data | ||
docs | ||
pwncat | ||
tests | ||
.gitignore | ||
README.md | ||
requirements.txt | ||
setup.py |
pwncat
pwncat is a raw bind and reverse shell handler. It streamlines common red team operations and all staging code is from your own attacker machine, not the target.
After receiving a connection, pwncat will setup some common configurations when working with remote shells.
- Unset the
HISTFILE
environment variable to disable command history - Normalize shell prompt
- Locate useful binaries (using
which
) - Attempt to spawn a pseudoterminal (pty) for a full interactive session
pwncat
knows how to spawn pty's with a few different methods and will
cross-reference the methods with the executables previously enumerated. After
spawning a pty, it will setup the controlling terminal in raw mode, so you can
interact in a similar fashion to ssh
.
pwncat
will also synchronize the remote pty settings (such as rows, columns,
TERM
environment variable) with your local settings to ensure the shell
behaves correctly.
To showcase a little bit of the cool functionality, I have recorded a short asciinema cast.
pwncat documentation is being built out on Read the Docs. Head there for the latest usage and development documentation!
Install
Dependencies
The python3 development files are required for building python dependencies. All of the dependencies are managed through pip
.
To install pwncat into its own python virtual environment:
git clone https://github.com/calebstewart/pwncat/ # get pwncat
cd pwncat
$ sudo apt-get install python3-devel # install dependencies
$ python3 -m venv .venv
$ . .venv/bin/activate
$ pip install -r requirements.txt
$ python setup.py install
## Usage
```bash
# start a reverse shell listener on port 9999
python -m pwncat -r -p 9999
# access a bind shell on a given host and port
python -m pwncat -b -H 127.0.0.1 -p 9999
Features and Functionality
pwncat allows you to local command interpreter at any time by getting to a blank
line and pressing the sequence ~C
(that's Shift+`
then Shift+c
). This new
prompt provides some basic interaction between your local host and the remote
host.
When at this prompt, you can return to your shell at any time with C-d
or the
"back" command. To get a list of available commands, you can use help
. At the
time of writing the following commands are supported:
(local) pwncat$ help
back Exit command mode
download Download a file from the remote host
help View help for local commands
privesc Attempt privilege escalation
reset Reset the remote terminal (calls sync, reset, and sets PS1)
set Set or view the currently assigned variables
sync Synchronize the remote PTY with the local terminal settings
upload Upload a file to the remote host
Transfering Files
Within the local prompt, you have the capability to upload
and
download
files to and from the target. pwncat will attempt to
determine a lhost
IP address to refer to your attacker machine, but if you
need to change this, you can modify the variable like so:
# change local host IP address if you need to
(local) pwncat$ set lhost "8.8.8.8"
The logic to transfer files is defined in pwncat/uploaders
and
pwncat/downloaders
respectively. pwncat will smartly determine a usable
method to transfer files, but you can choose a specific one with the
--method
option.
usage: upload [-h] [--method {nc,curl,shell,bashtcp,wget}] [--output OUTPUT] path
positional arguments:
path path to the file to upload
optional arguments:
-h, --help show this help message and exit
--method, -m {nc,curl,shell,bashtcp,wget}
set the download method (default: auto)
--output OUTPUT, -o OUTPUT
path to the output file (default: basename of input)
usage: download [-h] [--method {nc,curl,shell,bashtcp,raw}] [--output OUTPUT] path
positional arguments:
path path to the file to download
optional arguments:
-h, --help show this help message and exit
--method, -m {nc,curl,shell,bashtcp,raw}
set the download method (default: auto)
--output OUTPUT, -o OUTPUT
path to the output file (default: basename of input)
The methods that pwncat can transfer files with are as follows:
Both:
nc netcat socket with random port -- requires port to be accessible
curl HTTP request with port 80 -- requires curl on the target
shell send echo and base64 -- no requirements, but can be slow
bashtcp reuse the current socket -- no requirements
Upload specific:
wget HTTP request with port 80 -- requires wget on the target
Download specific:
raw read file contents and save to attacker -- no requirements
Privilege Escalation
pwncat can attempt to perform privilege escalation with known techniques. It will look for binaries on the target system that have known GTFOBins capabilities, and perform different methods to try and reach new users and ultimately root.
usage: privesc [-h] [--list] [--all]
[--user {root,caleb,john,sean,etc}]
[--max-depth MAX_DEPTH] [--read READ] [--write WRITE] [--data DATA] [--text]
optional arguments:
-h, --help show this help message and exit
--list, -l do not perform escalation. list potential escalation methods
--all, -a when listing methods, list for all users. when escalating, escalate to
root.
--user {root,caleb,john,sean,etc}
the target user
--max-depth MAX_DEPTH, -m MAX_DEPTH
Maximum depth for the privesc search (default: no maximum)
--read READ, -r READ remote filename to try and read
--write WRITE, -w WRITE
attempt to write to a remote file as the specified user
--data DATA, -d DATA the data to write a file. ignored if not write mode
--text, -t whether to use safe readers/writers
pwncat will try and run all known privilege escalation techniques.
The current methods that are supported by privesc
are:
sudo Run available sudo commands with GTFOBins techniques
setuid Run available setuid binaries with GTFOBins techniques
screen Abuse screen-4.5.0 (CVE-2017-5618)
dirtycow Run DirtyCow exploit (CVE-2016-5195)
BusyBox
If the target system does not have many useful "live-off-the-land" binaries,
pwncat can upload an appropriate copy of busybox
in order to access more
commands.
Planned Features
pwncat would like to be come a red team swiss army knife. Hopefully soon, more features will be added.
- More privilege escalation methods (sudo -u#-1 CVE, LXD containers, etc.)
- More transfer file methods (FTP, SMB, DNS, ICMP, etc. )
- Persistence methods (bind shell, cronjobs, SSH access, PAM abuse, etc.)
- Aggression methods (spam randomness to terminals, flush firewall, etc.)
- Meme methods (terminal-parrot, cowsay, wall, etc.)
- Network methods (port forward, internet access through host, etc.)