2020-05-10 22:08:50 +02:00
|
|
|
# pwncat
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
pwncat is a raw bind and reverse shell handler. It streamlines common red team
|
2020-05-11 01:55:47 +02:00
|
|
|
operations and all staging code is from your own attacker machine, not the target.
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
After receiving a connection, **pwncat** will setup some
|
|
|
|
common configurations when working with remote shells.
|
|
|
|
|
|
|
|
- Unset the `HISTFILE` environment variable to disable command history
|
2020-05-07 04:01:08 +02:00
|
|
|
- Normalize shell prompt
|
|
|
|
- Locate useful binaries (using `which`)
|
|
|
|
- Attempt to spawn a pseudoterminal (pty) for a full interactive session
|
|
|
|
|
|
|
|
`pwncat` knows how to spawn pty's with a few different methods and will
|
|
|
|
cross-reference the methods with the executables previously enumerated. After
|
|
|
|
spawning a pty, it will setup the controlling terminal in raw mode, so you can
|
|
|
|
interact in a similar fashion to `ssh`.
|
|
|
|
|
|
|
|
`pwncat` will also synchronize the remote pty settings (such as rows, columns,
|
|
|
|
`TERM` environment variable) with your local settings to ensure the shell
|
|
|
|
behaves correctly.
|
|
|
|
|
2020-05-12 19:53:28 +02:00
|
|
|
To showcase a little bit of the cool functionality, I have recorded a short
|
|
|
|
[asciinema cast](https://asciinema.org/a/YFF84YCJfp9tQHhTuGkA2PJ4T).
|
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
## Install
|
|
|
|
|
|
|
|
To install **pwncat** into its own python virtual environment:
|
|
|
|
|
|
|
|
``` bash
|
|
|
|
git clone https://github.com/calebstewart/pwncat/ # get pwncat
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
cd pwncat
|
|
|
|
sudo apt-get install python3-devel # install dependencies
|
|
|
|
python3 -m venv .venv
|
|
|
|
.venv/bin/pip install -r requirements.txt
|
|
|
|
.venv/bin/python3 setup.py install
|
|
|
|
|
|
|
|
. .venv/bin/activate # activate the virtual environment
|
|
|
|
```
|
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
```bash
|
|
|
|
# start a reverse shell listener on port 9999
|
|
|
|
python -m pwncat -r -p 9999
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
# access a bind shell on a given host and port
|
|
|
|
python -m pwncat -b -H 127.0.0.1 -p 9999
|
|
|
|
```
|
|
|
|
|
|
|
|
## Features and Functionality
|
|
|
|
|
|
|
|
**pwncat** allows you to local command interpreter at any time by getting to a blank
|
2020-05-07 04:12:39 +02:00
|
|
|
line and pressing the sequence `~C` (that's ``Shift+` `` then `Shift+c`). This new
|
2020-05-07 04:01:08 +02:00
|
|
|
prompt provides some basic interaction between your local host and the remote
|
|
|
|
host.
|
|
|
|
|
|
|
|
When at this prompt, you can return to your shell at any time with `C-d` or the
|
|
|
|
"back" command. To get a list of available commands, you can use `help`. At the
|
|
|
|
time of writing the following commands are supported:
|
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
```
|
|
|
|
(local) pwncat$ help
|
|
|
|
back Exit command mode
|
|
|
|
download Download a file from the remote host
|
|
|
|
help View help for local commands
|
|
|
|
privesc Attempt privilege escalation
|
|
|
|
reset Reset the remote terminal (calls sync, reset, and sets PS1)
|
|
|
|
set Set or view the currently assigned variables
|
|
|
|
sync Synchronize the remote PTY with the local terminal settings
|
|
|
|
upload Upload a file to the remote host
|
|
|
|
```
|
|
|
|
|
|
|
|
### Transfering Files
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
Within the local prompt, you have the capability to `upload` and
|
|
|
|
`download` files to and from the target. **pwncat** will attempt to
|
|
|
|
determine a `lhost` IP address to refer to your attacker machine, but if you
|
|
|
|
need to change this, you can modify the variable like so:
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
```bash
|
|
|
|
# change local host IP address if you need to
|
|
|
|
(local) pwncat$ set lhost "8.8.8.8"
|
|
|
|
```
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
The logic to transfer files is defined in `pwncat/uploaders` and
|
|
|
|
`pwncat/downloaders` respectively. **pwncat** will smartly determine a usable
|
|
|
|
method to transfer files, but you can choose a specific one with the
|
|
|
|
`--method` option.
