Block 4: CLI commands


Chmod

"Change Mode" of a file system object; r=read, w=write, x=execute

traceroute/tracert

A TCP/IP troubleshooting utility that uses ICMP to trace the path from one networked node to another, identifying all intermediate hops between the two nodes. Traceroute is useful for determining router or subnet connectivity problems. On Windows-based systems, the utility is known as ___________.

Netstat

A TCP/IP utility that shows the status of each active connection. -a: show ACTIVE connections; -b: show BINARIES; -n: does not resolve NAMES.

pathping

A Windows utility that combines the functionality of the tracert and ping utilities to provide deeper information about network issues along a route; similar to UNIX's mtr command.

Memdump

A command-line utility used to dump system memory to the standard output stream, skipping over holes in memory maps.

ESI

Electronically Stored Information

FTK Imager

FTK Imager is a Windows executable that allows you to mount and image drives; the resulting images can be used in other third-party analysis tools.

Wireshark

Graphical and text-based packet analyzer (allows you to get into the details of packets). It gathers frames on the network or in the air; is sometimes built into the device, and allows you to view traffic patterns as well as verify packet filtering and security controls. Wireshark also allows you to extensively decode the application traffic on your network.

Protocol Analyzer/Sniffer

Hardware or software that captures packets to decode and analyze the contents.

Head

Head: view the first part of a file (head [option] ... [file] ...). Allows you to customize how many lines of the file you can view (head -n 5 syslog would allow you to view the first 5 lines of the file).

Nessus

Industry leader in vulnerability scanning; extensive support with free and commercial options. Nessus can ID known vulnerabilities and can find systems before they can be exploited. It allows for extensive reporting, including a checklist of issues that allows users to filter out some of the false positives from their scans.

Tcpdump

Linux command that allows you to capture packets from the command line; displays the packets on the screen; writes packets to a file that you can later look at.

Nmap

Network mapper; allows you to find and learn more about network devices. Can port scan, fingerprint the OS, scan services, and perform vulnerability scans through additional scripts.

sFlow (Sampled Flow)

Only samples a portion of the actual network traffic (so technically, not a flow); sFlow is usually embedded in the infrastructure (switches and routers) and has relatively accurate statistics with useful information regarding video streaming and high-traffic applications.

Winhex

A universal hexadecimal editor; allows you to edit disks, files, RAM (includes data recovery features); disk cloning and drive replication, as well as secure wiping of hard drives (for hard drive cleaning) are available as well.

Logger

Adds entries to the system log. Useful for including information in a local or remote syslog file.

Grep

Allows you to find text in a file (can search through many files at a time); "grep failed auth.log" allows you to find the word "failed" in the file "auth.log"

hping

An enhanced Ping utility for crafting TCP and UDP packets to be used in port-scanning activities. Essentially a ping that can scan almost anything.

theHarvester

An open-source OSINT tool that gathers several different types of background information on a target.

Dd

Data Definition; creates a bit-by-bit copy of a drive.

Netcat

Used for banner grabbing, which provides info on the OS, services, and applications used by the server.

dnsenum

Utility used for DNS enumeration to locate all DNS servers and DNS entries for a given organization.

Scanless

Utility that runs port scans through third-party websites to evade detection. Essentially a port scan proxy that supports many different services (you can choose which proxy you'd like to use).

Cat

Short for concatenate; allows you to see the contents of a file or link multiple files together for a larger file. Essentially, you can copy files to the screen to view their contents, or copy files together into a larger file.

Sn1per

Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites. It allows you to have both non-intrusive and very intrusive scanning options - you choose the volume. As a result, it can create service and DoS issues due to brute force, server scanning, etc. Make sure you know what you're doing.

Tail

The tail command allows you to view the tail/end of a file, and works the same way as the head command. Allows you to customize how many lines of the file you view (tail -n 5 syslog would allow you to view the last 5 lines of the file).

SOAR (Security Orchestration, Automation, and Response)

The process of integrating 3rd-party tools and data sources to make security teams more effective. Based around runbooks: a linear checklist of steps to perform. These runbooks can be gathered together into a playbook, a series of different steps that need to occur in order to respond to a scenario.

ipconfig/ifconfig

ipconfig: the utility used to display TCP/IP addressing and domain name information. ifconfig: a command-line tool used on Linux systems to show and manipulate settings on a network interface card (NIC).

Nslookup

A tool used to query the DNS system to find the IP addresses for domain names, and vice versa.

Cuckoo

A sandbox for malware that allows you to test a file in a safe environment.

Tcpreplay

A suite of open-source packet replay utilities. Allows you to replay and edit packet captures. A great way to test security devices and check IPS signatures and firewall rules; also good for testing and tuning IP Flow/NetFlow devices.

NetFlow

A tool used to gather information about data flowing through a network.

OpenSSL

A toolkit and crypto library for SSL/TLS. Allows you to build certs, manage certs, and manage SSL/TLS comms. X.509 certs can be managed from here, including revocation lists and signing requests. OpenSSL has message digests with support for many hashing protocols, and allows for encryption and decryption using SSL/TLS for services.

curl

Client URL; retrieves data using a URL, so you can grab the raw HTML from a web server. Makes it very easy to begin automating based on what's in the HTML of a site.

dig

Gives you more advanced information than nslookup; a tool used to query the DNS system to find the IP addresses for domain names, and vice versa.

ping

Sends a message from one computer to another to check whether it is reachable and active (uses ICMP).
