mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-30 12:24:14 +01:00
Merge pull request #220 from calebstewart/fix/216/remove-busybox-bruteforce
Removed busybox and bruteforce commands from docs
commit 54a46521c1
@ -38,6 +38,7 @@ and simply didn't have the time to go back and retroactively create one.
- Changed some 'red' warning message color to 'yellow'
- Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181))
- Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter`
- Removed `busybox` and `bruteforce` commands from documentation.

## [0.4.3] - 2021-06-18
Patch fix release. Major fixes are the correction of file IO for LinuxWriters and
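Review bot: the added entry `- Removed `busybox` and `bruteforce` commands from documentation.` does not link the issue it resolves, unlike the neighbouring `#181` entry; the branch name `fix/216/remove-busybox-bruteforce` points at #216, so append `([#216](https://github.com/calebstewart/pwncat/issues/216))` and drop the trailing period to match the other bullets. It also sits in the same list as behaviour changes; if the changelog follows the Keep a Changelog layout, a removal belongs under its own `Removed` heading.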
@ -1,35 +0,0 @@
Bruteforce
==========

The ``bruteforce`` command is used to bruteforce authentication of a user locally. It will use the ``su`` command to
iteratively try every password for a given user. This is very slow, but does technically work. If no wordlist is
specified, the default location of ``rockyou.txt`` in Kali Linux is chosen. This may or may not exist for your system.

.. warning::
This command is very noisy in log files. Each failed authentication is normally logged by any modern
linux distribution. Further, if account lockout is enabled, this will almost certainly lockout the
targeted account!

Selecting a User
----------------

Individual users are selected with the ``--user`` argument. This argument can be passed multiple times to test multiple
users in one go. To use the default dictionary to test the root and bob users, you would issue a command like:

.. code-block:: bash

bruteforce -u root -u bob

User names are automatically tab-completed at the pwncat prompt for your victim host.

Selecting a Wordlist
--------------------

Word lists are specified with the ``--dictionary`` parameter. This parameter is a path to a file on your attacking
host which contains a list of passwords to attempt for the selected users. If a correct password is found, it is stored
in the databaase, and the search is aborted for that user. To select a custom database, you would issue a command like:

.. code-block:: bash

bruteforce -d /opt/my-favorite-repo/my-favorite-wordlist.txt -u root
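Review bot: dropping `bruteforce.rst` wholesale is consistent with the commit message, but a deleted page is only safe if nothing else links to it: grep `docs/` for `bruteforce` (a `:doc:` or `:ref:` target left behind fails a `sphinx-build -W` run) and keep this deletion in the same commit as the index hunk so the toctree never references a missing file. The removed text also carried the operational caveats (noisy authentication logs, account lockout); if the command is still present in the code base, those warnings should survive in whatever replaces this page.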
@ -1,79 +0,0 @@
Busybox
=======

pwncat works by try as much as possible not to depend on specific binaries on the remote system. It does this
most of the time by selecting an unidentified existing binary from the GTFOBins database in order to perform a
generic capability (e.g. file read, file write or shell). However, sometimes a critical binary is missing on the
target host which has been removed (either maliciously or never installed). In these situations, obtaining a stable
version of all basic binaries is very helpful. To this end, pwncat has the capability to automatically upload a
copy of the ``busybox`` program to the remote host.

The ``busybox`` command manages the installation, status, and removal of the installed busybox. Installing busybox lets
pwncat know that it has a list of standard binaries with known good interfaces easily accessible. The ``busybox``
command also understands how to locate a ``busybox`` binary precompiled for the victim architecture and upload it
through the existing C2 channel. The new busybox installation will be installed in a temporary directory, and any
further automated tools within pwncat will use it's implementation of common unix tools.

Installation
------------

To install busybox on the remote victim, you can use the ``--install`` option to the ``busybox`` command. This will
first check for an existing, distribution specific, installation on the remote host. If the ``busybox`` command exists,
it will utilize that vice installing a new copy. If it doesn't, it will begin proxying a connection to the official
busybox servers to upload a busybox binary specific to the victim architecture.

After installation, pwncat will examine the endpoints provided by busybox, and remove any that are provided SUID by
the remote system. This prevents pwncat from replacing the real ``su`` binary with ``busybox su`` in it's database.

.. code-block::

(local) pwncat$ busybox --install
uploading busybox for x86_64
100.0% [==================================================>] 1066640/1066640 eta [00:00]
[+] uploaded busybox to /tmp/busyboxIu1gu
[+] pruned 164 setuid entries
(local) pwncat$

Status and Applet List
----------------------

To check if busybox has been installed and is known by pwncat (for example from a previous session), you can use the
``--status`` option. This is the default action, and can be accessed by passing no parameters to ``busybox``:

.. code-block:: bash

(local) pwncat$ busybox
[+] busybox is installed to: /tmp/busyboxIu1gu
[+] busybox provides 232 applets
(local) pwncat$

If you would like to see a list of binaries which busybox is currently providing for pwncat, you can use the ``--list``
option. This is normally a large list (232 lines in this case), but it is provided for completeness sake.

.. code-block:: bash

(local) pwncat$ busybox --list
[+] binaries which the remote busybox provides:
* [
* [[
* acpid
* add-shell
* addgroup
* adduser
* adjtimex
... removed for brevity ...

Removing Busybox
----------------

Busybox is tracked by pwncat as a remote tamper. This means that the ``tamper`` command will show that you have
installed busybox, and ``busybox`` can be uninstalled using the ``tamper`` command:

.. code-block::

(local) pwncat$ tamper
0 - installed busybox to /tmp/busyboxIu1gu
(local) pwncat$ tamper -r -t 0
(local) pwncat$ busybox --status
[!] busybox hasn't been installed yet
(local) pwncat$
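Review bot: removing `busybox.rst` takes with it the only documented clean-up path for the uploaded binary (`tamper` to list it, then `tamper -r -t 0` to remove `/tmp/busyboxIu1gu`) and the note that pwncat prunes applets that would shadow SUID binaries such as `su`. If busybox uploads are still tracked as tampers in the code, move that example to the `tamper` page in this PR so operators still know the artifact is recorded and how to remove it; if the feature itself is gone, the deletion is complete as is.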
@ -7,8 +7,6 @@ Command index
alias.rst
back.rst
bind.rst
bruteforce.rst
busybox.rst
connect.rst
download.rst
escalate.rst
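Review bot: the toctree change matches the two file deletions and the remaining entries stay alphabetical, so nothing to fix in these lines; a hunk that only drops entries from `Command index` cannot reveal a stale cross-reference elsewhere, so run the docs build with warnings treated as errors before merging to confirm nothing still points at the removed pages.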