Section 1 Commands Cheat Sheet
Purpose of this Cheat Sheet.
This cheat sheet provides quick reference information for bash shell commands and security tools used throughout the labs in this textbook. Use it to look up command syntax, options, and practical examples while completing cybersecurity exercises.
Help Commands.
-
man <command-name>
-
Use the built-in manual.
-
e.g.
man cd
retrieves the manual for the change directory command.
-
-
<command-name> --help
-
Request the help page (when it exists) for the specified command. Note that not every command supports --help.
-
e.g.
cd --help
retrieves help for the change directory command.
-
File and Directory Commands.
-
pwd
-
Print working directory displays the path of the current working directory.
-
e.g.
pwd
prints the path of the current working directory.
-
-
whoami
-
The whoami command prints the userid of the current user.
-
e.g.
whoami
prints the userid.
-
-
ls
-
List displays basic information about files and directories.
-
touch <file-name>
-
The touch command is commonly used for file creation. Its intended primary function is to update a file's timestamp by "touching" it. See man touch for more information on the intended use.
-
e.g.
touch newfile.txt
creates an empty file named newfile.txt.
-
-
cd <dir-name>
-
cp <source> <dest>
-
Copy files or directories from one location to another.
-
e.g.
cp config.txt backup.txt
creates a copy of config.txt named backup.txt. -
e.g.
cp -r /home/alice /backup/
recursively copies alice’s entire home directory to the backup folder.
-
-
mv <old> <new>
-
Move (or rename) files or directories.
-
e.g.
mv old.txt new.txt
changes the name of old.txt to new.txt.
-
-
rm <file-name>
-
Remove deletes a file or directory.
-
e.g.
rm junk.txt
removes the file named junk.txt.
-
-
mkdir <dir-name>
-
rmdir <dir-name>
-
find <path> <criteria>
-
The find command searches for files and directories within a specified path based on various criteria.
-
e.g.
find /var/log -name "*.log"
finds all files ending in .log in the /var/log directory. -
e.g.
find /home -perm 777
finds all files and directories whose permissions are exactly 777 (world-writable).
-
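The difference between an exact-mode search and a permission-bit search, as an added example that is not part of the original cheat sheet. The scratch directory, file names and function names are constructed for the demonstration; `-perm -002` and `chmod o-w` are standard find and chmod syntax.

```shell
#!/bin/sh
# Added example: compare exact-mode and bit-test permission searches.
# The directory and file names below are constructed for the demonstration.

# Build a scratch tree with a mix of modes and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/open.sh" "$d/shared.txt" "$d/notes.txt"
    chmod 777 "$d/open.sh"      # rwx for everyone
    chmod 666 "$d/shared.txt"   # rw for everyone, not executable
    chmod 644 "$d/notes.txt"    # writable by the owner only
    printf '%s\n' "$d"
}

# -perm 777 matches only entries whose mode is exactly 777.
find_exact_777() {
    find "$1" -type f -perm 777 -exec basename {} \; | sort
}

# -perm -002 matches any entry with the "other write" bit set,
# whatever the remaining permission bits are.
find_world_writable() {
    find "$1" -type f -perm -002 -exec basename {} \; | sort
}

# Remove write access for "other" on every file the audit found.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

demo=$(make_demo_tree)
echo "exact 777:";       find_exact_777 "$demo"
echo "world-writable:";  find_world_writable "$demo"
fix_world_writable "$demo"
echo "after chmod o-w:"; find_world_writable "$demo"
rm -rf "$demo"
```

The exact-mode search misses shared.txt (mode 666) even though anyone can write to it, which is why a permissions audit usually tests the bit rather than the whole mode.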
File Archiving and File Permissions.
-
chown <name> <file>
-
The chown command is used to change the file owner and/or group.
-
e.g.
chown pearcej file.txt
changes the owner of file.txt to pearcej. -
e.g.
chown :friends file.txt
changes the group of file.txt to friends.
-
-
chmod <flags> <file>
-
The chmod command is used to change permissions. The following symbols are the most commonly used:
+ change by adding permission
- change by removing permission
r which permission: read
w which permission: write
x which permission: execute
-
e.g.
chmod +x helloworld.sh
adds execute permission for all users to the helloworld.sh file.
-
-
gzip <file>
-
The gzip command compresses files using the GNU zip compression algorithm, reducing file size for storage or transmission.
-
e.g.
gzip logfile.txt
compresses logfile.txt into logfile.txt.gz. -
e.g.
gzip -d backup.gz
decompresses backup.gz back to its original form.
-
-
tar <archive> <files>
-
The tar command creates, extracts, and manipulates tape archive files. It is commonly used for bundling multiple files and directories into a single archive file.
-
e.g.
tar -czf backup.tar.gz /home/alice
creates a compressed archive of alice’s home directory. -
e.g.
tar -xzf archive.tar.gz
extracts files from a compressed tar archive.
-
-
unzip <archive>
-
The unzip command extracts files from ZIP archives, which are commonly used for file compression and distribution across different operating systems.
-
e.g.
unzip lab-files.zip
extracts all files from the lab-files.zip archive. -
e.g.
unzip -d /tmp malicious.zip
extracts files from malicious.zip into the /tmp directory.
-
-
zip <archive> <files>
-
The zip command creates ZIP archives by compressing files and directories into a single archive file. ZIP format is widely supported across different operating systems.
-
e.g.
zip evidence.zip logfile.txt config.txt
creates a ZIP archive containing the specified files. -
e.g.
zip -r project.zip /home/alice/project/
recursively creates a ZIP archive of the entire project directory.
-
The Basics: Reading, Writing, Counting, etc.
-
awk <pattern> <file>
-
The awk command is a pattern-scanning and data extraction language that processes text files field by field. It is particularly useful for analyzing structured data, log files, and generating reports from columnar data.
-
e.g.
awk -F: '{print $1, $3}' /etc/passwd
prints the first and third fields (username and UID) from the passwd file. -
e.g.
ps aux | awk '$3 > 5.0 {print $2, $11}'
displays the process ID and command name for processes using more than 5% CPU.
-
-
cat <file-name>
- The concatenate or cat command prints file contents on the standard output after concatenation. Note that with a single file, it just prints that file. It is often used with output redirection.
-
e.g.
cat file.txt
prints the contents of file.txt on the standard output. -
e.g.
cat file1.txt file2.txt
prints the concatenated contents of file1.txt and file2.txt on the standard output.
-
-
echo <text>
- The echo command displays a line of text and/or requests the value of a variable from the shell and displays its value. Often used with output redirection.
-
e.g.
echo "Hello World!"
prints the text "Hello World!" on the standard output. -
e.g.
echo "my string" > ./myfile.txt
uses the redirect to create or overwrite a file named myfile.txt containing "my string" as its contents. -
e.g.
echo $USER
prints the value of the USER environment variable on the standard output.
-
-
exit
-
The exit command terminates the current shell session or container. It is essential for properly closing Docker containers, SSH sessions, and sub-shells.
-
e.g.
exit
closes the current shell session and returns to the parent shell. -
e.g.
exit 0
exits with a specific status code (0 indicates success).
-
-
head <file>
-
The head command displays the first few lines of a file (default is 10 lines). It is useful for quickly examining log files, configuration files, or large datasets without displaying the entire contents.
-
e.g.
head /var/log/auth.log
displays the first 10 lines of the authentication log file. -
e.g.
head -n 20 error.log
displays the first 20 lines of the error.log file.
-
-
read <variable-name>
-
sed <pattern> <file>
-
The stream editor or sed command performs text transformations on files or input streams. It is powerful for automating text editing tasks, replacing strings, and modifying configuration files.
-
e.g.
sed 's/password/PASSWORD/g' config.txt
replaces all occurrences of "password" with "PASSWORD" in config.txt. -
e.g.
sed -n '1,5p' /etc/passwd
prints only lines 1 through 5 of the passwd file.
-
-
sort <file-name>
-
The sort command arranges lines of text in alphabetical, numerical, or custom order. It is essential for organizing data and preparing output for analysis or reporting.
-
e.g.
sort userlist.txt
sorts the lines in userlist.txt alphabetically. -
e.g.
ps aux | sort -k 3 -nr
displays running processes sorted by CPU usage in descending order.
-
-
tail <file-name>
-
The tail command displays the last few lines of a file (default is 10 lines). It is especially useful for monitoring log files in real-time and examining recent system activity.
-
e.g.
tail /var/log/messages
displays the last 10 lines of the system messages log. -
e.g.
tail -f /var/log/auth.log
continuously displays new lines as they are added to the authentication log (useful for real-time monitoring).
-
-
wc <file-name>
-
history
- The history command displays a list of previously executed shell commands, allowing users to review their command history.
-
e.g.
history
could display:
1 git init
2 git add main.c
3 git commit -m "Initial commit"
4 git remote add origin https://github.com/username/repo.git
5 git push -u origin master
6 history
-
-
grep <pattern> <name>
- The grep command searches for specified patterns or text within files and displays matching lines. It is essential for log analysis and searching through system files.
-
e.g.
grep "error" /var/log/messages
searches for lines containing "error" in the system log file. -
e.g.
grep -i "failed login" /var/log/auth.log
searches for failed login attempts (case-insensitive) in the authentication log.
-
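A log-triage pipeline that combines grep, awk and sort from this section, as an added example that is not part of the original cheat sheet. The log lines are constructed sample data modeled on the "Failed password" wording that OpenSSH's sshd writes, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address.
# The log lines are constructed sample data, not real log output.

sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:12 lab sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:15 lab sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:01:19 lab sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 10:02:40 lab sshd[820]: Accepted password for alice from 198.51.100.23 port 51522 ssh2
Mar  3 10:03:02 lab sshd[826]: Failed password for alice from 198.51.100.23 port 51530 ssh2
Mar  3 10:04:10 lab sshd[830]: Failed password for invalid user test from 192.0.2.44 port 33810 ssh2
Mar  3 10:04:13 lab sshd[830]: Failed password for invalid user test from 192.0.2.44 port 33812 ssh2
EOF
}

# Print "<count> <address>" for every source with failed logins,
# busiest source first. Reads log text on standard input.
# The address is located by the word "from" rather than by a fixed
# field number, because "invalid user" lines shift the fields.
failed_by_source() {
    grep -i "failed password" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' |
    awk '{ n[$0]++ } END { for (ip in n) print n[ip], ip }' |
    sort -k 1,1nr -k 2,2
}

# Print only the sources with at least $1 failed attempts.
noisy_sources() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_auth_log | failed_by_source
```

On a live system the same functions read a real log on standard input, for example `failed_by_source < /var/log/auth.log`.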
Input and Output Redirection.
- Input redirection using <
- Output redirection using > or >>
- Output redirection allows the user to redirect the output from the standard output to a file using > for overwriting or >> for appending.
-
e.g.
echo 'I love open source!' > file.txt
writes the line ’I love open source!’ into the file file.txt replacing the current contents or making a new file if it doesn’t already exist.
-
- Piping |
Networking Commands.
-
ftp <host>
-
The ftp command starts an interactive File Transfer Protocol session for transferring files between hosts. Note that FTP transmits passwords in plaintext and should be avoided in favor of SFTP when possible.
-
e.g.
ftp 192.168.1.50
opens an FTP connection to the specified IP address. -
e.g.
ftp anonymous@fileserver.example.com
connects using anonymous FTP login.
-
-
ip <options>
-
The ip command is used to display and configure network interfaces, routing tables, and network settings. It is the modern replacement for older commands like ifconfig.
-
e.g.
ip addr
displays all network interfaces and their IP addresses. -
e.g.
ip addr add 172.20.0.5 dev eth0
adds an additional IP address to the eth0 interface for MitM attacks.
-
-
ping <host>
-
The ping command sends ICMP echo requests to test network connectivity and measure response time to a host.
-
e.g.
ping 8.8.8.8
tests connectivity to Google’s DNS server. -
e.g.
ping victim
tests connectivity to a host named victim in your lab environment.
-
-
ssh <user>@<host>
-
The ssh command establishes a secure encrypted connection to a remote host, allowing secure remote administration and file transfer.
-
e.g.
ssh server
connects to a host named server using your current username. -
e.g.
ssh root@192.168.1.100
connects to the remote host at 192.168.1.100 as the root user.
-
-
telnet <host> <port>
-
The telnet command establishes an unencrypted connection to a remote host. While insecure for remote administration, it is useful for testing network services and connectivity to specific ports.
-
e.g.
telnet example.com 80
tests if HTTP service is running on port 80. -
e.g.
telnet mail.example.com 25
tests connectivity to an SMTP server on port 25.
-
-
traceroute <host>
-
The traceroute command traces the route packets take to reach a destination, showing each hop along the path and response times.
-
e.g.
traceroute 8.8.8.8
shows the network path to Google’s DNS server. -
e.g.
traceroute njit.edu
displays the route to NJIT’s web server.
-
System Administration and Security.
-
apt <package>
-
The advanced package tool or apt command is a simplified package management interface for Debian and Ubuntu systems. It provides an easy-to-use frontend for installing, updating, and removing software packages.
-
e.g.
apt update
updates the package list from repositories. -
e.g.
apt install nmap
installs the nmap network scanning tool.
-
-
apt-get <package>
-
The apt-get command is the traditional advanced package tool interface for package management on Debian and Ubuntu systems. It handles the installation, updating, and removal of software packages and their dependencies.
-
e.g.
apt-get update
updates the list of available packages from repositories. -
e.g.
apt-get install acl
installs the Access Control List tools used in file permissions labs.
-
-
crypt <password> <salt>
-
The crypt command generates password hashes using the system’s crypt function. It is used to create encrypted passwords compatible with the system’s password storage format.
-
e.g.
crypt password '$y$j9T$oR2ZofMTuH3dpEGbw6c/y.'
creates a hash using the specified password and salt. -
e.g.
crypt mypassword '$6$randomsalt$'
generates a SHA-512 hash with the given salt.
-
-
date
-
The date command displays or sets the system date and time. Accurate time synchronization is critical for security protocols, log analysis, and certificate validation.
-
e.g.
date
displays the current system date and time. -
e.g.
date +"%Y-%m-%d %H:%M:%S"
displays the date and time in a specific format for log entries.
-
-
getfacl <file>
-
The getfacl command displays the Access Control Lists (ACLs) for files and directories, showing detailed permission information beyond standard Unix permissions.
-
e.g.
getfacl alice
displays the ACL permissions for alice’s directory. -
e.g.
getfacl alice bob carol
shows ACL information for multiple directories at once.
-
-
hostname
-
The hostname command displays or sets the system’s network name. Knowing the hostname is important for network identification and security monitoring.
-
e.g.
hostname
displays the current system hostname. -
e.g.
hostname -I
displays the IP addresses associated with the hostname.
-
-
kill <process-id>
-
The kill command terminates processes by sending signals to them. By default, it sends the TERM signal, but other signals can be specified for different termination behaviors.
-
e.g.
kill 1234
sends a termination signal to the process with ID 1234.
-
-
passwd <username>
-
The passwd command changes a user’s password. When run without a username, it changes the current user’s password. Administrative privileges are required to change other users’ passwords.
-
e.g.
passwd
changes the password for the currently logged-in user. -
e.g.
passwd alice
changes the password for user alice (requires administrative privileges).
-
-
ps <options>
- The process status or ps command displays status information about currently running processes. It is crucial for monitoring system activity and identifying running services.
-
e.g.
ps aux
shows all running processes with detailed information including user, CPU usage, and memory usage. -
e.g.
ps -ef | grep ssh
displays all processes related to SSH services.
-
-
setfacl <file>
-
The setfacl command sets Access Control Lists (ACLs) on files and directories, providing more granular permission control than traditional Unix file permissions.
-
e.g.
setfacl -m u:http:rx alice
grants read and execute permissions to the http user for alice’s directory. -
e.g.
setfacl -m u:alice:rw file.txt
gives alice read and write access to file.txt.
-
-
su <username>
-
The substitute user or su command allows you to switch to another user account. When used without a username, it defaults to switching to the root super user. Unlike sudo, su starts a new shell session as the target user.
-
e.g.
su
switches to the root super user account after prompting for the root password. -
e.g.
su dave
switches to the user account named dave after prompting for dave’s password.
-
-
sudo <command>
- The substitute user do or sudo command allows a permitted user to execute a command as another user, typically as the superuser (root). The sudo command is essential for performing administrative tasks securely.
-
e.g.
sudo cat /etc/shadow
displays the shadow password file using administrator privileges. -
e.g.
sudo useradd alice
uses administrative privileges to create a new user account named alice.
-
-
top
-
The top command displays real-time information about running processes, including CPU usage, memory consumption, and system load. It provides a dynamic view of system activity and resource utilization.
-
e.g.
top
displays a live view of all running processes sorted by CPU usage. -
e.g.
top -u alice
shows only processes running under the user alice.
-
-
uname <options>
-
The uname command displays system information including the operating system name, version, and hardware architecture. This information is useful for vulnerability assessment and system inventory.
-
e.g.
uname -a
displays all available system information including kernel version and architecture. -
e.g.
uname -r
displays only the kernel release version.
-
-
uptime
-
The uptime command shows how long the system has been running, the number of users currently logged in, and the system load averages. This information helps assess system stability and performance.
-
e.g.
uptime
displays system uptime, user count, and load averages. -
e.g.
uptime -p
displays uptime in a human-readable format (e.g., "up 2 days, 3 hours").
-
-
useradd <username>
-
The useradd command creates a new user account on the system. It adds an entry to the system account files and can create the user’s home directory.
-
e.g.
useradd alice
creates a new user account named alice. Since this is a system-level command, it requires administrative privileges, so it can be executed either from the system-level root account or by using sudo, as in sudo useradd alice.
-
-
which <command>
-
The which command locates and displays the full path of executable commands. It is useful for troubleshooting command availability and verifying which version of a program will be executed.
-
e.g.
which python
displays the full path to the python executable. -
e.g.
which nmap
shows the location of the nmap security scanner, useful for verifying installation.
-
Key Programs Used in this Text.
-
docker
-
Docker is a platform for developing, shipping, and running applications in containers. It lets you package software with all needed dependencies into a single unit called a container, which ensures the application runs reliably regardless of the environment. Containers are lightweight and less resource-intensive than virtual machines because they run on the host kernel.
-
e.g.
docker build -t malicious .
builds a container image with the name "malicious" from the current directory. -
e.g.
docker-compose down
stops the running containers. -
e.g.
docker-compose run scanner bash
runs a bash shell in the scanner container. -
e.g.
docker-compose up
starts multi-container applications as defined in docker-compose.yml. -
e.g.
docker run -it ubuntu bash
runs an interactive Ubuntu container with a bash shell. Here -it is just the -i and -t flags put together, which are short for --interactive and --tty, which allocates a pseudo-TTY session. -
e.g.
docker run -p 8080:80 malicious
runs a container from the image named malicious, mapping host port 8080 to container port 80.
-
-
john
-
John the Ripper is a password cracking tool that tests password strength by attempting to crack encrypted passwords using word lists and brute force methods.
-
e.g.
john --wordlist=password.lst /etc/shadow
attempts to crack passwords using the wordlist called password.lst against the standard shadow password file. -
e.g.
john --show /etc/shadow
displays previously cracked passwords.
-
-
md5sum
-
The md5sum program calculates and verifies 128-bit MD5 hashes, producing a compact digital fingerprint of a file. -
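Recording fingerprints and later checking files against them with `md5sum -c`, as an added example that is not part of the original cheat sheet. The file names, contents and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: record MD5 fingerprints, then detect a modified file.
# File names and contents are constructed for the demonstration.

# Create a scratch directory holding two sample files; print its path.
make_evidence_dir() {
    d=$(mktemp -d) || return 1
    printf 'port=22\n'  > "$d/config.txt"
    printf 'login ok\n' > "$d/logfile.txt"
    printf '%s\n' "$d"
}

# Write one "<hash>  <name>" line per file in directory $1 to manifest $2.
# $2 must be an absolute path.
write_manifest() {
    ( cd "$1" && md5sum ./* ) > "$2"
}

# Re-hash the files in $1 against manifest $2 and print the names of
# files whose current hash no longer matches. Prints nothing if all match.
changed_files() {
    ( cd "$1" && md5sum -c "$2" 2>/dev/null ) |
        awk -F': ' '$2 != "OK" { print $1 }'
}

dir=$(make_evidence_dir)
manifest=$(mktemp)
write_manifest "$dir" "$manifest"
echo "before edit: [$(changed_files "$dir" "$manifest")]"
printf 'port=2222\n' > "$dir/config.txt"     # simulate a modification
echo "after edit:  [$(changed_files "$dir" "$manifest")]"
rm -rf "$dir" "$manifest"
```

MD5 detects accidental changes but is not collision-resistant; sha256sum supports the same manifest and `-c` workflow when deliberate tampering is a concern.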
nmap
-
The network mapping program called nmap is a network discovery and security auditing tool used to scan networks and identify open ports, services, and operating systems.
-
e.g.
nmap <IP>
scans <IP> for 1000 well-known ports which are used by popular services like SQL, SNTP, apache, and others. -
e.g.
nmap -A <IP>
performs an aggressive scan with OS detection and version identification on <IP>.
-
-
scapy
-
Scapy is an interactive packet manipulation program that allows users to create, send, and analyze network packets for security testing and analysis. Scapy mainly does two things: sends packets and receives answers, matching requests with answers and returning a list of packet couples (request, answer) and a list of unmatched packets. To use it you need to install it using something like pip install scapy. The following are some examples of how to use it:
-
e.g.
ping = Ether()/IP(dst="192.168.1.1")/ICMP()
creates an ICMP ping packet. -
e.g.
srp1(packet)
stands for (Send Response Packet 1); it sends a packet and receives only 1 response at Layer 2.
-