1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-30 12:24:14 +01:00

Merge pull request #220 from calebstewart/fix/216/remove-busybox-bruteforce

Removed busybox and bruteforce commands from docs
This commit is contained in:
Caleb Stewart 2021-11-28 16:02:40 -05:00 committed by GitHub
commit 54a46521c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 1 additions and 116 deletions

View File

@ -38,6 +38,7 @@ and simply didn't have the time to go back and retroactively create one.
- Changed some 'red' warning message color to 'yellow'
- Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181))
- Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter`
- Removed `busybox` and `bruteforce` commands from documentation.
## [0.4.3] - 2021-06-18
Patch fix release. Major fixes are the correction of file IO for LinuxWriters and

View File

@ -1,35 +0,0 @@
Bruteforce
==========
The ``bruteforce`` command is used to bruteforce authentication of a user locally. It will use the ``su`` command to
iteratively try every password for a given user. This is very slow, but does technically work. If no wordlist is
specified, the default location of ``rockyou.txt`` in Kali Linux is chosen. This may or may not exist for your system.
.. warning::
This command is very noisy in log files. Each failed authentication is normally logged by any modern
linux distribution. Further, if account lockout is enabled, this will almost certainly lockout the
targeted account!
Selecting a User
----------------
Individual users are selected with the ``--user`` argument. This argument can be passed multiple times to test multiple
users in one go. To use the default dictionary to test the root and bob users, you would issue a command like:
.. code-block:: bash
bruteforce -u root -u bob
User names are automatically tab-completed at the pwncat prompt for your victim host.
Selecting a Wordlist
--------------------
Word lists are specified with the ``--dictionary`` parameter. This parameter is a path to a file on your attacking
host which contains a list of passwords to attempt for the selected users. If a correct password is found, it is stored
in the databaase, and the search is aborted for that user. To select a custom database, you would issue a command like:
.. code-block:: bash
bruteforce -d /opt/my-favorite-repo/my-favorite-wordlist.txt -u root

View File

@ -1,79 +0,0 @@
Busybox
=======
pwncat works by try as much as possible not to depend on specific binaries on the remote system. It does this
most of the time by selecting an unidentified existing binary from the GTFOBins database in order to perform a
generic capability (e.g. file read, file write or shell). However, sometimes a critical binary is missing on the
target host which has been removed (either maliciously or never installed). In these situations, obtaining a stable
version of all basic binaries is very helpful. To this end, pwncat has the capability to automatically upload a
copy of the ``busybox`` program to the remote host.
The ``busybox`` command manages the installation, status, and removal of the installed busybox. Installing busybox lets
pwncat know that it has a list of standard binaries with known good interfaces easily accessible. The ``busybox``
command also understands how to locate a ``busybox`` binary precompiled for the victim architecture and upload it
through the existing C2 channel. The new busybox installation will be installed in a temporary directory, and any
further automated tools within pwncat will use it's implementation of common unix tools.
Installation
------------
To install busybox on the remote victim, you can use the ``--install`` option to the ``busybox`` command. This will
first check for an existing, distribution specific, installation on the remote host. If the ``busybox`` command exists,
it will utilize that vice installing a new copy. If it doesn't, it will begin proxying a connection to the official
busybox servers to upload a busybox binary specific to the victim architecture.
After installation, pwncat will examine the endpoints provided by busybox, and remove any that are provided SUID by
the remote system. This prevents pwncat from replacing the real ``su`` binary with ``busybox su`` in it's database.
.. code-block::
(local) pwncat$ busybox --install
uploading busybox for x86_64
100.0% [==================================================>] 1066640/1066640 eta [00:00]
[+] uploaded busybox to /tmp/busyboxIu1gu
[+] pruned 164 setuid entries
(local) pwncat$
Status and Applet List
----------------------
To check if busybox has been installed and is known by pwncat (for example from a previous session), you can use the
``--status`` option. This is the default action, and can be accessed by passing no parameters to ``busybox``:
.. code-block:: bash
(local) pwncat$ busybox
[+] busybox is installed to: /tmp/busyboxIu1gu
[+] busybox provides 232 applets
(local) pwncat$
If you would like to see a list of binaries which busybox is currently providing for pwncat, you can use the ``--list``
option. This is normally a large list (232 lines in this case), but it is provided for completeness sake.
.. code-block:: bash
(local) pwncat$ busybox --list
[+] binaries which the remote busybox provides:
* [
* [[
* acpid
* add-shell
* addgroup
* adduser
* adjtimex
... removed for brevity ...
Removing Busybox
----------------
Busybox is tracked by pwncat as a remote tamper. This means that the ``tamper`` command will show that you have
installed busybox, and ``busybox`` can be uninstalled using the ``tamper`` command:
.. code-block::
(local) pwncat$ tamper
0 - installed busybox to /tmp/busyboxIu1gu
(local) pwncat$ tamper -r -t 0
(local) pwncat$ busybox --status
[!] busybox hasn't been installed yet
(local) pwncat$

View File

@ -7,8 +7,6 @@ Command index
alias.rst
back.rst
bind.rst
bruteforce.rst
busybox.rst
connect.rst
download.rst
escalate.rst