data | ||
pwncat | ||
.byebug_history | ||
.gitignore | ||
README.md | ||
requirements.txt | ||
setup.py |
pwncat - fancy reverse and bind shell handler
This is a little tool to make interacting with raw reverse and bind shells a
little nicer. pwncat
can either connect to a remote bind shell or listen for
an incoming reverse shell. After receiving a connection, it will setup some
common configurations when working with remote shells. For example:
- Unset the
HIST_FILE
macro to disable bash history - Normalize shell prompt
- Locate useful binaries (using
which
) - Attempt to spawn a pseudoterminal (pty) for a full interactive session
pwncat
knows how to spawn pty's with a few different methods and will
cross-reference the methods with the executables previously enumerated. After
spawning a pty, it will setup the controlling terminal in raw mode, so you can
interact in a similar fashion to ssh
.
pwncat
will also synchronize the remote pty settings (such as rows, columns,
TERM
environment variable) with your local settings to ensure the shell
behaves correctly.
Command and Control Features
pwncat
has a few useful features baked in for interacting with a remote shell.
You can access a local command interpreter at any time by getting to a blank
line and pressing the sequence ~C
(that's Shift+`
then Shift+c
). This new
prompt provides some basic interaction between your local host and the remote
host.
When at this prompt, you can return to your shell at any time with C-d
or the
"back" command. To get a list of available commands, you can use help
. At the
time of writing the following commands are supported:
sync
: synchronize rows/columns and TERM environment.set
: set local variables (such aslhost
).upload
: upload files to the remote host
Uploading Files
The upload
command in the local shell allows you to upload files quickly and
easily. pwncat
can use a variety of methods to transfer the files, and will
use the best one given the executables it was able to find. If none of the
required executables were found, pwncat
will transfer the file in chunks of
base64, and decode them on the other end. This is slower, but will work in a
pinch.
The usage is simple, but you must set the lhost
variable first with te set
command so that pwncat
knows how to instruct the remote host to connect to us.
localhost$ set lhost "8.8.8.8"
Once that is set up, you can upload files but specifying a local file name:
localhost$ upload /opt/tools/linpeas.sh
By default, the file will be written to the current working directory of your
remote shell. You can use the --output/-o
option to direct the output to a
directory/file of your choosing. You can also select a specific method, if you
would like, however that shouldn't be necessary. The default method is to
automatically select the best available. pwncat
even gives you a nice progress
bar while it uploads!
More to come!
I wrote this in the last few days, and there's bound to be bugs or edge-cases. Further, I want to build out the local prompt commands more. Obviously, a download option would be ideal, but since the interaction with the remote terminal is scriptable, the sky is the limit.
Another feature that I plan to implement soon is tab completions for the local prompt (remote tab completions work already thanks to the pty ;). I'll be working on that ASAP.