Topic: [DISCUSSION] RAT Programming Basics


ZeroBoy
[DISCUSSION] RAT Programming Basics
« on: February 22, 2014, 12:03:20 am »
There's no better place to discuss such things than here.

Lately, I became more curious about RAT programming and how RATs work, and to understand this better, I want to code a simple one; I just want to have two PCs connected to each other and do some lame stuff.

What I concluded about RAT basics:

A RAT consists of client and server applications that allow a remote user to control a remote machine via sockets. The server is placed on the target machine, and the client on the user's machine.
In socket programming, a server is usually linked to the bind(), listen() and accept() socket functions, and the client side is the one that connect()s to the server.

While in RATs, the roles are reversed: the client uses the bind(), listen() and accept() socket functions and waits for an incoming connection from the server side, and the server links to the client machine using connect().
And that's because the server on the remote machine knows my IP address (the client's), but the client doesn't  :o HOW?!

Everybody has worked with RATs before. The first problem we faced is the static IP address: everyone knows that his IP address changes every time he resets his router. So basically, how can a server and a client connect with each other while neither of them knows the other's IP address? In this part, DNS services come in handy: we can link an IP address to a domain name using no-ip (for example) and use the no-ip program to assign my IP address to the domain name every time the IP changes.

This way, we can make the server side know the client's IP address and access it using its static domain name.



Kulverstukas (Administrator)
Re: [DISCUSSION] RAT Programming Basics
« Reply #1 on: February 22, 2014, 01:13:00 pm »
Quote
The first problem we faced is the static IP address, everyone knows that his IP address changes every time he resets his router.
Everyone... except you. Static IPs don't change, that's why they are static in the first place.

The client doesn't need to know any IPs; it's a client. It listens for connections... the server has to know your IP and port to connect.

All this direct-connecting kinda sounds outdated and insecure. However, since RATs are not meant for mass infection, they didn't utilize a centralized architecture. Nowadays it's all about getting more and more, so it just becomes like a botnet, and a RAT doesn't differ that much from a botnet; it's just that RATs are for direct and more targeted attacks while botnets are for mass infection.

techb (Global Moderator)
Re: [DISCUSSION] RAT Programming Basics
« Reply #2 on: February 22, 2014, 03:21:16 pm »
The infected needs to connect to the controller. If it were the other way around and the attacker connected to the victim, firewalls and other anti-crap kick in.

If the victim, however, makes an outbound connection, fewer flags go up and things like NAT are useless. So the victim should be the client. The only thing the victim needs to do is ask the attacker what to do.

Treat it like any other web activity. The client connects to the server, requests some things and acts on it. The only diff here is, you don't drop or kill the connection. Well, depending on the target and whether there might be an IT guy seeing a PC staying connected to some remote server. But that is another story; I'm talking for simplicity's sake.
« Last Edit: February 22, 2014, 03:25:36 pm by techb »
>>>import this
-----------------------------
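The two posts above describe the pattern a defender would look for: a machine that keeps a long-lived outbound session open to a dynamic-DNS name (the no-ip setup from the opening post), or one that keeps polling the same remote host at a fixed interval to "ask what to do". The following detection script is an added example, not code from this thread; it runs over a constructed list of connection records, and the dynamic-DNS suffix watchlist is illustrative rather than complete.

```python
"""Flag reverse-connection and beaconing patterns in outbound connection records."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample records: (timestamp_s, src_ip, dst_host, dst_port, duration_s).
# Hostnames and addresses are made up for this example.
SAMPLE_CONNECTIONS = [
    (0,   "10.0.0.5", "cdn.example.org",    443, 3),
    (10,  "10.0.0.7", "lab-host.no-ip.org", 4444, 86400),  # day-long reverse session
    (0,   "10.0.0.9", "panel.example.net",  80, 1),        # regular 300 s polling
    (300, "10.0.0.9", "panel.example.net",  80, 1),
    (600, "10.0.0.9", "panel.example.net",  80, 1),
    (900, "10.0.0.9", "panel.example.net",  80, 1),
    (20,  "10.0.0.5", "mail.example.org",   993, 120),
]

# Constructed watchlist of dynamic-DNS suffixes; extend with your own intel.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".no-ip.com", ".ddns.net")


def flag_long_lived(records, min_duration=3600):
    """Outbound sessions held open longer than min_duration seconds."""
    return [r for r in records if r[4] >= min_duration]


def flag_dynamic_dns(records, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Connections whose destination name ends in a watched dynamic-DNS suffix."""
    return [r for r in records if r[2].lower().endswith(suffixes)]


def flag_beacons(records, min_hits=4, max_jitter=0.1):
    """Group by (src, host, port); flag groups whose connection gaps are near-constant."""
    groups = defaultdict(list)
    for ts, src, host, port, _ in records:
        groups[(src, host, port)].append(ts)
    hits = []
    for key, stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        # Low coefficient of variation means a fixed polling interval.
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits.append((key, mean))
    return hits


if __name__ == "__main__":
    print("long-lived:", flag_long_lived(SAMPLE_CONNECTIONS))
    print("dynamic DNS:", flag_dynamic_dns(SAMPLE_CONNECTIONS))
    print("beacons:", flag_beacons(SAMPLE_CONNECTIONS))
```

Real traffic needs tuning of the thresholds (legitimate mail or messaging clients also hold sessions open), so treat each hit as a lead to correlate with process and DNS logs rather than a verdict.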

ZeroBoy
Re: [DISCUSSION] RAT Programming Basics
« Reply #3 on: February 22, 2014, 11:53:49 pm »
Quote
The first problem we faced is the static IP address, everyone knows that his IP address changes every time he resets his router.
Quote
Everyone... except you. Static IPs don't change, that's why they are static in the first place.
I suggest you open your eyes wider when reading, especially my words...
I'm not going to explain this again because everybody got it, except you of course...
Quote
The client doesn't need to know any IPs; it's a client. It listens for connections... the server has to know your IP and port to connect.
I already said this and explained why. So you came with nothing new...
Quote
All this direct-connecting kinda sounds outdated and insecure
Not going to comment about "kinda sounds outdated"  ??? , but "insecure"!!!!  :o Can you explain this?
Quote
Nowadays it's all about getting more and more, so it just becomes like a botnet
There is no piece of software called botnet; maybe you're confused with RATs based on HTTP C&C panels  ::)

lucid
Re: [DISCUSSION] RAT Programming Basics
« Reply #4 on: February 23, 2014, 12:19:35 am »
Quote
I suggest you open your eyes wider when reading, especially my words...
I'm not going to explain this again because everybody got it, except you of course...
I already said this and explained why. So you came with nothing new...
Not going to comment about "kinda sounds outdated"  ??? , but "insecure"!!!!  :o Can you explain this?
There is no piece of software called botnet; maybe you're confused with RATs based on HTTP C&C panels  ::)

Yeah that's a good idea, be a sarcastic prick to the staff of the forum you are asking information from. Also, are you really trying to say that botnets don't exist? Because I assure you they most certainly do.

EDIT: Also, there's a modify button for a reason. Use it instead of double posting.
« Last Edit: February 23, 2014, 12:26:11 am by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

ZeroBoy
Re: [DISCUSSION] RAT Programming Basics
« Reply #5 on: February 23, 2014, 12:44:46 am »
Quote
Yeah that's a good idea, be a sarcastic prick to the staff of the forum you are asking information from. Also, are you really trying to say that botnets don't exist? Because I assure you they most certainly do.

EDIT: Also, there's a modify button for a reason. Use it instead of double posting.
He misunderstood something I said, and I guess what I said about the static IP is clear to everyone but him; I never meant that the static IP is changeable. I meant that the first problem we faced is how to get my IP address kinda static.
Plus, I didn't say that botnets don't exist, and I clearly said that there is no piece of software called botnet (didn't I?). The name says it all: botnet (bot network), which is not a kind of software. It's a bunch of bots (which are software) connected to each other under a homogeneous C&C software. That's exactly what I said.

@Kulverstukas: you made me feel dumb with your misunderstanding, and I've been offensive for that. Anyway, I'm mistaken, and I do apologize.

-- Use the edit button
« Last Edit: February 23, 2014, 01:04:57 am by ZeroBoy »

Kulverstukas (Administrator)
Re: [DISCUSSION] RAT Programming Basics
« Reply #6 on: February 23, 2014, 09:53:40 am »
No problem-o, ZeroBoy, I didn't really misread you, because what you wrote was confusing. Anyway, I refer to the botnet as a piece of software, because that is what makes it different from a RAT.
By outdated and insecure, I meant exactly that. Direct connection has been used since the dawn of man. And you can't possibly say that it's a "secure" method of control, when a victim connects straight to you... what if I sniff the traffic, see the commands and where it connects to receive them? I am not such a heavy RAT user, so I might not know all the techniques though.

Having a RAT connect to a centralized CnC server and being able to control them through some HTTP web panel or something is much better; however, that way a RAT simply becomes a bot, and the two differ only by their name, because the definition becomes the same.

ZeroBoy
Re: [DISCUSSION] RAT Programming Basics
« Reply #7 on: February 23, 2014, 11:40:07 am »
Quote
Direct connection has been used since the dawn of man. And you can't possibly say that it's a "secure" method of control, when a victim connects straight to you... what if I sniff the traffic, see the commands and where it connects to receive them?
Let's assume that it is sent in plain text; we can also sniff a bot's traffic, hijack it and own it. So encrypting commands and data is a necessity.
Quote
Having a RAT connect to a centralized CnC server and being able to control them through some HTTP web panel or something is much better
I do agree with that; having an HTTP server always alive to receive data from bots is better for sure. BUT it might be risky, because the conversation between the bot and the C&C panel is based on HTTP, which is a plain-text protocol. Every technique has advantages and disadvantages.