basicRAT

This is a cross-platform Python 3.6.x Remote Administration Tool (RAT). Currently still a work in progress, and gets hacked on as time allows. See the binaries/ folder for prebuilt client executables.

Disclaimer: This RAT is for research purposes only, and should only be used on authorized systems. Accessing a computer system or network without authorization or explicit permission is illegal.

Features

Cross-platform (Windows, Linux, and macOS)

AES-256 encrypted C2 with D-H exchange

Accepts connection from multiple clients

Command execution

Standard utilities (cat, ls, pwd, unzip, wget)

System survey

Self-destruct

Primitive port scanning

Client reconnect

Usage

Client

C:\>basicRAT_client.exe --ip 127.0.0.1 --port 1337 --timeout 30

Where ip is the basicRAT server IP address, port is the server listening port, and timeout is the number of seconds the client waits to attempt a reconnect to the server (if disconnected). These are the default values if not specified, you will likely need to supply at least an IP and port if using basicRAT outside of your local system.

Server

$ python basicRAT_server.py

____ ____ _____ ____ __ ____ ____ ______ . ,

| \ / |/ ___/| | / ]| \ / || | (\;/)

| o )| o ( \_ | | / / | D )| o || | oo \//, _

| || |\__ | | |/ / | / | ||_| |_| ,/_;~ \, / '

| O || _ |/ \ | | / \_ | \ | _ | | | "' ( ( \ !

| || | |\ | | \ || . \| | | | | // \ |__.'

|_____||__|__| \___||____\____||__|\_||__|__| |__| '~ '~----''

https://github.com/vesche/basicRAT

basicRAT server listening for connections on port 1337.

[?] basicRAT> help

Command | Description

---------------------------------------------------------------------------

cat | Output a file to the screen.

client | Connect to a client.

clients | List connected clients.

execute | Execute a command on the target.

goodbye | Teardown the server and selfdestruct all clients.

help | Show this help menu.

kill | Kill the client connection.

ls | List files in the current directory.

persistence | Apply persistence mechanism.

pwd | Get the present working directory.

quit | Exit the server and keep all clients alive.

scan | Scan top 25 TCP ports on a single host.

selfdestruct | Remove all traces of the RAT from a target system.

survey | Run a system survey.

unzip | Unzip a file.

wget | Download a file from the web.

[?] basicRAT> clients

ID | Client Address

-------------------

1 | 127.0.0.1

[?] basicRAT> client 1

Client 1 selected.

[1] basicRAT> execute uname -a

Running execute...

Linux sandbox3 4.9.17-c9 #1 SMP Thu Mar 23 01:38:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

execute completed.

Build your own stand-alone executable

If you'd rather not use one of the prebuilt binaries, you can easily create your own executable like so:

On Windows you will need:

Nuitka

On Windows you will need a C compiler, see the Nutika usage page.

pefile & PyCryptodome - C:\>python -m pip install pefile pycryptodome

Then run nuitka --recurse-all basicRAT_client.py inside the basicRAT/ repo, which should create a basicRAT_client.exe stand-alone PE (portable executable).

On Linux/macOS you will need:

Nuitka & PyCryptodome - $ pip install nuitka pycryptodome

Then run nuitka --recurse-all basicRAT_client.py inside the basicRAT/ repo, which should create a basicRAT_client.exe (the file extension is unimportant) stand-alone ELF/Mach-O executable.

Authors

Austin Jackson @vesche

Skyler Curtis @deadPix3l

Contributors

@reznok, multiple client connection prototype.

Other open-source Python RATs for Reference