Open Source Python Post-Exploitation Frameworks

Pacu (named after a type of Piranha in the Amazon) is a comprehensive AWS security-testing toolkit designed for offensive security practitioners. While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the Metasploit equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pen testing process, covering the full cyber kill chain. Pacu is the aggregation of all of the exploitation experience and research from our countless prior AWS red team engagements. Automating components of the assessment not only improves efficiency but also allows our assessment team to be much more thorough in large environments. What used to take days to manually enumerate can be now be achieved in minutes. There are currently over 35 modules that range from reconnaissance, persistence, privilege escalation, enumeration, data exfiltration, log manipulation, and miscellaneous general exploitation.

Black Mamba is a Command and Control (C2) that works with multiple connections at same time. It was developed with Python and with Qt Framework and have multiple features for a post-exploitation step.

Post-exploitation framework written in Python. Aims to assist penetration testers in building scripts and automating many post-exploitation, information gathering and data exfiltration tasks.

Motinha is a Simple Information Gathering and Network Exploitation Framework coded in Python. Here we have a bridge between the final user and the most futurists’ tools on the Internet to find juice info around any network, website, domain, company or persons and in some cases exploit some features to have fun , now let’s Shut Up And Hack!

PivotSuite is a portable, platform-independent and powerful network pivoting toolkit, Which helps Red Teamers / Penetration Testers to use a compromised system to move around inside a network. It is a Standalone Utility, Which can use as a Server or as a Client. If the compromised host is directly accessible (Forward Connection) from Our pentest machine, Then we can run pivotsuite as a server on the compromised machine and access the different subnet hosts from our pentest machine, Which was only accessible from the compromised machine. If the compromised host is behind a Firewall / NAT and isn't directly accessible from our pentest machine, Then we can run pivotsuite as a server on pentest machine and pivotsuite as a client on the compromised machine for creating a reverse tunnel (Reverse Connection). Using this we can reach different subnet hosts from our pentest machine, which was only accessible from the compromised machine.

PyExfil was born as a PoC and kind of a playground and grew to be something a bit more. In my eyes it’s still a messy PoC that needs a lot more work and testing to become stable. The purpose of PyExfil is to set as many exfiltrations, and now also communication, techniques that CAN be used by various threat actors/malware around to bypass various detection and mitigation tools and techniques. You can track changes at the official GitHub page. Putting it simply, it’s meant to be used as a testing tool rather than an actual Red Teaming tool. Although most techniques and methods should be easily ported and compiled to various operating systems, some stable some experimental, the transmission mechanism should be stable on all techniques. Clone it, deploy on a node in your organization and see which systems can catch which techniques.

SharPyShell is a tiny and obfuscated ASP.NET web shell that executes commands received by an encrypted channel compiling them in memory at runtime. SharPyShell supports only C# web applications that run on .NET Framework >= 2.0. SharPyShell is a post-exploitation framework written in Python. The main aim of this framework is to provide the penetration tester with a series of tools to ease the post-exploitation phase once exploitation has been successful against an IIS webserver. This tool is not intended as a replacement for the frameworks for C2 Server (i.e. Meterpreter, Empire, etc..) but this should be used when you land on a fully restricted server where inbound and outbound connections are very limited. In this framework, you will have all the tools needed to privesc, net discovery, and lateral movement as you are typing behind the cmd of the target server.

Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence. Shennina is integrated with Metasploit and Nmap for performing the attacks, as well as being integrated with an in-house Command-and-Control Server for exfiltrating data from compromised machines automatically. Shennina scans a set of input targets for available network services, uses its AI engine to identify recommended exploits for the attacks, and then attempts to test and attack the targets. If the attack succeeds, Shennina proceeds with the post-exploitation phase. The AI engine is initially trained against live targets to learn reliable exploits against remote services. Shennina also supports a "Heuristics" mode for identfying recommended exploits.

mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse. The client requires impacket and sysadmin privileges on the SQL server. The first step is to execute code in the SQL Server process context. As extended stored procedures are going to be deprecated in future versions of MSSQL, we pay attention to Microsoft recommendations and thus, use CLR assemblies instead.

Full-featured C2 framework which silently persists on webserver via polymorphic PHP oneliner. The obfuscated communication is accomplished using HTTP headers under standard client requests and web server's relative responses, tunneled through a tiny polymorphic backdoor. Detailed help for any option (help command) Cross-platform on both client and server. CLI supports auto-completion & multi-command. Session saving/loading feature & persistent history. Multi-request support for large payloads (such as uploads) Provides a powerful, highly configurable settings engine. Each setting, such as user-agent has a polymorphic mode. Customizable environment variables for plugin interaction. Provides a complete plugin development API.