previous 'List Processes' command. Parameters:
Process ID (required) - The process ID of the process you wish to terminate.
Start Process
Starts a process by running an executable file on the server. Parameters:
Pathname and arguments (required) - The command line of the program to execute.
--- Registry ---
Create Key
Creates a registry key. Does not set a default value to the key. Parameters:
Full Key Path (required) - The full path from the base of the registry to the key. The HKEY abbreviations
are supported in the key path, for example: "HKLM\Software\Microsoft\Windows" is a valid key, where HKLM is an
abbreviation for HKEY_LOCAL_MACHINE. Valid abbreviations are: HKCR,HKU,HKLM,HKCU, and HKDD.
Set Value
Creates and/or sets the value of a registry key. Parameters:
Full Key Path (required) - The full path from the base of the registry to the key. See above for description.
Type:(Value Name):Value Data (required) - This string is comprised of three sub-parameters: Type can be one of B,D,S,M, or E. Value Name
is the name of the value, and Value Data is the type-specific data to be stored in the key. Valid data formats follow:
B - Binary data type: Value data is formatted as a series of hexadecimal bytes. Eg: B:(rubber ding dong):CD C3 13 37 12 34 56 78
D - DWORD data type: Value data is either a hexadecimal dword (preceded by '0x') or a decimal dword. Eg: D:(booga boo):16823049 or D:(booga boo):0xD34DB33F
S - String data type: Value data is an escaped C string. Valid escape sequences are the same as in C, such as \n, \r, \0, etc. Eg: S:(message):Bite my ass.\nYeah, you.
M - MultiString data type: Value data is a series of escaped C strings, separated by a null character. Eg: M:(twomessages):Bite my ass.\0Also, bite your own.\0
E - ExpandString data type: Value data is a regular string that performs environment variable expansion. Eg: E:(path):c:\\mybutt;d:\\yourbutt;%path%
Delete Key
Deletes a key from the registry. Deletes all values and keys underneath the target key as well. Parameters:
Full Key Path (required) - The full path from the base of the registry to the key. See above for description.
Delete Value
Deletes a value from a registry key. Parameters:
Full Key Path (required) - The full path from the base of the registry to the key. See above for description.
Value Name (required) - The name of the value within the key to delete.
Enumerate Keys
Lists the single-level subkeys of a particular registry key. Parameters:
Root Key Path (required) - The full path from the base of the registry to the key you wish to enumerate subkeys of. See above for description.
Enumerate Values
Lists the values of a particular registry key. Parameters:
Full Key Path (required) - The full path from the base of the registry to the key you wish to enumerate values of. See above for description.
--- Multimedia ---
Capture Video Still
Captures a video image bitmap from a video capture device, such as a Quickcam or external camera, and saves it to a disk file. Parameters:
Device # (required) - The number corresponding to the video capture device to capture from. A list of capture devices can be retrieved with the 'List Capture Devices' command below.
Filename (required) - The full pathname of the BMP file to capture the video image to.
Width, Height, BPP (optional) - The width and height of the image to capture, along with the bitmap bit depth. Defaults are 640x480x16bpp.
Capture AVI
Captures a motion video from a video capture device and saves it to the local drive (uncompressed). Parameters:
Device # (required) - The number corresponding to the video capture device to capture from. A list of capture devices can be retrieved with the 'List Capture Devices' command below.
Filename (required) - The full pathname of the AVI file to capture the video sequence to.
Seconds (optional) - The number of seconds to record to the AVI file. Default is 5 seconds.
Width, Height, BPP (optional) - The resolution of the video stream to capture, and the bit depth. Defaults to 160x120x16bpp.
Play WAV File
Plays a WAV audio file through the system default mixer. Parameters:
Filename (required) - The full path name of the .WAV audio file to play.
Play WAV File In Loop
Plays a WAV file over and over again. User won't be able to stop the sound. To stop the sound, use the 'Stop WAV File' command below. Parameters:
Filename (required) - The full path name of the .WAV audio file to play.
Stop WAV File
Stops whatever audio file is being played through the default mixer.
List Capture Devices
Lists the video capture devices in the system, giving each an index number to refer to them by.
Capture Screen
Captures the desktop screen to a disk file. Like pressing printscreen, pasting
into a paint program, and saving to disk. Parameters:
Filename (required) - The full path name of the file to save the screen image to.
--- File and Directory ---
List Directory
Displays a directory listing of files, their dates and times of creation, and their sizes. Also shows attributes. Parameters:
Pathname (required) - The full pathname from the filesystem root to the desired directory.
Find File
Given a directory and a wildcard file specification, recursively hunts down all files beneath or at the specified directory matching the filespec criteria. Parameters:
Root path (required) - The full pathname from the filesystem root to start searching at.
Filename Spec (required) - The filename wildcard specification to match. Accepts standard '*' and '?' wildcards.
Delete File
Deletes a file via its full pathname. Parameters:
Pathname (required) - The full pathname from the filesystem root to the file to delete.
View File
Views the contents of a text file through the command response window. Useful for browsing small text files. Parameters:
Pathname (required) - The full pathname from the filesystem root to the file to view.
Move/Rename File
Moves a file from one pathname to another. Renames a file if the paths point to the same directory. Can be used to move a file across filesystems and networked machines. Parameters:
Pathname (required) - The full pathname from the filesystem root to the source file to move.
New Pathname (required) - The full pathname from the filesystem root to the destination file.
Copy File
Copies a file from one pathname to another. Can be used to copy a file across filesystems and networked machines. Parameters:
Pathname (required) - The full pathname from the filesystem root to the source file to copy.
