Brute Ratel C4 v0.3 (Vendetta) is now available for download and provides a major update towards lateral movement and payload generation capabilities. We have officially started providing trial licenses of 7 days now which wasn’t possible earlier due to the way the licensing system was programmed.
Brute Ratel now supports lateral movement towards windows systems using a customized PsExec feature. BRc4’s PsExec feature creates a service on a given remote system and starts it using Remote Procedure Calls (RPC). Unlike Microsoft’s PsExec which uses CreateProcess to pipe cmd.exe to our C4, BRc4’s PsExec service contains a shellcode blob for a payload profile provided during the execution of PsExec. This payload can either be SMB, HTTP or a TCP payload and doesn’t necessarily limit you to just SMB badgers. One of the most important OpSec consideration during lateral movement is to keep yourself disguised as a legitimate service. Several PsExec options such as service name, description, service executable name and the type of payload to execute on the remote host are customizable on-the-go via the Payload Profiler option, thus allowing different service names and description in different pivot hosts. PsExec’s service configuration can be changed from C4 Profiler->PsExec Config.
BRc4’s PsExec lead to rise of another feature where you can query, create or delete services locally and remotely over RPC. This allows Red Team Devs to create their own post-exploitation tools and execute them on remote host all just using RPC.
BRc4 now provides two more options to create payloads i.e. DLL and service executable. The DLL can be run using rundll32 or by loading it reflectively into a remote process and the service can be used alongside the sccreate command of the badger to execute them on remote hosts. The service creation option also allows the user to use a custom Service name and Service Description which would be shown on the endpoint once executed remotely.
Nomad badger is another new feature of BRc4 which provides server rotation functionality. You can now provide multiple redirectors to create a Nomad badger. When the badger is executed on a host, it will randomly select the redirectors everytime instead of connecting to a constant C4 server. The redirectors can route all the traffic to your C4 server using something like socat or nginx. This way your original C4 server stays hidden and you can host anywhere from 1 to 100 different redirectors all of which will be selected randomly during badger’s communication. This is a great way to establish connection to your server when you don’t know what categories are allowed by the victim’s proxy server and you have created multiple different servers with different categorization. A simple socat command to use as a redirector would be:
socat TCP4-LISTEN:443,fork TCP4:your_c4_host_IP:443
The earlier versions of BRc4 provided an event viewer and badger statistics dashboard which was a bit cluttered. Upon receiving several requests to change it, I have now provided the option to minimize the space it takes up on UI. A new scratchpad is also added to the dashboard which returns latest web activity on your C4 server for deauthenticated badgers and other web requests. You have the option to hide the dashboard altogether if not required however which wasn’t possible earlier.
Boomerang was another feature which now comes integrated with Ratel server. Several improvements have been made to boomerang which support a customized socks protocol over HTTP with authentication support. BRc4 now supports a customized socks protocol which is much faster than the usual socks proxy. This also means the Ratel server can act as a standalone socks proxy on different servers instead of using the core C4 server as the socks server.
Apart from the above features, Brute Ratel payloads receive several tiny updates to the way how it communicates with the remote badgers for lateral movement. Payload profiler supports duplication of created profiles to quickly edit and modify existing profiles via the GUI to enhance the user experience. A new multi-credential import via CSV option has been added to import leaked credentials found via OSINT directly into the server to utilize it with make_token functionality. Multiple API calls from msvcrt.dll such as memcpy, malloc, realloc and several other low level calls have been rewritten in assembly to avoid debuggers locking onto these APIs to hunt sensitive heap allocated information in memory to harden reversing of the badgers. A new Discord channel has also been created to add support for feature requests, tutorials and bugs for Brute Ratel.