penelope
Penelope is a shell handler designed to be easy to use and intended to replace netcat when exploiting RCE vulnerabilities. It is compatible with Linux and macOS and requires Python 3.6 or higher. It is a standalone script that does not require any installation or external dependencies, and it is intended to remain this way.
Among the main features are:
- Auto-upgrade shells to PTY (realtime resize included)
- Logging interaction with the targets
- Download files/folders from targets
- Upload local/remote files/folders to targets
- Run scripts on targets and get output on a local file in real time.
- Spawn shells on multiple tabs and/or hosts
- Maintain X amount of active shells per host no matter what
- Multiple sessions
- Multiple listeners
- Can be imported by python3 exploits and get shell on the same terminal (see Extras)
Penelope can work in conjunction with metasploit exploits by disabling the default handler with set DisablePayloadHandler True
Currently only Unix shells are fully supported. There is only basic support for Windows shells (netcat-like interaction + logging) and the rest of the features are under way.
Usage
Sample Typical Usage
./penelope.py # Listening for reverse shells on 0.0.0.0:4444
./penelope.py -a # Listening for reverse shells on 0.0.0.0:4444 and show reverse shell payloads based on the current Listeners
./penelope.py 5555 # Listening for reverse shells on 0.0.0.0:5555
./penelope.py 5555 -i eth0 # Listening for reverse shells on eth0:5555
./penelope.py 1111 2222 3333 # Listening for reverse shells on 0.0.0.0:1111, 0.0.0.0:2222, 0.0.0.0:3333
./penelope.py -c target 3333 # Connect to a bind shell on target:3333
Demonstrating Random Usage
As shown in the below video, within only a few seconds we have easily:
- A fully functional auto-resizable PTY shell while logging every interaction with the target
- Execute the lastest version of Linpeas on the target without touching the disk and get the output on a local file in realtime
- One more PTY shell in another tab
- Uploaded the latest versions of LinPEAS and linux-smart-enumeration
- Uploaded a local folder with custom scripts
- Uploaded an exploit-db exploit directly from URL
- Downloaded and opened locally a remote file
- Downloaded the remote /etc directory
- For every shell that may be killed for some reason, automatically a new one is spawned. This gives us a kind of persistence with the target
penelope_sample_usage.mp4
Main Menu Commands
Some Notes:
- By default you need to press
F12
to detach the PTY shell and go to the Main Menu. If the upgrade was not possible the you ended up with a basic shell, you can detach it withCtrl+C
. This also prevents the accidental killing of the shell. - The Main Menu supports TAB completion and also short commands. For example instead of
interact 1
you can just typei 1
. - You can add more scripts and modify default behaviours by using a configuration file (See extras/penelope.conf). This file can be speficied with -r in the command line or can be placed in ~/.penelope/penelope.conf
Command Line Options
positional arguments:
ports Ports to listen/connect to, depending on -i/-c options. Default: 4444
Reverse or Bind shell?:
-i , --interface Interface or IP address to listen on. Default: 0.0.0.0
-c , --connect Bind shell Host
Hints:
-a, --hints Show sample payloads for reverse shell based on the registered Listeners
-l, --interfaces Show the available network interfaces
-h, --help show this help message and exit
Verbosity:
-Q, --silent Be a bit less verbose
-d, --debug Show debug messages
Session Logging:
-L, --no-log Do not create session log files
-T, --no-timestamps Do not include timestamps in session logs
Misc:
-r , --configfile Configuration file location
-m , --maintain Maintain NUM total shells per target
-H, --no-history Disable shell history on target
-P, --plain Just land to the main menu
-S, --single-session Accommodate only the first created session
-C, --no-attach Disable auto attaching sessions upon creation
-U, --no-upgrade Do not upgrade shells
Debug:
-N , --no-bins Simulate binary absence on target (comma separated list)
-v, --version Show Penelope version
Extras
There are also included two sample exploit simulation scripts in the extras folder to demonstrate how penelope can be imported and get shell on the same terminal. The illustration below shows how Penelope is imported in a python3 exploit for the Quick machine of Hack The Box.
Furthermore, a bash script is included which automatically upgrades Unix shells to PTY using the xdotool.
Contribution
If you want to contribute to this project please report bugs, unexpected program behaviours and/or new ideas.
TODO
Features
- remote and local port forwarding
- socks & http proxy
- persistence modules
- edit command: open the remote file locally, make changes and upon saving, upload it to the target
- currently download/upload/spawn/upgrade commands are supported only on Unix shells. Will implement those commands for Windows shells too.
- spawn meterpreter sessions
- an option switch for disable all logging, not only sessions.
- main menu autocompletion for short commands
- download/upload autocompletion
- IPv6 support
- encryption
- UDP support
Known Issues
- Main menu: Ctrl-C on main menu has not the expected behavior yet.
- Session logging: when executing commands on the target that feature alternate buffers like nano and they are abnormally terminated, then when 'catting' the logfile it seems corrupted. However the data are still there. Also for example when resetting the remote terminal, these escape sequences are reflected in the logs. I will need to filter specific escape sequences so as to ensure that when 'catting' the logfile, a smooth log is presented.
Limitations
- For the emojis to be shown correctly, the fonts-noto-color-emoji package should be installed. It is installed by default on many distros but not on parrot OS. May consider removing emojis altogether.
- When downloading files via the download menu command, clickable links with the downloaded files are presented. However the links are not clickable on the qterminal (Kali Linux).
Trivia
Penelope was the wife of Odysseus and she is known for her fidelity for him by waiting years. Since a characteristic of reverse shell handlers is waiting, this tool is named after her.
Thanks to
- Cristian Grigoriu - @crgr for inspiring me to automate the PTY upgrade process. This is how this project was born.
- Paul Taylor - @bao7uo for the idea to support bind shells.
- Longlone - @WAY29 for indicating the need for compatibility with previous versions of Python (3.6).
- Carlos Polop - @carlospolop for the idea to spawn shells on listeners on other systems.
- @darrenmartyn for indicating an alternative method to upgrade the shell to PTY using the script command.
- @robertstrom and @RamadhanAmizudin for bug reporting.