suim3662/Remora

🛡️ Remora - Secure remote Windows access tool

Download Remora

Remora provides a simple way to manage remote Windows systems. It uses the Go programming language to maintain a connection between your computer and a remote host. Security teams use this tool to test system defenses and learn about network traffic.

📋 System Requirements

Remora works on most modern Windows systems. Ensure your machine meets these specifications:

  • Windows 10 or Windows 11.
  • A stable network connection.
  • Administrative permissions on the host machine.
  • Windows Defender or third-party antivirus software might flag the application as a security tool. You may need to create an exclusion for the folder where you save the file.

📥 Downloading Remora

You can retrieve the latest version of the software from the official project page. Follow these steps to obtain the files:

  1. Visit this page to download.
  2. Look for the "Assets" section at the bottom of the latest release.
  3. Select the file ending in .exe that matches your Windows architecture, usually remora-windows-amd64.exe.
  4. Save the file to a folder you can easily find, such as your Downloads or Documents folder.

⚙️ Setting Up Your Environment

Before you run the tool, verify your network settings. Remora establishes a reverse connection. This means the agent on the remote machine connects out to your listener and then waits for commands from it. You must configure your firewall to allow traffic on the specific port you choose for communication.

If you test this in a home lab, ensure both the target machine and your management machine belong to the same virtual network. Disable any deep packet inspection tools during initial testing to avoid connection drops.

🚀 Running the Application

Once you download the executable file, you must run it through the Windows Command Prompt or PowerShell. The tool does not have a graphical interface.

  1. Open the folder containing the remora.exe file.
  2. Hold the Shift key and right-click inside the folder.
  3. Select "Open PowerShell window here" or "Open in Terminal".
  4. Type the following command to see the available options: .\remora.exe --help
  5. To start a basic listener, use the command: .\remora.exe listen --port 8080.

The application reports that it is waiting for an incoming connection. At this stage, the tool monitors the specified port for a handshake from the remote agent.

🧩 Understanding the Features

Remora includes several built-in functions designed for security professionals and researchers.

  • Reverse Shell: Establishes a command-line connection back to the operator.
  • TLS Encryption: Encrypts all data sent between the two machines to keep your traffic private.
  • Persistence: Allows the tool to restart automatically if the computer reboots.
  • Asset Inventory: Gathers basic system information from the target machine upon successful connection.

🛡️ Security Best Practices

Use this tool only on systems you own or have explicit permission to test. Unauthorized access remains illegal in many jurisdictions.

Follow these steps to maintain safety:

  • Always operate within a controlled network environment.
  • Keep logs of your testing activity to track changes made to the target system.
  • Use strong passwords for any administrative accounts accessed through the shell.
  • Verify the file hash after downloading to ensure the integrity of the binary.

🛠️ Troubleshooting Connections

If the connection fails to establish, check these common points of failure:

  • Firewall Rules: Ensure both the outbound and inbound rules permit traffic on your selected port.
  • Antivirus Interference: Confirm that your security software did not quarantine the file. Check the protection history in Windows Security.
  • Network Path: Verify that the target machine can reach the IP address of your listener. You can test this using the ping command.
  • Port Conflicts: Another service might use the port you selected. Try changing the port to a different number, such as 9090.

📖 Frequently Asked Questions

  • Does this tool work over the internet? Yes, provided you have a public IP address or use a port-forwarding service on your router.
  • Can I detect this traffic? Yes, security monitoring tools often identify common patterns in reverse TCP traffic. Use this for education on how to improve your own security posture.
  • Does it work on older versions of Windows? The tool targets Windows 10 and 11, but it may function on Windows Server 2016 or newer variants.
  • Is the source code available? The project relies on open-source principles. You can inspect the Go code located in the repository folders to understand how the network packets work.

📝 Configuration Options

You can customize the behavior of Remora using flags. View the full list of options by entering the command .\remora.exe --help. Common flags include:

  • --host: Defines the listener IP address.
  • --port: Sets the network port for communication.
  • --interval: Changes how often the agent checks in with the listener.
  • --tls-cert: Points to a custom certificate file for encrypted connections.

Each flag changes how the agent behaves once it runs on the target system. Use these settings to tailor the tool for your specific learning goals in cybersecurity labs.
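For the detection side mentioned in the FAQ: an agent that checks in on a fixed --interval produces near-periodic connections to one destination, which stays visible in connection logs even when TLS hides the payload. The Go sketch below is an added example, not code from the Remora repository; the log format, addresses and thresholds are constructed assumptions, and it expects the log in chronological order.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// Constructed sample, chronological: "RFC3339-time source destination:port".
const sampleLog = `2024-05-01T10:00:00Z 10.0.0.5 203.0.113.10:8080
2024-05-01T10:00:05Z 10.0.0.7 198.51.100.20:443
2024-05-01T10:00:07Z 10.0.0.7 198.51.100.20:443
2024-05-01T10:00:30Z 10.0.0.5 203.0.113.10:8080
2024-05-01T10:01:01Z 10.0.0.5 203.0.113.10:8080
2024-05-01T10:01:30Z 10.0.0.5 203.0.113.10:8080
2024-05-01T10:01:40Z 10.0.0.7 198.51.100.20:443
2024-05-01T10:02:00Z 10.0.0.5 203.0.113.10:8080
2024-05-01T10:04:10Z 10.0.0.7 198.51.100.20:443`

// FindBeacons maps each near-periodic flow to its mean interval in seconds.
func FindBeacons(log string, minConns int, maxCV float64) map[string]float64 {
	seen := map[string][]time.Time{} // flow -> connection times
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		if f := strings.Fields(line); len(f) == 3 { // skip malformed lines
			if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
				seen[f[1]+" -> "+f[2]] = append(seen[f[1]+" -> "+f[2]], ts)
			}
		}
	}
	out := map[string]float64{}
	for flow, ts := range seen {
		var sum, sq float64 // sum and sum of squares of the gaps
		for i := 1; i < len(ts); i++ {
			d := ts[i].Sub(ts[i-1]).Seconds()
			sum, sq = sum+d, sq+d*d
		}
		n := float64(len(ts) - 1)
		mean := sum / n
		cv := math.Sqrt(math.Max(sq/n-mean*mean, 0)) / mean // stddev / mean
		if len(ts) >= minConns && mean > 0 && cv <= maxCV {
			out[flow] = mean // low jitter across enough connections
		}
	}
	return out
}

func main() {
	fmt.Println(FindBeacons(sampleLog, 4, 0.1))
}
```

Agents that add random jitter to their check-in raise the coefficient of variation, so maxCV has to be tuned against the noise floor of normal traffic on the monitored network.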

About

Implement a Go-based Windows reverse shell featuring encrypted TLS communication, persistent connectivity, and automated reconnection logic.

Releases

No releases published
