Good morning, and thank you for joining us for our talk on pwncat, which is a tool for automating Linux red team operations. My name is Caleb Stewart, and during my day job I'm a lieutenant in the US Coast Guard. I'm currently assigned to US CYBERCOM. In my free time, my off time, I'm a CTF player and developer, and I'm an open source contributor.

Everyone, my name is John Hammond, and my day job, during the work hours that I have to put up with, I work as a cyber training developer and a cyber security content creator. I also like to do a little bit of red teaming on the side. For fun, in the nighttime hours, I like to play capture the flag, and I also like to develop and create some challenges and host a couple of competitions. I also have a YouTube channel where I like to create videos and walkthroughs and guides for cyber security and capture the flag write-ups.

Okay, so our talk, what we're going to be talking about today. We mentioned pwncat. What the heck is pwncat, right? So this is the slide, the obligatory introduction that goes over our agenda, the roadmap, the outline of what we're going to be discussing. So what is pwncat, right? It's a project, and we'll dive into it more later. But why do we do this? Why do we go ahead and create this thing? A little bit of the rationale, the mindset behind it. And what can pwncat do, right? So it's a tool, it's a utility. What are all the features and the functionality of pwncat, and how does it work? We want to do a little bit of a deep dive, go into some of the code, the back end, and Python, which is what this is all written in, and why and how. And who cares, right? Where is this useful? Why is this useful? We want to showcase some examples, or at least discuss some of them, and we want to talk about what more we could do with it, what else could be implemented and what we could do in the future.
So that's that, let's get into it. Before we do, I have a disclaimer, right? Every talk, every presentation has to have a disclaimer. So there's a little bit of a naming conflict, right? We have our project pwncat that lives on GitHub. It's public: github.com/calebstewart/pwncat. Interestingly enough, there is another project under the same name. It's also called pwncat. It's github.com/cytopia/pwncat, and one day I woke up, this is honestly kind of funny, I woke up to a LinkedIn notification, and apparently, it's funny, it's like I felt like we made the LinkedIn news. This individual, who I do not know, Jeff, thank you for one thing, he said, hey, our sensors are going off, our product is finding that there are two new adversarial red team ops tools and utilities out there on the internet, both based off netcat, or working to make netcat better or do more interesting things with it. It found pwncat one and pwncat two. Ours in this case is pwncat two, they mentioned pwncat one. Oh, excuse me, I have that backwards. Ours is pwncat one in his example in the LinkedIn post, and cytopia's is pwncat number two. pwncat number two is a little bit more network oriented, right? They're talking about some pivoting, they're talking about working through specific firewalls, doing other things like bouncing information back and forth, but it's also trying to stabilize a shell. Our pwncat, github.com/calebstewart/pwncat, is more about red team operations. We want to be doing persistence, privilege escalation, enumeration, cool stuff like that. But to note, these are two different projects. They were created around the same time, when we started development, by two completely different people. We honestly don't know who this cytopia fellow is. Awesome that we kind of got started with the same project name, but they are different things. What we're going to be talking about in this is the Caleb Stewart pwncat. So now we get that out of the way.
We can kind of get into what is pwncat, what is it used for, why do we have it? So pwncat is actually a command and control framework for after you get that initial access. So it takes what we would normally have as a basic bind or reverse shell, and it kind of elevates that into something more along the lines of a command and control framework. So where you would normally either connect to or receive a connection from a bind or reverse shell, it will do that for you instead of netcat, and then it will give you a platform to do more things. It kind of eases your path along those common things that you will do, and maybe in some cases is able to automate some of those things that you would normally do. pwncat is also agentless, and what we mean by that is that instead of something like, for example, Meterpreter or something like that, where maybe you will upload an agent onto that machine that communicates back over specific protocols, pwncat doesn't have that. pwncat uses the shell that is running over that raw connection, whether it be netcat or a bind or reverse shell, and issues commands on that shell across the network. So it doesn't need any type of agent.

So why do we do this, right? Why did we put this together? Well, a lot of reasons, but kind of first and foremost, we're talking about what we've been doing, right, red teaming, kind of adversary emulation, pentesting stuff. You get initial access to a machine, your target, your victim, whatever you want to call it, and you do that with a basic bind shell or reverse shell, and when you do that you get your connection, you get your callback. That kind of sucks.
You probably know, you've interacted with a couple of reverse shells. Maybe you're interacting with, you've got your netcat connection, and you're trying to tab complete to cat out some of the files in the file system, and you can't tab complete. Maybe you try and move back in your command there, you edit your command prompt using your left and right arrow keys to move around, and it just sends horrible, gross terminal escape characters and sequences, and that just ruins it. So you try to clear out your prompt and you hit Ctrl-C, and that completely kills your shell. So that sucks. It's not a stable shell. So we wanted to put something together that would automatically give you a stable shell. I put together some cheesy, stupid thing back in the past, my poor man's pentest framework, and I had given a talk on that sort of thing, where I would automate kind of the connection and getting it set up. But we don't have the functionality when we do that, because I'm automating keystrokes and just doing a dummy way to kind of simulate it. We aren't actually getting scripting or automation and automated interaction on the target. But with pwncat we do, and that just changes the game. That's super duper cool.

So now we kind of want to look at how we're using pwncat. How does it look when we actually type it into a shell? So pwncat, as John mentioned briefly earlier, is a Python module that you can install. It provides an actual entry point script called pwncat, and you can invoke it in a few different ways. So we've already mentioned the bind or reverse shell application of pwncat. Those are shown here as the connect and the listen modes of pwncat. So connect, you would connect to a remote bind shell, or listen, where you will actually listen for an incoming reverse shell. In those modes,
they act a lot like netcat in a really basic sense, in that as soon as you run that, whether it's a bind shell you're connecting to, you will get presented with a shell, a prompt on the remote machine, or if it's a reverse shell you're listening for, it will wait and listen for a connection, and once you get a connection it will give you a shell on that machine. The two other ways we have listed here to use pwncat are kind of interesting spin-off ways that we added later. They were really cool. So one of them being SSH: pwncat can use the Paramiko module in Python to actually create, or actually instantiate, SSH connections to a remote host. Say you know the password, or you've somehow gotten your hands on a private key for a user on a remote host. You can actually use pwncat to establish a pwncat session over an encrypted SSH tunnel, which is a super cool, super useful thing to do. The other thing that pwncat is able to do is, as we'll discuss later, it is able to keep track of persistence methods that you might have installed. So if you have that kept track of, you've already connected to a specific host before, you can tell pwncat, hey, I want to reconnect to this host, and give it an IP address or a host identifier, and it will then look up in its database and say, oh, I have a persistence method for that host as this user, I'm going to connect with that, and actually open another session again with pwncat to that host however it knows how.

So once you're connected, the initial output you'll see does a few different things. Here is an example of listening for a reverse shell, and we see it say, hey, I got a connection from this IP address, so you know where that connection is coming from. You know it's the right host, the one you were expecting. Then we see that it calculates and says, hey, I've never seen this host before, it's not in my database. So it calculates a unique host identifier, we call it the host hash within pwncat.
That's calculated from a few different unique identifiers within the remote host, including things like the hostname or interface MAC addresses, things like that, that will be unique even if, say, you're behind a NAT, so the IP address might be the same for multiple hosts on that network for you. Then it tells you, hey, I know that, I can see that I'm running in this shell, in this case bash. And then it'll tell you, hey, I'm ready, here's your shell. So at that point you have a shell. This is just a basic bash shell on the remote host. This shell, though, while it is the basic shell, is already set up right off the bat for it to be stable. pwncat has already figured out, this is how I need to start a PTY, I'm going to start that PTY, I'm going to unset the history file, make sure all of that is set up for you, and then give you the shell. At this point you can use your arrow keys, you have command history within this session (like I said, it disables saving it for later), and you also have things like graphical programs, or at least terminal graphical applications, things like Vim and nano and things like that, will just work. It synchronizes the size of the terminal, synchronizes the type of the terminal, all those types of things will just work right off the bat at this point. The more interesting things that John mentioned earlier about scripting and doing things like that, that all comes through the local pwncat terminal, which you can get to by pressing Ctrl-D. So at any point when you're just at a regular terminal prompt, you press Ctrl-D, and pwncat will say, hey, we restored a local terminal.
Here's your local prompt. That's where you're going to be able to start entering some of the interesting automated parts of pwncat, be able to get into that stuff. Initially we had used something like SSH does, where in SSH if you press tilde capital C (~C) you will get a local SSH prompt where you can change your port forwards and things like that at runtime. We had used something like that, but we found this kind of awkward when you need to do that multiple times or over and over. It's kind of awkward to press. Also, Ctrl-D has the added benefit of not allowing you to accidentally exit your shell. Sometimes I'll come back to a shell, on a regular version that I've stabilized manually, I'll hit Ctrl-D not thinking about it, and I've just lost my shell. That might make you think, well, what if I need to send Ctrl-D to the remote process? What if I run some long running process that I need to send Ctrl-D to, to exit? So to do that, pwncat has the idea of a prefix key, which you can bind other key shortcuts to later. A default binding is Ctrl-D, so if you press the prefix and then Ctrl-D, you will actually send that Ctrl-D directly to the remote process. So if you need to send Ctrl-D, you can in that way. The Ctrl-K is configurable to different things if you would like it to be later, and enter the configuration file.

Right, so as Caleb was mentioning, okay, we're going to talk about that prefix key, kind of like how tmux or screen has that, when you actually want to send keystrokes to the running program that you're working in. In this case pwncat will have that exact same setup. By default we set a prefix key of Ctrl-K. That was honestly just because it's on the other side of the keyboard as opposed to Ctrl-D, so it's a little bit more natural with your fingertips and your hands. But that way you won't accidentally kill your shell with the real Ctrl-D keystroke, only unless you really, really mean to, you really, really
want to, you purposefully want to close that connection. With that, you can use the prefix command and make sure that's going through. We also have the configuration file set up so you can determine specific things that will be used throughout pwncat. We talked about some of the persistence or the privilege escalation stuff that we do. In whatever the case, we need to create a backdoor to get our access back, we could set, hey, a configurable variable, let's say the backdoor username or backdoor password. By default we just set that to pwncat. And of course a database that we're going to store stuff in, that we'll touch upon later. One of the really, really cool things you can do with this configuration file is that you can specify commands or things that you want to happen immediately once you get that connection. So you can see that syntax here, just in the displayed code: we've got set on_load, we will run privesc -l, and what that means is we'll look for all those different privilege escalation routes or opportunities, and we'll touch on that more. But the really, really cool power here is that you can specify, you can determine, once you get your connection, what's going to automatically happen? Are you going to run some enumeration scripts? Are you going to upload a specific tool or a file that you need?
pwncat will handle that all for you, and you can define that. We also allow you to create some keybindings or aliases, or maybe nicknames or shortcuts to other commands. Maybe you say, hey, I want the functionality for just one keystroke: let me run a remote command or a local command, depending on what prompt I'm in, etc. So that can all be configured within the configuration file that you can give to pwncat at runtime from the command line. So that's cool.

So the next thing, after you have that stable shell, is that you are going to want to be able to upload and download files. So you're going to go through, you're saying, well, maybe I want to upload an enumeration script, or maybe I want to upload an exploit script, or even download one of those configuration files, or some source code to analyze locally. So it's really important, but it's normally kind of a pain. You normally either have to open another listener on another port, or start an SMB server, or start an HTTP server. You need to know your IP address from the point of view of the other host, if that even exists. All those things are a bunch of ifs, ands, and buts that you need to figure out before you can even transfer a file. Well, pwncat makes it really easy. You just have these upload and download commands. Well, on top of the fact that you get local and remote file tab completion with these upload and download commands,
it doesn't need another connection. It doesn't need to know what your IP address is. It doesn't need an HTTP server or an SMB server. It is shuttling the data through your already open command and control connection, so that more connections don't actually have to open. It does that by literally taking the data and saying, I want to put it in this file, and then that remote process listens for the data and the data gets sent through. That's kind of akin to if you were to open your script or something and copy the file and then paste it into your terminal. That would be a really gross way to upload a file, but for pwncat it's super easy, and it's great, and it's fast, and it's great.

So not only can we upload and download files, right, but we've got this connection, we've got our initial access on the target, on the remote. How can we keep this, right? How can we maintain that access in case something goes wrong, in case that goes away? So we want to be able to establish persistence on the target. That's a common thing that we kind of want to do in our adversary emulation. So in pwncat we create all these different commands that you can run, and what they could do is they could be a specific thing, and it'd be bundled with a certain amount of functionality or features. And we created the persist command, that will open up all the avenues and routes you could do to run a specific persistence method, and that's why we can see that -m there, because we're specifying a method that we might install or actually put on the target. And there are a couple of ways we can do this, right? There are a lot of different avenues around sort of how we're actually going to accomplish establishing this persistence. In this case, maybe you want to clobber some SSH file, authorized_keys, so we can put in our own public keys, so that, okay, authorized_keys will authenticate us when we use a private key to log in with SSH. That's one option, right?
There are a lot of others, and we could check out what status we have for the persistence methods that we've installed, what could we do? We have a couple of persistence mechanisms, and we can obviously extend this or add more to it. But maybe we could do a PAM degradation attack, right, so that every single user could log in with one specific password that we specify. Or maybe we could just simply change the password for a user, or go ahead and make someone a sudoer, or a sudo user, so we could get back to that account if necessary. Or even a stupid netcat callback in a .bashrc. There are tons of options, and one of the cool things is that, sure, we'll go ahead and install, implement this persistence mechanism, but we also want to be able to cleanly remove it in case, hey, we just want to cover our tracks, we're kind of wiping our fingerprints here. So you can see that syntax down below, persist --clean, and we can remove everything that pwncat has automated the process of putting together for us. And that's one of the really cool things, right, is that we can specify any of these methods that we want to use, but in the back of our mind we don't have to care about how it's done. We just want to make sure that it's done, and pwncat will be able to figure out and actually go about that in any way that's necessary. We'll touch on that more, but for now, okay, conceptually we've got this abstract idea: let's implement and install whatever persistence method and mechanism that we want, and clean up as necessary.

Okay, now that we're kind of talking at this point about modifying the remote system, we're talking about uploading files, we're talking about adding persistence, all these things make individual small modifications to the remote host. All those things, in the context of red team operations or of doing this type of work, you need to be able to track that information.
You know, I modified this file, I added these lines, I created this file, so on and so forth, I created this user, whatever it might be. So tamper does that for you. As pwncat, in all of the back-end things that are happening, is creating files or modifying files, it will register these different tampers, or these modifications of the remote host, and these tampers could be anything. They could be, as you see on the screen, a modified file, a created file. The actual persistence method you install is tracked there as well. For the persistence, you can see it says persistence authorized_keys. We also in this case have installed a PAM backdoor. All of these things are tracked by the tamper module itself, which is accessed through the tamper command. What's cool about that is that you can then revert them. So we talked about cleaning up persistence specifically, but what if you've done a lot of different things with pwncat? You've done maybe persistence, you've uploaded some files, you've maybe installed a few different things. All of this stuff was tracked by pwncat, and now you can say, hey, I want to revert it all, I want to go back to what it was before, as if none of that happened. It can do that because it's tracked all those changes, and it remembers them in between sessions, and it knows. Which is super cool and very helpful during an actual operation.

One thing that I kind of got into while I was playing with pwncat more and interacting with it in different scenarios and different environments is that maybe I wanted to use some commands or do some tricks that I know in my head are really cool and are fun to use, but that specific command or functionality wasn't available on that remote target. Like maybe I want to use chattr, you know, use the chattr command, the change attributes, and maybe make the immutable bit set on some files, because I'm doing some silly tricks, but that remote target doesn't have the chattr binary. Well, I want it, right? So we had this idea.
Maybe we could actually pull in BusyBox, which would package with it, BusyBox as a standalone binary, a lot of different commands. They could be run at the shell level, right, as if they are commands, and pwncat will be able to keep track of them and know that they exist. So we did that, right? Here's the idea. We could automatically determine, here's what the remote system's architecture is, here's what's necessary for it to actually run on the system, and we'll pull down from the internet that necessary package of BusyBox, set it up so that all the different commands and applets (applets is what BusyBox calls those commands) can actually run, and use those on the target system. Kind of cool, because if we didn't have that command that I wanted to use, suddenly we've got it, and pwncat will know that it exists. And it'll actually know all of these other commands that maybe BusyBox brought with it, because all of that functionality is now unlocked by pwncat, and it could say, hey, if we didn't have that command before, we'll know that it exists, and any other commands that might be necessary, we'll go ahead and use them through BusyBox, because we have proof, we can trust that those commands are now on the box, and we can use those to our advantage doing the live off the land stuff.

So now that we have a stable shell, we're able to upload files, we have persistence, we know we'll be able to get back in. The next step now is to enumerate that remote host. We need to know what's installed, what's there, how can we possibly pivot to something else, all of this information that we just need to enumerate from that machine.
So with that in mind, we have the enumerate module, which we are going to face through the enum command. This command allows us to quickly and easily enumerate a lot of different types of information. It not only presents that information to you in a user interface way, but on the back end, which we'll talk about later, it allows the actual other pieces of pwncat to reuse that information. It also is stateful, in that it knows, hey, I've already done that for this user, or this needs to be done per user and I haven't for this user yet, and it will do that and won't redo things. If you say, hey, I want to enumerate all the stuff, and then you run it again, it won't go back and run those commands, learn about the host again. It'll say, hey, I already know this information, here it is, there's no reason to go back to the host. Another really cool thing that it's able to do is that sometimes when you're enumerating information, some of the output might be really big, might be super long and be hard to read. Maybe you enumerated a bunch of private keys, for every user you found a private key, and you need that. That doesn't really display very well in a terminal, it's hard to copy out, those types of things. So there's actually a report option to the enum command, and it allows you to generate a report of all the different facts that pwncat was able to find. And these facts could be something as simple as, like it shows, a sudo capability. It could be a password it thinks it found in a configuration file.
It could be the SELinux status. There are a lot of different enumeration methods that are implemented right now. I mentioned a few of them. Some other things are things like kernel version, versions of different binaries like screen that might be vulnerable, just a ton of things, users and groups and setuid files and then executable capabilities. Everything you would expect of a Linux enumeration script are the things that we've been trying to implement into these enumeration methods. And so that's the goal, is to kind of replace all of those different enumeration scripts with this one simple command that allows you to generate a nice report, and also, on the flip side, reuse that information for automated privilege escalation or persistence and so on and so forth.

So, yeah, we mentioned privesc, and that was honestly, in my mind, like one of the coolest things we could do with this. When Caleb was kind of putting this project together, and he was fixing some of the bells and whistles to give it more features and make it pretty, I was just kind of off to the races, because I wanted to, let's try and automate an actual privilege escalation technique, which is one command, privesc, and it would just do it. I thought that was the coolest thing in the world. So what I wanted to do was, I wanted to give pwncat the ability to survey the scene and see what's out there. What can you see? Do you have sudo privileges as this user? Do you see any setuid binaries that you could abuse and kind of reach out to another layer of privilege? Could we run Dirty COW, some cheesy kernel exploit that will take a long time
and it's not always effective and applicable? Or maybe we could find some passwords, or there's an old one, one of the CVEs for screen. All these different things that we wanted to do, and we thought, let's put it together in a way that pwncat can find and reach for all the binaries and the things that are on this actual system. It's going to live off the land with the binaries and files that it can find, and it will do that with some capabilities: what can it find that has read access or write access or can grant me a shell? And we'll kind of deep dive on that a little bit more, but I want to drive the point home that pwncat was able to figure out how to escalate to a specific user, and any user that you wanted to, right? You say, okay, maybe I want root, get me the keys to the kingdom, make me the king, or any other kind of middle, like average privilege user, or starting from www-data, get me to whatever I want to be. And that was really cool, and it was able to do that. And it's even cooler in that once pwncat gets from one user to another, maybe we went from user one to user two, and now that we're in user two we can see more that user one wasn't able to. Maybe he didn't have the read access in some directories that had some setuid binaries, or maybe that user previously didn't have sudo privileges but this one does, and it can do something else. So we could move from user to user to user to user and chain these together, and that was super duper cool. It will recursively look for the footholds and the misconfigurations on a user by user basis. And one thing that we noticed is, while we're maybe trying some of these setuid binaries, if you notice, when you do that to get to another account, if you get a shell, you're noticing your effective user ID is what's giving you the privileges of that new user, but it doesn't match your real user ID. So there's an EUID and UID mismatch. Well, sometimes that gets annoying, because maybe you can't write to the sudoers file, and you can't put
some specific file in some directory, whatever the case may be. We wanted to account for that mismatch and automatically be able to correct it. So that's where those backdoor users come in. Let's put in maybe a pwncat user that we can just su into, or specify a password and authorized_keys to reconnect in and get that full user capability, make it my real user ID, not just my effective user ID. And that's something that pwncat knows how to do. Super duper cool. Just one command, privesc, and now you're root. Very, very cool.

The way that we do this, this is the deep dive, right? This is kind of where we get into some abstract thinking, because we thought about, let's look for those setuid binaries, let's look for those specific sudo commands we can run. But all those are really, really unique and really, really specific as to how they're actually going to do this technique or go ahead and perform this method of privilege escalation. So we essentially made our own copy of the GTFOBins resource, which I'm sure you guys know is out there, okay, some of the live off the land binaries and commands you can run in Linux to escalate your privileges. So we set up a JSON file, this ginormous JSON file that I poured a lot of time and effort into. You can see, like, the Sublime Text minimap over on the left-hand side, it's like 3,000 lines. But for as many commands as we could find, we would specify, what can this command do? Can it read a file with some specific syntax, or can it write to a file, or get a shell? Do we need to specify some specific arguments to maybe run with setuid privileges? And how is this file going to take in or put out information? Is it going to be, like, printable characters that are safe to be displayed on a terminal, ASCII letters, English stuff? Or is it raw bytes, or like raw data, where our terminal needs to be in a different mode to be able to read and interpret it, like raw mode? Or can we just maybe mask it and hide it within base64,
which gives us a lot more flexibility in the data that we put in? Because, okay, some of those special characters, maybe newlines, if it's sensitive or whatever the case may be, don't get clobbered and eaten and completely destroy the state of our terminal, because we're trying to automate this. But anyway, all that, the coolest thing is that it doesn't matter how to do something. Let's say you're in the situation, you want to read /etc/passwd. Okay, you could do that with cat, or you could do it with grep, or you could do it with more, you could do it with less, you could do it with awk, you could do it with... and it doesn't matter. pwncat will be able to determine you want something that has read capability, and any GTFOBin will do, if we can find it, if it's on the system. Or you want to write to a specific file, maybe it doesn't matter how you do it, we'll find one GTFOBin that's on the system, live off the land, and you can authoritatively say, just give me this access, and pwncat will find a way. And that's really, really cool.

So now, as John kind of mentioned, we're kind of stepping into that deep dive side. So we talked about that front end, we talked about how you interact, interface with pwncat, and now we're kind of getting into, how does this work in the back end?
Because all of these things we talked about up to now have an easy way to add things to them. The whole point of pwncat was, hey, I want to be able to have a nice little interface, I want to be able to type download, but also I want to say, hey, there's a new privesc that I think I could automate really easily, let me go write that real quick in Python, and there it is, it works. So with that in mind, I tried to take this object we call victim and abstract some of the really common operations you would want to do on the remote host. One of the coolest things, that I think kind of blew my mind when I thought I could get this to work, and it was even crazier when it actually did work, was taking the built-in open function in Python, but creating a version of that for the victim object to open a remote file, and not just open it, but return a file-like object in Python that you can interact with like any other file. So here in this little example we have John mentioned trying to read /etc/passwd, and that's great. You can use victim.gtfo.iter_methods, find a GTFOBins method on your own, and run that command, read the file, and that's great. That's fantastic, that works. I went one step further, and I implemented an abstraction on top of that. So open will actually use those methods, those GTFOBins methods, to open the file and return to you an abstract file-like object that you can simply use .read or .readlines on, or iterate over like you see in this example, to get all the lines from the file. And that's it, that's all you have to do. You have the contents of /etc/passwd at that point. And it also supports write as well. You can't do read and write, that doesn't work over one C2 channel. However, you can do read or write, in binary or text mode.
It all works; all the methods of a normal file-like object. There are some other useful file-system-type abstractions in there. Another example we have here is access: when I say, hey, do we have read access to the /etc/shadow file? That's useful, right? We want to read everyone's hashes. Other things that access returns: obviously whether or not a file exists, whether or not you have read or write access to the parent directory, that kind of thing. It returns a bunch of useful information about that actual file. There are some other file system abstractions, things like listing a directory, changing directory; all of those are abstracted within the victim object. So as you're implementing these, whether it be a persistence module, a regular command, a privesc module, an enumeration module, whatever it is, you can just interact with it almost like it's your local host. It's simple. Aside from just interacting with the file system, you can interact with processes. So you can say, I want to run this process on the remote host, and I want a pipe that actually gives me read and write access simultaneously; in this case you can have read and write access to the standard I/O of the remote process. That's what subprocess will do: it will give you an actual file-like object that you can read and write from. In this case we're reading a list of groups from NSS with the getent command. The other option you can do is, for example, run, which is a little bit simpler. It doesn't give you a file-like object; you just get the standard output of the process back after it's finished completing. So that's super useful in some cases, like "I don't need all those features of a pipe, I just need the output of the command", so that will give you that bare-bones command access. And then, kind of more abstract as we step away, is another feature that was amazing, super useful and amazing to me once I got it working: this idea of compiling. So for a lot of exploits that we do, you might need to
compile actual C code for that remote host, and there are a couple different ways you can do that. Namely there are mostly only two, right: you're either going to compile that on the remote host if they have a compiler, or you need to use a cross compiler and upload the compiled binary. But you don't want to have to do that logic every single time you implement an exploit that needs a compiled binary, whether it's an exploit or, as I've even had to do, a persistence module that needed to compile a binary. You don't have to do that every time. That's an annoying thing to have to do: you have to upload files and download files, and so on and so forth. Instead I abstracted that away. You can now simply run compile, and it will check and see: hey, do I have a compiler on the remote system? Yes? Okay, cool. Let me automatically upload these files, let me compile the binary to a temporary random path on the remote host, let me clean up any extra files that were created in the process, and return to you just the path that the new binary is going to be at. Maybe you don't have a compiler on the remote host, but the user may have set cross, which is an actual configuration item you can set in pwncat, and that's going to be set to an actual cross compiler that compiles code for the target, for that victim. So that means pwncat now, instead of even looking for a compiler on the remote host, is going to say, oh, well, I can compile code for that target directly; so it's going to compile it locally and just upload the compiled binary to that remote host. Another useful thing when you're writing these persistence modules or your privesc modules is that this compile command can take either file names, relative,
obviously, to whatever your current directory is; it can also take file-like objects. So maybe you have a StringIO object with a short C file right there; you can send that directly and it will work as well. It doesn't care which thing you pass to it. And now that we've talked about the actual victim abstraction, we can move on to the actual enumeration modules. So now that we can adequately abstract the victim, we can implement better enumeration modules instead of having to manually say, oh, do I have cat? Okay, I've got cat, let me cat this file, let me see if this exists; all of that type of thing is just going to slow you down implementing these enumeration modules. You can now use those abstractions to implement them, and on top of implementing better enumeration modules, you can use that enumeration data throughout pwncat. So the enum command is using victim.enumerate to abstractly show you those things in a human-readable way, but you can also get to the raw data. In this example we grab kernel exploit data, which is going to go through and say, hey, does this kernel version that we're running on the remote host match any known CVEs for kernel vulnerabilities? If so, let's return the CVE identifier, the name, a link to the implementation, all that useful information. It'll also enumerate all of the sudo information as well, and that's not just a user-readable string; that's actually the raw data: the user, the command that you're allowed to run, the run-as user, run-as group, any options, hosts, hashes, all of those pieces that it parses out of the sudo -l information and gives to you in a usable way. All of the things we've talked about so far are all tracked within pwncat. So we've talked about tampers. We talked about persistence.
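The sudo enumeration described above, as an added example by the editor (not code from the talk or the pwncat repository): a parser that turns sudo -l output into structured rules (user, host, run-as user and group, options, commands) and then cross-checks those rules against a GTFOBins-style list of binaries with a sudo shell escape. The sample sudo -l output and the GTFOBINS_SUDO set are constructed for the example, and the function and class names are assumptions, not pwncat's API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `sudo -l` output for a hypothetical user 'alice' on host 'target'.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on target:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (bob : developers) /usr/bin/less /var/log/syslog
    (root) SETENV: NOPASSWD: /usr/local/bin/deploy.sh
"""

# Constructed slice of the GTFOBins binaries that carry a 'sudo' shell escape.
GTFOBINS_SUDO = {"vim", "find", "less", "awk", "env", "python3", "bash"}

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
# Rule lines look like "(runas_user : runas_group) OPT1: OPT2: cmd1, cmd2".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<opts>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    user: str
    host: str
    runas_user: str
    runas_group: Optional[str]
    options: List[str]
    commands: List[str]

    @property
    def nopasswd(self) -> bool:
        return "NOPASSWD" in self.options


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Parse the rule lines of `sudo -l` into SudoRule records; the Defaults
    block before the 'User ... may run' header is skipped."""
    rules: List[SudoRule] = []
    user = host = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            user, host = header["user"], header["host"]
            continue
        rule = RULE_RE.match(line) if user else None
        if not rule:
            continue
        runas_user, _, runas_group = (p.strip() for p in rule["runas"].partition(":"))
        options = [o.strip() for o in rule["opts"].split(":") if o.strip()]
        commands = [c.strip() for c in rule["cmds"].split(",") if c.strip()]
        rules.append(SudoRule(user, host, runas_user, runas_group or None, options, commands))
    return rules


def shell_candidates(rules: List[SudoRule]) -> List[Tuple[str, str, bool]]:
    """(binary, run-as user, nopasswd) for rules that plausibly hand us a shell:
    ALL, or a GTFOBins sudo binary runnable as root. Argument restrictions in
    the rule are not evaluated here; check them before relying on a hit."""
    hits = []
    for rule in rules:
        for cmd in rule.commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            as_root = rule.runas_user in ("root", "ALL")
            if cmd == "ALL" or (as_root and binary in GTFOBINS_SUDO):
                hits.append((binary, rule.runas_user, rule.nopasswd))
    return hits


if __name__ == "__main__":
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    for rule in parsed:
        print(rule)
    print(shell_candidates(parsed))
```

Keeping the parsed rule rather than the printed line is what lets later modules ask precise questions (does this run as root? is a password needed? which exact path?) instead of grepping text again; the less rule here is deliberately excluded because it runs as bob, not root, even though less has a GTFOBins entry.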
We talked about privilege escalation, we've talked about enumeration: all of these things that you do or enumerate on the remote host are tracked within a database. We touched on it briefly in the configuration file: you can set that connection string, which is any valid SQLAlchemy connection string. We use SQLite a lot; you could use a full-fledged Postgres or MySQL, whatever you prefer, and it will actually build out that database, so that as you connect during different sessions all of that information is still there. We mentioned running enum multiple times and not having to rerun commands; that applies between sessions as well, because it saves all those facts, it saves that information. We mentioned reconnecting at the very beginning of the presentation; that works because pwncat actually keeps track of what persistence modules are installed on that remote host, and it can look through that database and say, oh, I've got an authorized_keys for that host, there's no need, I can just reconnect. It does that, as we mentioned at the beginning, by creating a custom host hash, as we call it, so that it knows what that host is even if the IP isn't the same, or if I have multiple hosts behind a single IP address: it has a unique host hash that it will identify each host with specifically. All right, we've thrown a lot at you, right? So who cares? Why is this useful? Where is this useful? Well,
obviously, as we'd say, your mileage may vary. Great. We don't know; we can't promise that this will work in every situation, always, all the time, forever. But we think it's really cool, and we've had a lot of fun with it. We've gone ahead and tested it; we play with it on a few different things. Honestly the easiest and most common thing for us to work with is the well-known online practice or wargame-like cyber range environments and exercises, so TryHackMe is a fine example. I really love the stuff that they do, so quick shout-out to them. But on a lot of their exercises, a lot of the machines that they put out, we've been able to explore this and try out pwncat, try out some of these techniques: privilege escalation, persistence, enumeration, finding passwords, etc., etc., and honestly it is just so cool to see it work. Right, so here are just a few examples. We list out just a couple of their machines or levels and boxes you could play with. Some are labeled hard, or their difficulty is set to intermediate or easy or difficult, whatever the case may be, but it's so cool to just, once you have your initial access, run privesc, and boom, you're root. Game over, you've won. That's super-duper cool, and it doesn't matter what it is; hopefully we've got enough of an arsenal, a toolkit, an inventory of these different commands, the GTFOBins stuff that you're using to live off the land, sudo, setuid, maybe the screen CVE, all these different potential privesc techniques or things that we could do. There are just a lot, and it's kind of cool to see it in action. But now what, right? We feel like we've laid the groundwork. We feel like we've got a good, a little bit of a fundamental framework and everything; we've got stuff put together, but there is always, always more to do, and we've got some crazy ideas, right?
We've kind of mentioned pwncat is all about being able to automate the end target, being able to automate and interact with the victim without ever having been on that machine before; we can script on it any way that we want, and that's crazy cool. That just opens up all the doors. Maybe we could write some specific commands or units or modules that could let us do aggression techniques if we're playing a king-of-the-hill game: maybe spam the terminal or the pts of a user with /dev/urandom, or the terminal's parent, or wall everyone, or fork bomb, who cares. Maybe you want to be a little bit more stealthy; maybe you're using this for some actual op, or who knows. Okay, you could clear log files, maybe do some timestomping-like commands, like clobbering the timestamps with the touch command on Linux, maybe hiding files with Unicode homoglyphs or zero-width space characters. Who knows? Maybe we could add more to persistence, right? There are a lot of options. We could use that chattr binary to do stuff; we could backdoor crazy things like PROMPT_COMMAND with a trap DEBUG, and maybe inject into a driver or backdoor things like apt-get; so many things. And privilege escalation, right? Container escapes with Docker; maybe you're using that to privesc with LXD; the sudo CVE we saw recently. It'd be awesome to add into our upload and download functionality, being able to transfer and exfiltrate stuff, maybe add some more protocols, right? We could do that with SMB, we could do that with FTP, maybe even do something like ping, get ICMP in there.
That'd be very, very cool. One idea that we've had that I think honestly sounds awesome, and we tried a little bit of a proof of concept with this, would be Squid as a proxy, or maybe even use a SOCKS5 proxy, so that your target, the remote host that you're interacting with, can have internet even if it's in an environment, in a space, where it wouldn't otherwise have internet, like it doesn't naturally. So okay, if BusyBox doesn't give you the commands that you want, you just don't have that functionality already on the system, well, you've got internet: install whatever you want. And that's crazy cool. Maybe port forward to other machines in a local area network; who knows, there's just so much we could do with it. Maybe even install some kernel rootkits, right, put in Reptile or Prism for some crazy cool persistence. There's just so much, and we're really excited about all these ideas, and maybe you might have some really cool ideas, too. So, yeah, I mean at this point, like John mentioned, this is an open-source project. Please come contribute, whether it's a pull request or an issue. I always feel kind of awkward submitting issues and no pull request, but honestly, it's fantastic. I've had some people that have just submitted issues, like "hey, I tested it on this machine, it's running these things and it didn't work, or I got this output", and it's incredibly useful. So please, even if all you can offer is "it broke", please help: give me a screenshot, tell me what you're doing, and we can make it better. So thank you; please come help out. All right, we're gonna wrap it up. I think we're cutting way, way into our question-and-answer time, but hey, we hope you guys love this stuff just as much as we do. If you guys have any questions for us, if you want to reach out, if you want to contact us, you can find me on GitHub.
You can find Caleb on GitHub, Twitter or LinkedIn; email, of course, my Discord and YouTube if you're interested in that sort of thing. But please, please, please go check out the GitHub repository, go check out the documentation. We do this because we love it, and we're here for you if you have any questions, if you just want to chat, you want to talk with us. We are here for you; that's why we're doing this presentation, that's why we're doing this talk, and we're just so, so thankful that you guys were wanting to come take a look at it and hang out with us. So that's all. Thank you, thank you, thank you for tuning in and listening to our talk. We hope you enjoy pwncat. We love it, and thanks again for coming to our talk, and enjoy the rest of GrimCon. Thanks, thanks.