RATdriving Development

[o7-machinehum]

RATdriving combines RAT (remote access trojan) deployment and wardriving. The device should...

• Scan for open APs nearby, like a public network
• Join the network
• Portscan all the devices on the network
• Vuln scan all open ports
• Exploit improperly set up SSH, FTP, Telnet, etc...
• Deploy a RAT on the device
• RAT contacts a C2 server
• The RAT should also worm. There is only one application, the RAT itself. This runs on the target and the host (Flipper Blackhat)

Tasks

1. Develop the RAT. I think either Rust or Go are ideal.
2. Find an adequate vuln scanner, Python based seems reasonable.
3. Figure out how to embed the vuln scanner into the RAT?

[Michel666-def]

Great idea — agree that Go or Rust would be ideal for building a portable and cross-compilable RAT.

Go is better suited for easy cross-compilation (Windows/Linux/MIPS/ARM) and network-heavy applications, so that’s the direction I’m currently exploring.

For vuln scanning, I'm testing a lightweight Python-based method using python-nmap with the vulners NSE script. It’s quick enough for Blackhat hardware and returns CVEs via subprocess.

The current setup wraps this scanner into a Go RAT using os/exec, launching targeted scans after ARP/port enumeration. Native Go integration or Nuclei support could be a next step, but this hybrid approach works reliably for now.

Output is pushed to a Telegram bot for logging and remote awareness, which works nicely in low-connectivity setups (e.g. LTE fallback or open Wi-Fi).

[o7-machinehum]

For vuln scanning, I'm testing a lightweight Python-based method using python-nmap with the vulners NSE script. It’s quick enough for Blackhat hardware and returns CVEs via subprocess.

There's an update on this, port_scan.py script here This does quite a bit of the first part, I would suggest ether appending to this script or creating a new script that reads the nmap reports and does something malicious.

FYI for vuln scanning, routerspoit is installed and has been tested. I think this is the most reasonable scanner as we would mostly be looking at routers and other IOT devices poorly configured on these networks.

[Michel666-def]

That makes sense — thanks for clarifying!

I’ll take a closer look at port_scan.py and start by building an add-on script that parses the Nmap Vulners output and ties it to action logic (Telegram alerts or light payloads).

Great to hear RouterSploit is already installed — makes total sense for targeting routers and IoT.
I’ll explore automating specific modules based on detected service banners or CVEs, and hook it into the flow as a post-scan optional attack step.

Will test a few flows over the weekend and follow up with results or a small PR if it fits.

[o7-machinehum]

Awesome! Thanks

…

On Thu, Jun 12, 2025, 11:32 Michel666-def ***@***.***> wrote: *Michel666-def* left a comment (o7-machinehum/flipper-blackhat-os#3) <#3 (comment)> That makes sense — thanks for clarifying! I’ll take a closer look at port_scan.py and start by building an add-on script that parses the Nmap Vulners output and ties it to action logic (Telegram alerts or light payloads). Great to hear RouterSploit is already installed — makes total sense for targeting routers and IoT. I’ll explore automating specific modules based on detected service banners or CVEs, and hook it into the flow as a post-scan optional attack step. Will test a few flows over the weekend and follow up with results or a small PR if it fits. — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAR7G2SLOLMCXV3WB7FTW33DFCLFAVCNFSM6AAAAAB2N727WOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDSNRVHA3DEMBVGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[Michel666-def]

rat_full_protocol_env_ready.zip

Hi Ryan,

I've developed a prototype Go-based RAT that matches the port_scan.py script flow and extends it with active exploitation logic.

Features:

• Bruteforce login attempts on SSH, FTP, Telnet (all default root:root)
• Telegram reporting (via config or env)
• One single Go file: rat.go
• Targets read from targets.txt
• Optional config.json for private Telegram setup
• Fully offline capable (no external dependencies)

Download ZIP: [rat_full_protocol_env_ready.zip]
Optional: happy to create a PR if you'd like it integrated or want a version embedded as .fab command for Blackhat.

Let me know if you want it adapted to /package/blackhat/scripts/.

Thanks for all your work — this project keeps getting better

[o7-machinehum]

This looks great, exactly the type of collaboration I was hoping for when I built the hardware.

I added you as a collaborator, if you want to create a new branch I can PR my changes into this an we can get it merged.

I just have a few small things.

