
Section 1 Commands Cheat Sheet

Purpose of this Cheat Sheet.

This cheat sheet provides quick reference information for bash shell commands and security tools used throughout the labs in this textbook. Use it to look up command syntax, options, and practical examples while completing cybersecurity exercises.

Help Commands.

man <command-name>
Use the built-in manual.
  • e.g. man cd retrieves the manual for the change directory command.
<command-name> --help
Request the help page (when it exists) for the specified command. Note that not every command supports --help.
  • e.g. cd --help retrieves help for the change directory command.

File and Directory Commands.

pwd
Print working directory displays the path of the current working directory.
  • e.g. pwd prints the path of the current working directory.
whoami
The whoami command prints the user name (login ID) of the current user.
  • e.g. whoami prints the userid.
ls
List displays basic information about files and directories.
  • e.g. ls lists directories and files in the current directory.
  • e.g. ls -l lists directories and files in the current directory using a long listing.
  • e.g. ls ~ lists directories and files in the user’s home directory.
touch <file-name>
The touch command is commonly used for file creation. Its intended primary function is to update a file's timestamp by "touching" it. See man touch for more information on the intended use.
  • e.g. touch newfile.txt creates an empty file named newfile.txt.
cd <dir-name>
Change directory to <dir-name>.
  • e.g. cd / changes the current directory to the root directory.
  • e.g. cd ~ changes the current directory to the user’s home directory.
  • e.g. cd .. changes the directory to the immediate parent directory.
cp <source> <dest>
Copy files or directories from one location to another.
  • e.g. cp config.txt backup.txt creates a copy of config.txt named backup.txt.
  • e.g. cp -r /home/alice /backup/ recursively copies alice’s entire home directory to the backup folder.
mv <old> <new>
Move (or rename) files or directories.
  • e.g. mv old.txt new.txt changes the name of old.txt to new.txt.
rm <file-name>
Remove deletes a file (deleting a directory and its contents requires the -r option).
  • e.g. rm junk.txt removes the file named junk.txt.
mkdir <dir-name>
Make directory with name <dir-name>.
  • e.g. mkdir newdir makes a new directory with the name newdir.
rmdir <dir-name>
Remove directory with specified name <dir-name>.
  • e.g. rmdir olddir removes (deletes) the directory with the name olddir.
find <path> <criteria>
The find command searches for files and directories within a specified path based on various criteria.
  • e.g. find /var/log -name "*.log" finds all files ending in .log in the /var/log directory.
  • e.g. find /home -perm 777 finds all files and directories whose permissions are exactly 777 (readable, writable, and executable by everyone).

File Archiving and File Permissions.

chown <name> <file>
The chown command is used to change the file owner and/or group.
  • e.g. chown pearcej file.txt changes the owner of file.txt to pearcej.
  • e.g. chown :friends file.txt changes the group of file.txt to friends.
chmod <flags> <file>
The chmod command is used to change permissions. The following symbols are the most commonly used:
+ change by adding permission
- change by removing permission
r which permission: read
w which permission: write
x which permission: execute
  • e.g. chmod +x helloworld.sh adds execute permission for all users to the helloworld.sh file.
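The find -perm and chmod entries above, as an added example that is not part of the textbook. It goes one step beyond the cheat sheet by contrasting -perm 777 (exact mode) with -perm -002 (any entry whose world-write bit is set), and then uses chmod to remove that bit; the scratch directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the textbook): find -perm and chmod from the cheat sheet,
# run on a constructed scratch directory so the two -perm forms can be compared.

# Build a scratch directory with files of known modes and print its path.
# None of these names come from the labs; they exist only for this example.
make_scratch() {
    dir=$(mktemp -d)
    mkdir "$dir/open_dir"
    touch "$dir/notes.txt" "$dir/script.sh" "$dir/private.key"
    chmod 777 "$dir/open_dir"     # rwxrwxrwx: everyone can do everything
    chmod 666 "$dir/notes.txt"    # rw-rw-rw-: world-writable, but not mode 777
    chmod 755 "$dir/script.sh"    # rwxr-xr-x: world-readable and -executable only
    chmod 600 "$dir/private.key"  # rw-------: owner only
    echo "$dir"
}

# Keep only the last path component so results do not depend on where mktemp put the directory.
basenames() {
    awk -F/ '{print $NF}' | sort
}

# -perm 777 with no prefix matches entries whose mode is exactly 777.
find_exact_777() {
    find "$1" -perm 777 | basenames
}

# -perm -002 (leading minus: all listed bits must be set) matches every entry
# whose "other" write bit is set, whatever the remaining bits are.
find_world_writable() {
    find "$1" -perm -002 | basenames
}

# Remediation: strip the world-write bit from everything the second check reports.
remove_world_write() {
    find "$1" -perm -002 -exec chmod o-w {} +
}

SCRATCH=$(make_scratch)
trap 'rm -rf "$SCRATCH"' EXIT
echo "exactly mode 777:";        find_exact_777 "$SCRATCH"
echo "world-writable (any mode):"; find_world_writable "$SCRATCH"
remove_world_write "$SCRATCH"
echo "world-writable after chmod o-w:"; find_world_writable "$SCRATCH"
```

The first listing shows only open_dir, the second shows notes.txt as well, and the third is empty.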
gzip <file>
The gzip command compresses files using the GNU zip compression algorithm, reducing file size for storage or transmission.
  • e.g. gzip logfile.txt compresses logfile.txt into logfile.txt.gz.
  • e.g. gzip -d backup.gz decompresses backup.gz back to its original form.
tar <archive> <files>
The tar command creates, extracts, and manipulates tape archive files. It is commonly used for bundling multiple files and directories into a single archive file.
  • e.g. tar -czf backup.tar.gz /home/alice creates a compressed archive of alice’s home directory.
  • e.g. tar -xzf archive.tar.gz extracts files from a compressed tar archive.
unzip <archive>
The unzip command extracts files from ZIP archives, which are commonly used for file compression and distribution across different operating systems.
  • e.g. unzip lab-files.zip extracts all files from the lab-files.zip archive.
  • e.g. unzip -d /tmp malicious.zip extracts files from malicious.zip into the /tmp directory.
zip <archive> <files>
The zip command creates ZIP archives by compressing files and directories into a single archive file. ZIP format is widely supported across different operating systems.
  • e.g. zip evidence.zip logfile.txt config.txt creates a ZIP archive containing the specified files.
  • e.g. zip -r project.zip /home/alice/project/ recursively creates a ZIP archive of the entire project directory.

The Basics: Reading, Writing, Counting, etc.

awk <pattern> <file>
The awk command is a pattern-scanning and data extraction language that processes text files field by field. It is particularly useful for analyzing structured data, log files, and generating reports from columnar data.
  • e.g. awk -F: '{print $1, $3}' /etc/passwd prints the first and third fields (username and UID) from the passwd file; -F: tells awk that the fields are separated by colons rather than whitespace.
  • e.g. ps aux | awk '$3 > 5.0 {print $2, $11}' displays the process ID and command name for processes using more than 5% CPU.
cat <file-name>
The concatenate command (cat) prints the contents of its files, joined together, on the standard output. With a single file, it simply prints that file. It is often used with output redirection.
  • e.g. cat file.txt prints the contents of file.txt on the standard output.
  • e.g. cat file1.txt file2.txt prints the contents of the concatenation of file1.txt and file2.txt on the standard output.
echo <text>
The echo command displays a line of text or the value of a shell variable on the standard output. It is often used with output redirection.
  • e.g. echo "Hello World!" prints the text "Hello World!" on the standard output.
  • e.g. echo "my string" >> ./myfile.txt uses the append redirect to create a file named myfile.txt containing "my string" if it does not exist, or to add that line to the end of the file if it does.
  • e.g. echo $USER prints the value of the USER environment variable on the standard output.
exit
The exit command terminates the current shell session or container. It is essential for properly closing Docker containers, SSH sessions, and sub-shells.
  • e.g. exit closes the current shell session and returns to the parent shell.
  • e.g. exit 0 exits with a specific status code (0 indicates success).
head <file>
The head command displays the first few lines of a file (default is 10 lines). It is useful for quickly examining log files, configuration files, or large datasets without displaying the entire contents.
  • e.g. head /var/log/auth.log displays the first 10 lines of the authentication log file.
  • e.g. head -n 20 error.log displays the first 20 lines of the error.log file.
read <variable-name>
The read command reads a line from the standard input (the keyboard, by default) into a variable. It is often used in scripts or with input redirection.
  • e.g. read MYVAR takes input from the keyboard and directs it into a variable called MYVAR.
sed <pattern> <file>
The stream editor or sed command performs text transformations on files or input streams. It is powerful for automating text editing tasks, replacing strings, and modifying configuration files.
  • e.g. sed 's/password/PASSWORD/g' config.txt replaces all occurrences of "password" with "PASSWORD" in config.txt.
  • e.g. sed -n '1,5p' /etc/passwd prints only lines 1 through 5 of the passwd file.
sort <file-name>
The sort command arranges lines of text in alphabetical, numerical, or custom order. It is essential for organizing data and preparing output for analysis or reporting.
  • e.g. sort userlist.txt sorts the lines in userlist.txt alphabetically.
  • e.g. ps aux | sort -k 3 -nr displays running processes sorted by CPU usage in descending order.
tail <file-name>
The tail command displays the last few lines of a file (default is 10 lines). It is especially useful for monitoring log files in real-time and examining recent system activity.
  • e.g. tail /var/log/messages displays the last 10 lines of the system messages log.
  • e.g. tail -f /var/log/auth.log continuously displays new lines as they are added to the authentication log (useful for real-time monitoring).
wc <file-name>
The word count command performs a count of lines, words, and bytes for each file.
  • e.g. wc file.txt reports the count of lines, words, and bytes in file.txt.
history
The history command displays a list of previously executed shell commands, allowing users to review their command history.
  • e.g. history could display:
    1  git init
    2  git add main.c
    3  git commit -m "Initial commit"
    4  git remote add origin https://github.com/username/repo.git
    5  git push -u origin master
    6  history
    
grep <pattern> <name>
The grep command searches for specified patterns or text within files and displays matching lines. It is essential for log analysis and searching through system files.
  • e.g. grep "error" /var/log/messages searches for lines containing "error" in the system log file.
  • e.g. grep -i "failed login" /var/log/auth.log searches for failed login attempts (case-insensitive) in the authentication log.

Input and Output Redirection.

Input redirection using <
Input redirection uses < to allow the user to redirect the input from a file rather than the keyboard.
  • e.g. wc < info2count.txt performs the wc command on the information in the file info2count.txt.
Output redirection using > or >>
Output redirection allows the user to redirect the output from the standard output to a file using > for overwriting or >> for appending.
  • e.g. echo 'I love open source!' > file.txt writes the line 'I love open source!' into the file file.txt, replacing the current contents or making a new file if it doesn't already exist.
Piping |
A pipe | in the bash shell allows you to redirect (pipe) the output of one command into the input of another command.
  • e.g. ls | wc runs the command ls and uses the output of the ls command as the input to the wc command.
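The grep, awk, sort and wc commands from "The Basics" combined with the <, >> and | operators described above, as an added example that is not part of the textbook. The auth.log lines are constructed for the demonstration; the function names and the scratch files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the textbook): grep / awk / sort / wc plus <, >> and |,
# applied to a constructed sample of sshd lines in /var/log/auth.log format.

# Constructed log lines; not taken from any real system.
AUTH_SAMPLE='Mar  3 08:12:01 lab sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 08:12:04 lab sshd[2101]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  3 08:12:09 lab sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Mar  3 08:13:00 lab sshd[2110]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Mar  3 08:13:41 lab sshd[2112]: Failed password for alice from 203.0.113.5 port 51130 ssh2
Mar  3 08:14:02 lab sshd[2115]: Failed password for invalid user test from 198.51.100.7 port 40012 ssh2'

# Write the sample to a scratch file so that input redirection (<) has a file to read.
LOGFILE=$(mktemp)
REPORT=$(mktemp)
trap 'rm -f "$LOGFILE" "$REPORT"' EXIT
printf '%s\n' "$AUTH_SAMPLE" > "$LOGFILE"

# Number of failed logins: grep -i filters case-insensitively, wc -l counts the matches.
# The trailing awk strips the padding that some wc builds print before the number.
count_failed() {
    grep -i "failed password" < "$1" | wc -l | awk '{print $1}'
}

# Failed attempts per source address, busiest first.
# awk looks for the word "from" and takes the next field, because the address
# shifts one field to the right whenever "invalid user" appears in the line.
failed_by_source() {
    grep -i "failed password" < "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") count[$(i+1)]++ }
             END { for (ip in count) print count[ip], ip }' |
        sort -nr
}

# Append addresses at or above a failure threshold to a report file with >>,
# so repeated runs accumulate findings instead of overwriting them.
report_noisy_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }' >> "$3"
}

echo "failed logins: $(count_failed "$LOGFILE")"
failed_by_source "$LOGFILE"
report_noisy_sources "$LOGFILE" 2 "$REPORT"
echo "sources with 2 or more failures:"
cat "$REPORT"
```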

Networking Commands.

ftp <host>
The ftp command starts an interactive File Transfer Protocol session for transferring files between hosts. Note that FTP transmits passwords in plaintext and should be avoided in favor of SFTP when possible.
  • e.g. ftp 192.168.1.50 opens an FTP connection to the specified IP address.
  • e.g. ftp anonymous@fileserver.example.com connects using anonymous FTP login.
ip <options>
The ip command is used to display and configure network interfaces, routing tables, and network settings. It is the modern replacement for older commands like ifconfig.
  • e.g. ip addr displays all network interfaces and their IP addresses.
  • e.g. ip addr add 172.20.0.5 dev eth0 adds an additional IP address to the eth0 interface for MitM attacks.
ping <host>
The ping command sends ICMP echo requests to test network connectivity and measure response time to a host.
  • e.g. ping 8.8.8.8 tests connectivity to Google’s DNS server.
  • e.g. ping victim tests connectivity to a host named victim in your lab environment.
ssh <user>@<host>
The ssh command establishes a secure encrypted connection to a remote host, allowing secure remote administration and file transfer.
  • e.g. ssh server connects to a host named server using your current username.
  • e.g. ssh root@192.168.1.100 connects to the remote host at 192.168.1.100 as the root user.
telnet <host> <port>
The telnet command establishes an unencrypted connection to a remote host. While insecure for remote administration, it is useful for testing network services and connectivity to specific ports.
  • e.g. telnet example.com 80 tests if HTTP service is running on port 80.
  • e.g. telnet mail.example.com 25 tests connectivity to an SMTP server on port 25.
traceroute <host>
The traceroute command traces the route packets take to reach a destination, showing each hop along the path and response times.
  • e.g. traceroute 8.8.8.8 shows the network path to Google’s DNS server.
  • e.g. traceroute njit.edu displays the route to NJIT’s web server.

System Administration and Security.

apt <package>
The advanced package tool or apt command is a simplified package management interface for Debian and Ubuntu systems. It provides an easy-to-use frontend for installing, updating, and removing software packages.
  • e.g. apt update updates the package list from repositories.
  • e.g. apt install nmap installs the nmap network scanning tool.
apt-get <package>
The apt-get command is the traditional command-line interface to the advanced package tool on Debian and Ubuntu systems. It handles the installation, updating, and removal of software packages and their dependencies.
  • e.g. apt-get update updates the list of available packages from repositories.
  • e.g. apt-get install acl installs the Access Control List tools used in file permissions labs.
crypt <password> <salt>
The crypt command generates password hashes using the system's crypt function. It is used to create hashed passwords compatible with the system's password storage format.
  • e.g. crypt password '$y$j9T$oR2ZofMTuH3dpEGbw6c/y.' creates a hash using the specified password and salt.
  • e.g. crypt mypassword '$6$randomsalt$' generates a SHA-512 hash with the given salt.
date
The date command displays or sets the system date and time. Accurate time synchronization is critical for security protocols, log analysis, and certificate validation.
  • e.g. date displays the current system date and time.
  • e.g. date +"%Y-%m-%d %H:%M:%S" displays the date and time in a specific format for log entries.
getfacl <file>
The getfacl command displays the Access Control Lists (ACLs) for files and directories, showing detailed permission information beyond standard Unix permissions.
  • e.g. getfacl alice displays the ACL permissions for alice’s directory.
  • e.g. getfacl alice bob carol shows ACL information for multiple directories at once.
hostname
The hostname command displays or sets the system’s network name. Knowing the hostname is important for network identification and security monitoring.
  • e.g. hostname displays the current system hostname.
  • e.g. hostname -I displays the IP addresses associated with the hostname.
kill <process-id>
The kill command terminates processes by sending signals to them. By default, it sends the TERM signal, but other signals can be specified for different termination behaviors.
  • e.g. kill 1234 sends a termination signal to the process with ID 1234.
  • e.g. kill -9 5678 forcefully terminates the process with ID 5678 using the KILL signal, which the process cannot catch or ignore.
passwd <username>
The passwd command changes a user’s password. When run without a username, it changes the current user’s password. Administrative privileges are required to change other users’ passwords.
  • e.g. passwd changes the password for the currently logged-in user.
  • e.g. passwd alice changes the password for user alice (requires administrative privileges).
ps <options>
The process status or ps command displays status information about currently running processes. It is crucial for monitoring system activity and identifying running services.
  • e.g. ps aux shows all running processes with detailed information including user, CPU usage, and memory usage.
  • e.g. ps -ef | grep ssh displays all processes related to SSH services.
setfacl <file>
The setfacl command sets Access Control Lists (ACLs) on files and directories, providing more granular permission control than traditional Unix file permissions.
  • e.g. setfacl -m u:http:rx alice grants read and execute permissions to the http user for alice’s directory.
  • e.g. setfacl -m u:alice:rw file.txt gives alice read and write access to file.txt.
su <username>
The substitute user or su command allows you to switch to another user account. When used without a username, it defaults to switching to the root super user. Unlike sudo, su starts a new shell session as the target user.
  • e.g. su switches to the root super user account after prompting for the root password.
  • e.g. su dave switches to the user account named dave after prompting for dave’s password.
sudo <command>
The substitute user do or sudo command allows a permitted user to execute a command as another user, typically as the superuser (root). The sudo command is essential for performing administrative tasks securely.
  • e.g. sudo cat /etc/shadow displays the shadow password file using administrator privileges.
  • e.g. sudo useradd alice uses administrative privileges to create a new user account named alice.
top
The top command displays real-time information about running processes, including CPU usage, memory consumption, and system load. It provides a dynamic view of system activity and resource utilization.
  • e.g. top displays a live view of all running processes sorted by CPU usage.
  • e.g. top -u alice shows only processes running under the user alice.
uname <options>
The uname command displays system information including the operating system name, version, and hardware architecture. This information is useful for vulnerability assessment and system inventory.
  • e.g. uname -a displays all available system information including kernel version and architecture.
  • e.g. uname -r displays only the kernel release version.
uptime
The uptime command shows how long the system has been running, the number of users currently logged in, and the system load averages. This information helps assess system stability and performance.
  • e.g. uptime displays system uptime, user count, and load averages.
  • e.g. uptime -p displays uptime in a human-readable format (e.g., "up 2 days, 3 hours").
useradd <username>
The useradd command creates a new user account on the system. It adds an entry to the system account files and can create the user’s home directory.
  • e.g. useradd alice creates a new user account named alice. Since this is a system-level command, it requires administrative privileges, so it can be executed either from the root account or by using sudo, as in sudo useradd alice.
which <command>
The which command locates and displays the full path of executable commands. It is useful for troubleshooting command availability and verifying which version of a program will be executed.
  • e.g. which python displays the full path to the python executable.
  • e.g. which nmap shows the location of the nmap security scanner, useful for verifying installation.

Key Programs Used in this Text.

docker
Docker is a platform for developing, shipping, and running applications in containers. It lets you package software with all needed dependencies into a single unit called a container, which ensures the application runs reliably regardless of the environment. Containers are lightweight and less resource-intensive than virtual machines because they run on the host kernel.
  • e.g. docker build -t malicious . builds a container image with the name "malicious" from the current directory.
  • e.g. docker-compose down stops the running containers.
  • e.g. docker-compose run scanner bash runs a bash shell in the scanner container.
  • e.g. docker-compose up starts multi-container applications as defined in docker-compose.yml.
  • e.g. docker run -it ubuntu bash runs an interactive Ubuntu container with a bash shell. Here -it combines the -i and -t flags, short for --interactive (keep standard input open) and --tty (allocate a pseudo-TTY session).
  • e.g. docker run -p 8080:80 malicious runs a container from the image named malicious, mapping host port 8080 to container port 80.
john
John the Ripper is a password cracking tool that tests password strength by attempting to recover passwords from their hashes using word lists and brute force methods.
  • e.g. john --wordlist=password.lst /etc/shadow attempts to crack passwords using the wordlist called password.lst against the standard shadow password file.
  • e.g. john --show /etc/shadow displays previously cracked passwords.
md5sum
The md5sum program calculates and verifies 128-bit MD5 hashes, producing a compact digital fingerprint of a file.
  • e.g. md5sum <file-name> computes the MD5 hash of the specified <file-name> file.
nmap
The network mapping program called nmap is a network discovery and security auditing tool used to scan networks and identify open ports, services, and operating systems.
  • e.g. nmap <IP> scans <IP> for the 1000 most commonly used ports, which serve popular services like SQL, SNTP, Apache, and others.
  • e.g. nmap -sP <IP> performs a ping scan to discover live hosts on <IP>.
  • e.g. nmap -A <IP> performs an aggressive scan with OS detection and version identification on <IP>.
scapy
Scapy is an interactive packet manipulation program that allows users to create, send, and analyze network packets for security testing and analysis. Scapy mainly does two things: sends packets and receives answers, matching requests with answers and returning a list of packet couples (request, answer) and a list of unmatched packets. To use it you need to install it using something like pip install scapy. The following are some examples of how to use it:
  • e.g. ping = Ether()/IP(dst="192.168.1.1")/ICMP() creates an ICMP ping packet.
  • e.g. srp1(packet) (Send Response Packet 1) sends a packet at Layer 2 and returns only the first response received.

Need more detail?

For more information on any of these commands, use the --help flag or the man pages.