HTTP/HTTPS Trojans can bypass any firewall and work as a kind of straight HTTP tunnel, but one that works in reverse. They use web-based interfaces and port 80 to gain access. These Trojans execute on the internal host and spawn a “child” at a predetermined time. To the firewall, the child program appears to be a user, so the firewall allows it access to the internet. However, this child executes a local shell, connects to the web server that the attacker owns on the internet through a legitimate-looking HTTP request, and sends it a ready signal. The legitimate-looking answer from the attacker’s web server is in reality a series of commands that the child can execute on the machine’s local shell.
Auditing a network against HTTP RATs is generally both more difficult and essential, as most firewalls and other perimeter security devices cannot detect traffic generated by an HTTP RAT Trojan.
Remote Access Trojans (RATs) are malicious programs that run invisibly on the host PC and permit an intruder remote access and control. A RAT can provide a backdoor for administrative control over the target computer. Upon compromising the target system, the attacker can use it to distribute RATs to other vulnerable computers and establish a botnet.
Log on to Windows Server 2012 and install the HTTP RAT TROJAN tool: https://anonfile.com/HaT8v9Jbn7/HTTP_RAT_TROJAN_zip
Double-click httprat.exe. The HTTP RAT main window appears as shown below:
Uncheck the "send notification with IP address to mail" option, set the server port to 84, and click Create.
Once the httpserver.exe file is created, a pop-up is displayed. Click OK and share the file with the Windows 10 virtual machine.
The file will be saved in the HTTP RAT TROJAN folder as shown below:
Now log in to Windows 10 and navigate to the place where you saved the httpserver.exe file. Double-click the file to run the Trojan.
You will be able to see the Httpserver process in Task Manager:
Note: it is normal to get some errors on the first requests, and the browser may fail to connect. Just reload the web page a couple of times.
If everything works, you should get this window:
Click the Running processes link to list the processes running on the Windows 10 machine. It is possible to kill any process from here.
Click browse and then click Drive C to explore the contents in this drive.
Click computer info to view information of the computer, users and hardware.
After you are done, end the Httpserver.exe process on Windows 10.
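While it runs, the lab leaves a web server listening on port 84 under the Httpserver process on the Windows 10 machine, so a host-side check for unexpected listeners complements the perimeter devices that miss this traffic. The following is an added example, not part of the original lab or of the HTTP RAT tool: Python that correlates `netstat -ano` output with `tasklist /fo csv /nh` output. The sample output, the PIDs, and the allowlist baseline are constructed assumptions.

```python
import csv
import io

# Constructed sample of `netstat -ano` output from the Windows 10 lab VM.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:84             0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2210
  TCP    10.0.0.15:49712        10.0.0.5:443           ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1500
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"System","4","Services","0","140 K"
"svchost.exe","908","Services","0","9,812 K"
"agent.exe","2210","Services","0","5,000 K"
"httpserver.exe","4312","Console","1","3,104 K"
'''

# Assumed baseline of images allowed to listen; build yours from a clean image.
ALLOWED_LISTENERS = {"system", "svchost.exe", "lsass.exe", "wininit.exe", "services.exe"}
LOOPBACK = ("127.", "[::1]")

def pid_to_image(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def unexpected_listeners(netstat_text, tasklist_csv, allowed=ALLOWED_LISTENERS):
    """Return sorted (port, image, pid) for remote-reachable TCP listeners outside the baseline."""
    images = pid_to_image(tasklist_csv)
    findings = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue  # header, UDP rows, and non-listening sockets
        local, pid = parts[1], int(parts[4])
        if local.startswith(LOOPBACK):
            continue  # loopback-only listeners are not reachable from other hosts
        port = int(local.rsplit(":", 1)[1])
        image = images.get(pid, "<unknown>")  # a PID missing from tasklist is itself suspicious
        if image.lower() not in allowed:
            findings.add((port, image, pid))
    return sorted(findings)

if __name__ == "__main__":
    for port, image, pid in unexpected_listeners(NETSTAT, TASKLIST):
        print(f"unexpected listener: port {port} image {image} pid {pid}")
```

On a live host, feed the function the captured text of the two commands instead of the constructed samples.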