2020-05-19 22:24:19 +02:00
Installation
============

.. toctree::
   :maxdepth: -1

The only system dependency for pwncat is ``python3`` and ``pip``. For ``pip`` to install all Python dependencies,
you will likely need your distribution's Python development package (``python3-dev`` for Debian-based distributions).
Once you have a working ``pip`` installation, you can install pwncat with the provided setup script:

.. code-block:: bash

   # A virtual environment is recommended
   python -m venv /opt/pwncat
   # Install pwncat within the virtual environment
   /opt/pwncat/bin/pip install git+https://github.com/calebstewart/pwncat
   # This allows you to use pwncat outside of the virtual environment
   ln -s /opt/pwncat/bin/pwncat /usr/local/bin

After installation, you can use pwncat via the installed script:

.. code-block:: bash

   $ pwncat --help
   usage: pwncat [-h] [--config CONFIG] [--identity IDENTITY] [--listen]
                 [--platform PLATFORM] [--port PORT] [--list]
                 [[protocol://][user[:password]@][host][:port]] [port]

   Start interactive pwncat session and optionally connect to existing victim
   via a known platform and channel type. This entrypoint can also be used to
   list known implants on previous targets.

   positional arguments:
     [protocol://][user[:password]@][host][:port]
                           Connection string describing victim
     port                  Alternative port number to support netcat-style
                           syntax

   optional arguments:
     -h, --help            show this help message and exit
     --config CONFIG, -c CONFIG
                           Custom configuration file (default: ./pwncatrc)
     --identity IDENTITY, -i IDENTITY
                           Private key for SSH authentication
     --listen, -l          Enable the `bind` protocol (supports netcat-style
                           syntax)
     --platform PLATFORM, -m PLATFORM
                           Name of the platform to use (default: linux)
     --port PORT, -p PORT  Alternative way to specify port to support netcat-
                           style syntax
     --list                List installed implants with remote connection
                           capability

Windows Plugin Binaries
-----------------------

The Windows target utilizes .Net binaries to stabilize the connection and bypass
various defenses present on Windows targets. The base Windows C2 utilizes two DLLs
named ``stageone.dll`` and ``stagetwo.dll``. Stage One is a simple reflective loader.
It reads the encoded and compressed contents of Stage Two and executes it
reflectively. Stage Two contains the actual meat of the C2 framework.

Further, the Stage Two C2 framework provides the ability to reflectively load other
.Net assemblies and execute their methods. The loaded assemblies must conform to the
pwncat plugin API. These APIs are not generally accessible from the interactive
session, and are intended primarily for the Python API.

Plugins are stored at the path specified by the ``plugin_path`` configuration value.
By default, this configuration points to ``~/.local/share/pwncat``, but it can be changed
in your configuration file. If a plugin does not exist when it is requested, the appropriate
version will be downloaded via a URL tracked within pwncat itself.

If your attacking machine will not have direct internet access, you can prestage the
plugin binaries in two ways. The easiest is to connect your attacking machine to
the internet and use the ``--download-plugins`` argument:

.. code-block:: bash

   pwncat --download-plugins

This command will place all built-in plugins in the plugin directory for you. Alternatively,
if you are using a release version of pwncat, you can download a prepackaged tarball of all
built-in plugins from the GitHub releases page. You can then extract it into your plugin path:

.. code-block:: bash

   # Replace {version} with your pwncat version
   cd ~/.local/share/pwncat
   wget https://github.com/calebstewart/pwncat/releases/download/{version}/pwncat-plugins-{version}.tar.gz
   tar xvzf pwncat-plugins-{version}.tar.gz
   rm pwncat-plugins-{version}.tar.gz

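As an added example that is not part of the pwncat documentation or project: a small POSIX shell helper for the offline prestaging above that records the tarball's SHA-256 on the connected machine and refuses to extract into the plugin path on the offline machine unless the digest matches. It assumes the release URL layout shown above, coreutils ``sha256sum``, and uses ``PWNCAT_PLUGIN_PATH`` as a hypothetical environment variable standing in for ``plugin_path``.

```shell
#!/bin/sh
# Added example, not part of pwncat: prestage the plugin tarball with an
# integrity check, so that the binaries copied to an offline machine are the
# ones that were downloaded from the release page.
# Assumptions: the GitHub release URL layout from the docs, sha256sum from
# coreutils, and PWNCAT_PLUGIN_PATH as a hypothetical stand-in for plugin_path.

PWNCAT_PLUGIN_PATH="${PWNCAT_PLUGIN_PATH:-$HOME/.local/share/pwncat}"

# Run on the connected machine: download the tarball for version $1 into the
# current directory and print its SHA-256 digest to record alongside it.
fetch_plugins() {
    version="$1"
    tarball="pwncat-plugins-${version}.tar.gz"
    url="https://github.com/calebstewart/pwncat/releases/download/${version}/${tarball}"
    wget -q -O "$tarball" "$url" || return 1
    sha256sum "$tarball" | cut -d' ' -f1
}

# Run on the offline machine: compare tarball $1 against the recorded digest $2
# and extract it into $3 (default: the plugin path). Returns 1 and leaves the
# plugin path untouched when the digest does not match.
stage_plugins() {
    tarball="$1"
    expected="$2"
    dest="${3:-$PWNCAT_PLUGIN_PATH}"
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest"
}
```

Record the digest printed by ``fetch_plugins`` out of band and pass it to ``stage_plugins`` on the offline machine; a mismatch is a signal to re-download rather than to extract.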
Development Environment
-----------------------

If you would like to develop modules for pwncat (such as privilege escalation or persistence modules), you can use
the ``setuptools`` "develop" target instead of "install". This installs pwncat via symlinks, which means any
modifications of the local code will be reflected in the installed package:

.. code-block:: bash

   git clone https://github.com/calebstewart/pwncat.git
   cd pwncat
   python -m venv env
   . env/bin/activate
   python setup.py develop