git clone https://github.com/n1nj4sec/pupy.git pupy cd pupy git submodule init git submodule update pip install -r pupy/requirements.txt wget https://github.com/n1nj4sec/pupy/releases/download/latest/payload_templates.txz tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates
- Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
- On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk 🙂
- pupy can also be packed into a single .py file and run without any dependencies other that the python standard library on all OS
- pycrypto gets replaced by pure python aes && rsa implementations when unavailable
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
- Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
- A lot of awesome modules are already implemented!
- Pupy uses rpyc and a module can directly access python objects on the remote client
- We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
- Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports !
- Pupy can communicate using obfsproxy pluggable transports
- All the non interactive modules can be dispatched to multiple hosts in one command
- Commands and scripts running on remote hosts are interruptible
- Auto-completion for commands and arguments
- Custom config can be defined: command aliases, modules automatically run at connection, …
- Interactive python shells with auto-completion on the all in memory remote python interpreter can be opened
- Interactive shells (cmd.exe, /bin/bash, …) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine just like a ssh shell
- Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
- Pupy can generate payloads in various formats : apk,lin_x86,lin_x64,so_x86,so_x64,exe_x86,exe_x64,dll_x86,dll_x64,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky
- Pupy can be deployed in memory, from a single command line using pupygen.py’s python or powershell one-liners.
- “scriptlets” can be embeded in generated payloads to perform some tasks “offline” without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm …)
- tons of other features, check out the implemented modules
All transports in pupy are stackable. This mean that by creating a custom transport conf (pupy/network/transport/<transport_name>/conf.py), you can make you pupy session looks like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)
- A layer with authentication & encryption using RSA and AES256, often stacked with other layers
- layer using a static AES256 key
- ssl (the default one)
- TCP transport wrapped with SSL
- same as ssl but stacked with a rsa layer
- layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
- A protocol to keep a third party from telling what protocol is in use based on message contents
- obfs3 is stacked with a rsa layer for a better security
- A Polymorphic Network Protocol to Circumvent Censorship
- scramblesuit is stacked with a rsa layer for a better security
- rsa layer but over UDP (could be buggy, it doesn’t handle packet loss yet)
- Other layers doesn’t really have any interest and are given for code examples : (dummy, base64, XOR, …)
Implemented Launchers (not up to date, cf. ./pupygen.py -h)
Launchers allow pupy to run custom actions before starting the reverse connection
- Just connect back
- Bind payload instead of reverse
- Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable
Implemented Modules (not up to date)
- command execution
- interactive python shell with auto-completion
- interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, …)
- tty allocation is well supported on both windows and *nix. Just looks like a ssh shell
- shellcode exec
- socks5 proxy
- local and remote port forwarding
- run the awesome credential gathering tool LaZagne from memory !
- sniff tools, netcreds
- process migration (windows & linux, not osx yet)
- a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, …)
Windows specific :
- inter process architecture injection also works (x86->x64 and x64->x86)
- in memory execution of PE exe both x86 and x64!
- works very well with mimitakz 🙂
- webcam snapshot
- microphone recorder
- takes small screenshots around the mouse at each click and send them back to the server
- token manipulation
- tons of useful powershell scripts
- Text to speech for Android to say stuff out loud
- webcam snapshots (front cam & back cam)
- GPS tracker !
Refer to the wiki
Some screenshots (not up to date)
Screenshot section on the wiki