Have you studied the techniques for downloading files with PowerShell?

Posted by trammel at 2020-03-23

Author of this article: Wanfeng. Based on the number of previous articles, the author is awarded 50 yuan as encouragement, in the hope of continued contributions and further efforts.

The biggest advantage of PowerShell is that it is built on the .NET Framework. The .NET Framework is almost omnipotent in the field of scripting, which is an advantage but may also become a powerful convenience for attackers.

In penetration tests, when the normal transfer channels are blocked, we often use some special methods to transfer files. This article describes three ways to download files using PowerShell and evaluates their advantages and disadvantages.

For other techniques for uploading files through the command line on Windows, see the previous article: "Techniques for uploading files with Windows commands".

Testing environment

The purpose of this test is to show the differences in execution time and performance.

The test environment is mainly PowerShell 5 on Windows 10 (x64), over a wireless network connection with a download speed of about 3 MB/s.

I will download a test file, password2.txt, from my own server. The file size is 25.45 MB, and the server's public network bandwidth is 1 Mbps. We will run each script 10 times and average the results.

Let's start!


1. Invoke-WebRequest

When it comes to downloading files using PowerShell, the first thing that comes to mind is the Invoke-WebRequest command. The name may be a little unfamiliar, but it has three aliases: "iwr", "wget" and "curl".

Average time: 3 minutes and 28 seconds


This method is very easy to use. If you know the total size of the file, you can easily show the progress of the script with the Write-Progress command. Cookies can also be retained between multiple requests by using the -Session and -WebSession parameters.


Downloading files with this command is slow. I have observed that the HTTP response stream is buffered entirely in memory. Once the whole file has been transferred, it is written from memory to disk in one go. If you want to download a large file, this method causes serious performance problems and memory overhead. If anyone knows the details of how this command works internally, please let me know! We can discuss it together.

Another potentially serious disadvantage of this approach is its reliance on Internet Explorer. For example, this command cannot run on a Windows Server Core installation because that edition does not contain the Internet Explorer binaries by default. In this case, you can use the -UseBasicParsing parameter, but it doesn't work in all cases. In addition, here are two ways to speed up Invoke-WebRequest.

First, use the statement $ProgressPreference = 'SilentlyContinue' to hide the progress bar and reduce resource consumption.


Second, use the -UseBasicParsing parameter mentioned above, so that Invoke-WebRequest does not call IE to parse the response into a DOM tree, which improves efficiency.


This command is useful when you need to keep cookies across multiple requests, such as HTTP form authentication before downloading a file.

This is a good way to download small files, but if download speed matters, there are better choices. If the script is to run on a Windows Server Core installation, this command is not applicable.


2. System.Net.WebClient

The System.Net.WebClient class in the .NET Framework is a .NET class for downloading files.


Average time: 3 minutes and 28 seconds


This method is also very simple to use. The download speed of this method keeps up with that of the other method. During the whole download process, the HTTP response stream is buffered directly to disk.

You can also use the method System.Net.WebClient.DownloadFileAsync(). It is very convenient for continuing to run the script while files download in parallel.



There is no download progress bar (or anything that can query the download progress), which means you don't know how long the download will take to complete or how much has been downloaded so far. This command is also single-threaded, so it blocks the thread: one download task must complete before the next can start.


System.Net.WebClient is my best choice when I need to download files. This method is also fully compatible with Windows Server Core installations.


3. Start-BitsTransfer

If you have not heard of the Background Intelligent Transfer Service (BITS) before, see the reference documentation:

BITS is mainly used for upgrades and automatic updates of the Windows system. Its working mode is asynchronous file download, and it also performs very well when used for synchronous file download. Another tool, bitsadmin, also uses the Background Intelligent Transfer Service.

Average time: 3 minutes and 33 seconds


The integrated progress bar lets us see the download progress of the file clearly. The -Asynchronous parameter can be used to queue asynchronous transfers. Asynchronous means that you can execute the next task without waiting for the previous one to complete, so multiple commands can run in parallel. Although it is slow for a single task, it can improve efficiency when running multiple tasks.


Personally, the biggest advantage of using this method is the ability to retry in the event of failure and limit the amount of bandwidth available for transmission.


This method is the slowest method I have ever tested! But it's not much slower than the other two. In addition, although BITS is available by default on many machines, you cannot guarantee that BITS can be used on every machine unless you make sure that BITS is turned on on your machine. Also, because BITS is mainly used for asynchronous transfers, if other BITS jobs are running in the background, your job will be added to the queue or executed after a delay, which will hold up the execution of your script.


This method is perfect when you want to limit the bandwidth of the file download or when download time is not a major concern. Thanks to this feature, I set up a policy of downloading at full speed at night and at half speed during the day. BITS also makes it easy to watch the progress of downloads.
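The asynchronous queueing and retry behaviour described in this section, as an added example that is not part of the original article. The URL, target path and job name are placeholders chosen for illustration.

```powershell
# Added example: queue a BITS download and poll the job instead of blocking.
# $Url, $Target and the display name are placeholders (assumptions).
$Url    = 'https://example.com/password2.txt'
$Target = Join-Path $env:TEMP 'password2.txt'

Import-Module BitsTransfer

# -Priority Low makes this a background job that yields to foreground traffic.
# -RetryInterval / -RetryTimeout (seconds) control retries after transient errors.
$job = Start-BitsTransfer -Source $Url -Destination $Target -Asynchronous `
    -DisplayName 'example-download' -Priority Low `
    -RetryInterval 60 -RetryTimeout 600

# The script is free to do other work here; the transfer runs inside the BITS service.
while ($job.JobState -in 'Queued', 'Connecting', 'Transferring', 'TransientError') {
    # BytesTotal is only meaningful once the server has reported the file size.
    if ($job.BytesTotal -gt 0 -and $job.BytesTotal -lt [uint64]::MaxValue) {
        $percent = [int](100 * $job.BytesTransferred / $job.BytesTotal)
        Write-Progress -Activity 'BITS download' -Status $job.JobState -PercentComplete $percent
    }
    Start-Sleep -Seconds 2
}
Write-Progress -Activity 'BITS download' -Completed

switch ($job.JobState) {
    'Transferred' {
        # The file only appears at $Target after the job is completed.
        Complete-BitsTransfer -BitsJob $job
        Get-Item -Path $Target | Select-Object FullName, Length
    }
    default {
        Write-Warning ("Job ended in state {0}: {1}" -f $job.JobState, $job.ErrorDescription)
        Remove-BitsTransfer -BitsJob $job
    }
}
```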

Generally speaking

I recommend using the System.Net.WebClient method, because it is more general and faster to download. BITS is my second choice because of its flexibility and ease of management.
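The comparison carried out in this article can be reproduced with a small harness. This is an added example, not the author's original test scripts; the URL is a placeholder and the working directory name is an assumption.

```powershell
# Added example: time the three download methods the article compares.
# $Url is a placeholder (assumption); point it at a file you are allowed to fetch.
$ErrorActionPreference = 'Stop'
$Url  = 'https://example.com/password2.txt'
$Runs = 10
$Dir  = Join-Path $env:TEMP 'ps-download-test'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

$Methods = [ordered]@{
    'Invoke-WebRequest' = {
        param($Source, $Target)
        # Hide the progress bar and skip Internet Explorer DOM parsing.
        $ProgressPreference = 'SilentlyContinue'
        Invoke-WebRequest -Uri $Source -OutFile $Target -UseBasicParsing
    }
    'System.Net.WebClient' = {
        param($Source, $Target)
        $client = New-Object System.Net.WebClient
        try { $client.DownloadFile($Source, $Target) }
        finally { $client.Dispose() }
    }
    'Start-BitsTransfer' = {
        param($Source, $Target)
        Start-BitsTransfer -Source $Source -Destination $Target
    }
}

$Results = foreach ($name in $Methods.Keys) {
    $block  = $Methods[$name]
    $target = Join-Path $Dir ("{0}.bin" -f $name)
    $seconds = foreach ($i in 1..$Runs) {
        # Start each run from a clean slate so no method benefits from an existing file.
        Remove-Item -Path $target -ErrorAction SilentlyContinue
        (Measure-Command { & $block $Url $target }).TotalSeconds
    }
    [pscustomobject]@{
        Method         = $name
        Runs           = $Runs
        AverageSeconds = [math]::Round(($seconds | Measure-Object -Average).Average, 2)
    }
}
$Results | Sort-Object AverageSeconds | Format-Table -AutoSize
```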


In penetration testing, using the system's own tools is an effective approach. PowerShell is a powerful tool; because it is so powerful, many system administrators disable it outright, and on Windows the execution of *.ps1 script files is also prohibited by default. So we need to bypass this default policy when executing PS scripts. The easiest way is to run powershell.exe with the command to execute attached, or to paste the script directly into the PowerShell window.

When executing a .ps1 script file, you can bypass the policy simply by adding the Bypass parameter. For example:


PowerShell.exe -ExecutionPolicy Bypass -File .\t1.ps1

If you know any other way, please let me know.
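From the defender's side, the three download methods and the -ExecutionPolicy Bypass launch described above are visible in logged PowerShell commands. The following added example (not from the original article) matches them in a few constructed sample lines; the rule names, the sample lines and the function name Find-DownloadIndicator are assumptions made for illustration.

```powershell
# Added example: flag the download techniques from this article in logged commands.
# The sample lines are constructed. On a real host, feed in script block log text, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
# and pass each event's Message, or use process command lines from your own telemetry.
$Samples = @(
    'Invoke-WebRequest -Uri https://example.com/a.txt -OutFile a.txt -UseBasicParsing'
    '(New-Object System.Net.WebClient).DownloadFile("https://example.com/a.txt","a.txt")'
    'Start-BitsTransfer -Source https://example.com/a.txt -Destination a.txt'
    'PowerShell.exe -ExecutionPolicy Bypass -File .\t1.ps1'
    'powershell -ep bypass -c "iwr https://example.com/a.txt -OutFile a.txt"'
    'Get-ChildItem C:\Users'
)

# One regular expression per technique (hypothetical rule names).
$Rules = [ordered]@{
    # The cmdlet or one of its aliases in command position.
    'Invoke-WebRequest or alias' = '(?i)(^|[\s;|(&"])(Invoke-WebRequest|iwr|wget|curl)(\s|$)'
    'WebClient download'         = '(?i)Net\.WebClient|\.DownloadFile(Async)?\s*\('
    'BITS transfer'              = '(?i)Start-BitsTransfer|bitsadmin'
    # powershell.exe accepts -ExecutionPolicy, its prefixes (-ex, -exec, ...) and -ep.
    'Execution policy bypass'    = '(?i)-(ex[a-z]*|ep)\s+bypass'
}

function Find-DownloadIndicator {
    param([string[]]$Line)
    foreach ($text in $Line) {
        foreach ($rule in $Rules.Keys) {
            if ($text -match $Rules[$rule]) {
                # Emit one record per matching rule so a line can hit several rules.
                [pscustomobject]@{ Rule = $rule; Command = $text }
            }
        }
    }
}

Find-DownloadIndicator -Line $Samples | Format-Table -AutoSize -Wrap
```

All of these commands also have legitimate administrative uses, so matches are best treated as leads to correlate with the parent process, user and destination rather than as alerts on their own.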


About the author

The author is currently located in Hangzhou, the city of mobile payment, and studied at Zhejiang University of Water Conservancy and Hydropower. Previously, he did website front-end (FE) work at the school's Dongxu studio. Later, he left the studio and founded the Hongfeng Xin'an association with his friends, embarking on the journey of information security. I like playing games occasionally, RNG and Uzi.

Now I would like to share with you my experience in information security.

First of all, I was introduced to Dongxu studio, where I learned a lot of basic things, for example the construction process and overall architecture of a website, and I then improved my programming ability.

However, in the process of learning, we found some security problems. For example, the Christmas celebration page of a studio had a message board. So I thought of the JS I had just learned at that time, wrote a snippet of JS and submitted it, and then everyone's browser opened a window... I didn't know it was XSS until some time later. Later, I left the studio and had some free time. On my sister's recommendation, I went to take the software qualification exam ("soft test"), since having more certificates makes it easier to find work after graduation. Then I took the intermediate information security engineer exam.

During the exam preparation, I found that information security is very interesting. Sophisticated cryptographic design, exciting man-in-the-middle attacks, complex and elegant authentication protocols... There are a lot of interesting technologies.

Later, I came into contact with CTF competitions. I went to play CTF with my friends from Hongfeng Xin'an. It was very exciting and happy. Finally, I hope I can go further and further along the road of information security with those of you who share the same hobbies.