├── .gitignore
├── LICENSE
├── README.md
└── netmog.py
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | env/
12 | build/
13 | develop-eggs/
14 | dist/
15 | downloads/
16 | eggs/
17 | .eggs/
18 | lib/
19 | lib64/
20 | parts/
21 | sdist/
22 | var/
23 | wheels/
24 | *.egg-info/
25 | .installed.cfg
26 | *.egg
27 |
28 | # PyInstaller
29 | # Usually these files are written by a python script from a template
30 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
31 | *.manifest
32 | *.spec
33 |
34 | # Installer logs
35 | pip-log.txt
36 | pip-delete-this-directory.txt
37 |
38 | # Unit test / coverage reports
39 | htmlcov/
40 | .tox/
41 | .coverage
42 | .coverage.*
43 | .cache
44 | nosetests.xml
45 | coverage.xml
46 | *.cover
47 | .hypothesis/
48 |
49 | # Translations
50 | *.mo
51 | *.pot
52 |
53 | # Django stuff:
54 | *.log
55 | local_settings.py
56 |
57 | # Flask stuff:
58 | instance/
59 | .webassets-cache
60 |
61 | # Scrapy stuff:
62 | .scrapy
63 |
64 | # Sphinx documentation
65 | docs/_build/
66 |
67 | # PyBuilder
68 | target/
69 |
70 | # Jupyter Notebook
71 | .ipynb_checkpoints
72 |
73 | # pyenv
74 | .python-version
75 |
76 | # celery beat schedule file
77 | celerybeat-schedule
78 |
79 | # SageMath parsed files
80 | *.sage.py
81 |
82 | # dotenv
83 | .env
84 |
85 | # virtualenv
86 | .venv
87 | venv/
88 | ENV/
89 |
90 | # Spyder project settings
91 | .spyderproject
92 | .spyproject
93 |
94 | # Rope project settings
95 | .ropeproject
96 |
97 | # mkdocs documentation
98 | /site
99 |
100 | # mypy
101 | .mypy_cache/
102 |
103 | # IDE files
104 | .idea/
105 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Sumit Ghosh
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # netmog
2 | A `netcat` alternative with remote code execution.
3 |
4 | # Usage
5 |
6 | ```console
7 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py -h
8 | usage: netmog.py [-h] {client,server} ...
9 |
10 | optional arguments:
11 | -h, --help show this help message and exit
12 |
13 | mode:
14 |
15 | {client,server}
16 | client client mode: for sending commands to a remote server
17 | server server mode: for executing commands from remote client
18 |
19 | ```
20 |
21 | As you can see above, `netmog` has two modes — _client_ and _server_.
22 |
23 | ## Client mode
24 |
25 | ```console
26 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py client -h
27 | usage: netmog.py client [-h] -t HOST -p PORT [-s]
28 |
29 | optional arguments:
30 | -h, --help show this help message and exit
31 | -t HOST, --host HOST target host
32 | -p PORT, --port PORT the port on which the target host is listening on
33 | -s, --shell shell mode, to use with a remote netmog server
34 | ```
35 |
36 | If you're using `netmog` to send commands to a remote `netmog` server, use the `--shell` flag to use it in shell mode. For example, the following connects to the remote `netmog` server at `localhost:5050` ::
37 |
38 | ### Shell mode
39 | ```console
40 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py client -t localhost -p 5050 --shell
41 | [*] Connected to localhost:5050
42 | [ netmog ] $ ls
43 | LICENSE
44 | netmog.py
45 | README.md
46 |
47 | [ netmog ] $
48 | ```
49 | Of course, for this to work, you'll have to run a `netmog` server at `localhost:5050`. Get the instructions for that [here](#server-mode).
50 |
51 | ### Netcat mode
52 |
53 | You can also use `netmog` as a standard `netcat`-like utility, which is the actually default mode for the `netmog` client. Only thing you have to keep in mind is
54 |
55 | __Note__ — In this mode, pressing `Enter`// newline doesn't send the request; `Ctrl+D`// `EOF` does. This is done so that the request body can contain newlines.
56 |
57 | In the following example, `netmog` is used to send an HTTP `GET` request to `google.com`.
58 | ```console
59 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py client -t google.com -p 80
60 | GET / HTTP/1.1
61 | Host: google.com
62 |
63 | HTTP/1.1 301 Moved Permanently
64 | Location: http://www.google.com/
65 | Content-Type: text/html; charset=UTF-8
66 | Date: Tue, 14 Apr 2020 17:47:57 GMT
67 | Expires: Thu, 14 May 2020 17:47:57 GMT
68 | Cache-Control: public, max-age=2592000
69 | Server: gws
70 | Content-Length: 219
71 | X-XSS-Protection: 0
72 | X-Frame-Options: SAMEORIGIN
73 |
74 |
75 | 301 Moved
76 | 301 Moved
77 | The document has moved
78 | here.
