Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint.
- Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
- On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk
- pupy can also be packed into a single .py file and run without any dependencies other that the python standard library on all OS. pycrypto gets replaced by pure python aes && rsa implementations when unavailable
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
- Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
- A lot of awesome modules are already implemented!
- Pupy uses rpyc and a module can directly access python objects on the remote client. We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
- Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports!
- Pupy can communicate using obfsproxy pluggable transports
- All the non-interactive modules can be dispatched to multiple hosts in one command
- Commands and scripts running on remote hosts are interruptible
- Auto-completion for commands and arguments
- Custom config can be defined: command aliases, modules automatically run at connection, …
- Interactive python shells with auto-completion on the all in memory remote python interpreter can be opened
- Interactive shells (cmd.exe, /bin/bash, …) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine just like an ssh shell
- Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
- Pupy can generate payloads in various formats: apk, lin_x86, lin_x64, so_x86, so_x64, exe_x86, exe_x64, dll_x86,dll_x64,py, pyinst,py_oneliner, ps1, ps1_oneliner, rubber_ducky
- Pupy can be deployed in memory, from a single command line using pupygen.py’s python or powershell one-liners.
- “scriptlets” can be embedded in generated payloads to perform some tasks “offline” without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm …)
- tons of other features…
All transports in pupy are stackable. This means that by creating a custom transport conf (pupy/network/transport/<transport_name>/conf.py), you can make you pupy session looks like anything. For example, you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3:
A layer with authentication & encryption using RSA and AES256, often stacked with other layers
layer using a static AES256 key
- ssl (the default one)
TCP transport wrapped with SSL
same as ssl but stacked with an rsa layer
layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
A Polymorphic Network Protocol to Circumvent Censorship. The scramblesuit is stacked with an rsa layer for a better security
The rsa layer but over UDP (could be buggy, it doesn’t handle packet loss yet)
Other layers don’t really have any interest and are given for code examples : (dummy, base64, XOR, …)
Just connect back
Bind payload instead of reverse
- command execution
- interactive python shell with auto-completion
- interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, …)
- tty allocation is well supported on both windows and *nix. Just looks like a ssh shell
- shellcode exec
- socks5 proxy
- local and remote port forwarding
- run the awesome credential gathering tool LaZagne from memory !
- sniff tools, netcreds
- process migration (windows & linux, not osx yet)
- a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, …)
- inter process architecture injection also works (x86->x64 and x64->x86)
- in memory execution of PE exe both x86 and x64!
- works very well with mimitakz
- webcam snapshot
- microphone recorder
- takes small screenshots around the mouse at each click and send them back to the server
- token manipulation
- tons of useful powershell scripts
- Text to speech for Android to say stuff out loud
- webcam snapshots (front cam & back cam)
- GPS tracker!