outis: custom Remote Administration Tool (RAT)
outis is a custom Remote Administration Tool (RAT) or something like that. Think Meterpreter or Empire-Agent. However, the focus of this tool is neither an exploit toolkit (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms.
On the Name
The cyclops Polyphemus in Homer’s Odyssey had some issues with name resolution. When he asked for Odysseus’ name, the hacker told him it is “Outis”, meaning “Nobody” in ancient Greek. Thus, when Polyphemus later shouted that Nobody was about to kill him, strangely no help arrived.
My thanks to Marcel for remembering this marvelous piece of classic tale.
Dependencies for the Handler
Archlinux users can install the following packages:
- python3 # includes cmd, tempfile, …
- and maybe more…
In other distributions the names may differ. Be careful with the PyPI package names as well: there is a package named crypto and a package named pycrypto, and we need the latter (it provides the Crypto module).
Also, older versions might cause problems:
- pyopenssl needs to be version 16.1.0 or newer, check as follows:
$ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'
You can set up a python virtual environment quite easily:
$ virtualenv outis-venv
$ source ./outis-venv/bin/activate
(outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl
This results in the following package list, which seems to work for me:
$ pip freeze
appdirs==1.4.3
asn1crypto==0.22.0
cffi==1.10.0
cryptography==1.8.1
dnspython==1.15.0
idna==2.5
packaging==16.8
progressbar2==3.18.1
pycparser==2.17
pycrypto==2.6.1
pyOpenSSL==16.2.0
pyparsing==2.2.0
python-utils==2.1.0
six==1.10.0
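The dependency notes above (the pycrypto/crypto mix-up and the pyOpenSSL minimum version) can be checked before starting the handler. The following preflight script is an added example and is not part of outis; the module-to-package mapping is my own assumption about which module each pip package provides, and the version comparison is numeric so that 16.10.0 is correctly treated as newer than 16.2.0.

```python
"""Preflight check for the handler's Python dependencies (added example, not outis code)."""
import importlib

# Module to import -> (pip package that provides it, minimum version or None).
# Assumed mapping: the pip package "pycrypto" provides the module "Crypto";
# the unrelated pip package "crypto" does not.
REQUIRED = {
    "progressbar": ("progressbar2", None),
    "dns": ("dnspython", None),
    "Crypto": ("pycrypto", None),
    "OpenSSL": ("pyopenssl", "16.1.0"),
}


def parse_version(text):
    """Turn '16.2.0' into (16, 2, 0); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(installed, minimum):
    """True if installed >= minimum, comparing component by component, not as strings."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so (16, 1) equals (16, 1, 0)
    b += (0,) * (n - len(b))
    return a >= b


def module_version(module):
    """Best-effort version string; pyOpenSSL exposes OpenSSL.version.__version__."""
    found = getattr(module, "__version__", None)
    if found:
        return found
    sub = getattr(module, "version", None)
    return getattr(sub, "__version__", None)


def check_dependencies(required=REQUIRED):
    """Return a list of human-readable problems; an empty list means all good."""
    problems = []
    for modname, (pkg, minimum) in required.items():
        try:
            mod = importlib.import_module(modname)
        except ImportError:
            problems.append("missing: %s (pip install %s)" % (modname, pkg))
            continue
        if minimum:
            found = module_version(mod)
            if found is None:
                problems.append("%s: cannot determine version, need >= %s" % (modname, minimum))
            elif not version_at_least(found, minimum):
                problems.append("%s: found %s, need >= %s" % (modname, found, minimum))
    return problems


if __name__ == "__main__":
    for line in check_dependencies() or ["all handler dependencies present"]:
        print(line)
```

Run it inside the virtualenv; the import names are what matter, so a wrongly installed crypto package shows up as "missing: Crypto".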
Clone this git with recursive flag to also clone its submodules in the thirdpartytools folder:
git clone --recursive ...
The handler runs on Python 3. Install its dependencies and run it. It will generate stagers, agents and everything else for you.
To bind low ports without needing root privileges, consider using a capability wrapper.
- agent: software that runs on the victim system
- handler: software that parses your commands and leads the agents (usually it runs on your server)
- stager: short script that downloads the agent (using the transport module) and runs it
- transport: communication channel between stager/agent and handler, e.g. ReverseTCP
- platform: victim architecture to use for stager/agent scripts, e.g. PowerShell
Currently Supported Platforms
- PowerShell (partial)
Currently Supported Transports
- Reverse TCP
- DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection)
Currently Supported Cryptography
- Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR
- Agent stages can be authenticated using RSA signatures and pinned certificates
- Transport connections can be encrypted / authenticated using TLS and pinned certificates
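The cyclic XOR encoding of agent stages is, as stated above, obfuscation rather than security. The following added example (not outis code; the key and the stand-in stage are constructed) shows why: when an analyst has a captured stage and knows how its plaintext begins, every key byte falls out of one plaintext byte, so the key and the whole stage can be recovered without any secret. This is the property that makes the RSA stage signatures and pinned certificates listed here necessary for integrity.

```python
"""Cyclic XOR stage encoding and its recovery from known plaintext (added example, not outis code)."""
from itertools import cycle

# Constructed values for the demonstration; nothing here comes from a real deployment.
KEY = bytes([0x13, 0x37, 0x42, 0x99, 0x07])
STAGE = b"# constructed stand-in for an agent stage\nWrite-Output 'agent running'\n"


def xor_cyclic(data, key):
    """XOR every byte with the repeating key; encoding and decoding are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(encoded, known_prefix, key_len):
    """Recover a key of length key_len from a known plaintext prefix.

    Since encoded[i] = plain[i] ^ key[i % key_len], the first key_len bytes of
    known plaintext give the full key directly.
    """
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(encoded[i] ^ known_prefix[i] for i in range(key_len))


def guess_key_len(encoded, known_prefix, max_len=64):
    """Return the shortest key length whose derived key reproduces the whole known prefix.

    The check is only meaningful when the known prefix is longer than the key,
    so pass a prefix comfortably longer than the longest key you expect.
    """
    for n in range(1, min(max_len, len(known_prefix)) + 1):
        key = recover_key(encoded, known_prefix, n)
        if xor_cyclic(encoded[: len(known_prefix)], key) == known_prefix:
            return n
    return None


def decode_captured_stage(encoded, known_prefix):
    """Decode an encoded stage without the key, using only its known beginning."""
    n = guess_key_len(encoded, known_prefix)
    if n is None:
        raise ValueError("no cyclic XOR key consistent with the known prefix")
    return xor_cyclic(encoded, recover_key(encoded, known_prefix, n))


if __name__ == "__main__":
    encoded = xor_cyclic(STAGE, KEY)
    print("key length:", guess_key_len(encoded, STAGE[:20]))
    print(decode_captured_stage(encoded, STAGE[:20]).decode())
```

Twenty bytes of known prefix are enough here because the constructed key is five bytes long; with a longer key you need correspondingly more known plaintext.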
Currently Supported Commands and Controls
- ping requests to test the connection (partial)
- text message format (partial)
- upload and download of files
Currently Supported Extras
- When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS).
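Both the DNS transport listed under transports and dnscat2 staged this way carry their data in DNS names and in TXT, CNAME or MX answers, which leaves a characteristic trace in resolver logs: many distinct, long, high-entropy leftmost labels under one domain, often with record types that end-user lookups rarely use. The following heuristic is an added example for defenders and is not part of outis; the log format (`time client qtype qname`), the sample lines and the thresholds are all constructed, and the base-domain extraction is a simplified last-two-labels rule rather than a public-suffix lookup.

```python
"""Flag DNS-tunnel-like query patterns in a simplified resolver log (added example, not outis code)."""
import math
import re
from collections import defaultdict

# Constructed log lines in an assumed "time client qtype qname" format; not real traffic.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 A www.example.org
12:00:01 10.0.0.5 AAAA www.example.org
12:00:01 10.0.0.5 MX example.org
12:00:02 10.0.0.6 A img1.cdn.example
12:00:02 10.0.0.6 A img2.cdn.example
12:00:02 10.0.0.6 A img3.cdn.example
12:00:02 10.0.0.6 A img4.cdn.example
12:00:02 10.0.0.6 A img5.cdn.example
12:00:03 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.s.tunnel.example
12:00:03 10.0.0.7 TXT 1b2c3d4e5f60718293a4b5c6d7e8f90a.s.tunnel.example
12:00:04 10.0.0.7 CNAME b2c3d4e5f60718293a4b5c6d7e8f90a1.c.tunnel.example
12:00:04 10.0.0.7 MX 2c3d4e5f60718293a4b5c6d7e8f90a1b.c.tunnel.example
12:00:05 10.0.0.7 AAAA c3d4e5f60718293a4b5c6d7e8f90a1b2.c.tunnel.example
12:00:05 10.0.0.7 A 3d4e5f60718293a4b5c6d7e8f90a1b2c.c.tunnel.example
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
DATA_TYPES = ("TXT", "CNAME", "MX")  # record types that can carry arbitrary data in the answer


def shannon_entropy(text):
    """Bits of entropy per character of text; 0 for empty or single-character strings."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Simplified registered domain: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(records):
    """Aggregate per base domain: query count, distinct names, data-type count, label stats."""
    stats = {}
    for r in records:
        s = stats.setdefault(base_domain(r["qname"]),
                             {"queries": 0, "names": set(), "data_types": 0,
                              "label_len": [], "entropy": []})
        s["queries"] += 1
        s["names"].add(r["qname"])
        if r["qtype"] in DATA_TYPES:
            s["data_types"] += 1
        left = r["qname"].split(".")[0]  # the leftmost label is where tunnels encode payload
        s["label_len"].append(len(left))
        s["entropy"].append(shannon_entropy(left))
    return stats


def flag_tunnels(text, min_names=5, min_label_len=20, min_entropy=3.5):
    """Return (domain, queries, data-type queries, mean label length, mean entropy) for suspects."""
    flagged = []
    for domain, s in summarize(parse_log(text)).items():
        mean_len = sum(s["label_len"]) / len(s["label_len"])
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if len(s["names"]) >= min_names and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.append((domain, s["queries"], s["data_types"], round(mean_len, 1), round(mean_ent, 2)))
    return flagged


if __name__ == "__main__":
    for hit in flag_tunnels(SAMPLE_LOG):
        print("suspect DNS tunnel: domain=%s queries=%d data_type_queries=%d label_len=%.1f entropy=%.2f" % hit)
```

The cdn.example lines show why all three conditions are needed: five distinct names alone are normal, and only the combination of many names, long labels and high entropy singles out tunnel.example. Tune the thresholds against your own resolver's baseline before alerting on them.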
Download of a file using staged DNS transport with POWERSHELL platform could look like this:
Or maybe we want to use dnscat2 for the real deal and just use outis to stage it: