Commands Reference

m4n3dw0lf edited this page Mar 5, 2018 · 83 revisions

SECTION - CORE

help:

Print the help message.

exit/quit:

Leave the program.

set:

Set a variable's value.

arguments:

  • interface
  • gateway
  • target
  • file
  • domain
  • redirect
  • script
  • filter

examples:

   pythem> set interface
   [+] Enter the interface:
             or
   pythem> set interface wlan0

print:

Print a variable's value.

examples:

   pythem> print gateway

SECTION - NETWORK, MAN-IN-THE-MIDDLE AND DENIAL OF SERVICE (DOS)

scan:

Run a TCP scan (of the significant, well-known ports), a manual scan (of ports you enter) or an ARP (layer-2) scan.

Should be called after setting interface and target.

Targets can be single IP addresses or network ranges in CIDR notation.

arguments:

  • tcp
  • arp
  • manual

examples:

   pythem> scan
   [*] Select one scan mode, options = tcp/arp/manual
   [+] Scan mode: arp
           or
   pythem> scan tcp

   pythem> scan manual
   [+] Enter the port, ports (separated by commas): 21,22,25,80

webcrawl:

Crawl the target URL, collecting the links it finds.

arguments:

  • start
  • help

examples:

  pythem> webcrawl start

arpspoof:

Start or stop an ARP spoofing attack.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> arpspoof start
   pythem> arpspoof stop
   pythem> arpspoof status

dhcpspoof:

Start a DHCP ACK injection spoofing attack.

If the real DHCP server's ACK reaches the client before yours, the spoofing will not work; verify this with the sniffer.

arguments:

  • start
  • stop
  • status
  • help

example:

   pythem> dhcpspoof start

dnsspoof:

Start a DNS spoofing attack.

Should be called after an ARP spoofing attack has been started.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> dnsspoof start
   pythem> dnsspoof stop
   pythem> dnsspoof status

redirect:

Start a web server that serves the script to inject, then redirects the client to its original destination.

Should be used after an arpspoof has been started.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> redirect start
   pythem> redirect stop

sniff:

Start sniffing packets.

Should be called after setting an interface.

sniff custom filters:

  • http
  • dns
  • core | You need to try this!

Every filter, and the no-filter case too, passes through the PytheM custom filter to minimize redundant output.

examples:

   pythem> sniff http
          or
   pythem> sniff
   [+] Enter the filter: port 1337 and host 10.0.1.5  (tcpdump-like format)

dos:

Start a Denial of Service (DoS) attack.

arguments:

  • dnsdrop > Drop DNS queries that pass through the man-in-the-middle traffic.
    ARP spoofing must already be running; it determines which target IP address or range has its DNS blocked.
  • synflood > Start a SYN flood attack on the target host, default port = 80, set port to change.
  • udpflood > Start a UDP flood attack on the target host, default port = 80, set port to change.
  • teardrop > Start a UDP teardrop fragmentation attack.
  • land > Start a LAND attack on the target address, default port = 80, set port to change.
  • icmpflood > Start an ICMP flood attack on the target host.
  • pingofdeath > Start a ping of death (P.O.D) attack on the target address.
  • icmpsmurf > Start an ICMP smurf attack on the target host: sends echo requests with the target address as source.
  • dhcpstarvation > Start a DHCP starvation attack on the network's DHCP server: sends many DHCP discovers with spoofed MAC addresses.
  • dnsamplification > Start a DNS amplification attack on the target address, using the given DNS servers to amplify.
  • httpflood > Flood a target URL with HTTP requests. Only the GET method is supported for now.

examples:

   pythem> dos dnsdrop help

   pythem> dos synflood

pforensic:

Start the packet analyzer.

Should be called after setting file to the path of a .pcap file.

examples:

   pythem> pforensic
   pforensic> help

PFORENSIC COMMANDS REFERENCE

help:

Print the help message

clear:

Clear the screen, same as the GNU/Linux "clear" command.

exit/quit:

Return to pythem

show:

Display all the packets and their index numbers.

conversations:

Display a pictogram of the conversations between hosts in the analyzed file.

packetdisplay [num]:

Display the full content of the packet with the selected index.

filter [string/layer]:

Run a custom filter over the packets.
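
To make the pforensic "conversations" output concrete, here is an added example (not PytheM's own code) that walks a classic pcap file image record by record, pairs up IPv4 source and destination hosts, and renders one line per conversation. The pcap bytes are constructed inline from three IPv4 packets plus one ARP frame that must be ignored; the pictogram format is an assumption, not the tool's exact output.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps (link type 1 = Ethernet)

def ipv4_frame(src, dst):
    """Build a minimal Ethernet + IPv4 frame (no payload) for the constructed sample."""
    eth = b"\x00" * 12 + b"\x08\x00"                 # MACs zeroed, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip

def build_pcap(frames):
    """Wrap frames in a little-endian pcap image: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl_len, orig_len
    return out

# Constructed sample capture: three IPv4 packets and one ARP frame (EtherType 0x0806) to be skipped.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("10.0.1.5", "10.0.1.1"),
    ipv4_frame("10.0.1.1", "10.0.1.5"),
    ipv4_frame("10.0.1.5", "10.0.1.9"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,
])

def conversations(pcap_bytes):
    """Count packets per unordered IPv4 host pair, honouring the file's byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == PCAP_MAGIC_LE else ">"      # a big-endian file reads as 0xD4C3B2A1 here
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled in this example")
    pairs, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP): skip
            continue
        src = ".".join(str(b) for b in frame[26:30])        # IPv4 header offset 12 + 14-byte Ethernet
        dst = ".".join(str(b) for b in frame[30:34])
        pairs[tuple(sorted((src, dst)))] += 1
    return pairs

def pictogram(pairs):
    return [f"{a} <--[{n}]--> {b}" for (a, b), n in sorted(pairs.items())]   # one line per conversation
```

Running `pictogram(conversations(SAMPLE_PCAP))` yields two lines: the 10.0.1.1/10.0.1.5 pair with 2 packets and the 10.0.1.5/10.0.1.9 pair with 1; the ARP frame is not counted.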

SECTION - EXPLOIT DEVELOPMENT AND REVERSE ENGINEERING

xploit:

Interactive stdin or tcp exploit development shell.

The stdin argument should be called after setting file.

The tcp argument should be called after setting target.

arguments:

  • stdin
  • tcp

examples:

   pythem> set file exec

   pythem> xploit stdin
           or
   pythem> xploit
   [*] Select one xploit mode, options = stdin/tcp
   [+] Exploit mode:

   xploit> help

XPLOIT COMMANDS REFERENCE

help:

Print this help message.

clear:

Clear the screen, same as the GNU/Linux "clear" command.

exit/quit:

Return to pythem.

set:

Set a variable's value.

parameters:

  • offset > Number of 'A's to overwrite the instruction pointer.

  • addr1 > (Optional) Hex (0xaddress) first address to write after the offset.

  • addr2 > (Optional) Hex (0xaddress) second address to write after the offset.

  • nops > (Optional) Number of NOPs after the IP overwrite, or after addr1 and addr2 if they are set.

  • shellcode > (Optional) Shellcode (could be generated by msfvenom or any other tool).

  • length > Total length of the payload.

  • arch > Target system processor architecture.

print:

Print a variable's value.

example:

   xploit> print offset

decode/encode:

Decode or encode a string with a chosen pattern.

examples:

   xploit> decode hex
   xploit> encode hex

encoder:

Encode a string as an address / shellcode / little endian.

examples:

  xploit> encoder
  [+] String to encode: abcd
  [?] Output, [A]Address/[S]Shellcode/[L]LittleEndian (A/S/L): s
  \x64\x63\x62\x61

decoder:

Decode an address / shellcode / little-endian value into ASCII.

examples:

  xploit> decoder 0x636261
  abc
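
The two examples above (encoder output `\x64\x63\x62\x61` for "abcd", decoder output "abc" for 0x636261) are both byte reversal plus a change of notation. The following is an added example, not PytheM's code: the shellcode form reproduces the page's output exactly, while the address and little-endian forms are assumptions about the tool's formatting (0x-prefixed hex word, and bare hex of the reversed bytes, respectively).

```python
def encode(text, mode):
    """Encode an ASCII string for the xploit encoder's three output choices.

    'S' (shellcode) matches the page: 'abcd' -> \\x64\\x63\\x62\\x61 (bytes reversed, \\x escapes).
    'A' (address) and 'L' (little endian) are assumed formats: 'A' gives a 0x-prefixed hex word
    of the reversed bytes, 'L' gives the same reversed bytes as bare hex.
    """
    rev = text.encode("ascii")[::-1]          # little-endian word order: last char becomes first byte
    mode = mode.upper()
    if mode == "S":
        return "".join(f"\\x{b:02x}" for b in rev)
    if mode == "A":
        return "0x" + rev.hex()
    if mode == "L":
        return rev.hex()
    raise ValueError("mode must be A, S or L")


def decode(value):
    """Reverse of encode(): accept a 0x... address, a \\x.. shellcode string or bare hex.

    Page example: decoder 0x636261 -> 'abc'.
    """
    v = value.strip()
    if v.startswith("0x"):
        hexstr = v[2:]
    elif "\\x" in v:
        hexstr = v.replace("\\x", "")
    else:
        hexstr = v
    if len(hexstr) % 2:                        # a leading zero nibble is dropped by 0x notation
        hexstr = "0" + hexstr
    return bytes.fromhex(hexstr)[::-1].decode("ascii")
```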

shellcode:

Get the shellcode of an executable file.

examples:

   xploit> shellcode compiled_program

search:

Automatically search for instructions or opcode in the binary executable.

parameters:

  • instructions

  • opcode

examples:

   xploit> search
   [+] Search (instructions/opcode):
                 or
   xploit> search instructions
   [+] Find: pop ?di

   xploit> search opcode
   [+] Find: ffe4

   wildcards: ? - any character, % - any character

xploit:

Run the exploit once all the variables are set.

example:

   xploit> xploit

cheatsheet:

Display a GDB cheatsheet ;).

example:

   xploit> cheatsheet

fuzz:

Start fuzzing the subject.

If file was set when xploit was started, it fuzzes stdin; if target was set, it fuzzes tcp.

The offset's value is the number of 'A's to send, and also the step by which that number grows each round: with the default (offset = 1) it increases 1 by 1; with offset = 10 it increases 10 by 10.

examples:

   xploit> fuzz

Any other input is executed in the GNU debugger (gdb) shell with the target file loaded.

SECTION - BRUTE-FORCE

brute:

Start a brute-force attack.

Should be called after setting a target and a word-list file path.

arguments:

  • ssh > IP address as target
  • url > URL (with http:// or https://) as target
  • form > URL (with http:// or https://) as target
  • hash > hash as target

examples:

   pythem> brute form
   pythem> brute ssh

SECTION - UTILS

decode/encode:

Decode or encode a string with a chosen pattern.

examples:

   pythem> decode base64
   [*] String to be decoded:
            or
   pythem> encode hex
   [*] String to be encoded:

cookiedecode:

Decode a base64 url encoded cookie value.

example:

   pythem> cookiedecode

Anything else will be executed in the terminal, like ls, nano, cat, etc.