Getting and sending files over the network
When we have accessed a system during a penetration test, we may want to pull files onto the system in order to load additional tools locally, or send information off the system in order to exfiltrate data.We can use PowerShell to perform several types of network activity with relative ease. On a Linux system, one of the most useful tools that we have to pull data down from a Web server is wget. Handily, we can replicate its more basic features with a quick PowerShell script and a little .NET magic. As long as we can write to the download location, we should be able to execute this script with the permissions of a normal user.
$src = “http://nmap.org/dist/nmap-5.51-setup.exe”
$dest = “c:\temp\nmap-5.51-setup.exe”
$web = New-Object System.Net.WebClient
Let’s take a quick look at what we’ve done here. We first take in the argument containing the URL that we want to download, which came from the argument that we passed in at the command line. Here we are also using param to handle the
arguments, as we looked at earlier in the chapter, a slightly different method from
what we looked at in Chapter 1. In the $path variable, we place the location of our
current directory, which is where our downloaded file will be saved. In order to make
the script more flexible, we might want to take in the path from an argument also,
and this would be an easy change to make.
Here we instantiate our object to interface with theWeb, System.Net.WebClient, using $web as a handle for it. Lastly, we call the DownloadFile method on the handle for our object, passing the URL that we will be downloading and where we want to store it, as in $web.DownloadFile($url, $path). This is a fairly simple piece of code for handling Web traffic on a Windows machine. There are a number of very handy objects and methods that we can use to handle other types of transactions and traffic. With System.Net.WebClient, we can also make use of the UploadFile method to send files in the other direction, which may or may not be very handy for us when we look at Web transactions but we can also use System.Net.WebClient to do FTP, with no major changes required.
$src = “ftp://ftp.fr.netbsd.org/pub/pkgsrc/distfiles/netcat-
$dest = “c:\temp\netcat.tar.gz”
$ftp = New-Object System.Net.WebClient
#$ftp.UploadFile($src, $dest) #a quick change makes this an upload
This is, of course, very similar code towhat we just looked at for ourWeb download, which makes sense as we’re using the same object and the same methods. Since we’re doing very much the same transaction, the only real difference is in the source and/or destination of the file being on a different protocol. The System.Net.WebClient is handling all the protocol differences internally and transparently for us.
As we discussed in previous post, we have access to a huge number of objects in .NET, many of which are network-related. We can find, in many cases, existing objects and methods for most of the common tasks we might want to carry out for shipping files around on the network. For the oddball situations where we can’t make one of these fit, there are large amounts of user-generated code floating around the Internet for us to use and build on. Additionally, we can access most any other functionality available through the operating system or installed applications that have a command-line interface.Given tools such as Netcat, which we can download for Windows operating systems and easily control through PowerShell, we can move files over the network, open shells or reverse shells, and perform a broad variety of similar tasks.