1. Gain access to systems with Trojans
The lab tasks in this exercise demonstrate how easily hackers can gain access to the target systems in the organization and create a covert communication channel for transferring sensitive data.
njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it is capable of accessing a victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop.
Download and run the trojan software. A [Port Now] pop-up appears; leave the port number at its default and click OK.
The njRAT GUI appears; click the [Build] button located in the lower-left corner of the GUI to configure the exploit details.
The Builder dialog box appears; enter the IP address of the Windows 11 machine (the attacker machine) in the Host field, check the options Randomize Stub, USB Spread Nj8d, and Protect Prosess [BSOD], leave the other settings at their defaults, and click Build.
In this task, the IP address of the Windows 11 machine is 10.10.1.11.
The Save As window appears; specify a location to store the server, rename it, and click Save.
In this lab, the destination location chosen is Desktop, and the file is named Test.exe.
Once the server is created, the Done Successfully! pop-up appears; click OK.
A Server pop-up appears; click OK.
Now, use any technique to send this server to the intended target, through email or any other source (in a real attack, attackers send this server to the victim).
Here, you are acting both as an attacker who logs into the Windows 11 machine to create a malicious server, and as a victim who logs into the Windows Server 2022 machine and downloads the server.
Double-click the server (Test.exe) to run this malicious executable.
Click Windows 11 to switch back to the Windows 11 machine. Maximize the njRAT GUI window. As soon as the victim (here, you) double-clicks the server, the executable starts running and the njRAT client (njRAT GUI) running on Windows 11 establishes a persistent connection with the victim machine, as shown in the screenshot.
Unless the attacker working on the Windows 11 machine disconnects the server on their own, the victim machine remains under their control.
The GUI displays the machine’s basic details such as the IP address, User name, and Type of Operating system.
Right-click the detected victim name, hover the cursor over Manager, and click File Manager in the context menu.
The File Manager window appears. Double-click any directory in the left pane (here, ProgramData); all its associated files and directories are displayed in the right pane. You can right-click a selected directory and manipulate it using the contextual options. Close the File Manager window.
Right-click the detected victim name, hover the cursor over Manager, and click Process Manager in the context menu.
You will be redirected to the Process Manager, where you can click on a selected process and perform actions such as Suspend, Kill + Delete, Kill, and Refresh.
Close the Process Manager window.
Right-click the detected victim name, hover the cursor over Manager, and click Registry in the context menu.
A window showing the registry folders opens; choose a registry directory from the left pane and right-click its associated registry files.
A few options appear for the files; you can use these to manipulate them. Close the window displaying Registry folders.
Right-click the detected victim name, hover the cursor over Manager, and click Remote Shell in the context menu.
This launches a remote command prompt for the victim machine (Windows Server 2022).
In the text field present in the lower section of the window, type the command ipconfig/all and press Enter.
This displays all interfaces related to the victim machine, as shown in the screenshot.
Similarly, you can issue all other commands that can be executed in the command prompt of the victim machine. Close the Remote Shell window.
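A defender's view of the session described above, as an added example that is not part of the original lab: the script correlates simplified Sysmon-style records to flag a process that runs from a user-writable folder, opens a network connection, and parents a command shell. The records, PIDs, user name and port are constructed, and it is an assumption that the Remote Shell appears as a cmd.exe child of the server process.

```python
import re

# Constructed, simplified Sysmon-style records (Event ID 1 = process creation,
# 3 = network connection). PIDs, user name and ports are made up; the file
# name Test.exe and the address 10.10.1.11 are the ones used in the lab text.
# Real Sysmon data should be correlated on ProcessGuid, since PIDs are reused.
EVENTS = [
    {"id": 1, "ProcessId": 4120, "ParentProcessId": 3300,
     "Image": r"C:\Users\Administrator\Desktop\Test.exe", "CommandLine": "Test.exe"},
    {"id": 3, "ProcessId": 4120, "DestinationIp": "10.10.1.11", "DestinationPort": 5000},
    {"id": 1, "ProcessId": 5288, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Benign: installed program that connects out but never spawns a shell.
    {"id": 1, "ProcessId": 2200, "ParentProcessId": 3300,
     "Image": r"C:\Program Files\Browser\browser.exe", "CommandLine": "browser.exe"},
    {"id": 3, "ProcessId": 2200, "DestinationIp": "10.10.1.50", "DestinationPort": 443},
    # Benign: per-user updater that connects out but never spawns a shell.
    {"id": 1, "ProcessId": 6100, "ParentProcessId": 3300,
     "Image": r"C:\Users\Administrator\AppData\Local\App\updater.exe", "CommandLine": "updater.exe"},
    {"id": 3, "ProcessId": 6100, "DestinationIp": "10.10.1.60", "DestinationPort": 443},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}

def find_rat_like(events):
    """Return one finding per process that runs from a user-writable path,
    opens a network connection, and is the parent of a command shell."""
    images, conns, shells = {}, {}, {}
    for e in events:
        if e["id"] == 1:
            images[e["ProcessId"]] = e["Image"]
            if e["Image"].rsplit("\\", 1)[-1].lower() in SHELLS:
                shells.setdefault(e["ParentProcessId"], []).append(e["CommandLine"])
        elif e["id"] == 3:
            conns.setdefault(e["ProcessId"], set()).add(
                (e["DestinationIp"], e["DestinationPort"]))
    findings = []
    for pid, image in images.items():
        if USER_WRITABLE.search(image) and pid in conns and pid in shells:
            findings.append({"pid": pid, "image": image,
                             "peers": sorted(conns[pid]), "shells": shells[pid]})
    return findings

if __name__ == "__main__":
    print(find_rat_like(EVENTS))
```

Requiring all three conditions together keeps the updater and the browser out of the results, which is why the rule is a correlation rather than a match on any single event.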
Start the server on the victim machine and then use the client to connect to it.