mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-30 20:34:15 +01:00
Merge pull request #220 from calebstewart/fix/216/remove-busybox-bruteforce
Removed busybox and bruteforce commands from docs
commit
54a46521c1
@ -38,6 +38,7 @@ and simply didn't have the time to go back and retroactively create one.
|
|||||||
- Changed some 'red' warning message color to 'yellow'
|
- Changed some 'red' warning message color to 'yellow'
|
||||||
- Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181))
|
- Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181))
|
||||||
- Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter`
|
- Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter`
|
||||||
|
- Removed `busybox` and `bruteforce` commands from documentation.
|
||||||
|
|
||||||
## [0.4.3] - 2021-06-18
|
## [0.4.3] - 2021-06-18
|
||||||
Patch fix release. Major fixes are the correction of file IO for LinuxWriters and
|
Patch fix release. Major fixes are the correction of file IO for LinuxWriters and
|
||||||
|
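Review bot: the added changelog entry "Removed `busybox` and `bruteforce` commands from documentation." ends with a full stop while the neighbouring entries in this list do not, and unlike the #181 entry it carries no issue link. Drop the trailing period and, if the 216 in the branch name fix/216/remove-busybox-bruteforce is the tracking issue, link it the same way the #181 entry does. The entry could also say whether the commands themselves still exist, since "from documentation" leaves that open.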
@ -1,35 +0,0 @@
|
|||||||
Bruteforce
|
|
||||||
==========
|
|
||||||
|
|
||||||
The ``bruteforce`` command is used to bruteforce authentication of a user locally. It will use the ``su`` command to
|
|
||||||
iteratively try every password for a given user. This is very slow, but does technically work. If no wordlist is
|
|
||||||
specified, the default location of ``rockyou.txt`` in Kali Linux is chosen. This may or may not exist for your system.
|
|
||||||
|
|
||||||
.. warning::
|
|
||||||
This command is very noisy in log files. Each failed authentication is normally logged by any modern
|
|
||||||
linux distribution. Further, if account lockout is enabled, this will almost certainly lockout the
|
|
||||||
targeted account!
|
|
||||||
|
|
||||||
Selecting a User
|
|
||||||
----------------
|
|
||||||
|
|
||||||
Individual users are selected with the ``--user`` argument. This argument can be passed multiple times to test multiple
|
|
||||||
users in one go. To use the default dictionary to test the root and bob users, you would issue a command like:
|
|
||||||
|
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
bruteforce -u root -u bob
|
|
||||||
|
|
||||||
User names are automatically tab-completed at the pwncat prompt for your victim host.
|
|
||||||
|
|
||||||
Selecting a Wordlist
|
|
||||||
--------------------
|
|
||||||
|
|
||||||
Word lists are specified with the ``--dictionary`` parameter. This parameter is a path to a file on your attacking
|
|
||||||
host which contains a list of passwords to attempt for the selected users. If a correct password is found, it is stored
|
|
||||||
in the databaase, and the search is aborted for that user. To select a custom database, you would issue a command like:
|
|
||||||
|
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
bruteforce -d /opt/my-favorite-repo/my-favorite-wordlist.txt -u root
|
|
||||||
|
|
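Review bot: with the whole Bruteforce page deleted, any cross-reference to it that remains elsewhere in the docs becomes a dangling link, and the only related change visible in this commit is the `bruteforce.rst` entry dropped from the command index. A grep of the docs tree for `bruteforce` is worth doing, with anything left over removed or reworded so the Sphinx build stays free of unknown-document warnings.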
@ -1,79 +0,0 @@
|
|||||||
Busybox
|
|
||||||
=======
|
|
||||||
|
|
||||||
pwncat works by try as much as possible not to depend on specific binaries on the remote system. It does this
|
|
||||||
most of the time by selecting an unidentified existing binary from the GTFOBins database in order to perform a
|
|
||||||
generic capability (e.g. file read, file write or shell). However, sometimes a critical binary is missing on the
|
|
||||||
target host which has been removed (either maliciously or never installed). In these situations, obtaining a stable
|
|
||||||
version of all basic binaries is very helpful. To this end, pwncat has the capability to automatically upload a
|
|
||||||
copy of the ``busybox`` program to the remote host.
|
|
||||||
|
|
||||||
The ``busybox`` command manages the installation, status, and removal of the installed busybox. Installing busybox lets
|
|
||||||
pwncat know that it has a list of standard binaries with known good interfaces easily accessible. The ``busybox``
|
|
||||||
command also understands how to locate a ``busybox`` binary precompiled for the victim architecture and upload it
|
|
||||||
through the existing C2 channel. The new busybox installation will be installed in a temporary directory, and any
|
|
||||||
further automated tools within pwncat will use it's implementation of common unix tools.
|
|
||||||
|
|
||||||
Installation
|
|
||||||
------------
|
|
||||||
|
|
||||||
To install busybox on the remote victim, you can use the ``--install`` option to the ``busybox`` command. This will
|
|
||||||
first check for an existing, distribution specific, installation on the remote host. If the ``busybox`` command exists,
|
|
||||||
it will utilize that vice installing a new copy. If it doesn't, it will begin proxying a connection to the official
|
|
||||||
busybox servers to upload a busybox binary specific to the victim architecture.
|
|
||||||
|
|
||||||
After installation, pwncat will examine the endpoints provided by busybox, and remove any that are provided SUID by
|
|
||||||
the remote system. This prevents pwncat from replacing the real ``su`` binary with ``busybox su`` in it's database.
|
|
||||||
|
|
||||||
.. code-block::
|
|
||||||
|
|
||||||
(local) pwncat$ busybox --install
|
|
||||||
uploading busybox for x86_64
|
|
||||||
100.0% [==================================================>] 1066640/1066640 eta [00:00]
|
|
||||||
[+] uploaded busybox to /tmp/busyboxIu1gu
|
|
||||||
[+] pruned 164 setuid entries
|
|
||||||
(local) pwncat$
|
|
||||||
|
|
||||||
Status and Applet List
|
|
||||||
----------------------
|
|
||||||
|
|
||||||
To check if busybox has been installed and is known by pwncat (for example from a previous session), you can use the
|
|
||||||
``--status`` option. This is the default action, and can be accessed by passing no parameters to ``busybox``:
|
|
||||||
|
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
(local) pwncat$ busybox
|
|
||||||
[+] busybox is installed to: /tmp/busyboxIu1gu
|
|
||||||
[+] busybox provides 232 applets
|
|
||||||
(local) pwncat$
|
|
||||||
|
|
||||||
If you would like to see a list of binaries which busybox is currently providing for pwncat, you can use the ``--list``
|
|
||||||
option. This is normally a large list (232 lines in this case), but it is provided for completeness sake.
|
|
||||||
|
|
||||||
.. code-block:: bash
|
|
||||||
|
|
||||||
(local) pwncat$ busybox --list
|
|
||||||
[+] binaries which the remote busybox provides:
|
|
||||||
* [
|
|
||||||
* [[
|
|
||||||
* acpid
|
|
||||||
* add-shell
|
|
||||||
* addgroup
|
|
||||||
* adduser
|
|
||||||
* adjtimex
|
|
||||||
... removed for brevity ...
|
|
||||||
|
|
||||||
Removing Busybox
|
|
||||||
----------------
|
|
||||||
|
|
||||||
Busybox is tracked by pwncat as a remote tamper. This means that the ``tamper`` command will show that you have
|
|
||||||
installed busybox, and ``busybox`` can be uninstalled using the ``tamper`` command:
|
|
||||||
|
|
||||||
.. code-block::
|
|
||||||
|
|
||||||
(local) pwncat$ tamper
|
|
||||||
0 - installed busybox to /tmp/busyboxIu1gu
|
|
||||||
(local) pwncat$ tamper -r -t 0
|
|
||||||
(local) pwncat$ busybox --status
|
|
||||||
[!] busybox hasn't been installed yet
|
|
||||||
(local) pwncat$
|
|
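Review bot: the deleted "Removing Busybox" section is the text that explains busybox being tracked as a remote tamper and uninstalled through `tamper`, so check that the `tamper` documentation does not still use the busybox install as its example. The removed introduction also covered the case of a critical binary missing on the target; if something else now handles that case, a one-line pointer in the changelog entry would cover the gap.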
@ -7,8 +7,6 @@ Command index
|
|||||||
alias.rst
|
alias.rst
|
||||||
back.rst
|
back.rst
|
||||||
bind.rst
|
bind.rst
|
||||||
bruteforce.rst
|
|
||||||
busybox.rst
|
|
||||||
connect.rst
|
connect.rst
|
||||||
download.rst
|
download.rst
|
||||||
escalate.rst
|
escalate.rst
|
||||||
|