Ratel Server

The Ratel Server is an API-driven server which works over HTTP, DNS and WebSocket. Operators can use the API documentation provided alongside the BRc4 package to automate some of the tasks that are normally performed using the Commander UI. The Ratel Server primarily operates over WebSocket to take commands from the UI/Operator's client and either consume the request or forward the command in the request to the badger. All requests and responses sent and received by the Ratel Server are in JSON.

The Ratel Server also accepts a few command-line arguments. The user can start the server by providing the required command-line arguments, or provide a JSON configuration file (C4 Profile) and automate several tasks on the server. When you start a server for the first time, you have to supply the admin username and password. Alternatively, it also accepts a certificate and a key file, which it uses for HTTPS and WebSocket connections. The Ratel Server can be started in either boomerang mode or ratel mode.

Ratel Mode

Ratel mode is the core server mode: it interacts with badgers, starts listeners and is your main C2 communication channel. For operational security, Boomerang and Brute Ratel are not supposed to be run on the same server, since Boomerang agents, when injected by the badger, create a lot of HTTPS traffic due to the nature of a socks proxy. Brute Ratel mode can be started as shown in the image below.

Boomerang Mode

In Boomerang mode, the server acts as a standalone Socks Proxy Server over HTTPS. The -host argument specifies the HTTPS server to which the badgers connect to send the pivot data, and the proxychains host/port can be specified using the -proxy argument. Boomerang mode also accepts a password for socks authentication and an SSL key/cert for HTTPS encryption. All invalid requests/scans from third parties are shown by the server if the -v option is selected, and they can also be written to a file using the -o option. The full usage of Boomerang Socks4a proxy server is detailed here.

Updating Brute Ratel Package

The Brute Ratel package can be updated using the -update command-line argument from the ratel server console (brute-ratel-linx64/brute-ratel-armx64). When you attempt an update, it will ask you to enter the license key and the registered email ID. If you have lost your license key, you can request a duplicate by contacting support@bruteratel.com.