Carding 4 Carders
Article content
- Installation and configuration
- Configuring the server
- Building the client
- Testing "Quasar"
- Remote administration
- Monitoring and working with a remote host
- Conclusion
What is a RAT? This particular tool is written for Windows, but the main thing is that it is free and open source, which definitely adds to its advantages over other similar software. You can download Quasar RAT from the project's GitHub page.
The program is written in C# and is positioned by its developers as "an easy and convenient tool for remote administration, technical support and monitoring of employees." Quasar RAT has the traditional client-server architecture of a remote administration tool and, despite its compact size, has a fairly rich arsenal of features, including:
- connecting to a remote desktop;
- a remote shell and running executable files on command;
- remote editing of the registry;
- launching the file manager, task manager, and download manager;
- remote execution of shutdown and reboot commands;
- keylogging (with Unicode support);
- interception of passwords in browsers, FTP clients, and other programs;
- running Reverse Proxy (SOCKS5).
INSTALLATION AND CONFIGURATION
The program is delivered as an archive, inside which all the necessary files are located for its operation. Before unpacking the content, you should disable antivirus programs, otherwise they will happily delete the exe and .bat file from the Quasar package. Also, to get started, you need to install .NET Framework 4.5.2 or later, if it is not already installed on your system.
To avoid confusion, note that in Quasar terminology the server is the machine to which data is transmitted from user computers, and the client is the PC that you are monitoring. The client is identified by the tag that you specify in the settings. It can be arbitrary. After installation on a remote machine, the client works on its own, trying to connect to the server at specified intervals, either by IP address (IPv4 and IPv6 are supported) or by DNS name. The general algorithm of actions is as follows: you need to start the server, specify the necessary settings, build the client application and upload it to the remote machine. It's simple.
Configuring the server
After starting the program Quasar.exe, we will be asked to create a certificate that will be used to establish a secure connection between the server and the client. If Quasar has already been used on your computer, you can import an existing certificate; otherwise the program will create a file, quasar.p12, that you should immediately store in a safe place. If you have to reinstall Quasar, it will be impossible to connect to other machines running the RAT without it, which means losing all clients.
When you first start Quasar, it prompts you to create or import a certificate
Click Create and then Save. Now feel free to launch Quasar.exe and click Settings at the top of the window. By default, Quasar uses TCP port 4782 for communication, but you can choose any other free port instead by specifying it in the Port to listen on field. Then you will need to open this port in the firewall by configuring the appropriate rule.
Configuring The Quasar Server
All other parameters in the server settings window have the following values:
- Enable IPv6 Support - enable IPv6 protocol support if it is used on your network;
- Listen for new connections on startup - automatically start listening for new incoming connections from clients when the server starts up;
- Show popup notification on new connection - display a popup message on a new connection;
- Try to automatically forward the port (UPnP) - try to automatically forward the port using UPnP;
- Show tooltip on client with system information - show a tooltip with system information on remote client machines (to ensure secrecy, it is better not to use this function).
Building the client
To create a client application, click Builder at the top of the program window. The Builder window contains five tabs, which we will now quickly run through.
Basic settings tab Builder settings
On the Basic Settings tab, you need to specify the Client Tag, a kind of ID that will be used to identify the client machine. It is better to give it a meaningful name so that you don't get confused about connections if there are several clients. The Mutex field displays a mutex that prevents multiple instances of the program from running on the client computer. You can leave it as it is. For greater secrecy, we recommend checking the Enable unattended mode checkbox. It will allow you to control the client machine without attracting the user's attention: in this case, they will not be shown any windows, messages, etc., and the Quasar icon will not appear in the system tray.
On the Connection settings tab, specify the IP address or network-visible name of the machine where the server is deployed, the port to connect to, and the interval in milliseconds after which the client machine will attempt to establish or resume a connection. All this data will be hardwired into the client program, and it will be impossible to change it later, so be careful.
Connection settings tab Builder settings
The Installation settings tab manages the client's installation and startup parameters. The Quasar client application can be installed in one of three folders: the current user's AppData\Roaming, Program Files, or System; the last two require local administrator privileges on the user account. Select the appropriate option by checking the Install client box.
Configuring client installation and startup parameters
Now you need to select the name of the folder to install the application (Install subdirectory) and the name of the program itself (Install name). The Set file attributes to hidden and Set subdir attributes to hidden check boxes allow you to assign the "hidden" attribute to this subdirectory and the client file after installation. To avoid inventing ways to automatically run the program on the client machine, select the Run Client when the computer starts checkbox and enter the client's display name in the Startup Name field. This name will be displayed in the autorun parameters and in the list of processes on the remote PC.
The Assembly Settings tab allows you to configure such parameters of the client program assembly as the name of the application and its manufacturer, copyright, and version number, and to add a customized icon. All this, as you understand, is displayed in the properties of the installer, if someone curious wants to look there. That is, the client can be disguised as any other executable file, whether a codec, a Windows update, or a banal Adobe Flash Player.
Configuring the Keylogger
If you want the client to perform keylogger functions in addition to everything else, go to the Monitoring Settings tab, check the Enable keyboard logging checkbox, enter the name of the folder where the keylogger log will be saved, and make it hidden by checking the Set directory attributes to hidden checkbox.
Now you can click Build and enter a name for the client file. It remains only to install it on a remote machine: I have a very compact client executable file — only 502 Kbytes.
TESTING "QUASAR"
First, I tried to install the client on a test machine with Kaspersky anti-virus enabled. Of course, the trick did not work: it safely nailed the tool directly on the flash drive, not allowing it to be copied to the computer or run. Unfortunately, adding the program to exceptions didn't help either: Casper blocked the launch of the client even when active protection was disabled, and then deleted it, happily reporting that it had discovered an insidious and dangerous Trojan (and it catches it, apparently, with a heuristic).
You can, of course, cover the executable file with some kind of protector, but I was too lazy to mess around, so the only available option for me was to completely remove the antivirus on the client machine, which, in general, is not difficult if you have direct access to it. It is noteworthy that when launching the client installation file, nothing happens at all: no windows or warnings appear on the screen, but the client is successfully copied to the folder specified during its build.
After rebooting the remote machine, we start Quasar.exe on the server, click Settings at the top of the window and click on the Start Listening button. A window will appear on the screen asking you to add the port selected in the settings to the firewall rules. We agree, and we see our target machine in the list of remote hosts. The remote computer may disappear from the list if the user has turned it off or disconnected from the network, and automatically reappears when it is turned on or the connection is resumed.
Incoming connection completed successfully.
All operations on a remote machine are performed by right-clicking on its ID in the Quasar Server window.
Remote administration
All the main functions of remote administration are concentrated in the Administration context menu. Here you can find the following ways to interact with the client machine:
- System Information - displays detailed information about the hardware and software configuration of the remote computer;
- File Manager - a convenient windowed file manager, similar to Windows Explorer: it allows you to navigate through the disks of a remote computer, download and upload files, run them if they are executable, rename them, delete them, and add them to startup;
- Startup Manager - startup management utility: shows the current objects in startup and the registry branches responsible for them. To add a new object, right-click in the manager window and select Add Entry;
- Task Manager - opens a window with a list of tasks running on the remote machine. Allows you to kill any of the running processes or start a new one;
- Remote Shell - remote execution of commands in the cmd.exe shell;
- TCP Connections - shows a list of TCP connections opened on the remote host. You can use the context menu to update the connection or close it;
- Reverse Proxy - raises a reverse proxy on the client machine;
- Registry Editor - opens the remote registry editor window;
- Remote Execute - runs a local file or a file from the Internet on the client PC, the URL of which you specify in the window that opens;
- Actions - command to shut down, reboot, or hibernate the remote machine.
The Quasar file Manager is very similar to the regular Windows Explorer
Monitoring and working with a remote host
One of the most interesting features of Quasar RAT is remote desktop browsing. This feature is available in Monitoring → Remote Desktop or User Support → Remote Desktop. In the upper part of the remote desktop window, there is a control that allows you to set the image quality (the higher it is, the more traffic there will be), and two buttons that allow you to enable or disable the transmission of control signals from your mouse and keyboard to the client machine. Click Start to connect to the remote desktop, and Stop if you want to end the session.
The Monitoring → Password Recovery function allows you to retrieve all passwords stored in the user's browser. The information is presented in the form of a table with the site address and the saved password. You can copy it to a separate file, to the clipboard, or erase it on a remote computer.
The Monitoring → Keylogger section stores Quasar RAT keylogger logs. The tool saves logs as HTML files. Each of them contains information about the application where the input was performed, and a record of the keys pressed. The list of available logs is updated by clicking on the Get Logs button in the upper-left corner of the window.
Quasar RAT Keylogger log
The User Support context menu, in addition to another button for calling the remote desktop, contains the Show Messagebox item, which you can use to show the user a dialog box with any text, and Send to Website: the URL you entered will open on the remote machine in the browser configured by default. And if you check the Visit hidden checkbox, the user will not see anything, but the site will open in a hidden window, and the visit will remain in History.
Before sending the dialog box to the final recipient, you can test it on your own machine
Finally, the Client Management context menu provides the remote administrator with the following options:
- Elevate Client Permissions - Quasar will attempt to elevate the system privileges of the client application on the remote machine (it will trigger UAC asking you to confirm running the script on the command line, so be careful);
- Update - command to update the client: select the client file on the local machine or specify the URL of its location on the Internet, select the client in the list and click Execute Remotely;
- Reconnect - reconnect to the remote machine;
- Disconnect - disconnect the connection;
- Reinstall - remove the client from the user's computer.
CONCLUSION
Quasar is a very powerful and multi-functional tool for remote management, tracking user actions, and collecting information of interest to the administrator on a remote machine. The client executable file is only a couple hundred kilobytes long, so it can be delivered to the target system in many different ways. As practice has shown, the app works quite quickly and stably.
The client part lives in the user's Windows quietly and imperceptibly, practically without consuming resources. The only serious drawback of this tool is that the client is detected by antivirus programs (at least Kaspersky Lab antivirus), which will require either disabling protection or fiddling with packers and protectors. And their use does not guarantee that the utility is "invisible" to heuristic analyzers that track suspicious applications by their behavior. And the behavior of Quasar RAT, I must say, is very suspicious!
In other words, Quasar is a pretty good alternative to other remote administration utilities like TeamViewer, especially if you need to use it without causing unnecessary questions from the user. But how exactly this tool is used will remain on the conscience of the user. The main thing: do not forget about the responsibility that our legislation provides for the distribution of bad programs and pranks with unauthorized access to other people's computers.
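Seen from the defending side, the behaviours this post describes leave correlatable traces: a client copied into a per-user folder with the hidden attribute, an autorun entry, and reconnect attempts at a fixed interval (TCP port 4782 by default, but changeable). The Python script below is an added example, not part of the original post or of the Quasar project; the event schema, paths, addresses, weights and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

DEFAULT_PORT = 4782   # default Quasar listener port named in the post
FLAG_THRESHOLD = 4    # assumption: tune against your own baseline

# Constructed sample telemetry; schema, paths and addresses are hypothetical.
ROAMING = r"C:\Users\alice\AppData\Roaming"
RAT = ROAMING + r"\SubDir\Client.exe"
CHAT = ROAMING + r"\ChatApp\chat.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"


def conns(image, dst, dport, times):
    """Build constructed net_connect events for one image and destination."""
    return [{"type": "net_connect", "ts": t, "image": image,
             "dst": dst, "dport": dport} for t in times]


EVENTS = (
    [{"type": "file_create", "ts": 0, "image": RAT, "hidden": True},
     {"type": "autorun_set", "ts": 1, "image": RAT, "name": "Updater"},
     {"type": "file_create", "ts": 2, "image": CHAT, "hidden": False},
     {"type": "autorun_set", "ts": 3, "image": CHAT, "name": "ChatApp"}]
    # Non-default port on purpose: the post notes the port can be changed.
    + conns(RAT, "203.0.113.10", 8443, [10, 13.0, 16.1, 19.0, 22.0, 25.1])
    + conns(CHAT, "198.51.100.7", 443, [12, 14, 55, 61, 140, 300])
    + conns(BROWSER, "198.51.100.20", 443, [5, 6, 7, 90, 91, 400])
)


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between connections.

    Returns None when there are too few samples to judge regularity.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4 or mean(gaps) <= 0:
        return None
    return pstdev(gaps) / mean(gaps)


def triage(events, max_cv=0.1):
    """Score each process image on the indicators described in the post."""
    facts = defaultdict(lambda: {"hidden": False, "autorun": False,
                                 "conns": defaultdict(list)})
    for e in events:
        f = facts[e["image"].lower()]
        if e["type"] == "file_create":
            f["hidden"] = f["hidden"] or e["hidden"]
        elif e["type"] == "autorun_set":
            f["autorun"] = True
        elif e["type"] == "net_connect":
            f["conns"][(e["dst"], e["dport"])].append(e["ts"])

    report = {}
    for image, f in facts.items():
        reasons = []
        if "\\appdata\\roaming\\" in image:
            reasons.append(("per-user install path", 1))
        if f["hidden"]:
            reasons.append(("hidden file attribute", 1))
        if f["autorun"]:
            reasons.append(("autorun entry", 1))
        for (dst, dport), ts in f["conns"].items():
            cv = interval_cv(ts)
            if cv is not None and cv <= max_cv:
                reasons.append((f"fixed-interval reconnects to {dst}:{dport}", 2))
            if dport == DEFAULT_PORT:
                reasons.append((f"default port {DEFAULT_PORT}", 1))
        score = sum(weight for _, weight in reasons)
        report[image] = {"score": score, "flagged": score >= FLAG_THRESHOLD,
                         "reasons": [text for text, _ in reasons]}
    return report


if __name__ == "__main__":
    for image, result in triage(EVENTS).items():
        print(result["flagged"], result["score"], image, result["reasons"])
```

The benign chat client shares the install path and autorun indicators but stays below the threshold, which is why the timing regularity carries the most weight and the port number the least.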
