Badgers Tab

The badger’s context menu provides a variety of ways to interact with the badger.

Badger Console

The badger’s interactive console can be accessed by double-clicking a badger, or by right-clicking it and selecting Load or Load Adjacent Tab. Load Adjacent Tab opens multiple consoles side by side, whereas Load opens the console as a tab alongside the existing ones. You can also select multiple badgers with the mouse or with shift-click and load all of them at once. The title of a badger’s console can be changed with the title <titlename> command in the console, and the screen can be cleared with cls or clrscr. Clearing the screen does not delete the output logs; it only clears the display until the console is closed and opened again. All badger output is stored hierarchically in the logs directory on the ratel server.

Clear Command Queue

Badgers are asynchronous in nature. Once a badger completes its sleep cycle, it connects to the server, requests all tasks in the queue, downloads them, runs the requested commands and returns the responses the next time it checks in. While a badger is in stasis, its commands are held in a queue on the server. The Clear Cmd-Q option removes any commands queued on the server for that badger. Queued commands can only be cleared before the badger checks in and retrieves them; once fetched, they are automatically removed from the server since they have served their purpose.

Malleable Profile Switcher

HTTP/HTTPS malleable profiles can be changed on the fly for badgers. A malleable profile can be added to the Payload Profiler or generated dynamically when you add a new listener. Once profiles are added to the server, you can change a badger’s profile at any time by right-clicking the badger and selecting the ‘Switch Profile’ option. You can also load a JSON file (profile format) directly from disk. This is similar to using the switch_profile command from the console. It will NOT spawn a new badger on the host, but the badger will show up under a new badger ID on the server, since its token changes with the new profile.

Process Manager

A graphical Process Manager can be accessed by right-clicking a badger and selecting Process Manager. It is similar to the ps command from the badger’s console.

The process manager provides additional options such as searching for a process, killing a process, changing the PPID used for fork&run and stealing a token.

File Explorer

The File Explorer of Brute Ratel provides a graphical user interface for interacting with local and remote file systems. When you select File Explorer from the badger’s context menu, it opens the C: drive by default. You can double-click each folder to view its contents. The right-hand side shows the file names in the selected directory, the date modified and the file size. If for some reason a directory is not accessible, the error shows up in the badger’s console. You can also access network paths by entering them in the location input box of the File Explorer.

Arsenal

Crypt Vortex

Crypt Vortex is a ransomware simulation module which uses a custom encryption algorithm to encrypt files. It can encrypt and decrypt files on a host and provides a few customization options, such as recursive folder encryption. You can run this command by right-clicking a badger and selecting Arsenal->Crypt Vortex.

You can encrypt or decrypt a specified path. The encrypt option provides 4 options: the first is the encryption key, the second is the path to encrypt and the third is the extension given to each file after encryption completes. The command also supports an additional optional argument to restrict encryption to selected file types. For example, to encrypt only Word and Excel files, specify .docx and .xlsx separated by commas.

Encryption is recursive, so if the path contains folders and those folders contain more folders, all of them are encrypted one by one. The figure below shows a directory which contains 4 files. The cryptvortex command also returns the status of the encrypted files and the password used to encrypt them. If you later decide to decrypt some files, you can still find the password in the badger logs.

The figure below shows the encrypted content of a simple text file, which looks like garbage. Once the encryption process completes, the original file is deleted from disk. Take great care when running this, since it can heavily damage the host if you don’t know what you are doing.

Similar to encryption, Brute Ratel also provides a decrypt option. This runs the reverse algorithm to decrypt the files in a provided path. It also takes a file extension, which it appends to the names of the decrypted files.

We chose .dec as the decrypted file extension, so it decrypts all the files in the given directory and stores them on the same path with the .dec extension.

The figure below shows the decrypted contents of the file.

LDAP Sentinel

LDAP Sentinel is provided as a reflective DLL as well as an inline option in badger. This command/module provides a graphical user interface to query various Active Directory objects and attributes. It can be useful for searching SPNs, Domain Admins, groups/services or other objects within the Active Directory environment. You can start LDAP Sentinel by right-clicking a badger and selecting Arsenal->LDAP Sentinel.

LDAP Sentinel provides several prebuilt queries for Active Directory. It also provides a query filter if you want to search for a specific attribute. These queries use exactly the same syntax as Microsoft’s LDAP filters, and you can also write your own. You can select how to run your query, either via process injection or directly from within the badger.

Below is an example of a built-in query to search for all SPNs. If you select the Forest checkbox, it queries the forest as a whole. The figure below shows the output on the badger’s console.

Similarly, LDAP Sentinel provides many prebuilt queries by default to enumerate Active Directory objects and attributes.

One more example below shows the LDAP filter to search Canonical Names for the Domain Admins Group (cn=Domain Admins).

This filter searches for and returns all users in the Domain Admins group.

LDAP Sentinel also provides an option to run raw LDAP queries on any domain/forest of your choice. All queries run in memory using the ActiveDS WinAPIs. The figure below shows an LDAP query running on the bruteratel.corp domain to find all users whose passwords are set to ‘Never Expire’. Future versions of LDAP Sentinel will include several built-in LDAP queries so that users won’t have to write most of the common LDAP queries manually.

Below is an example of an inline LDAP query running directly from the badger’s console. This option is handy for quickly performing raw queries, with an option to specify whether to query a domain or a forest (drop-down box on the right).
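The three queries mentioned above (accounts with an SPN, the Domain Admins group by its cn, and accounts whose password never expires) all use the Microsoft LDAP filter syntax that LDAP Sentinel accepts. The following is an added example, not Brute Ratel code, that builds those filters from small helpers and escapes any value an operator supplies (RFC 4515), so a value such as `x)(cn=*` is matched literally instead of rewriting the filter. The matching-rule OID and the userAccountControl flag value are Microsoft's documented constants; the objectClass/objectCategory terms are this example's choice of how to scope each query.

```python
"""Build LDAP search filters in the RFC 4515 syntax LDAP Sentinel accepts.

Added example (not Brute Ratel code). The SPN, Domain Admins and
password-never-expires queries from the text are assembled from helpers,
and operator-supplied values are escaped so they cannot alter the filter.
"""

# Microsoft's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND);
# it tests whether every bit of a mask is set in an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
# userAccountControl flag for "Password never expires" (0x10000 = 65536).
UF_DONT_EXPIRE_PASSWD = 0x10000

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """Equality filter with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def present(attr: str) -> str:
    """Presence filter: the attribute has at least one value."""
    return f"({attr}=*)"


def bit_and(attr: str, mask: int) -> str:
    """True when every bit of `mask` is set in the integer attribute."""
    return f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def all_of(*terms: str) -> str:
    """AND the given filter terms together."""
    return "(&" + "".join(terms) + ")"


def spn_accounts() -> str:
    """User objects that carry a servicePrincipalName (the SPN search)."""
    return all_of(equals("objectClass", "user"), present("servicePrincipalName"))


def group_by_cn(cn: str) -> str:
    """A group object by common name, e.g. cn=Domain Admins; its member
    attribute lists the accounts in the group."""
    return all_of(equals("objectClass", "group"), equals("cn", cn))


def password_never_expires() -> str:
    """User accounts with the DONT_EXPIRE_PASSWD flag set."""
    return all_of(
        equals("objectCategory", "person"),
        equals("objectClass", "user"),
        bit_and("userAccountControl", UF_DONT_EXPIRE_PASSWD),
    )


if __name__ == "__main__":
    for query in (spn_accounts(), group_by_cn("Domain Admins"), password_never_expires()):
        print(query)
```

The escaping matters wherever a filter is built from free-form input (a search box, a script argument): without it, a stray `)` or `*` changes the structure of the query rather than being part of the value.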

Socks Bridge

Socks Bridge is a Socks4a reflective DLL which can be injected into any process. It is a connector which connects to Boomerang’s HTTP/HTTPS Socks server. The socks profile is fully configurable and can be accessed by right-clicking a badger and selecting Arsenal->Socks Bridge. Socks Bridge can be used to proxy-pivot to any internal resource such as RDP, web servers or any other application.

The socks configuration can be set to access an HTTP or an HTTPS Socks server. The example below uses port 80. Make sure you have the Boomerang proxy server in place before you inject the Socks proxy. Once you have created the server, you can connect to it using a configuration like the one in the figure below.

The badger’s console returns output showing the exact configuration that was sent to the reflective DLL, which is injected into the newly created process set using set_child.

In the image below, the top-left block displays the arguments used to start an HTTP Socks server with Boomerang, using port 9050 as the proxy server port and port 80 as the socks server port for the badger. The top-right part is proxychains, using remmina to socks-proxy into localhost (since localhost is the same server as the socks server in my case). The bottom right shows the proxychains.conf config, which is localhost on port 9050, and the bottom left shows the successful RDP connection to localhost on 3389 (which is our Socks Bridge DLL trying to RDP to localhost and returning the output here).
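Socks Bridge speaks SOCKS4a, so the RDP pivot above begins with a SOCKS4a CONNECT handshake between the connector and the proxy server. The following is an added example, not Brute Ratel or Boomerang code, that encodes and decodes both sides of that handshake on constructed data: the client builds a CONNECT request for localhost:3389 (the RDP scenario from the text), the server side parses it, applies an assumed allow-list callback and answers with a grant or a rejection. The fixed header layout (version byte 4, command 1, a 0.0.0.x destination IP meaning "hostname follows") is what a network sensor or proxy log parser keys on to recognise SOCKS4a.

```python
"""SOCKS4a CONNECT handshake, both sides, as an added example.

Not Brute Ratel or Boomerang code. Request: VN=4, CD=1, DSTPORT, DSTIP,
USERID NUL [, HOSTNAME NUL when DSTIP is 0.0.0.x]. Reply: VN=0, CD, port, ip.
"""
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0          # reply packets carry a zero version byte
REPLY_GRANTED = 0x5A       # 90: request granted
REPLY_REJECTED = 0x5B      # 91: request rejected or failed
# SOCKS4a marker: DSTIP of 0.0.0.x (x != 0) means a hostname follows USERID.
SOCKS4A_MARKER = b"\x00\x00\x00\x01"


def build_connect_request(host: str, port: int, userid: str = "") -> bytes:
    """Client side: build a SOCKS4a CONNECT request for host:port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, SOCKS4A_MARKER)
    return header + userid.encode("ascii") + b"\x00" + host.encode("idna") + b"\x00"


def parse_connect_request(data: bytes) -> dict:
    """Server side: validate the fixed header and extract the destination."""
    if len(data) < 8:
        raise ValueError("truncated SOCKS4 header")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS_VERSION:
        raise ValueError(f"unexpected version byte {vn}")
    if cd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cd}")
    userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("USERID not NUL-terminated")
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    if is_4a:
        host, sep, rest = rest.partition(b"\x00")
        if not sep:
            raise ValueError("hostname not NUL-terminated")
        host = host.decode("idna")
    else:
        host = ".".join(str(b) for b in ip)   # plain SOCKS4: literal IPv4
    if rest:
        raise ValueError("trailing bytes after request")
    return {"host": host, "port": port, "userid": userid.decode("ascii"), "socks4a": is_4a}


def build_reply(granted: bool, port: int = 0, ip: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Server side: 8-byte reply with CD=90 (granted) or 91 (rejected)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", REPLY_VERSION, code, port, ip)


def parse_reply(data: bytes) -> bool:
    """Client side: True if the proxy granted the connection."""
    if len(data) != 8:
        raise ValueError("reply must be exactly 8 bytes")
    vn, code, _port, _ip = struct.unpack("!BBH4s", data)
    if vn != REPLY_VERSION:
        raise ValueError(f"unexpected reply version {vn}")
    if code == REPLY_GRANTED:
        return True
    if code == REPLY_REJECTED:
        return False
    raise ValueError(f"unknown reply code {code}")


def handshake(host: str, port: int, allow) -> tuple:
    """Run both sides in-process. `allow(host, port)` is an assumed policy hook
    standing in for whatever the real proxy decides; returns (parsed, granted)."""
    wire_request = build_connect_request(host, port, userid="badger")
    parsed = parse_connect_request(wire_request)
    wire_reply = build_reply(allow(parsed["host"], parsed["port"]))
    return parsed, parse_reply(wire_reply)


if __name__ == "__main__":
    # Constructed scenario from the text: RDP to localhost on 3389 via the proxy.
    parsed, ok = handshake("localhost", 3389, allow=lambda h, p: p == 3389)
    print(parsed, "granted" if ok else "rejected")
```

Because SOCKS4a carries no authentication beyond the free-form USERID field, the proxy's own allow-list (the `allow` hook here) is the only control on what the connector can reach through it.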

Clickscript

Click Scripting is a feature which allows users to automate execution of commands in bulk. Unlike the ‘Autoruns’ feature, which lets a user auto-execute several commands on the first connection of a badger, Click Scripts are lists of commands which can be chained together and executed one after the other at any point in time. This helps with automated execution of commands belonging to different tactics and techniques of MITRE ATT&CK, which can be useful during Purple Team engagements. Below is an example of some discovery-based commands grouped into a single click script called ‘Discovery’.

To add a new click script, select C4 Profiler->Clickscripts. This opens a new dialog box where a new script can be added using the ‘+’ icon. Once a script has been added, commands can be added to it by selecting the script and then clicking the button highlighted in the figure below.

After adding the scripts, the Click Script Runner can be loaded by right-clicking a badger and selecting Load ClickScript. This opens a new tab where the different scripts can be run with a single click, as shown in the earlier figure. Click Scripts can also be added directly to the C4 profile in a simple key-value format as below.

{
    "click_script": {
        "Credential Dumping": [
            "samdump",
            "shadowclone",
            "dcsync"
        ],
        "Discovery": [
            "id",
            "pwd",
            "ipstats",
            "psreflect echo $psversiontable",
            "net users",
            "scquery"
        ]
    }
}

Export Metadata

The Export to CSV option exports the metadata of one or more badgers to a CSV file, which is useful when building reports.

Marking Badgers

The Mark Dead option marks badgers which no longer connect back as dead. This can be used to filter out dead badgers, and they are greyed out. Note that if a badger checks in after being marked dead, it is automatically marked as undead again. The image below shows badgers b-0 and b-2 marked dead.

Exit Techniques

Sometimes during assessments you may have injected your badger into a legitimate process that was already running. In such scenarios you might not want the whole process to exit when you kill your badger, especially if you are injected into something sensitive like explorer.exe or a browser. For such cases, you can ask the badger to exit only the current thread instead of the whole process, using the Exit Thread option here or by typing exit_thread in the badger’s console. Exit Process exits the whole process instead of just the current thread.