Listeners in Brute Ratel provide a variety of ways to configure and handle badger communications. To create a listener, select C4 Profiler->Add Listener. Add Listener takes multiple inputs from the user to make the listener look like a legitimate web server.
It takes a listener name, which must be unique so that it can be distinguished from other listeners. The ‘Listener Bind Host’ field takes the IP address of the host interface, and the port field takes the port to listen on. The ‘Rotational hosts’ field takes the domain names of external servers or redirectors, or a set of IP addresses if used internally. The ‘Host header’ field is specific to domain fronting. The ‘Extra Headers’ field can take a set of headers to simulate Gmail, AWS, Azure or any other legitimate requests.
The URI field takes multiple comma-separated values. One important note: do not add a leading slash to the start of the listener URI in this field. For example, the field should contain ‘content.php,admin.php’ but not ‘/content.php,/admin.php’. The next field, OS, only accepts ‘windows’ as a parameter, since Brute Ratel does not support Linux or Android at the time being. The SSL field takes a ‘Yes’ or a ‘No’ to enable or disable SSL for the listener.
The right image above shows that the payload profile named ‘auto-primary-c2’ was automatically created when we created the listener primary-c2. The ‘Rotational Hosts’ option overrides the ‘Listener Bind Host’ field. This means that if you want to use redirectors in front of the payload, you can enter them in the ‘Rotational Hosts’ field. If this field is empty, the badger automatically uses the Listener Bind Host as the C2 IP/domain. When you are using domains, it is mandatory to add them to the ‘Rotational Hosts’ field. You can create a payload for this listener by right-clicking the listener and selecting ‘Generate Payload’, or by creating one from the ‘Payload Profilers’ menu.
Finally, we reach the most important and unique option of the Brute Ratel listener which is the authentication type. The listeners support 2 types of authentication:
If you select Common Auth, all badgers will have the same authentication keys. Any badger that tries to communicate must provide an encrypted key to the listener; without it, the listener responds to the badger with a 404 Not Found. However, if you select OTA, you can create Use-And-Throw (UAT) keys for the listener. For example, if you are planning to phish 10 different people, it is better to create 10 UAT keys. This way, when a badger connects for the first time, the key is authenticated, the badger receives a token, and the key is then removed from the server. If the security team later gets hold of the same payload, it will never be able to authenticate to the server: the server will always reject the UAT key, since the key no longer exists.
The BRc4 listener gives you the option to either manually type in multiple comma-separated keys, or select the checkbox ‘Create random set of authentication keys’ and let the ratel server automatically create the specified number of keys for you. If you let the listener create the random keys, you can view them by right-clicking the listener and selecting ‘Listener Actions->View Authentication’.
You can also change the authentication keys by right clicking the created listener and selecting Listener Actions->Change Authentication.
Listeners can be stopped by selecting Listener Actions->Stop Listener. Keep in mind that this will also stop serving all files hosted on this listener.