Pwnbrew is a persistence management framework which integrates with Paterva’s Maltego to provide a tool that encompasses all phases of a red team engagement. Maltego provides an unparalleled solution for gathering and visualizing open source intelligence during the data collection phase of a security assessment.

By leveraging Maltego’s API, data from inside networks managed by Pwnbrew can also be visualized and manipulated inside the Maltego interface by way of custom Pwnbrew entities. In addition to data visualization, Pwnbrew also offers operational capabilities directly from the Maltego interface via custom local transforms.



Pwnbrew is written entirely in Java. It provides an operator the ability to covertly administer systems that have been compromised during a security assessment. Presently, the Pwnbrew clients provide remote file browsing, remote command execution, and the ability to pivot commands to internal clients. In order to supplement existing pentesting technologies, Pwnbrew uses Paterva’s Maltego as the frontend GUI for managing Pwnbrew clients. It does this by way of Maltego’s API, in particular, local transforms. Pwnbrew consists of three key components to include:


Pwnbrew Server:    The main backbone for all network communication and client management.

Pwnbrew Client:     The remote access tool installed on compromised systems.

Maltego API Stub:   The class files responsible for sending and receiving data to Maltego.


pwnbrewServer Manages the connected hosts and arbitrates commands from Maltego to the hosts.


The “Modules” tab provides an interface for managing the module library.


The “Networking” tab in the configuration dialog displays the Pwnbrew server’s self signed PKI certificate used for SSL communication between the server and the host agent and provides the capability to edit any of the fields.

A custom SSL certificate can be also be imported from this tab. Pwnbrew accepts PFX format. Example command for converting a LetsEncrypt certificate to PFX.

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

The port that the Pwnbrew server listens for incoming connections from hosts can also be changed from this tab.

Lists all hosts that are either connected or disconnected from the Pwnbrew server.

The Session Manager displays the connection logs for each host that has connected to a Pwnbrew server. It also provides a wizard for setting up a connection schedule so an operator can put certain hosts to sleep when they are not actively performing tasks on those hosts..

computer_small A host that is connected to a Pwnbrew Server and can be actively managed.
Transfers the host to be managed by another Pwnbrew server.
Reloads the agent on a host system to allow for re-initialization or upgrade of the host agent.

The file browser provides an operator with the ability to navigate through a host’s file system. Files can be both uploaded and downloaded with progress for each operation being displayed in the lower status panel. Toggling the ZIP button will cause all uploads and downloads to be compressed before transfer.  The dialog also has a search input box in the top right corner to assist in locating files by name.

The search input box accepts the * wildcard when trying to locate files without specifying the entire name.

Creates a listening port on the host that will relay data for any host that connects, to the next node the host is connected to. (Typically, this is the Pwnbrew server)

The shell dialog allows an operator to open an interactive shell on the host system. For systems running windows, the shell dialog currently supports the native command shell and powershell. The default shell for unix based systems is a bash shell wrapped in a python pseudo-terminal.


Creates a socks proxy server locally and all incoming connections are tunneled through the selected host.

Terminates the host agent and removes all data on the resident system.
dis_computer_small A host that is disconnected from a Pwnbrew Server.
relay A host that is disconnected from a Pwnbrew Server.
Lists all hosts that are either connected to or disconnected from the relay.
Stops the hosts from listening for incoming host connections. (Requires manual removal of relay entity)




Import the certificate generated during the install into each of the Pwnbrew servers you wish Maltego to connect to.

    • Run Pwnbrew server: java -jar Server.jar -rmp=8443
    • At the prompt, > , enter “i” for Import SSL Certificate
    • Enter the path to the *.der maltego certificate that is located in the install directory.


Pwnbrew Server

Windows:C:\Program Files\Pwnbrew

Maltego Stub

<Maltego Installation Path>/pwnbrew