79 |
80 | ```
81 |
82 | ## Server mode
83 | ```console
84 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py server -h
85 | usage: netmog.py server [-h] [-t HOST] -p PORT
86 |
87 | optional arguments:
88 | -h, --help show this help message and exit
89 | -t HOST, --host HOST hostname to bind to
90 | -p PORT, --port PORT the port to listen on
91 | ```
92 |
93 | The `netmog` server binds to a mentioned `host:port` and keeps listening for incoming connections. Once it receives a message, it executes that as a `shell` command and returns the resulting output, i.e. `stdout` and `stderr` combined.
94 |
95 | One thing to note is that here the `--host` argument is optional, by default it takes the value of `0.0.0.0`. See the following example to see it in action ::
96 |
97 | ```console
98 | sumit@HAL9000:~/Coding/netmog$ python3 netmog.py server -p 5050
99 | [*] Listening on 0.0.0.0:5050
100 | [*] Accepted connection from: 127.0.0.1:41784
101 | [*] Executing command: ls
102 | ```
103 |
--------------------------------------------------------------------------------
/netmog.py:
--------------------------------------------------------------------------------
1 | import argparse
2 | import socket
3 | import subprocess
4 | import sys
5 | import threading
6 |
7 |
8 | class Client:
9 | def __init__(self, host, port):
10 | self.host = host
11 | self.port = port
12 | self.client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13 | self.client.connect((host, port))
14 |
15 | def receive(self):
16 | response = b''
17 | while True:
18 | chunk = self.client.recv(4096)
19 | response = response + chunk
20 | if len(chunk) < 4096:
21 | break
22 | return response
23 |
24 | def send(self, data):
25 | self.client.send(data)
26 |
27 | def run_once(self, data):
28 | self.client.send(data.encode('UTF-8'))
29 | received = self.receive()
30 | print(received.decode('UTF-8'))
31 |
32 | def run(self, shell=False):
33 | while True:
34 | if shell:
35 | data = input('[ netmog ] $ ')
36 | else:
37 | data = sys.stdin.read()
38 | self.run_once(data)
39 |
40 |
41 | class Server:
42 | def __init__(self, host, port, banner=None):
43 | self.host = host
44 | self.port = port
45 | self.banner = banner
46 |
47 | self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
48 | self.server.bind((self.host, self.port))
49 | self.server.listen(5)
50 |
51 | def run(self):
52 | while True:
53 | conn, addr = self.server.accept()
54 | print(f'[*] Accepted connection from: {addr[0]}:{addr[1]}')
55 |
56 | handler_thread = threading.Thread(target=self.connection_handler, args=(conn, addr))
57 | handler_thread.start()
58 |
59 | def connection_handler(self, conn, addr):
60 | if self.banner:
61 | conn.send(self.banner.encode('UTF-8'))
62 |
63 | while True:
64 | command = self.receive(conn)
65 | command = command.splitlines()[0]
66 | command = command.decode('UTF-8')
67 |
68 | if command == '!quit':
69 | print(f'[*] Closing connection from {addr[0]}:{addr[1]}')
70 | conn.send(b'remote says :: connection closed')
71 | conn.close()
72 | return
73 |
74 | print(f'[*] Executing command: {command}')
75 | process = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
76 | conn.send(process.stdout)
77 |
78 | def receive(self, conn):
79 | response = b''
80 | while True:
81 | chunk = conn.recv(4096)
82 | response = response + chunk
83 | if len(chunk) < 4096:
84 | break
85 | return response
86 |
87 |
88 | def main():
89 | parser = argparse.ArgumentParser()
90 | subparser = parser.add_subparsers(title='mode', description='')
91 | client_parser = subparser.add_parser('client', help='client mode: for sending commands to a remote server')
92 | client_parser.add_argument('-t', '--host', required=True, help='target host')
93 | client_parser.add_argument('-p', '--port', required=True, type=int,
94 | help='the port on which the target host is listening on')
95 | client_parser.add_argument('-s', '--shell', action='store_true',
96 | help='shell mode, to use with a remote netmog server')
97 | client_parser.set_defaults(mode='client')
98 | server_parser = subparser.add_parser('server', help='server mode: for executing commands from remote client')
99 | server_parser.add_argument('-t', '--host', default='0.0.0.0', help='hostname to bind to')
100 | server_parser.add_argument('-p', '--port', required=True, type=int, help='the port to listen on')
101 | server_parser.set_defaults(mode='server')
102 | args = parser.parse_args()
103 |
104 | try:
105 | mode = args.mode
106 | except AttributeError:
107 | parser.print_usage()
108 | return
109 |
110 | if mode == 'client':
111 | client = Client(args.host, args.port)
112 | if args.shell:
113 | print(f'[*] Connected to {args.host}:{args.port}')
114 | client.run(shell=args.shell)
115 |
116 | else:
117 | server = Server(args.host, args.port)
118 | print(f'[*] Listening on {args.host}:{args.port}')
119 | server.run()
120 |
121 |
122 | if __name__ == '__main__':
123 | main()
124 |
--------------------------------------------------------------------------------