1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-30 20:34:15 +01:00
pwncat/README.md
2020-05-06 22:12:39 -04:00

3.3 KiB

pwncat - fancy reverse and bind shell handler

This is a little tool to make interacting with raw reverse and bind shells a little nicer. pwncat can either connect to a remote bind shell or listen for an incoming reverse shell. After receiving a connection, it will setup some common configurations when working with remote shells. For example:

  • Unset the HIST_FILE macro to disable bash history
  • Normalize shell prompt
  • Locate useful binaries (using which)
  • Attempt to spawn a pseudoterminal (pty) for a full interactive session

pwncat knows how to spawn pty's with a few different methods and will cross-reference the methods with the executables previously enumerated. After spawning a pty, it will setup the controlling terminal in raw mode, so you can interact in a similar fashion to ssh.

pwncat will also synchronize the remote pty settings (such as rows, columns, TERM environment variable) with your local settings to ensure the shell behaves correctly.

Command and Control Features

pwncat has a few useful features baked in for interacting with a remote shell. You can access a local command interpreter at any time by getting to a blank line and pressing the sequence ~C (that's Shift+` then Shift+c). This new prompt provides some basic interaction between your local host and the remote host.

When at this prompt, you can return to your shell at any time with C-d or the "back" command. To get a list of available commands, you can use help. At the time of writing the following commands are supported:

  • sync: synchronize rows/columns and TERM environment.
  • set: set local variables (such as lhost).
  • upload: upload files to the remote host

Uploading Files

The upload command in the local shell allows you to upload files quickly and easily. pwncat can use a variety of methods to transfer the files, and will use the best one given the executables it was able to find. If none of the required executables were found, pwncat will transfer the file in chunks of base64, and decode them on the other end. This is slower, but will work in a pinch.

The usage is simple, but you must set the lhost variable first with te set command so that pwncat knows how to instruct the remote host to connect to us.

localhost$ set lhost "8.8.8.8"

Once that is set up, you can upload files but specifying a local file name:

localhost$ upload /opt/tools/linpeas.sh

By default, the file will be written to the current working directory of your remote shell. You can use the --output/-o option to direct the output to a directory/file of your choosing. You can also select a specific method, if you would like, however that shouldn't be necessary. The default method is to automatically select the best available. pwncat even gives you a nice progress bar while it uploads!

More to come!

I wrote this in the last few days, and there's bound to be bugs or edge-cases. Further, I want to build out the local prompt commands more. Obviously, a download option would be ideal, but since the interaction with the remote terminal is scriptable, the sky is the limit.

Another feature that I plan to implement soon is tab completions for the local prompt (remote tab completions work already thanks to the pty ;). I'll be working on that ASAP.