ToRat: useful admin tool
A Cross Platform Remote Administration tool written in Go using Tor as its transport mechanism currently supporting Windows, Linux, MacOS clients.
DISCLAIMER
USE FOR EDUCATIONAL OR INTERNAL TESTING PURPOSES ONLY
How to use ToRat Docker Image
TL;DR
git clone https://github.com/lu4p/ToRat.git
cd ./ToRat
sudo docker build . -t torat
sudo docker run -it -v "$(pwd)"/dist:/dist_ext torat
Prerequisites
- Install Docker on Linux
- ubuntu https://docs.docker.com/install/linux/docker-ce/ubuntu/
- debian https://docs.docker.com/install/linux/docker-ce/debian/
- fedora https://docs.docker.com/install/linux/docker-ce/fedora/
- centos https://docs.docker.com/install/linux/docker-ce/centos/
- arch
sudo pacman -s docker
Install
Clone this repo via git
git clone https://github.com/lu4p/ToRat.git
Change Directory to ToRat
cd ./ToRat
Build the ToRat Docker Container
you need to build a part of the container yourself to get a own onion address and certificate all prerequisites are met by the prebuilt torat-pre image in other to make quick build times possible
sudo docker build . -t torat
- Run the container
- will drop directly into the ToRat Server shell
- the -v flag copies the compiled binaries to the host file system
to connect a machine to the server shell just run one of the client binaries on another system
sudo docker run -it -v "$(pwd)"/dist:/dist_ext torat
In another shell run the client.
sudo chown $USER dist/ -R cd dist/dist/client/ ./client_linux
See the client connect
In your Server shell you should now see something like [+] New Client H9H2FHFuvUs9Jz8U connected!
You can now select this client by running select
in the Server Shell which will give you a nice interactive chooser for the client you want to connect to. After you choose a client you drop in an interactive shell on the client system.
Notes
Contents of ToRat/dist
after docker run
$ find ./dist
./dist/
./dist/dist
./dist/dist/client
./dist/dist/client/client_linux # linux client binary
./dist/dist/client/client_windows.exe # windows client binary
./dist/dist/server
./dist/dist/server/key.pem # tls private-key
./dist/dist/server/banner.txt # banner
./dist/dist/server/cert.pem # tls cert
./dist/dist/server/ToRat_server # linux server binary
Preview
Client Commands
Command | Info |
---|---|
cd | change the working directory of the client |
ls | list the content of the working directory of the client |
shred | delete files/ directories unrecoverable |
screen | take a Screenshot of the client |
cat | view Textfiles from the client including .docx, .rtf, .pdf, .odt |
alias | give the client a custom alias |
down | download a file from the client |
up | upload a file to the client |
speedtest | speedtest a client's internet connection |
hardware | collects a variety of hardware specs from the client |
netscan | scans a clients entire network for online devices and open ports |
gomap | scan a local ip on a clients network for open ports and services |
escape | escape a command and run it in a native shell on the client |
reconnect | tell the client to reconnect |
help | lists possible commands with usage info |
exit | background current session and return to main shell |
Server Commands
Command | Info |
---|---|
select | select client to interact with |
list | list all connected clients |
alias | select client to give an alias |
cd | change the working directory of the server |
help | lists possible commands with usage info |
exit | exit the server |
Current Features
Architecture
- RPC (Remote procedure Call) based communication for easy addition of new functionality
- Automatic upx leads to client binaries of ~6MB with embedded Tor
- sqlite via gorm for storing information about the clients
- client is obfuscated via garble
Server Shell
- Cross Platform reverse shell (Windows, Linux, Mac OS)
- Supports multiple connections
- Welcome Banner
- Colored Output
Tab-Completion of:
- Commands
- Files/ Directories in the working directory of the server
Unique persistent ID for every client
- give a client an Alias
- all Downloads from client get saved to ./$ID/$filename
Persistence
Windows:
- [ ] Multiple User Account Control Bypasses (Privilege escalation)
- [ ] Multiple Persistence methods (User, Admin)
Linux:
- [ ] Multiple Persistence methods (User, Admin)
Tor
Fully embedded Tor within go
the ToRATclient communicates over TLS encrypted RPC proxied through Tor with the ToRatserver (hidden service)
- [x] anonymity of client and server
- [x] end-to-end encryption
optional transport without Tor e.g. Use Tor2Web, a DNS Hostname or public/ local IP
- [x] smaller binary ~3MB upx'ed
- [ ] anonymity of client and server
Upcoming Features
- [ ] Bulk Commands
- [ ] Persistence and privilege escalation for Linux
- [ ] Persistence and privilege escalation for Mac OS
- [ ] Support for Android and iOS (needs fix of https://github.com/ipsn/go-libtor/issues/12)
- [ ] File-less Persistence on Windows
Contribution
All contributions are welcome you don't need to be an expert in Go to contribute.
You may want to join the #torat
channel over at the Gophers Slack