[![Build Status](https://travis-ci.org/n1nj4sec/pupy.svg?branch=master)](https://travis-ci.org/n1nj4sec/pupy)
# Pupy
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in python. It follows an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), and load remote python code, python packages and python C-extensions from memory.
Pupy modules can transparently access remote python objects using rpyc to perform various interactive tasks.
Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, powershell, apk, ...
When you package a payload, you can choose a launcher (connect, bind, ...), a transport (ssl, http, rsa, obfs3, scramblesuit, ...) and a number of "scriptlets". Scriptlets are python scripts meant to be embedded to perform various tasks offline (without requiring a session), like starting a background script, adding persistence, starting a keylogger, detecting a sandbox, ...
## Features
- Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
- On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
- pupy can also be packed into a single .py file and run without any dependencies other than the python standard library on all OS
- pycrypto gets replaced by pure python AES and RSA implementations when unavailable
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
- Pupy is easily extensible: modules are quite simple to write, and are sorted by OS and category.
- A lot of awesome modules are already implemented!
- Pupy uses [rpyc](https://github.com/tomerfiliba/rpyc) and a module can directly access python objects on the remote client
- We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
- Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports!
- Pupy can communicate using obfsproxy [pluggable transports](https://www.torproject.org/docs/pluggable-transports.html.en)
- All the non-interactive modules can be dispatched to multiple hosts in one command
- Commands and scripts running on remote hosts are interruptible
- Auto-completion for commands and arguments
- Custom config can be defined: command aliases, modules automatically run at connection, ...
- Interactive python shells with auto-completion can be opened on the all-in-memory remote python interpreter
- Interactive shells (cmd.exe, /bin/bash, ...) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working, just like an ssh shell
- Pupy can execute PE exe remotely and from memory (cf. the example with mimikatz)
- Pupy can generate payloads in various formats: apk, lin_x86, lin_x64, so_x86, so_x64, exe_x86, exe_x64, dll_x86, dll_x64, py, pyinst, py_oneliner, ps1, ps1_oneliner, rubber_ducky
- Pupy can be deployed in memory, from a single command line, using pupygen.py's python or powershell one-liners.
- "scriptlets" can be embedded in generated payloads to perform some tasks "offline" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm ...)
- tons of other features, check out the implemented modules
## Implemented Transports
All transports in pupy are stackable. This means that by creating a custom transport conf (pupy/network/transport/<transport_name>/conf.py), you can make your pupy session look like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)
- rsa
  - A layer with authentication & encryption using RSA and AES256, often stacked with other layers
- aes
  - layer using a static AES256 key
- ssl (the default one)
  - TCP transport wrapped with SSL
- ssl_rsa
  - same as ssl but stacked with a rsa layer
- http
  - layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
- obfs3
  - [A protocol to keep a third party from telling what protocol is in use based on message contents](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt)
  - obfs3 is stacked with a rsa layer for better security
- scramblesuit
  - [A Polymorphic Network Protocol to Circumvent Censorship](http://www.cs.kau.se/philwint/scramblesuit/)
  - scramblesuit is stacked with a rsa layer for better security
- udp
  - rsa layer but over UDP (could be buggy, it doesn't handle packet loss yet)
- other
  - The other layers (dummy, base64, XOR, ...) are not really useful on their own and are provided as code examples

## Implemented Launchers (not up to date, cf. ./pupygen.py -h)
Launchers allow pupy to run custom actions before starting the reverse connection
- connect
  - Just connect back
- bind
  - Bind payload instead of reverse
- auto_proxy
  - Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable
## Implemented Modules (not up to date)
### All platforms:
- command execution
- download
- upload
- interactive python shell with auto-completion
- interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, ...)
  - tty allocation is well supported on both windows and \*nix. It looks just like an ssh shell
- shellcode exec
- persistence
- socks5 proxy
- local and remote port forwarding
- screenshot
- keylogger
- run the awesome credential gathering tool [LaZagne](https://github.com/AlessandroZ/LaZagne) from memory!
- sniff tools, netcreds
- process migration (windows & linux, not osx yet)
- ...
- a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, ...)
### Windows specific:
- migrate
  - inter-process architecture injection also works (x86->x64 and x64->x86)
- in memory execution of PE exe, both x86 and x64!
  - works very well with [mimikatz](https://github.com/gentilkiwi/mimikatz) :-)
- webcam snapshot
- microphone recorder
- mouselogger:
  - takes small screenshots around the mouse at each click and sends them back to the server
- token manipulation
- getsystem
- creddump
- tons of useful powershell scripts
- ...
### Android specific
- Text to speech for Android to say stuff out loud
- webcam snapshots (front cam & back cam)
- GPS tracker!

## Installation
[Refer to the wiki](https://github.com/n1nj4sec/pupy/wiki/Installation)
## Documentation
[Refer to the wiki](https://github.com/n1nj4sec/pupy/wiki)
### Some screenshots (not up to date)
[Screenshot section on the wiki](https://github.com/n1nj4sec/pupy/wiki)

## FAQ
> Does the server work on windows?

Pupy server works best on linux. The server on windows has not been really tested and there are probably a lot of bugs. I try my best to code in a portable way but I don't always find the time to fix everything. If you find the courage to patch non-portable code, I will gladly accept pull requests! :)

> I can't install it, how does it work?

Have a look at the Installation section in the wiki

> I have the following error when starting pupy.sh: ImportError: No module named creddump.win32.domcachedump

Follow the Installation steps in the wiki, you missed the git submodules initialisation/updates

> I have the following error when using pupygen : IOError: [Errno 2] No such file or directory: '/full-path/pupy-master/pupy/payload_templates/pupyx86.exe'

Follow the Installation steps in the wiki, you missed the git submodules initialisation/updates

> I have another error at installation

Follow the Installation steps in the wiki (yes I know)

> Hey, I love pupy and I was wondering if I could offer you a beer!

Sure! Thank you!

Via pledgie: <a href='https://pledgie.com/campaigns/31614'><img alt='Click here to lend your support to: opensource security projects https://github.com/n1nj4sec and make a donation at pledgie.com !' src='https://pledgie.com/campaigns/31614.png?skin_name=chrome' border='0' ></a>

Via BTC: 12BKKN81RodiG9vxJn34Me9ky19ArqNQxC

> hey c4n y0u add a DDOS module plzz?

No.
## Contact
by mail: contact@n1nj4.eu
on Twitter: [Follow me on twitter](https://twitter.com/n1nj4sec)
If some of you want to participate in pupy development, don't hesitate! All help is greatly appreciated and I will review every pull request.
This project is a [personal development](https://en.wikipedia.org/wiki/Personal_development), please respect its philosophy and don't use it for evil purposes!
## Special thanks
Special thanks to all contributors who help me improve pupy and make it an even better tool! :)