Howto Install the Pupy Post Exploitation Kit on Kali Linux

May 21, 2020


Pupy is a Remote Access/Post Exploitation tool.

Here are some of my favorite features:

  • All-in-memory execution
  • A windows payload that can load the entire Python interpreter from memory using a reflective DLL
  • Execute non-interactive commands on multiple hosts at once.
  • Reflectively migrate into other processes.
  • Interactive shells (cmd.exe, /bin/bash, etc.) can be opened remotely and have a real tty (with all keyboard signals working just like an SSH shell).
  • Remote Desktop session via your local browser
  • Customizable command line aliases

Full project details and source code can be found here:

Installation Instructions

I found the install instructions on Pupy’s github page confusing. Once I figured out how to install it I thought I’d share what I learned with folks. These instructions are for Kali 2020 Rolling.

Docker Setup

curl -fsSL | sudo apt-key add -
echo 'deb [arch=amd64] buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get remove docker docker-engine
sudo apt-get install docker-ce
docker run hello-world
systemctl start docker
systemctl enable docker
sudo usermod -aG docker kali
# you must open a new terminal window for the user kali to be part of the group docker

Grub Setup

Please take a backup of your grub configuration before modifying it.

cp /etc/default/grub /root/grub_backup

## Replace GRUB_CMDLINE_LINUX_DEFAULT with the line below

## now run update-grub

Install Prerequisites

apt-get install git libssl1.0-dev libffi-dev python-dev \
	python-pip build-essential python-openssl swig tcpdump

pip install virtualenv==16.7.10
pip install flake8==3.6.0

Download pupy and install

git clone --recursive
cd pupy
./ -E virtualenv pupyws

Modify Config to Listen on Correct IP

You will need to modify pupy.conf so that it listens on the right IP address. If you are using a VPN, this is the IP of tun0.

In the [pupyd] section of pupy.conf, modify "external=IP":

transport = ec4
port = 8080
ipv6 = false
igd = false
httpd = false
webserver = true
dnscnc = localhost:5454
use_gnome_keyring = false
external = YOUR_IP_GOES_HERE
allow_requests_to_external_services = false
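Leaving "external" on the placeholder, or on an address that is not actually assigned to the box (for example the LAN address when the lab traffic goes over tun0), is the usual reason the listener appears to start but is never reachable. The check below is an added example, not part of Pupy or this post: it parses the [pupyd] section with the standard library and reports mismatches against a constructed map of interface addresses (the `local_addrs` argument and the sample config are assumptions; on a real box you would fill the map from `ip -4 -o addr`).

```python
import configparser
import ipaddress

PLACEHOLDER = "YOUR_IP_GOES_HERE"

# Constructed sample of the [pupyd] section shown in the post.
SAMPLE_CONF = """[pupyd]
transport = ec4
port = 8080
ipv6 = false
external = 10.8.0.2
"""


def parse_pupyd(conf_text):
    """Return the [pupyd] section of a pupy.conf-style INI text as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("pupyd"):
        raise ValueError("no [pupyd] section found")
    return dict(cp.items("pupyd"))


def check_external(conf_text, local_addrs):
    """Return a list of problems with 'external' (an empty list means it looks right).

    local_addrs maps interface name -> IPv4/IPv6 address string, e.g.
    {"eth0": "192.168.56.10", "tun0": "10.8.0.2"} (assumed to be built by the caller).
    """
    pupyd = parse_pupyd(conf_text)
    external = pupyd.get("external", "").strip()
    if not external or external == PLACEHOLDER:
        return ["external is unset or still the placeholder"]
    try:
        addr = ipaddress.ip_address(external)
    except ValueError:
        return ["external=%r is not an IP address" % external]
    problems = []
    # ipv6 = false in the section but an IPv6 address configured is a mismatch.
    if addr.version == 6 and pupyd.get("ipv6", "false").lower() != "true":
        problems.append("external is IPv6 but ipv6 = false")
    if external not in local_addrs.values():
        problems.append("external=%s is not assigned to any local interface" % external)
    elif "tun0" in local_addrs and local_addrs["tun0"] != external:
        # The post's rule: on a VPN, external should be the tun0 address.
        problems.append("tun0 is up (%s) but external points elsewhere" % local_addrs["tun0"])
    return problems
```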