New Pathname (required) - The full pathname from the filesystem root to the destination file.
Make Directory
Creates a directory. Will only create one directory at a time. Parameters:
Pathname (required) - The full directory name, ending in the directory to create.
Remove Directory
Removes a directory. Will only remove one directory at a time and will not remove files within a directory. Parameters:
Pathname (required) - The full directory name, ending in the directory to remove.
Receive File
Creates an encrypted/authenticated socket and receives a file over it. Uses a proprietary transfer protocol, but it's simple and it's not FTP (phew!). Parameters:
BINDSTR,NET,ENC,AUTH (opt) - The ubiquitous BO2K binding string specification. Specifies which port, network protocol, encryption type, and authentication type. Any field can be left blank to use the defaults.
Pathname (required) - The full pathname to the file that will be received.
Send File
Creates an encrypted/authenticated socket and sends a file over it. Uses a proprietary transfer protocol, but it's simple and it's not FTP (phew!). Parameters:
Address(required)[,NET,ENC,AUTH] (opt) - The ubiquitous BO2K connect string specification. Specifies which address to connect to, also specifies network protocol, encryption type, and authentication type. Any field except address can be left blank to use the defaults.
Pathname (required) - The full pathname to the file to send.
List Transfers
Lists which transfers are active to which files over which ports. Lists transfers started with receive, send, or emit file commands.
Cancel Transfer
Cancels a file transfer either in progress, or one that has not yet started. Cancels transfers started with receive, send, or emit file commands. Parameters:
Pathname (required) - The full pathname to the file associated with the transfer to cancel.
--- File Compression ---
Freeze File
Compresses a single file. Not compatible with the original Back Orifice Freeze File procedure, but employs slightly better compression this time. Parameters:
Pathname (required) - The source pathname from the filesystem root to the file to compress.
Output Pathname (required) - The output pathname from the filesystem root to the file to write the compressed output to.
Melt File
Uncompresses a single file that has been compressed with "Freeze File". Not compatible with the original Back Orifice Freeze File procedure. Parameters:
Pathname (required) - The source pathname from the filesystem root to the file to uncompress.
Output Pathname (required) - The output pathname from the filesystem root to the file to write the decompressed output to.
--- Resolver ---
Resolve Hostname
Resolves a host name to a network address using a DNS query. Parameters:
Hostname (required) - The hostname string to resolve.
Resolve Address
Resolves a network address to a hostname using a DNS inverse query. Parameters:
Address (required) - The network address to reverse-resolve.
--- Server Control ---
Shutdown Server
Shuts the BO2K Server down completely. The server will lose all connections and will be unresponsive (cause it isn't running!). Parameters:
DELETE option (optional) - If you fill this field in with the phrase 'DELETE', it will fully uninstall the BO2K server such that it doesn't run
any more upon boot-up or login. Does not remove the actual installed file, however. It just won't run on startup.
Restart Server
Shuts down and restarts the BO2K Server. Useful if you have made any configuration changes or if the BO2K server has been corrupted or is behaving
strangely due to poorly written plugins or whatnot. The server will lose all connections but will remain responsive once it comes back up. Parameters:
Host process name (optional) - If you are running under Windows NT, and not as a service, you can choose to hop the BO2K server around between
different processes' address space. This is of limited usefulness, but it does make you feel like the 'ghost in the machine'.
Load Plugin
Dynamically loads an external BO2K plugin DLL. Runs all of the plugin initialization code and registers new commands with the server. Parameters:
Plugin filename (required) - The full pathname from the root of the filesystem to the plugin DLL you wish to load.
Debug Plugin
Dynamically loads an external BO2K plugin DLL using a more debugger-friendly loading method. This method requires that the DLL is a standard Windows DLL, but allows
for debugger interaction with the plugin. For developers only. Parameters:
Plugin filename (required) - The full pathname from the root of the filesystem to the plugin DLL you wish to load.
List Plugins
Gives a list of which BO2K plugins are currently loaded.
Remove Plugin
Unloads a plugin via its plugin number. Plugin number is determined from the output of the "List Plugins" command. Parameters:
Plugin number (required) - The plugin number to unload as returned by the List plugins command.
Start Command Socket
Starts up a BO2K command socket that a client can connect to, authenticate with, and send encrypted commands to. Parameters:
[NETMOD][,ENC][,AUTH] (optional) - the network module, encryption, and authentication settings for the command socket. If any of these are left blank, defaults are used.
[Bind Str] (optional) - The binding string for the command socket. This is optional, but is usually filled in. If it's not, then the default binding string is used.
List Command Sockets
Lists the command sockets that the BO2K server has made available. Lists socket information along with the internal 'command socket #'.
Stop Command Socket
Shuts down a BO2K command socket. This can be used to shut down all sockets, btw. And that's probably not a good idea. Parameters:
Command Socket # (required) - The number of the command socket to shut down, as returned by the 'List Command Sockets' command.
--- Legacy BUTTplugs ---
Start BUTTPlug
Runs an original Back Orifice BUTTPlug function. Parameters:
PluginDLLPath::FunctionName (required) - 'PluginDLLPath' is the full path to the BUTTPlug plugin DLL. Two colons separate the function name to execute.
List BUTTPlugs
Lists which original Back Orifice BUTTPlug functions are currently active.
Stop BUTTPlug
Deactivates an original Back Orifice BUTTPlug function. Parameters:
Plugin # (required) - The number of the BUTTPlug function to terminate. This number can be retrieved via the 'List BUTTPlugs' command.