Summary: Showcases advanced techniques and creative ways to use pwnity beyond the standard workflow.

Advanced Examples & Creative Uses

This page showcases advanced techniques and creative ways to use pwnity beyond the standard workflow. These examples demonstrate how to leverage the framework's flexibility for complex automation and out-of-the-box tasks.

Using Standard Linux Commands as Tools

You can wrap any command-line utility, not just security tools. This is useful for quick diagnostics or integrating system commands into your workflow.

Example: Wrapping ping and curl

# Create a simple 'ping' tool
tool add ping
tool update ping command check
tool update ping check param "-c 4 $target.ip"

# Run it
target load my-server
tool load ping
pwn check now

# Create a 'curl' tool to grab HTTP headers
tool add curl
tool update curl command get-headers
tool update curl get-headers param "-I -s $target.url"

# Run it
tool load curl
pwn get-headers now

Dynamic Wordlist Generation with crunch

A wordlist object doesn't have to point to a file. You can use it to store parameters for a wordlist generator like crunch.

Example: Generating an 8-digit numeric list

# 1. Create a 'wordlist' to hold the parameters
wordlist add 8-digit-numeric
wordlist update 8-digit-numeric min 8
wordlist update 8-digit-numeric max 8
wordlist update 8-digit-numeric charset "0123456789"

# 2. Create a 'crunch' tool that uses these parameters
tool add crunch
tool update crunch command generate
tool update crunch generate param "$wordlist.min $wordlist.max $wordlist.charset"

# 3. Load the parameter-wordlist and run the generator
wordlist load 8-digit-numeric
tool load crunch
pwn generate now # This will run 'crunch 8 8 0123456789'

Using pwnity as a Dynamic Checklist Manager

By wrapping the echo command, you can turn a tool into a dynamic checklist generator that uses placeholders from your target.

Example: A web-app recon checklist

# Use /bin/echo as the tool's executable
tool add checklist
tool update checklist path /bin/echo

# Create a command with each step as a parameter
tool update checklist command web-recon
tool update checklist web-recon execute_per_param true # Set to run 'echo' for each param
tool update checklist web-recon param "== Recon Checklist for $target.name =="
tool update checklist web-recon param "1. Check robots.txt -> $target.base_url/robots.txt"
tool update checklist web-recon param "2. Check for sitemap -> $target.base_url/sitemap.xml"
tool update checklist web-recon param "3. Review HTTP headers for $target.hostname"

# Load a target and run the 'pwn' command to display the checklist
target load my-webapp
tool load checklist
pwn web-recon now

API Integration via the Global Profile

The global profile is a convenient place to store API keys that tools can reference through placeholders. Keep in mind that the resolved key is passed on the tool's command line, where it is visible in the process list and to anything that records command lines.

Example: Integrating whatweb with an API key

# 1. Store your API key in the global profile
profile update whatweb_apikey YOUR_API_KEY_HERE

# 2. Create a 'whatweb' tool that uses the key
tool add whatweb
tool update whatweb command deep-scan
tool update whatweb deep-scan param "-a 3"
tool update whatweb deep-scan param "--api-key=$profile.whatweb_apikey"
tool update whatweb deep-scan param "$target.url"

# 3. Run the scan
target load my-webapp
tool load whatweb
pwn deep-scan now

Chaining Tools for Automated Target Discovery

You can use one tool to discover assets and then pipe the results into pwnity to create new targets automatically.

Example: Using subfinder to create new targets

# 1. In pwnity, configure a subfinder tool
tool add subfinder
tool update subfinder command find
tool update subfinder find param "-d $target.domain -o /tmp/subs.txt"
target load example.com
pwn find now

# 2. Use the built-in 'shell' command to process the output file without leaving pwnity
# This command reads each subdomain from the file and creates a pwnity script.
shell "while read sub; do echo \"target add $sub; target update $sub url https://$sub\"; done < /tmp/subs.txt > create_targets.pwn"

# 3. Back in pwnity, run the generated script
run_script create_targets.pwn
target list # You will now see all the discovered subdomains as new targets
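The shell loop above copies each name from subfinder's output file straight into the generated script, so a discovered name that contains spaces, quotes or semicolons would be read as part of the script rather than as data. The following Python script is an added example (not part of pwnity) that does the same job as the loop but accepts a line only if it is a syntactically valid hostname inside the expected scope, and reports everything else instead of emitting it. The sample file contents, the scope suffix "example.com" and the function names are constructed for this example.

```python
import re

# Constructed sample of what subfinder's -o file (/tmp/subs.txt on the page)
# might contain. The last two lines are deliberately malformed: discovery-tool
# output is untrusted input, and a name that survives into create_targets.pwn
# unchecked would be interpreted as pwnity commands.
SAMPLE_SUBS = """www.example.com
api.example.com
dev-01.example.com
bad host.example.com
x;target delete www.example.com;y.example.com
"""

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# not starting or ending with a hyphen, at most 63 characters each.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_valid_hostname(name: str) -> bool:
    """Accept only syntactically valid, lowercase hostnames of sane length."""
    return len(name) <= 253 and HOSTNAME_RE.match(name) is not None


def build_target_script(subs_text: str, scope_suffix: str) -> tuple[str, list[str]]:
    """Turn discovery output into pwnity 'target add' / 'target update' lines.

    Returns (script_text, rejected_lines). A line is emitted only if it is a
    valid hostname AND equal to or under the scope suffix; anything else is
    collected in rejected_lines rather than silently written into the script.
    """
    lines, rejected = [], []
    for raw in subs_text.splitlines():
        sub = raw.strip().lower().rstrip(".")
        if not sub:
            continue
        in_scope = sub == scope_suffix or sub.endswith("." + scope_suffix)
        if not is_valid_hostname(sub) or not in_scope:
            rejected.append(raw)
            continue
        lines.append(f"target add {sub}")
        lines.append(f"target update {sub} url https://{sub}")
    return "\n".join(lines) + ("\n" if lines else ""), rejected


if __name__ == "__main__":
    script, bad = build_target_script(SAMPLE_SUBS, "example.com")
    print(script, end="")
    for line in bad:
        print(f"rejected: {line!r}")
```

Write the returned script text to create_targets.pwn and load it with run_script as in step 3; review the rejected lines by hand, since a name that fails validation is either noise or worth a closer look.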

Using Placeholder Functions for Data Transformation

The placeholder system supports functions to encode, decode, or hash data on the fly. This is extremely powerful for preparing payloads.

Example: Base64-encoding a value for a curl header

# Suppose a target requires a Base64-encoded 'Authorization' header.
# The value is composed of a username from the profile and a static string.
profile update username pentester

tool add curl
tool update curl command auth-test
tool update curl auth-test param "-H 'Authorization: Basic b64encode($profile.username:secret-token)'"
tool update curl auth-test param "$target.url"

# The 'pwn' command will resolve this to:
# curl -H 'Authorization: Basic cGVudGVzdGVyOnNlY3JldC10b2tlbg==' http://...

Example: Testing the functions with the print command

print b64encode($target.name)
print md5('test-string')
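To make the placeholder and function resolution concrete (the $object.attribute substitution and the b64encode / md5 calls used in the curl example and in the print commands above), here is an added Python model of how such a resolver can work. It is not pwnity's own implementation. The context dictionary, the innermost-first evaluation order and the extra function names b64decode and sha256 are assumptions of this example; only b64encode and md5 come from the page.

```python
import base64
import hashlib
import re

# Constructed context standing in for pwnity's loaded target and global
# profile; the object and attribute names mirror the page's placeholders.
CONTEXT = {
    "target": {"name": "my-webapp", "url": "http://my-webapp.test"},
    "profile": {"username": "pentester"},
}

PLACEHOLDER_RE = re.compile(r"\$(\w+)\.(\w+)")
# Matches a call whose argument contains no parentheses, so nested calls are
# evaluated innermost-first by repeated substitution.
FUNCTION_RE = re.compile(r"(\w+)\(([^()]*)\)")
MAX_PASSES = 16  # guards against output that itself looks like a call

# b64encode and md5 are the names the page uses; b64decode and sha256 are
# added here under the same calling convention (assumption, not pwnity's list).
FUNCTIONS = {
    "b64encode": lambda s: base64.b64encode(s.encode()).decode(),
    "b64decode": lambda s: base64.b64decode(s.encode()).decode(),
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha256": lambda s: hashlib.sha256(s.encode()).hexdigest(),
}


def _substitute(match, context):
    obj, attr = match.group(1), match.group(2)
    try:
        return str(context[obj][attr])
    except KeyError:
        # Fail loudly: a literal "$target.url" reaching a tool is a silent bug.
        raise KeyError(f"unresolved placeholder ${obj}.{attr}") from None


def _apply(match):
    name, arg = match.group(1), match.group(2).strip()
    if name not in FUNCTIONS:
        # Not one of our functions (e.g. some other parenthesised text): leave it.
        return match.group(0)
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "'\"":
        arg = arg[1:-1]  # md5('test-string') -> test-string
    return FUNCTIONS[name](arg)


def resolve(text: str, context: dict) -> str:
    """Expand $obj.attr placeholders, then evaluate function calls innermost-first."""
    text = PLACEHOLDER_RE.sub(lambda m: _substitute(m, context), text)
    for _ in range(MAX_PASSES):
        new = FUNCTION_RE.sub(_apply, text)
        if new == text:
            break
        text = new
    return text


if __name__ == "__main__":
    # The curl header parameter from the page, resolved against CONTEXT.
    header = "-H 'Authorization: Basic b64encode($profile.username:secret-token)'"
    print(resolve(header, CONTEXT))
    print(resolve("md5('test-string')", CONTEXT))
```

Placeholders are expanded before functions run, which is what lets b64encode($profile.username:secret-token) see the substituted username; the resolver also refuses to leave an unknown placeholder in place, so a typo in an attribute name surfaces as an error instead of an odd literal in the tool's command line.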