Windows File Transfer Methods
Introduction
The Windows operating system has evolved over the past few years, and new versions come with different utilities for file transfer operations. Understanding file transfer in Windows can help both attackers and defenders. Attackers can use various file transfer methods to operate and avoid being caught. Defenders can learn how these methods work to monitor and create the corresponding policies to avoid being compromised.
The term "fileless" suggests that a threat doesn't come in a file; instead, it uses legitimate tools built into the system to execute the attack. This doesn't mean that no file transfer operation takes place. The file is simply never written to disk: it is transferred and then runs in memory.
Download Operations
PowerShell Base64 Encode & Decode
Depending on the size of the file we want to transfer, we can use different methods that do not require network communication. If we have access to a terminal, we can encode a file to a base64 string, copy the string from the terminal, and perform the reverse operation on the other side, decoding it back into the original file content.
Check MD5 Hash on Linux:
md5sum id_rsa
# Output: 4e301756a07ded0a2dd6953abf015278 id_rsa
Encode File to Base64 on Linux:
cat id_rsa | base64 -w 0; echo
# Output: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K...
Decode Base64 on Windows:
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K..."))
Verify MD5 Hash on Windows:
Note: The Windows command-line utility (cmd.exe) has a maximum string length of 8,191 characters. Also, a web shell may error if you attempt to send extremely large strings.
PowerShell Web Downloads
Most companies allow HTTP and HTTPS outbound traffic through the firewall. PowerShell offers many file transfer options using the System.Net.WebClient class.
WebClient Methods:
OpenRead - Returns data from a resource as a Stream
OpenReadAsync - Returns data without blocking the calling thread
DownloadData - Downloads data and returns a Byte array
DownloadDataAsync - Downloads data without blocking the calling thread
DownloadFile - Downloads data to a local file
DownloadFileAsync - Downloads data to a local file without blocking the calling thread
DownloadString - Downloads a String from a resource
DownloadStringAsync - Downloads a String without blocking the calling thread
PowerShell DownloadFile Method:
PowerShell DownloadString - Fileless Method:
PowerShell Invoke-WebRequest:
Common Errors and Solutions:
Internet Explorer Configuration Error:
SSL/TLS Certificate Error:
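The two common errors listed above usually tempt people into disabling certificate validation or falling back to the IE parsing engine. As an added example (not code from the original page), the following PowerShell function downloads a file with Invoke-WebRequest while keeping certificate validation on, forces TLS 1.2 (the usual cause of SSL/TLS errors on older Windows builds is a TLS 1.0 default), uses -UseBasicParsing to avoid the Internet Explorer engine dependency, and refuses the file unless its SHA-256 matches a value obtained out of band. The URL, output path and expected hash are placeholders.

```powershell
# Added example (not from the original page): HTTPS download with
# Invoke-WebRequest, certificate validation left enabled, and a hash check.
# The URL, output path and expected hash below are placeholders.

function Get-VerifiedDownload {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Older Windows builds default to TLS 1.0, which many servers reject.
    # Selecting TLS 1.2 fixes that without turning certificate validation off.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # -UseBasicParsing skips the Internet Explorer DOM engine that Windows
    # PowerShell 5.1 otherwise needs, which is what causes the
    # "Internet Explorer engine is not available" error on hosts where
    # IE first-run setup has never completed.
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing -ErrorAction Stop

    # Get-FileHash returns upper-case hex; compare case-insensitively.
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ine $ExpectedSha256) {
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $($Uri): expected $ExpectedSha256, got $actual"
    }
    return $OutFile
}

# Placeholder values: replace with the real URL and a hash obtained out of band.
Get-VerifiedDownload -Uri 'https://example.com/tool.exe' `
                     -OutFile (Join-Path $env:TEMP 'tool.exe') `
                     -ExpectedSha256 '<expected-sha256-hex>'
```

Because the hash is checked before the function returns the path, a caller that only runs what Get-VerifiedDownload returns never executes a file that was altered in transit or served from the wrong host.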
SMB Downloads
The Server Message Block protocol (SMB) runs on port TCP/445 and is common in enterprise networks.
Create SMB Server on Linux:
Download from SMB Server:
For newer Windows versions (authenticated SMB):
FTP Downloads
FTP uses ports TCP/21 and TCP/20 for file transfers.
Setup FTP Server on Linux:
Download via PowerShell:
Download via FTP Client (non-interactive):
Upload Operations
PowerShell Base64 Encode & Decode
Encode File on Windows:
Get MD5 Hash on Windows:
Decode Base64 on Linux:
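The base64 round trip described in the Download Operations section (encode, paste, decode, verify the hash) and the Windows-side encode and hash steps in this section are the same operation in each direction. As an added example that is not part of the original page, the following PowerShell script does the whole round trip on Windows: it encodes a file, splits the string into chunks that stay under the 8,191-character cmd.exe limit mentioned earlier, reassembles and decodes them, and then confirms the MD5 hash of the result matches the original. The file paths, the chunk size and the randomly generated sample file are assumptions for illustration.

```powershell
# Added example (not from the original page): Base64 encode/decode round trip
# on Windows with chunking and an MD5 integrity check.
# Paths, chunk size and the sample file are constructed for this demo.

function ConvertTo-Base64Chunks {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ChunkSize = 8000   # each line stays under cmd.exe's 8,191-character limit
    )
    $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
    for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $b64.Length - $i)
        $b64.Substring($i, $len)   # emit one chunk per pipeline object
    }
}

function ConvertFrom-Base64Chunks {
    param(
        [Parameter(Mandatory)][string[]]$Chunks,
        [Parameter(Mandatory)][string]$OutPath
    )
    # Chunks are plain substrings, so joining them restores the original string.
    $bytes = [Convert]::FromBase64String(($Chunks -join ''))
    [IO.File]::WriteAllBytes($OutPath, $bytes)
}

function Test-FileHashMatch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [string]$Algorithm = 'MD5'
    )
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    # Get-FileHash prints upper-case hex; md5sum on Linux prints lower-case,
    # so compare case-insensitively.
    return $actual -ieq $ExpectedHash
}

# Constructed sample: 20,000 random bytes, enough to need several chunks.
$src = Join-Path $env:TEMP 'sample_src.bin'
$dst = Join-Path $env:TEMP 'sample_dst.bin'
$data = New-Object byte[] 20000
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($data)
[IO.File]::WriteAllBytes($src, $data)

$expected = (Get-FileHash -Path $src -Algorithm MD5).Hash
$chunks   = ConvertTo-Base64Chunks -Path $src
$longest  = ($chunks | Measure-Object -Property Length -Maximum).Maximum
"Encoded into $($chunks.Count) chunk(s); longest is $longest characters"

ConvertFrom-Base64Chunks -Chunks $chunks -OutPath $dst
if (Test-FileHashMatch -Path $dst -ExpectedHash $expected) {
    "Integrity OK: MD5 $expected"
} else {
    throw "Hash mismatch after decoding $dst"
}
```

In practice the chunks would be pasted one line at a time through whatever terminal or web shell is available and concatenated on the far side; the hash comparison is what tells you a chunk was not dropped or truncated along the way.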
PowerShell Web Uploads
PowerShell doesn't have a built-in upload function, but we can use Invoke-WebRequest or Invoke-RestMethod.
Setup Upload Server on Linux:
Upload via PowerShell Script:
Base64 Web Upload:
Catch with Netcat:
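As an added example that is not part of the original page, the following PowerShell function shows the Invoke-RestMethod side of a web upload: it sends the file as the raw request body with -InFile and attaches the file's SHA-256 in a custom header so the receiving side can verify what it stored. The upload URL and the X-File-Sha256 / X-File-Name header names are assumptions; the server you point it at must be written to expect them.

```powershell
# Added example (not from the original page): upload a file with
# Invoke-RestMethod and pass its SHA-256 alongside it for verification.
# The URL and the custom header names are assumptions.

function Send-FileWithHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Uri
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $headers = @{
        'X-File-Name'   = [IO.Path]::GetFileName($Path)   # hypothetical header
        'X-File-Sha256' = $hash                            # hypothetical header
    }
    # -InFile streams the file as the request body, so no multipart boundary
    # is needed when the server simply stores the raw bytes it receives.
    $response = Invoke-RestMethod -Uri $Uri -Method Put -InFile $Path `
                                  -ContentType 'application/octet-stream' `
                                  -Headers $headers -ErrorAction Stop
    return [pscustomobject]@{ File = $Path; Sha256 = $hash; Response = $response }
}

# Placeholder call: replace the path and URL with real values.
Send-FileWithHash -Path (Join-Path $env:TEMP 'sample.bin') -Uri 'https://example.com/upload'
```

Invoke-WebRequest accepts the same -InFile, -Method and -Headers parameters; Invoke-RestMethod is used here only because it returns the parsed response body rather than the whole response object.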
SMB Uploads
Companies usually allow outbound HTTP/HTTPS but block outbound SMB (TCP/445). An alternative is to run SMB-style file sharing over HTTP with WebDAV.
WebDAV Setup:
Connect to WebDAV Share:
Note: DavWWWRoot is a special keyword recognized by the Windows Shell for a WebDAV root connection.
FTP Uploads
Setup FTP Server with Write Access:
Upload via PowerShell:
Upload via FTP Client:
Key Takeaways
PowerShell is the most versatile tool for file transfers on Windows
Base64 encoding is useful for small files and bypassing restrictions
SMB is fast but often blocked by firewalls
HTTP/HTTPS methods are most likely to work due to firewall policies
WebDAV provides SMB-like functionality over HTTP
FTP is reliable but may require firewall configuration
Always verify file integrity with hash comparisons
Consider "fileless" methods that execute directly in memory