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
```bash
|
|
|
|
usage: upload [-h] [--method {nc,curl,shell,bashtcp,wget}] [--output OUTPUT] path
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
positional arguments:
|
|
|
|
path path to the file to upload
|
|
|
|
|
|
|
|
optional arguments:
|
|
|
|
-h, --help show this help message and exit
|
|
|
|
--method, -m {nc,curl,shell,bashtcp,wget}
|
|
|
|
set the download method (default: auto)
|
|
|
|
--output OUTPUT, -o OUTPUT
|
|
|
|
path to the output file (default: basename of input)
|
2020-05-07 04:01:08 +02:00
|
|
|
```
|
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
```bash
|
|
|
|
usage: download [-h] [--method {nc,curl,shell,bashtcp,raw}] [--output OUTPUT] path
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
positional arguments:
|
|
|
|
path path to the file to download
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
optional arguments:
|
|
|
|
-h, --help show this help message and exit
|
|
|
|
--method, -m {nc,curl,shell,bashtcp,raw}
|
|
|
|
set the download method (default: auto)
|
|
|
|
--output OUTPUT, -o OUTPUT
|
|
|
|
path to the output file (default: basename of input)
|
|
|
|
```
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
The methods that **pwncat** can transfer files with are as follows:
|
2020-05-10 16:59:19 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
```
|
|
|
|
Both:
|
|
|
|
nc netcat socket with random port -- requires port to be accessible
|
|
|
|
curl HTTP request with port 80 -- requires curl on the target
|
|
|
|
shell send echo and base64 -- no requirements, but can be slow
|
|
|
|
bashtcp reuse the current socket -- no requirements
|
|
|
|
Upload specific:
|
|
|
|
wget HTTP request with port 80 -- requires wget on the target
|
|
|
|
|
|
|
|
Download specific:
|
|
|
|
raw read file contents and save to attacker -- no requirements
|
|
|
|
```
|
2020-05-10 16:59:19 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
### Privilege Escalation
|
|
|
|
|
|
|
|
**pwncat** can attempt to perform privilege escalation with known techniques.
|
|
|
|
It will look for binaries on the target system that have known GTFOBins
|
|
|
|
capabilities, and perform different methods to try and reach new users and
|
|
|
|
ultimately root.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
usage: privesc [-h] [--list] [--all]
|
|
|
|
[--user {root,caleb,john,sean,etc}]
|
|
|
|
[--max-depth MAX_DEPTH] [--read READ] [--write WRITE] [--data DATA] [--text]
|
|
|
|
|
|
|
|
optional arguments:
|
|
|
|
-h, --help show this help message and exit
|
|
|
|
--list, -l do not perform escalation. list potential escalation methods
|
|
|
|
--all, -a when listing methods, list for all users. when escalating, escalate to
|
|
|
|
root.
|
|
|
|
--user {root,caleb,john,sean,etc}
|
|
|
|
the target user
|
|
|
|
--max-depth MAX_DEPTH, -m MAX_DEPTH
|
|
|
|
Maximum depth for the privesc search (default: no maximum)
|
|
|
|
--read READ, -r READ remote filename to try and read
|
|
|
|
--write WRITE, -w WRITE
|
|
|
|
attempt to write to a remote file as the specified user
|
|
|
|
--data DATA, -d DATA the data to write a file. ignored if not write mode
|
|
|
|
--text, -t whether to use safe readers/writers
|
|
|
|
```
|
2020-05-10 16:59:19 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
**pwncat** will try and run all known privilege escalation techniques.
|
|
|
|
The current methods that are supported by `privesc` are:
|
2020-05-10 16:59:19 +02:00
|
|
|
|
|
|
|
```
|
2020-05-10 22:08:50 +02:00
|
|
|
sudo Run available sudo commands with GTFOBins techniques
|
|
|
|
setuid Run available setuid binaries with GTFOBins techniques
|
|
|
|
screen Abuse screen-4.5.0 (CVE-2017-5618)
|
|
|
|
dirtycow Run DirtyCow exploit (CVE-2016-5195)
|
|
|
|
```
|
|
|
|
|
|
|
|
### BusyBox
|
2020-05-10 16:59:19 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
If the target system does not have many useful "live-off-the-land" binaries,
|
|
|
|
**pwncat** can upload an appropriate copy of `busybox` in order to access more
|
|
|
|
commands.
|
2020-05-10 16:59:19 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
## Planned Features
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
**pwncat** would like to be come a red team swiss army knife. Hopefully soon,
|
|
|
|
more features will be added.
|
2020-05-07 04:01:08 +02:00
|
|
|
|
2020-05-10 22:08:50 +02:00
|
|
|
* More privilege escalation methods (sudo -u#-1 CVE, LXD containers, etc.)
|
|
|
|
* More transfer file methods (FTP, SMB, DNS, ICMP, etc. )
|
|
|
|
* Persistence methods (bind shell, cronjobs, SSH access, PAM abuse, etc.)
|
|
|
|
* Aggression methods (spam randomness to terminals, flush firewall, etc.)
|
|
|
|
* Meme methods (terminal-parrot, cowsay, wall, etc.)
|
2020-05-12 19:53:28 +02:00
|
|
|
* Network methods (port forward, internet access through host, etc.)
|