[Michel666-def]

Uploaded rat_protocol_impl.zip to the branch for reference:

• Contains initial structure for Go RAT
• Configurable JSON for Telegram
• build.sh for cross-compilation
• README with goals & instructions

This is just the starting point

[Michel666-def]

Lightweight SD version released – field-tested and fully operational in extended setup

Over the past week we've built and validated a complete field version of the SuperRAT SD module for the Flipper Blackhat OS project. The version released here (superrat_sd_public.zip) is a lightweight variant, carefully stripped of private tokens and configs — ready for public sharing.

🔧 Behind the scenes, the full tested setup includes:

🔁 init.sh handles fallback LTE routing when WiFi fails (ZTE dongle integration confirmed)

💬 Telegram messages are sent automatically via telegram_ping.py and status_writer.py at startup and during key RAT events

🕵️ HTML dashboard (superrat_dashboard.html) serves as visual control panel, loaded via local lighttpd or CGI

🐍 Core Python modules:

    superrat.py, rat_control.py, wifi_scan.py, port_scan.py, update_status.py

⚙️ Go-based worm module embedded (go/rat/superrat.go) with ARM binary compiled

📡 All scripts are routed through SD to keep image modular and easily updatable

This setup was manually tested and confirmed boot-stable from SD card via Blackhat’s A33-based Linux core.
🔐 What’s not in the ZIP (for safety):

No real settings.json with Telegram tokens or chat_id

No .fab or personal automation triggers

No raw /userfs logs or backups — only /sd structure included

[o7-machinehum]

Lightweight SD version released – field-tested and fully operational in extended setup

Over the past week we've built and validated a complete field version of the SuperRAT SD module for the Flipper Blackhat OS project. The version released here (superrat_sd_public.zip) is a lightweight variant, carefully stripped of private tokens and configs — ready for public sharing.

🔧 Behind the scenes, the full tested setup includes:

🔁 init.sh handles fallback LTE routing when WiFi fails (ZTE dongle integration confirmed)

💬 Telegram messages are sent automatically via telegram_ping.py and status_writer.py at startup and during key RAT events

🕵️ HTML dashboard (superrat_dashboard.html) serves as visual control panel, loaded via local lighttpd or CGI

🐍 Core Python modules:

    superrat.py, rat_control.py, wifi_scan.py, port_scan.py, update_status.py

⚙️ Go-based worm module embedded (go/rat/superrat.go) with ARM binary compiled

📡 All scripts are routed through SD to keep image modular and easily updatable

This setup was manually tested and confirmed boot-stable from SD card via Blackhat’s A33-based Linux core. 🔐 What’s not in the ZIP (for safety):

No real settings.json with Telegram tokens or chat_id

No .fab or personal automation triggers

No raw /userfs logs or backups — only /sd structure included

Hey! Thanks for your help. Unfortunately, I can't have a binary image release uploaded where the code isn't available in the main build (it's a security risk)

If you have the source, I can help you integrate this all into the main build, then we have documentation of how all this works and integrate it with the larger platform.

[Michel666-def]

Hi Ryan,

Thanks again for your quick replies and your help so far.

Just to give you an update from our side:
We're currently performing extensive real-world testing on our custom Blackhat OS setup. We’ve added several core modules including:

• Live status.json telemetry, updated via status_writer.py

• Modules for: telegram, scanner, worm, wifi, wifi_scan, lan_scan, autoworm, flipper

• Fully working HTML dashboard (status.html) that fetches and displays live JSON data

• Custom init.sh boot script to launch everything automatically

• Verified LTE fallback, telegram_ping.py, and wifi_scan.py

• AP-mode tested with fallback recovery script (repair_ap.sh)

• New /mnt/sd/ folder structure for scripts/, www/, config/

We’re not yet done—still running stability tests, checking for race conditions, validating interface compatibility (wlo1 vs wlan1), and ensuring webserver/API responses stay consistent.

💡 So before this goes into your main build, we think it’s wise to finalize testing and harden the system.
Once we have everything running stable (including fallback and watchdog behavior), I’ll push a full ZIP with:

Clean source
Blackhat-defconfig
post-image.sh, init.sh, genimage.cfg
Rootfs-overlay with CGI+HTML portals
All Python modules and daemons

Thanks again and keep you posted.

Cheers,
Michel