
# File Encryption

Use this page when you need to protect files before transfer.

In most exfil flows:

* Encrypt on the **compromised host** before you send the file.
* Decrypt on the **attacker** after you receive it.

If you are staging a file to the target, reverse that order.

{% hint style="info" %}
**Attacker** means your box, Pwnbox, or redirector.

**Compromised host** means the machine you already accessed.
{% endhint %}

### Why encrypt before transferring

During a pentest you may move password hashes, `NTDS.dit`, configs, or enumeration results.

If someone intercepts that transfer, plain files are immediately readable.

Encrypting first makes the content useless without the key.

> Important rule: Never exfiltrate real PII, credit card data, or trade secrets. If testing DLP controls, use dummy data that mimics the real thing.

### Windows — AES encryption with PowerShell

Use a script called `Invoke-AESEncryption.ps1`.

Transfer it first with any method you already trust, then import it.

Run the `Encrypt` examples on the **compromised host** before transfer.

Run the `Decrypt` examples on the **attacker** after you receive the file.

```powershell
# Import the script as a module
Import-Module .\Invoke-AESEncryption.ps1

# Encrypt a file — creates scan-results.txt.aes
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt

# Decrypt a file
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\scan-results.txt.aes

# Encrypt a string
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Text "Secret Text"

# Decrypt a string
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Text "LtxcRelxrDLrDB9rBD6JrfX/czKjZ2CUJkrg++kAMfs="
```

Encrypted files get the `.aes` extension automatically.

The script encrypts with AES-256.

> Use a **different strong password for every engagement**. If one password leaks and gets cracked, it should not compromise other clients' data.

### Linux — OpenSSL encryption

OpenSSL is built into most Linux systems.

Run the `Encrypt` command on the **compromised host** before transfer.

Run the `Decrypt` command on the **attacker** after you receive the file.

```bash
# Encrypt
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc

# Decrypt
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
```

Breaking down the flags:

* `enc` — symmetric encryption mode
* `-aes256` — use the AES-256 cipher (an alias for `-aes-256-cbc`, which gives confidentiality but no integrity check)
* `-iter 100000` — use 100,000 PBKDF2 iterations when deriving the key from the password, which slows down offline password guessing
* `-pbkdf2` — use PBKDF2 for key derivation instead of OpenSSL's legacy, weaker default
* `-in` — input file
* `-out` — output file
* `-d` — decrypt mode

OpenSSL prompts you for the password interactively. Use exactly the same cipher and `-iter` value on both sides; with a mismatch, decryption either fails with `bad decrypt` or produces garbage.
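As an added example that is not part of the original page, the wrapper below drives the same `openssl enc` flags from a script: it reads the passphrase from a file instead of the terminal or the command line, checks the round trip byte for byte, and confirms that a decrypt side using a different iteration count cannot recover the file. It assumes `openssl` 1.1.1 or newer (needed for `-pbkdf2`) and `cmp` are on `PATH`; file names and the passphrase are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: round-trip check for the openssl enc flags shown above.
# Assumes openssl 1.1.1 or newer (for -pbkdf2) and cmp on PATH.

# Encrypt $1 into $2 using a passphrase read from file $3 rather than from
# the command line, so it does not land in the process list or shell history.
aes_encrypt() {
  openssl enc -aes256 -iter 100000 -pbkdf2 -salt -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt $1 into $2; cipher and iteration count must match the encrypt side.
aes_decrypt() {
  openssl enc -d -aes256 -iter 100000 -pbkdf2 -pass "file:$3" -in "$1" -out "$2"
}

# Create a scratch directory holding a constructed plaintext and passphrase file.
make_fixture() {
  local work; work=$(mktemp -d)
  printf 'constructed sample line\nroot:x:0:0:root:/root:/bin/bash\n' > "$work/plain"
  printf 'Example-Passphrase-Change-Me\n' > "$work/pass"
  printf '%s' "$work"
}

# Returns 0 when decrypt(encrypt(plain)) is byte-identical to plain and the
# ciphertext starts with the "Salted__" magic openssl enc writes before the salt.
roundtrip_ok() {
  local work rc=1; work=$(make_fixture)
  if aes_encrypt "$work/plain" "$work/plain.enc" "$work/pass" \
     && [ "$(head -c 8 "$work/plain.enc")" = "Salted__" ] \
     && aes_decrypt "$work/plain.enc" "$work/plain.dec" "$work/pass" \
     && cmp -s "$work/plain" "$work/plain.dec"; then
    rc=0
  fi
  rm -rf "$work"
  return "$rc"
}

# Returns 0 when decrypting with a different -iter value does NOT recover the
# file: openssl either reports "bad decrypt" or writes garbage, never the plaintext.
mismatch_detected() {
  local work rc=1; work=$(make_fixture)
  aes_encrypt "$work/plain" "$work/plain.enc" "$work/pass" || { rm -rf "$work"; return 1; }
  if openssl enc -d -aes256 -iter 1000 -pbkdf2 -pass "file:$work/pass" \
       -in "$work/plain.enc" -out "$work/plain.dec" 2>/dev/null \
     && cmp -s "$work/plain" "$work/plain.dec"; then
    rc=1   # wrong parameters yielded the original file: must not happen
  else
    rc=0
  fi
  rm -rf "$work"
  return "$rc"
}
```

The `Salted__` prefix is also what a defender can look for when checking whether a transferred file was produced by `openssl enc`.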
