Built-in Socks, Burnable Socks and Socks Over DOH

Brute Ratel comes with built-in socks client which uses the current listener as a socks server, and also helps with nested pivoting.

Apart from using the current listener as socks, operators can also use a burnable socks server without injection, either over HTTPS or DNS over HTTPS. The socks client in badger can be started or stopped with the ‘socks_start’ and ‘socks_stop’ command which will also autostart and stop the socks server on the active listener. A list of active socks server on the listener can be found by selecting ‘Server->View Active Socks’ Menu.

To start the socks server, use the ‘socks_start’ command with a given port. The socks client updates the Commander with every socket connection made on the endpoint.

The below video provides a brief example of using socks over Dns Over Https.


The burnable socks server can be used with a different profile and sleep zero (without injection), while still making the badger’s core sleep with the operator provided sleep and jitter values. This means, if the operator does not want to use the current listener as the socks server, then the operator can start a separate socks server with an altogether different profile and request the badger to connect to the socks server using the ‘socks_profile’ and the ‘socks_profile_start’ command just for pivoting. This will only route the socks traffic to the new server, while the badger’s core will still connect to the original listener with the user provided sleep and jitter values to execute commands. In short, single badger connecting to two different servers with different profiles and different sleep time. This temporary profile is auto-cleared from the memory of the badger when the ‘socks_stop’ command is called. Note that while socks is active, the badger’s sleep masking will be disabled.