ToRat is a Cross Platform Remote Administration tool written in Go using Tor as its transport mechanism currently supporting Windows, Linux, MacOS clients.
How to?
TL;DR
git clone https://github.com/lu4p/ToRat.git
cd ./ToRat
sudo docker build . -t torat
sudo docker run -it -v “$(pwd)”/dist:/dist_ext torat
Prerequisites
- Install Docker on Linux
Install
- Clone this repo via git
git clone https://github.com/lu4p/ToRat.git
- Change Directory to ToRat
cd ./ToRat
- Build the ToRat Docker Container
- you need to build a part of the container yourself to get a own onion address and certificate all prerequisites are met by the prebuilt torat-pre image in other to make quick build times possible
sudo docker build . -t torat
- Run the container
- will drop directly into the ToRat Server shell
- the -v flag copies the compiled binaries to the host file system
- to connect a machine to the server shell just run one of the client binaries on another system
sudo docker run -it -v “$(pwd)”/dist:/dist_ext torat
- In another shell run the client.
sudo chown $USER dist/ -R
cd dist/dist/client/
./client_linux
- See the client connect
In your Server shell you should now see something like [+] New Client H9H2FHFuvUs9Jz8U connected! You can now select this client by running select in the Server Shell which will give you a nice interactive chooser for the client you want to connect to. After you choose a client you drop in an interactive shell on the client system.
Notes
Contents of ToRat/dist after docker run
$ find ./dist
./dist/
./dist/dist
./dist/dist/client
./dist/dist/client/client_linux # linux client binary
./dist/dist/client/client_windows.exe # windows client binary
./dist/dist/server
./dist/dist/server/key.pem # tls private-key
./dist/dist/server/banner.txt # banner
./dist/dist/server/cert.pem # tls cert
./dist/dist/server/ToRat_server # linux server binary
Current Features
- RPC (Remote procedure Call) based communication for easy addition of new functionallity
- Automatic upx leads to client binaries of ~6MB with embedded Tor
- the ToRAT_client communicates over TLS encrypted RPC proxied through Tor with the ToRat_server (hidden service)
- anonymity of client and server
- end-to-end encryption
- Cross Platform reverse shell (Windows, Linux, Mac OS)
- Windows:
- Multiple User Account Control Bypasses (Privilege escalation)
- Multiple Persistence methods (User, Admin)
- Linux:
- Multiple Persistence methods (User, Admin)
- optional transport without Tor e.g. Use Tor2Web, a DNS Hostname or public/ local IP
- smaller binary ~7MB upx’ed
- anonymity of client and server
- embedded Tor
- Unique persistent ID for every client
- give a client an Alias
- all Downloads from client get saved to ./$ID/$filename
- sqlite via gorm for storing information about the clients
- client is obfuscated via garble
Server Shell
- Supports multiple connections
- Welcome Banner
- Colored Output
- Tab-Completion of:
- Commands
- Files/ Directories in the working directory of the server
| Command | Info |
|---|---|
| select | Select client to interact with |
| list | list all connected clients |
| alias | Select client to give an alias |
| cd | change the working directory of the server |
| help | lists possible commands with usage info |
| exit | exit the server |
Shell after selection of a client
- Tab-Completion of:
- Commands
- Files/ Directories in the working directory of the client
| Command | Info |
|---|---|
| cd | change the working directory of the client |
| ls | list the content of the working directory of the client |
| shred | delete files/ directories unrecoverable |
| shredremove | same as shred + removes the shredded files |
| screen | take a Screenshot of the client |
| cat | view Textfiles from the client including .docx, .rtf, .pdf, .odt |
| alias | give the client a custom alias |
| down | download a file from the client |
| up | upload a file to the client |
| escape | escape a command and run it in a native shell on the client |
| reconnect | tell the client to reconnect |
| help | lists possible commands with usage info |
| exit | background current session and return to main shell |
| else | the command will be executed in a native shell on the client |
Upcoming Features
- Privilege escalation for Linux
- Persistence and privilege escalation for Mac OS
- Support for Android and iOS needs fix of https://github.com/ipsn/go-libtor/issues/12
- File-less Persistence on Windows
Preview
