Linux File Transfer Methods
Last updated
Last updated
Related Sites:
Linux is a versatile operating system, which commonly has many different tools we can use to perform file transfers. Understanding file transfer methods in Linux can help attackers and defenders improve their skills to attack networks and prevent sophisticated attacks.
A few years ago, we were contacted to perform incident response on some web servers. We found multiple threat actors in six out of the nine web servers we investigated. The threat actor found a SQL Injection vulnerability. They used a Bash script that, when executed, attempted to download another piece of malware that connected to the threat actor's command and control server.
The Bash script they used tried three download methods to get the other piece of malware that connected to the command and control server. Its first attempt was to use cURL. If that failed, it attempted to use wget, and if that failed, it used Python. All three methods use HTTP to communicate.
Although Linux can communicate via FTP, SMB like Windows, most malware on all different operating systems uses HTTP and HTTPS for communication.
This section will review multiple ways to transfer files on Linux, including HTTP, Bash, SSH, etc.
We have access to the machine NIX04, and we need to download a file from our Pwnbox machine. Let's see how we can accomplish this using multiple file download methods.
Depending on the file size we want to transfer, we can use a method that does not require network communication. If we have access to a terminal, we can encode a file to a base64 string, copy its content into the terminal and perform the reverse operation. Let's see how we can do this with Bash.
We use cat to print the file content, and base64 encode the output using a pipe |. We used the option -w 0 to create only one line and ended up with the command with a semi-colon (;) and echo keyword to start a new line and make it easier to copy.
-w 0: This specifies that the output should not be wrapped at all. That means the encoded Base64 output will be a continuous string without any line breaks.
We copy this content, paste it onto our Linux target machine, and use base64 with the option `-d' to decode it.
echo -n, the output will not end with a newline
Finally, we can confirm if the file was transferred successfully using the md5sum command.
You can also upload files using the reverse operation. From your compromised target cat and base64 encode a file and decode it in your attack box
Two of the most common utilities in Linux distributions to interact with web applications are wget and curl. These tools are installed on many Linux distributions.
To download a file using wget, we need to specify the URL and the option `-O' to set the output filename.
cURL is very similar to wget, but the output filename option is lowercase `-o'.
Breakdown of options:
-r (or --recursive): Download files and directories recursively.
-np (or --no-parent): Don’t follow links to parent directories.
-nH (or --no-host-directories): Avoid creating a directory named after the host.
--cut-dirs=1: Skip the first directory level in the path when saving files.
-R "index.html*": Exclude files named index.html to avoid downloading unnecessary index files.
Some payloads such as mkfifo write files to disk. Keep in mind that while the execution of the payload may be fileless when you use a pipe, depending on the payload chosen it may create temporary files on the OS.
Let's take the cURL command we used, and instead of downloading LinEnum.sh, let's execute it directly using a pipe.
Similarly, we can download a Python script file from a web server and pipe it into the Python binary. Let's do that, this time using wget.
-q stands for quiet mode, which means no output will be printed to the terminal (silent mode).
-O- specifies that the output should be directed to standard output (usually the terminal).
There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/TCP device file can be used for simple file downloads.
The exec command with 3<> is setting up a new file descriptor (3) that will be used to communicate over a TCP connection.
/dev/tcp/10.10.10.32/80 is a feature provided by some Unix shells (like Bash) to access TCP sockets directly as if they were files.
-e: This option enables interpretation of backslash escapes. In this case, will be interpreted as a newline character.
"GET /LinEnum.sh HTTP/1.1\n\n": This is the string that echo will print. It forms a basic HTTP GET request:
GET is the HTTP method used to request a resource.
/LinEnum.sh is the path to the resource (in this case, a file named LinEnum.sh).
HTTP/1.1 is the HTTP version.
\n are two newline characters. In HTTP, two newlines signify the end of the request headers.
>&3: This redirects the output of echo (which generates the HTTP request) to file descriptor 3. file descriptor 3 is typically used when you're scripting and want to send the output of a command directly to another process or a network socket.
SSH (or Secure Shell) is a protocol that allows secure access to remote computers. SSH implementation comes with an SCP utility for remote file transfer that, by default, uses the SSH protocol.
SCP (secure copy) is a command-line utility that allows you to copy files and directories between two hosts securely. We can copy our files from local to remote servers and from remote servers to our local machine.
SCP is very similar to copy or cp, but instead of providing a local path, we need to specify a username, the remote IP address or DNS name, and the user's credentials.
Before we begin downloading files from our target Linux machine to our Pwnbox, let's set up an SSH server in our Pwnbox.
Now we can begin transferring files. We need to specify the IP address of our Pwnbox and the username and password.
You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.
There are also situations such as binary exploitation and packet capture analysis, where we must upload files from our target machine onto our attack host. The methods we used for downloads will also work for uploads. Let's see how we can upload files in various ways.
The first thing we need to do is to install the uploadserver module.
Now we need to create a certificate. In this example, we are using a self-signed certificate.
The webserver should not host the certificate. We recommend creating a new directory to host the file for our webserver.
Now from our compromised machine, let's upload the /etc/passwd and /etc/shadow files.
We used the option --insecure because we used a self-signed certificate that we trust.
Since Linux distributions usually have Python or php installed, starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer to the web server directory and access them from the web page, which means that we are downloading the file from our Pwnbox.
It is possible to stand up a web server using various languages. A compromised Linux machine may not have a web server installed. In such cases, we can use a mini web server. What they perhaps lack in security, they make up for flexibility, as the webroot location and listening ports can quickly be changed.
Linux - Creating a Web Server with Ruby
When we start a new web server using Python or PHP, it's important to consider that inbound traffic may be blocked. We are transferring a file from our target onto our attack host, but we are not uploading the file.
We may find some companies that allow the SSH protocol (TCP/22) for outbound connections, and if that's the case, we can use an SSH server with the scp utility to upload files. Let's attempt to upload a file to the target machine using the SSH protocol.
Remember that scp syntax is similar to cp or copy.
Because of the way Linux works and how , most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.
As mentioned in the Windows File Transfer Methods section, we can use , an extended module of the Python HTTP.Server module, which includes a file upload page. For this Linux example, let's see how we can configure the uploadserver module to use HTTPS for secure communication.
