wget Cheat Sheet
Non-interactive downloader for mirroring sites, retrieving payloads, and recursive cloning during recon.
Overview
wget retrieves files over HTTP, HTTPS, and FTP. Useful for mirroring static sites, bulk downloading wordlists, and pulling tools on compromised Linux hosts when curl is unavailable.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y wgetwget --versionEssential commands
Simple download
wget https://releases.example.com/tool.tar.gzContinue interrupted download
wget -c https://example.com/large.isoBackground
wget -b https://example.com/file.zipCommon workflows
Mirror website (recon) —
wget --mirror -p -k -P ./mirror https://target.htb/-p page requisites, -k convert links, -P output dir
wget -r -l 2 --no-parent -e robots=off https://target.htb/docs/With custom User-Agent / headers —
wget --user-agent="Mozilla/5.0" https://target/wget --header="Cookie: session=abc" https://target/adminFTP / HTTP auth —
wget --user=USER --password=PASS ftp://target/file.txtwget http://user:pass@target/secret.zipLimit rate (stealth / polite) —
wget --limit-rate=200k https://target/bigfile.zipwget -w 2 -r -l 1 https://target/ # 2 sec between requestsDownload IP list / wordlists —
wget -O rockyou.txt.gz https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txtgunzip rockyou.txt.gzSpider without download —
wget --spider -r -l 1 https://target/ 2>&1 | grep -E '200|403'Flags reference
-r | Recursive |
|---|---|
-l DEPTH | Recursion depth |
--no-parent | Don't ascend to parent dirs |
-np | Same as --no-parent |
-k | Convert links for local viewing |
-p | Page requisites (images, css) |
-nc | No clobber (skip existing) |
-O FILE | Output filename |
-q | Quiet |
Tips
- Respect robots.txt policy per engagement ROE (-e robots=off only when allowed).
- Mirroring can be noisy — scope and rate-limit on production.
- For APIs use curl; wget excels at static asset grabs.
- Check integrity: sha256sum after pulling attack tools.