1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-12-01 04:44:14 +01:00
pwncat/docs/source/commands/connect.rst

137 lines
6.7 KiB
ReStructuredText
Raw Normal View History

Connect
=======
The ``connect`` command is used to connect to a remote victim. It can be used to catch a reverse shell, open a bind
shell, utilize legitimate SSH credentials, or reconnect via a previous persistence methood to a known host.
This command is also the command which is run if you pass arguments to the external ``pwncat`` script. All arguments
to ``pwncat`` are passed directly to the ``connect`` command at startup. If no connection is made during this command,
``pwncat`` will automatically exit after command completion.
The ``connect`` command is only accessible prior to an active connection. If you attempt to run this command after a
connection has been established, it will not attempt a new connection and will not load your configuration script.
Because the ``pwncat`` prompt is only accessible after a connection, this command is effectively only useful
when used as the arguments to the main ``pwncat`` application or in configuration scripts. Replacing ``connect``
with ``pwncat`` in any examples below will also function the same way at startup.
Catching a Reverse Shell
------------------------
Reverse shell listeners are started with the ``--listen`` parameter. This mode requires the ``--host`` and ``--port``
parameters as well. If ``--host`` is not specified, it is assumed to be ``0.0.0.0`` to bind to all interfaces. To
listen for incoming shell connections on port 4444, you could issue a command like:
.. code-block::
connect -l -H 0.0.0.0 -p 4444
Connecting to a Bind Shell
--------------------------
Making an outbound connection to a bind shell is accomplished through the ``--connect`` parameter. This mode requires
both the ``--host`` and ``--port`` parameters to be specified.
.. code-block::
connect -c -H 1.1.1.1 -p 4444
Connecting to an SSH Server
---------------------------
If you have valid credentials to a remote SSH server, but would like to utilize ``pwncat`` to manage your session, you
can use the ``--ssh`` option. This mode requires the ``--host``, ``--user``, and ``--port`` options. If no port is
specified, it will default to ``22``. Along with these options, you must specify either a ``--password`` or ``--identity``
for the remote password or private key identity file respectively. ``pwncat`` will use Paramiko to connect to the
victim and establish a PTY shell. It will then act normally and provide you access to this shell. All normal ``pwncat``
features are still available over the SSH transport!
.. code-block::
:caption: Connecting with a known password
connect -s -H 1.1.1.1 -u root -p "P@ssw0rd"
.. code-block::
:caption: Connection with a known private key
connect -s -H 1.1.1.1 -u root -i "./exfiled-privkey"
Listing Known Persistence Methods
---------------------------------
The ``connect`` command has the ability to query the database for all known remote hosts and list installed persistence
methods. It also provides the ability to leverage installed persistence methods to reconnect to a specific host. This
allows you to easily re-establish your session after disconnection if you installed some form of persistence.
In ``pwncat`` hosts are identified by a "host hash". This has is generated by combining some unique data taken from the
remote host the last time a session was established and should be unique across all hosts (unlike IP addresses). The
ideal way to reference a remote host is by it's host hash. With an open session, you can retrieve your host hash with
the ``sysinfo`` command. To retrieve known hosts with persistence methods after disconnection, you can use the
``--list`` option to the ``connect`` command:
.. code-block::
:caption: Retrieving a list of known hosts
$ pwncat -C data/pwncatrc --list
1.1.1.1 - debian - d87b9646813d250ac433decdee70112a
- pam as system
- authorized_keys as debian
When reconnecting to a host, you will need either the host hash or the IP address. While the host hash is preferred,
``pwncat`` will lookup a host by IP address in the database. In cases where multiple hosts are NAT'd behind a single
IP address, ``pwncat`` will choose the first host from the database with a matching IP address.
Reconnecting to a Victim
------------------------
Once you have your victim's IP address or host hash, you are ready to reconnect. Reconnecting is simple and automatic in
most cases. The simplest option is to supply the victim IP or host hash to the ``--host`` parameter and specify the
``--reconnect`` option. This will try each persistence method individually until one succeeds in a session:
.. code-block::
$ pwncat -C data/pwncatrc -r -H d87b9646813d250ac433decdee70112a
[+] setting terminal prompt
[+] running in /bin/bash
[+] terminal state synchronized
[+] pwncat is ready 🐈
(remote) debian@debian-s-1vcpu-1gb-nyc1-01:~$
If you have installed multiple persistence methods for multiple users, you can also specify a persistence method or user
to connect with. If only one of ``--method`` or ``--user`` is specified, all methods matching your search will be tried.
For example, specifying only ``method`` will cause ``pwncat`` to attempt each user for which that method is installed.
On the other hand, specifying only ``--user`` will cause ``pwncat`` to attempt connection with every method which
offers persistence as that user. When both are specified, only the exact matching persistence method will be attempted.
Automated Connection w/ Configuration Script
--------------------------------------------
Configuration scripts are expected to be used on an engagement basis. If you have made a connection to victim and have
installed persistence methods, you can add your connect command to your configuration script in order to simply
connection in the future. For example, if you have made a previous connection to the host ``1.1.1.1`` and would like
``pwncat`` to automatically reconnect to that host on startup, you could create a configuration script:
.. code-block:: bash
:caption: pwncatrc - configuration script
# Ensure pwncat knows about your database
set db "sqlite:///engagement.sqlite"
# Automatically attempt reconnection to your host via authorized_keys
# as the root user
connect --reconnnect --host 1.1.1.1 -m authorized_keys -u root
With this script, ``pwncat`` will attempt to connect to the specified host without any other parameters. This simplifies
the ``pwncat`` command if you intend to connect/reconnect multiple times.
.. code-block:: bash
:caption: Simplified Reconnection w/ Configuration Script
$ pwncat -C data/pwncatrc
[+] setting terminal prompt
[+] running in /usr/bin/bash
[+] terminal state synchronized
[+] pwncat is ready 🐈
(remote) root@pwncat-centos-testing:~#