Listen to this Post
Introduction:
In the dynamic field of cybersecurity, foundational command-line proficiency is non-negotiable. Mastering a core set of utilities across operating systems is the first critical step from theoretical knowledge to practical, impactful defense and analysis. This guide provides the essential toolkit for every aspiring security professional.
Learning Objectives:
- Identify and execute fundamental Linux commands for system reconnaissance and network analysis.
- Utilize key Windows command-line and PowerShell tools for security diagnostics.
- Apply command-line knowledge to analyze logs, detect anomalies, and understand basic exploit mechanisms.
You Should Know:
- Linux System Reconnaissance with
ls,find, and `ps`
Effective defense begins with understanding your own system. These commands provide a snapshot of running processes and critical files.
Commands:
ls -la /home/important_user/ find / -type f -name ".conf" -perm -o=w 2>/dev/null ps aux | grep -i "ssh|ftp|telnet" pstree -p systemctl list-units --type=service --state=running
Step-by-Step Guide:
The `ls -la` command lists all files, including hidden ones (.), in a long format, showing permissions. The `find` command here locates world-writable configuration files, a significant security risk. `ps aux` lists all running processes, which is then piped (|) into `grep` to filter for potentially risky remote access services. `pstree` shows the process hierarchy, making parent/child relationships clear, and `systemctl` lists all currently running services, which is crucial for identifying unauthorized background processes.
2. Network Analysis with `netstat`, `ss`, and `tcpdump`
Understanding active network connections is paramount for identifying unauthorized communications and exfiltration attempts.
Commands:
netstat -tulnpe ss -tuln tcpdump -i eth0 -nn 'tcp port 443' -w capture.pcap netstat -ano | findstr :443 lsof -i :22
Step-by-Step Guide:
`netstat -tulnpe` displays all listening (-l) TCP/UDP (-tu) ports, showing numerical addresses (-n) and extended information like the process ID and user (-pe). Its modern replacement, ss -tuln, is faster and provides similar data. `tcpdump` is a powerful packet analyzer; this command captures (-w) all TCP traffic on port 443 (HTTPS) on interface `eth0` without resolving hostnames (-nn). The Windows equivalent `netstat -ano` shows all connections and listening ports, displaying the owning Process ID (-o), which can be looked up in Task Manager.
3. Windows Security Diagnostics with PowerShell
PowerShell provides deep introspection into the Windows OS, far beyond traditional CMD.
Commands (PowerShell):
Get-Process | Where-Object { $<em>.CPU -gt 50 }
Get-NetTCPConnection -State Listen
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} -MaxEvents 10 | Format-List
Get-Service | Where-Object { $</em>.Status -eq 'Running' }
Get-CimInstance -ClassName Win32_StartupCommand
Step-by-Step Guide:
These commands leverage PowerShell’s object-oriented pipeline. `Get-Process` fetches all processes, which are then filtered (Where-Object) for high CPU usage. `Get-NetTCPConnection` shows all listening ports. The `Get-WinEvent` cmdlet is crucial for log analysis; this example fetches the last 10 successful (4624) and failed (4625) login events from the Security log. `Get-Service` filters for running services, and `Get-CimInstance` queries for programs that run on startup, a common persistence mechanism for malware.
- File Integrity and Hashing with `sha256sum` and `fciv`
Verifying file integrity is essential to detect tampering or download malicious files.
Commands:
sha256sum sensitive_file.txt sha256sum sensitive_file.txt | grep -i "expected_hash_here" Get-FileHash -Path C:\Windows\System32\notepad.exe -Algorithm SHA256 Legacy Windows tool (may need download): fciv.exe -sha1 C:\important.dll
Step-by-Step Guide:
On Linux, `sha256sum` generates a cryptographic hash of a file. You should compare the output against a known-good hash provided by the software vendor. The second command automates this check by grepping for the expected value. In Windows PowerShell, `Get-FileHash` performs the same function, specifying the SHA256 algorithm. The File Checksum Integrity Verifier (fciv) is a legacy Microsoft tool for older systems.
5. User and Permission Auditing
Understanding who can do what on a system is a core tenet of security.
Commands:
cat /etc/passwd sudo grep -E '^sudo|^wheel' /etc/group getent group net user whoami /priv icacls "C:\Program Files\Sensitive Directory"
Step-by-Step Guide:
On Linux, `/etc/passwd` contains user account information. Checking the `sudo` or `wheel` group reveals who has administrative privileges. `getent group` lists all groups. On Windows, `net user` lists all local accounts. `whoami /priv` displays the privileges of the currently logged-in user, which is critical for understanding potential privilege escalation paths. `icacls` displays and modifies Access Control Lists (ACLs) for files and folders, showing detailed permission information.
6. Log Investigation for Incident Response
Logs are the primary record of activity on a system. Knowing how to query them quickly is an invaluable skill.
Commands:
sudo tail -f /var/log/auth.log
sudo journalctl -u ssh.service --since "10 minutes ago"
grep -i "failed" /var/log/secure
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=(Get-Date).AddHours(-1)} | Where-Object {$_.LevelDisplayName -eq 'Error'}
Step-by-Step Guide:
`tail -f` follows a log file in real-time, excellent for monitoring active authentication attempts in `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL/CentOS). `journalctl` is the modern tool for querying systemd logs; this command shows messages from the SSH service from the last 10 minutes. The PowerShell command retrieves all Error-level events from the System log in the last hour, helping to pinpoint system instability or malicious drivers.
7. Basic Vulnerability Scanning with `nmap` and `test-netconnection`
While dedicated tools exist, built-in commands can perform initial port and service discovery.
Commands:
nmap -sV -O -T4 192.168.1.1 nmap --script vuln 192.168.1.50 Test-NetConnection -ComputerName example.com -Port 80 tnc example.com -port 443 -informationlevel detailed
Step-by-Step Guide:
`nmap` is the industry-standard network mapper. `-sV` probes open ports to determine service/version info, and `-O` enables OS detection. The `–script vuln` flag runs a script suite that checks for known vulnerabilities against discovered services. On Windows, the `Test-NetConnection` (or tnc) PowerShell cmdlet is a native replacement for basic `telnet` or `ping` checks to see if a specific port is open and reachable.
What Undercode Say:
- Foundation is Everything: These commands are not advanced exploits; they are the fundamental building blocks of system literacy. True expertise is built on mastering these basics, not just knowing they exist.
- Context is King: A running process or an open port is not inherently malicious. The skill lies in correlating command output with knowledge of the system’s intended state to identify true anomalies.
Mastery of the command line is what separates a script kiddie from a serious analyst. It provides granular control and deep visibility that GUI tools often obscure. The future of security may be automated with AI, but the core logic of investigation, the ‘why’ behind the command, will always be a human skill. These commands are the vocabulary for that critical thinking. Professionals don’t just run them; they interpret their output within a broader tactical picture.
Prediction:
The increasing abstraction of IT infrastructure into cloud and serverless environments will make low-level command-line skills even more valuable. As GUIs change and cloud consoles evolve, the underlying protocols (TCP/IP), operating systems (Linux kernels, Windows NT core), and log formats remain consistent. The professional who understands these fundamentals with CLI tools will be able to diagnose issues and detect threats across any platform, while those reliant solely on graphical tools will be left behind as technology stacks evolve.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Michael Eru – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
