Pupy is an open-source, cross-platform, multi-function Remote Administration and post-exploitation tool written in Python. It is very modular and supports a wide range of operating systems, payload formats and network transports.
Pupy: Opensource, Cross-platform Remote Administration & Post-exploitation Tool
Pupy has an embedded Python interpreter, which allows its modules to load remote python code, python packages and python C-extensions from memory. It can communicate using different transports and has a lot of awesome modules and features. Pupy can generate payloads in multiple formats such as:
- PE executables, reflective DLLs, pure python files, powershell, apk, etc.
With Pupy Scriptlets, embedded python scripts which can perform various tasks offline, you can, for example, start a background script, add persistence, start a keylogger, detect a sandbox, etc.
- Cross-platform (Windows, Linux, OSX, Android): tested on Windows XP, 7, 8, 10, Kali Linux, Ubuntu, OSX, Android.
- On Windows: you can compile the Pupy payload as a reflective DLL and the whole python interpreter will load from memory.
- It can also be packed into a single .py file and run without any dependencies (except standard python libraries).
- Pupy can reflectively migrate into other processes.
- Pupy can remotely import pure python packages (.pyc) and compiled python C extensions (.so) from memory, without touching the disk.
- It's easily extensible; modules are quite simple to write, sorted by OS and category.
- A lot of awesome modules are already there.
- Pupy uses rpyc, and a module can directly access python objects on the remote client. We can also access remote objects interactively from the pupy shell with remote attribute auto-completion.
- Modular, stackable and cool communication transports. You could exfiltrate data using HTTP over HTTP over AES over XOR, or with any other combination of the available transports.
- Pupy can communicate using obfsproxy pluggable transports.
- You can dispatch all non-interactive modules to multiple hosts in one command.
- Scripts and commands running on remote hosts are interruptible.
- Commands and arguments auto-completion.
- You can define a custom config: command aliases, modules automatically run at connection, etc.
- You're able to open interactive python shells with auto-completion on the all-in-memory remote python interpreter.
- Interactive shells (/bin/bash, etc.) can be opened remotely. Remote shells on Unix & Windows clients have a real tty with all keyboard signals working fine, just like a
- Pupy can execute PE executables remotely and from memory.
- Pupy can generate payloads in various formats:
- It can be deployed in memory, from a single command line, using pupygen.py's python or powershell one-liners.
- "Scriptlets" can be embedded in generated payloads to perform some offline tasks without needing network connectivity (ex: start keylogger, add persistence, execute custom python script,
- rsa: a layer with authentication & encryption using RSA and AES256, often stacked with other layers
- aes: a layer using a static AES256 key
- ssl (the default one): TCP transport wrapped with SSL
- ssl_rsa: same as ssl but stacked with an rsa layer
- http: a layer making the traffic look like HTTP traffic. HTTP is stacked with an rsa layer
- obfs3: a protocol to keep a third party from telling what protocol is in use based on message contents; obfs3 is stacked with an rsa layer for better security
- scramblesuit: a polymorphic network protocol to circumvent censorship; scramblesuit is stacked with an rsa layer for better security
- udp: rsa layer but over UDP (could be buggy, it doesn't handle packet loss yet)
- other: the other layers don't really have any interest and are given as code examples:
- connect: just connect back.
- bind: bind payload instead of reverse.
- auto_proxy: retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable.
- migrate (windows only): inter-process architecture injection also works
- keylogger (windows only)
- persistence (windows only)
- screenshot (windows only)
- webcam snapshot (windows only)
- command execution
- socks5 proxy
- local port forwarding
- interactive shell (
- interactive python shell
- shellcode exec
- Management software (server side):
- Agent software (client side):
- Python libraries for various OS/CPU combinations:
If you want simple installation in a virtualenv with pre-built binaries, run the following:
$ apt-get install git libssl1.0-dev libffi-dev python-dev python-pip tcpdump python-virtualenv
Clone Pupy from the git repo. The script pupy/create-workspace.py will create a Python virtualenv in the selected folder and symlinks to pupysh at
$ git clone --recursive https://github.com/n1nj4sec/pupy
$ cd pupy && ./create-workspace.py pupyws
Now you can use pupy, as follows:
$ export PATH=$PATH:~/.local/bin
Install via Docker Compose:
You can install pupy via Docker Compose. Docker-supported platforms:
- Windows 10, Mac, CentOS, Debian, Fedora, Ubuntu.
Clone the repository, then install all dependencies and configure:
To start Pupy, run:
Pupy Shell Usage
To see available commands, just type your command followed by -h:
sessions -h
jobs -h
run -h
It's the same for modules, for example:
>> run pyexec -h
usage: pyexec [-h] [--file <path>] [-c <code string>]

execute python code on a remote system

optional arguments:
  -h, --help            show this help message and exit
  --file <path>         execute code from .py file
  -c <code string>, --code <code string>
                        execute python oneliner code. ex : 'import platform;print platform.uname()'