Hacking with Remote Admin Tools (RAT)
DESCRIPTION
This presentation is a fun introduction to the tools used by script kiddies, namely Remote Admin Tools (also known as Remote Access Trojans). These GUI-based hacking tools include a lot of funny and scary features.
TRANSCRIPT
![Page 1: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/1.jpg)
Hacking with Remote Admin Tools (RATs)
Zoltan Balazs, CTO @ MRG Effitas
Budapest IT Security Meetup, January 2014
![Page 2: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/2.jpg)
Remote admin tools
Could be legitimate
Usually it is not
All the features for remote administration:
Upload/download files
Registry editor
Shell commands
Remote desktop
Using a RAT might be illegal, and might be considered a crime!
Don't try this at home!
![Page 3: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/3.jpg)
Why are these skiddie toolz important?
Only pentesters use meterpreter
Script kiddies use RATs
Not just "1337 |-|4x0r5" use RATs!
Know your enemy!
Malware incident response
Forensic investigation
![Page 4: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/4.jpg)
Typical RAT scenario
![Page 5: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/5.jpg)
1998
![Page 6: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/6.jpg)
DEF CON 6 on August 1, 1998
![Page 7: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/7.jpg)
![Page 8: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/8.jpg)
Dictionary to skiddie language
| Skiddie world | Average world |
| --- | --- |
| server | client malware on victim |
| client | server code @skiddie |
| FUD | Fully UnDetectable |
| cryptor | some lame packer |
| private/elite/gold version | full version (not demo) |
![Page 9: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/9.jpg)
Tutorialz for script bunniez
How to fail at OPSEC?
https://www.youtube.com/results?search_query=setup+rat+tutorial
http://www.youtube.com/watch?v=NkkqPLVscC4
![Page 10: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/10.jpg)
#opsecfail
![Page 11: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/11.jpg)
#opsecfail
![Page 12: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/12.jpg)
#opsecfail
![Page 13: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/13.jpg)
#opsecfail
![Page 14: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/14.jpg)
#opsecfail
![Page 15: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/15.jpg)
![Page 16: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/16.jpg)
The skiddie's YouTube list on Cyber Threat Task Force (Google cache only)
![Page 17: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/17.jpg)
![Page 18: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/18.jpg)
![Page 19: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/19.jpg)
But a script kitty’s life is not just about work
But FUN as well!
![Page 20: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/20.jpg)
Fun manager - Fun menu
![Page 21: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/21.jpg)
Extra fun
![Page 22: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/22.jpg)
Fun feature 3
![Page 23: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/23.jpg)
Fun feature 4 – Matrix chat
![Page 24: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/24.jpg)
Fun feature 5
![Page 25: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/25.jpg)
Ultimate fun …
![Page 26: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/26.jpg)
Ultimate fun feature 6 - Piano
![Page 27: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/27.jpg)
Hacking Internet Explorer
![Page 28: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/28.jpg)
Scary features
![Page 29: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/29.jpg)
Scary feature 1
DLL inject into iexplore.exe
Proxy aware
Transparent proxy authentication
Local software firewall bypass
No new process running
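Because the injected server runs inside iexplore.exe rather than as its own process, a process list will not show it; what does change is the module list of the browser. The following PowerShell snippet is an added triage check, not code from the presentation: it lists every DLL loaded into iexplore.exe and flags modules that are unsigned, not signed by Microsoft, or loaded from outside the Windows and Program Files directories. The function name and the "Microsoft" signer heuristic are this example's own choices.

```powershell
# Added example (not from the slides): enumerate DLLs loaded into iexplore.exe
# and flag those that an injected RAT server typically looks like.
# Run elevated so the module lists of other users' processes are readable;
# a 64-bit host cannot read modules of a 32-bit process in every case,
# so failures are reported rather than silently skipped.
function Get-SuspiciousModule {
    param(
        [string]$ProcessName = 'iexplore'   # assumption: the target named on the slide
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named $ProcessName"
        return
    }
    foreach ($p in $procs) {
        try {
            $modules = $p.Modules
        } catch {
            Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            # Legitimate browser modules live under %SystemRoot% or Program Files.
            $inTrustedDir = ($path -like "$env:SystemRoot\*") -or ($path -like "$env:ProgramFiles*\*")
            $suspicious = ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'Microsoft') -or
                          (-not $inTrustedDir)
            if ($suspicious) {
                [pscustomobject]@{
                    PID       = $p.Id
                    Module    = $m.ModuleName
                    Path      = $path
                    SigStatus = $sig.Status
                    Signer    = $signer
                }
            }
        }
    }
}

Get-SuspiciousModule | Format-Table -AutoSize
```

The output is a short list to inspect by hand, not a verdict: third-party toolbars and plugins also load non-Microsoft DLLs into the browser. A RAT server injected from a dropper in a temp or profile directory, with no signature at all, stands out clearly against that background.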
![Page 30: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/30.jpg)
Scary feature 2 – Melt/uninstall
Melt server deletes the dropper
No wipe
Forensic restoration possible
Uninstall server deletes the persistence file
No wipe
Forensic restoration possible
![Page 31: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/31.jpg)
Scary feature - Alternate data stream
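NTFS alternate data streams do not show up in Explorer or in a plain directory listing, which is why a RAT can keep its payload in one. The slide only names the feature; the snippet below is an added PowerShell check (not from the presentation) that walks a directory tree, lists every named stream other than the default `::$DATA`, and reads the first bytes to see whether a stream holds an executable (MZ header). The function name, the default root and the Zone.Identifier filter are assumptions of this example.

```powershell
# Added example (not from the slides): find files carrying alternate data
# streams and flag streams that start with an MZ header (a PE file).
# Requires Windows PowerShell 3.0+ on an NTFS volume. On PowerShell 7 replace
# "-Encoding Byte" with "-AsByteStream".
function Find-AlternateDataStream {
    param(
        [string]$Root = $env:USERPROFILE,   # assumption: start in the user profile
        [int]$PreviewBytes = 4
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the normal file content; Zone.Identifier is the
                # benign mark-of-the-web stream browsers add to downloads.
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $bytes = Get-Content -LiteralPath $file -Stream $_.Stream `
                                         -Encoding Byte -TotalCount $PreviewBytes `
                                         -ErrorAction SilentlyContinue
                    $looksLikePE = ($bytes.Count -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Size        = $_.Length
                        LooksLikePE = $looksLikePE
                    }
                }
        }
}

Find-AlternateDataStream | Sort-Object -Property LooksLikePE -Descending | Format-Table -AutoSize
```

A stream that looks like a PE file attached to an innocuous host file is the pattern to chase; the persistence entry that launches it (for example a Run key or scheduled task) will reference the stream as `file.txt:streamname`. Before removing anything with `Remove-Item -Stream`, copy the stream out with `Get-Content -Stream` so the sample survives for analysis.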
![Page 32: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/32.jpg)
Scary feature 3 - Anti AV
![Page 33: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/33.jpg)
Scary feature 4 – Anti VM, Anti sandbox
![Page 34: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/34.jpg)
Private/elite version
Downloading and running binaries from people like this is a bad idea!
hxxp://www.theatregelap.com/2012/06/xtremerat-v-36-private.html
![Page 35: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/35.jpg)
JRAT
Multiplatform
Evade some software firewalls (java.exe allowed)
Easier to obfuscate
Screenshots © Symantec
![Page 36: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/36.jpg)
AndroRAT
© VRT Snort blog
![Page 37: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/37.jpg)
Cryptor
![Page 38: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/38.jpg)
High profile attacks
![Page 39: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/39.jpg)
High profile attacks
![Page 40: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/40.jpg)
![Page 41: Hacking with Remote Admin Tools (RAT)](https://reader035.vdocument.in/reader035/viewer/2022062319/55756c06d8b42a2e248b4d69/html5/thumbnails/41.jpg)