pwncat: raw bind and reverse shell handler
pwncat is a raw bind and reverse shell handler. It streamlines common red team operations and all staging code is from your own attacker machine, not the target.
After receiving a connection, pwncat will setup some common configurations when working with remote shells.
- Unset the HISTFILE environment variable to disable command history
- Normalize shell prompt
- Locate useful binaries (using which)
- Attempt to spawn a pseudoterminal (pty) for a fully interactive session
pwncat knows how to spawn pty’s with a few different methods and will cross-reference the methods with the executables previously enumerated. After spawning a pty, it will setup the controlling terminal in raw mode, so you can interact in a similar fashion to ssh.
Features and Functionality
pwncat provides two main features. At its core, it’s goal is to automatically set up a remote PseudoTerminal (pty) which allows interaction with the remote host much like a full SSH session. When operating in a pty, you can use common features of your remote shell such as history, line editing, and graphical terminal applications.
The other half of pwncat is a framework which utilizes your remote shell to perform automated enumeration, persistence, and privilege escalation tasks. The local pwncat prompt provides a number of useful features for standard penetration tests including:
- File upload and download
- Automated privilege escalation enumeration
- Automated privilege escalation execution
- Automated persistence installation/removal
- Automated tracking of modified/created files
- pwncat also offers the ability to revert these remote “tampers” automatically
The underlying framework for interacting with the remote host aims to abstract away the underlying shell and connection method as much as possible, allowing commands and plugins to interact seamlessly with the remote host.
Copyright 2020, Caleb Stewart