diff --git a/CHANGELOG.md b/CHANGELOG.md index 04d690c..0f6320a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ and simply didn't have the time to go back and retroactively create one. - Changed some 'red' warning message color to 'yellow' - Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181)) - Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter` +- Removed `busybox` and `bruteforce` commands from documentation. ## [0.4.3] - 2021-06-18 Patch fix release. Major fixes are the correction of file IO for LinuxWriters and diff --git a/docs/source/commands/bruteforce.rst b/docs/source/commands/bruteforce.rst deleted file mode 100644 index 30ae5cb..0000000 --- a/docs/source/commands/bruteforce.rst +++ /dev/null 
@@ -1,35 +0,0 @@ -Bruteforce -========== - -The ``bruteforce`` command is used to bruteforce authentication of a user locally. It will use the ``su`` command to -iteratively try every password for a given user. This is very slow, but does technically work. If no wordlist is -specified, the default location of ``rockyou.txt`` in Kali Linux is chosen. This may or may not exist for your system. - -.. warning:: - This command is very noisy in log files. Each failed authentication is normally logged by any modern - linux distribution. Further, if account lockout is enabled, this will almost certainly lockout the - targeted account! - -Selecting a User ----------------- - -Individual users are selected with the ``--user`` argument. This argument can be passed multiple times to test multiple -users in one go. To use the default dictionary to test the root and bob users, you would issue a command like: - -.. code-block:: bash - - bruteforce -u root -u bob - -User names are automatically tab-completed at the pwncat prompt for your victim host. - -Selecting a Wordlist --------------------- - -Word lists are specified with the ``--dictionary`` parameter. This parameter is a path to a file on your attacking -host which contains a list of passwords to attempt for the selected users. If a correct password is found, it is stored -in the databaase, and the search is aborted for that user. To select a custom database, you would issue a command like: - -.. code-block:: bash - - bruteforce -d /opt/my-favorite-repo/my-favorite-wordlist.txt -u root - diff --git a/docs/source/commands/busybox.rst b/docs/source/commands/busybox.rst deleted file mode 100644 index 4905461..0000000 --- a/docs/source/commands/busybox.rst +++ /dev/null 
@@ -1,79 +0,0 @@ -Busybox -======= - -pwncat works by try as much as possible not to depend on specific binaries on the remote system. It does this -most of the time by selecting an unidentified existing binary from the GTFOBins database in order to perform a -generic capability (e.g. file read, file write or shell). However, sometimes a critical binary is missing on the -target host which has been removed (either maliciously or never installed). In these situations, obtaining a stable -version of all basic binaries is very helpful. To this end, pwncat has the capability to automatically upload a -copy of the ``busybox`` program to the remote host. - -The ``busybox`` command manages the installation, status, and removal of the installed busybox. Installing busybox lets -pwncat know that it has a list of standard binaries with known good interfaces easily accessible. The ``busybox`` -command also understands how to locate a ``busybox`` binary precompiled for the victim architecture and upload it -through the existing C2 channel. The new busybox installation will be installed in a temporary directory, and any -further automated tools within pwncat will use it's implementation of common unix tools. - -Installation ------------- - -To install busybox on the remote victim, you can use the ``--install`` option to the ``busybox`` command. This will -first check for an existing, distribution specific, installation on the remote host. If the ``busybox`` command exists, -it will utilize that vice installing a new copy. If it doesn't, it will begin proxying a connection to the official -busybox servers to upload a busybox binary specific to the victim architecture. - -After installation, pwncat will examine the endpoints provided by busybox, and remove any that are provided SUID by -the remote system. This prevents pwncat from replacing the real ``su`` binary with ``busybox su`` in it's database. - -.. 
code-block:: - - (local) pwncat$ busybox --install - uploading busybox for x86_64 - 100.0% [==================================================>] 1066640/1066640 eta [00:00] - [+] uploaded busybox to /tmp/busyboxIu1gu - [+] pruned 164 setuid entries - (local) pwncat$ - -Status and Applet List ----------------------- - -To check if busybox has been installed and is known by pwncat (for example from a previous session), you can use the -``--status`` option. This is the default action, and can be accessed by passing no parameters to ``busybox``: - -.. code-block:: bash - - (local) pwncat$ busybox - [+] busybox is installed to: /tmp/busyboxIu1gu - [+] busybox provides 232 applets - (local) pwncat$ - -If you would like to see a list of binaries which busybox is currently providing for pwncat, you can use the ``--list`` -option. This is normally a large list (232 lines in this case), but it is provided for completeness sake. - -.. code-block:: bash - - (local) pwncat$ busybox --list - [+] binaries which the remote busybox provides: - * [ - * [[ - * acpid - * add-shell - * addgroup - * adduser - * adjtimex - ... removed for brevity ... - -Removing Busybox ----------------- - -Busybox is tracked by pwncat as a remote tamper. This means that the ``tamper`` command will show that you have -installed busybox, and ``busybox`` can be uninstalled using the ``tamper`` command: - -.. code-block:: - - (local) pwncat$ tamper - 0 - installed busybox to /tmp/busyboxIu1gu - (local) pwncat$ tamper -r -t 0 - (local) pwncat$ busybox --status - [!] busybox hasn't been installed yet - (local) pwncat$ diff --git a/docs/source/commands/index.rst b/docs/source/commands/index.rst index fd8930b..f3ab418 100644 --- a/docs/source/commands/index.rst +++ b/docs/source/commands/index.rst @@ -7,8 +7,6 @@ Command index alias.rst back.rst bind.rst - bruteforce.rst - busybox.rst connect.rst download.rst escalate.rst
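Review bot: the new CHANGELOG line `- Removed \`busybox\` and \`bruteforce\` commands from documentation.` is ambiguous about whether the commands were removed or only their documentation pages; the neighbouring entries in that list describe behaviour changes ("Changed some 'red' warning message color", "Raise `PermissionError`"), so a reader will assume the commands themselves are gone. Either reword it as "Removed documentation for the `busybox` and `bruteforce` commands" or, if the commands were also dropped from pwncat, say so explicitly and point at the change that removed them, since nothing in this diff touches the command implementations.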
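Review bot: deleting `docs/source/commands/bruteforce.rst` removes the only documented warning that the command fails loudly in the target's auth logs and will trip account lockout, while the diff leaves the command code untouched. If `bruteforce` is still registered in pwncat it remains reachable from the prompt (the deleted page notes that user names tab-complete there) with no written statement of those risks; either remove the command module in the same change or keep the page with a deprecation note until the code is gone.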
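Review bot: the deleted `docs/source/commands/busybox.rst` described behaviour that other pages are likely to reference, namely that an installed busybox is tracked as a remote tamper (`tamper` lists `installed busybox to /tmp/busyboxIu1gu`, and `tamper -r -t 0` removes it) and that setuid applets are pruned after install. Before merging, grep the remaining `docs/source` tree for `busybox` and `bruteforce` (prose mentions as well as any `:doc:`/`:ref:` targets) and build with `sphinx-build -W` so a dangling cross-reference fails the build instead of surfacing as a warning.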
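Review bot: the `docs/source/commands/index.rst` hunk correctly drops `bruteforce.rst` and `busybox.rst` from the toctree and the remaining entries stay alphabetical (`bind.rst` followed by `connect.rst`). This hunk is what prevents Sphinx's "toctree contains reference to nonexisting document" warning, so it must land in the same commit as the two file deletions; splitting them would leave an intermediate revision whose docs build is broken.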