Unlock Your Inner Cyber Guardian: The Ultimate 2024 Command Line Arsenal Revealed

Introduction:

In the ever-evolving landscape of cybersecurity, the command line interface (CLI) remains the undisputed control center for both defenders and adversaries. Mastering a core set of commands across Linux and Windows is not just a skill; it’s a fundamental prerequisite for effective system hardening, threat hunting, and incident response. This article provides a curated arsenal of verified commands to elevate your technical prowess from beginner to vigilant guardian.

Learning Objectives:

  • Acquire proficiency in essential system reconnaissance and network diagnostics commands.
  • Understand and apply critical security hardening techniques for both Linux and Windows environments.
  • Develop foundational skills for log analysis, process management, and vulnerability identification.

You Should Know:

1. System Reconnaissance and Footprinting

Before securing a system, you must understand it. These commands provide a deep dive into the system’s configuration and network posture.

Linux:

```bash
# Display all system information (kernel, hostname, architecture)
uname -a

# List all logged-in users and their activities
who -a

# Show the system's hostname and host metadata (OS, kernel, machine ID)
hostnamectl

# Display the current IP configuration for all interfaces
ip addr show

# Show the routing table
ip route

# List all listening TCP/UDP sockets with the owning process (root is needed to see other users' processes)
ss -tulnpe

# Display a list of all installed packages (Debian/Ubuntu)
dpkg -l

# Show the last 10 login events
last -n 10
```

Windows:

```cmd
:: Display detailed system information
systeminfo

:: Show network configuration
ipconfig /all

:: Display the ARP cache, showing IP to MAC address mappings
arp -a

:: Show the routing table
route print

:: List all active network connections and listening ports, with the owning PIDs
netstat -ano

:: Query the local Security event log for the 10 most recent successful logons (Event ID 4624); run from an elevated prompt
wevtutil qe Security /f:text /rd:true /c:10 /q:"*[System[(EventID=4624)]]"
```

Step-by-step guide:

Start by running `systeminfo` on Windows or `uname -a` on Linux to get a system overview. Follow this with a network survey using `ipconfig /all` or `ip addr show` to understand the network context. Crucially, use `netstat -ano` or `ss -tulnpe` to identify every service listening for connections, as these are potential entry points for attackers. Correlate the Process ID (PID) from these commands with running processes to identify any unauthorized services.

2. Process and Service Management

Malicious actors often hide their activities within legitimate processes or create new ones. Controlling and inspecting running processes is a core defensive skill.

Linux:

```bash
# Display a dynamic, real-time view of running processes
top

# A more modern and colorful alternative to top (may need to be installed)
htop

# List all processes in a forest (tree) format that shows parent/child relationships
ps auxf

# Find the PIDs of processes whose full command line matches a pattern
pgrep -f "process_name"

# Force-terminate a process by its Process ID (SIGKILL; try a plain kill <PID> first so it can shut down cleanly)
kill -9 <PID>

# Terminate all processes whose command line matches a pattern
pkill -f "process_name"

# List all services and their status (systemd)
systemctl list-units --type=service
```

Windows:

```cmd
:: Display a list of currently running processes
tasklist

:: Terminate a process by its name
taskkill /IM "malware.exe" /F

:: Terminate a process by its Process ID (PID)
taskkill /PID <PID> /F

:: List all running services
net start

:: Stop a specific service
net stop "Service Name"

:: Query the current status of a specific service (use sc qc for its configuration)
sc query "Service Name"
```

Step-by-step guide:

Use `tasklist` or `ps aux` to get a baseline of all running processes. Look for anomalies like unusual process names, high CPU/memory consumption by unknown processes, or processes running under unexpected user accounts. If you identify a malicious process, note its PID and use `taskkill /PID <PID> /F` or `kill -9 <PID>` to terminate it immediately. Follow up by investigating the associated service with `sc query` or `systemctl status` to prevent it from restarting.
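A script that ties the two guides above together, added here as an example rather than code from the original post: it parses `ss -tulnpe` output into socket/PID pairs, then resolves each PID through `/proc` to its executable, flagging binaries that were deleted after launch or started from a temp directory. The `ss` output it runs on is constructed; on a live host pipe the real command in.

```shell
#!/bin/sh
# Constructed sample of `ss -tulnpe` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3)) uid:0 ino:1 sk:1
tcp   LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*    users:(("nc",pid=9731,fd=4)) uid:1000 ino:2 sk:2
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*    users:(("systemd-resolve",pid=400,fd=12)) uid:101 ino:3 sk:3'

# Reduce ss output to one "proto local_address pid" line per socket that has an owning process.
parse_listeners() {
    awk 'NR > 1 && match($0, /pid=[0-9]+/) {
        print $1, $5, substr($0, RSTART + 4, RLENGTH - 4) }'
}

# Resolve a PID through /proc to its executable, working directory and real UID, and
# flag binaries that were deleted after launch or that run from world-writable temp paths.
# Reading /proc/<pid>/exe of another user's process requires root.
inspect_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)
    uid=unknown
    [ -r "/proc/$pid/status" ] && uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    flag=OK
    case "$exe" in
        *"(deleted)"*)                flag=EXE_DELETED ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) flag=EXE_IN_TMP ;;
        unknown)                      flag=NO_PROC_ENTRY ;;
    esac
    printf '%s uid=%s exe=%s cwd=%s %s\n' "$pid" "$uid" "$exe" "$cwd" "$flag"
}

# Walk every socket from parse_listeners and append the owning process details.
audit_listeners() {
    parse_listeners | while read -r proto laddr pid; do
        printf '%s %s -> ' "$proto" "$laddr"
        inspect_pid "$pid"
    done
}

# On a live host replace the sample with:  ss -tulnpe | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```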

3. File System Integrity and Analysis

The file system is where malware, backdoors, and configuration changes reside. Detecting unauthorized modifications is key.

Linux:

```bash
# Find all files with the SUID bit set, a common privilege escalation vector
find / -perm -4000 2>/dev/null

# Find all files modified in the last 24 hours
find / -mtime -1 2>/dev/null

# Calculate the MD5 checksum of a file to verify its integrity
md5sum /usr/bin/bash

# Calculate the SHA256 checksum for a stronger verification
sha256sum /usr/bin/bash

# Search for files containing a specific text string (e.g., a password)
grep -r "password" /etc/ 2>/dev/null

# Compare two files line by line
diff file1 file2
```

Windows:

```cmd
:: Calculate the SHA256 hash of a file
certutil -hashfile C:\Windows\System32\notepad.exe SHA256

:: Search for a string inside .config files in the current directory and its subdirectories
findstr /s "password" *.config

:: Display access control lists for a file, showing permissions
icacls "C:\Program Files\Suspicious App.exe"

:: Process Monitor (Procmon), a Sysinternals GUI tool, records file, registry and process activity in real time
```

Step-by-step guide:

To hunt for rootkits or backdoors, start by finding all SUID files on Linux with `find / -perm -4000`. Research any that are unfamiliar. Use `find / -mtime -1` to see all files modified in the last day, which is critical after a suspected breach. To verify the integrity of a critical system binary, compute its hash with `sha256sum` and compare it to a known good value from a trusted source. On Windows, use `certutil -hashfile` for the same purpose.
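The hash comparison above only works against a known-good reference, so the following added example (not code from the original post) turns `sha256sum` into a simple baseline: it records a manifest for a directory and, on a later check, reports modified, missing and new files. The directory and files it demonstrates on are constructed in a temporary location.

```shell
#!/bin/sh
# Record a SHA-256 baseline of every regular file under a directory. The manifest
# uses the "hash  path" layout that sha256sum -c also accepts. Keep it outside the
# directory being baselined, ideally on read-only or offline storage.
make_baseline() {            # $1 = directory, $2 = manifest path
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# Compare the directory against the manifest and print one line per deviation:
#   MODIFIED <path>  hash differs from the baseline
#   MISSING  <path>  recorded in the baseline but no longer present
#   NEW      <path>  present now but never recorded
# Returns 0 when nothing changed, 1 otherwise. Paths must not contain whitespace.
check_baseline() {           # $1 = directory, $2 = manifest path
    report=$( {
        while read -r hash path; do
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
            elif [ "$(sha256sum "$path" | awk '{ print $1 }')" != "$hash" ]; then
                echo "MODIFIED $path"
            fi
        done < "$2"
        find "$1" -type f | sort \
        | awk 'NR == FNR { seen[$2] = 1; next } !($0 in seen) { print "NEW " $0 }' "$2" -
    } )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Demonstration on a throwaway directory with constructed files (not system binaries).
demo() {
    dir=$(mktemp -d); manifest="$dir.sha256"
    printf 'original\n' > "$dir/bin1"; printf 'config\n' > "$dir/conf"
    make_baseline "$dir" "$manifest"
    printf 'tampered\n' > "$dir/bin1"      # simulated modification
    rm "$dir/conf"                         # simulated deletion
    printf 'payload\n' > "$dir/dropped"    # simulated new file
    check_baseline "$dir" "$manifest" || echo "integrity check FAILED"
    rm -rf "$dir" "$manifest"
}
demo
```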

4. Network Security and Hardening

A system’s network configuration is its first line of defense. Misconfigurations here can lead to direct compromise.

Linux:

```bash
# Display iptables firewall rules for the INPUT chain
iptables -L INPUT -v -n

# Drop all incoming traffic from a specific malicious IP
# (-I inserts at the top of the chain so an earlier ACCEPT rule cannot match first; -A would append at the end)
iptables -I INPUT -s 192.168.1.100 -j DROP

# Check if a specific port is open locally
netstat -tuln | grep :22

# Perform a TCP SYN scan on a target with Nmap (requires root)
nmap -sS 192.168.1.1

# Perform a comprehensive service version detection scan with the default scripts
nmap -sV -sC 192.168.1.1
```

Windows:

```powershell
# View enabled Windows Defender Firewall rules (PowerShell)
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}

# Block an IP address using the built-in firewall
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -RemoteAddress 192.168.1.100 -Action Block

# Test network connectivity to a specific port (PowerShell)
Test-NetConnection -ComputerName 192.168.1.1 -Port 443
```

Step-by-step guide:

First, audit your existing firewall rules with `iptables -L` or `Get-NetFirewallRule`. Look for rules that are overly permissive, such as those allowing `ANY` to `ANY`. Use `nmap -sS` from an external perspective to see what ports are truly exposed. If you detect a brute-force attack from a specific IP, immediately block it using the `iptables` or `New-NetFirewallRule` commands provided. Regularly use `Test-NetConnection` to verify that only intended ports are accessible.

5. Log Interrogation for Incident Response

Logs are the digital forensics record of your system. Knowing how to parse them is essential for understanding an attack’s scope.

Linux:

```bash
# View the last 20 lines of the authentication log for failed attempts
# (Debian/Ubuntu path; RHEL-family systems log to /var/log/secure)
tail -20 /var/log/auth.log | grep "Failed password"

# Search the entire auth log for successful root logins
grep "session opened for user root" /var/log/auth.log

# Monitor the kernel log in real-time
tail -f /var/log/kern.log

# Search for "error" messages in the system log, ignoring case
grep -i "error" /var/log/syslog

# Count the number of failed login attempts per IP
# (take the token after "from"; a fixed column such as $11 breaks on "invalid user" lines, where the fields shift)
grep "Failed password" /var/log/auth.log | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' | sort | uniq -c | sort -nr
```

Windows (PowerShell):

```powershell
# Get the last 10 Error events from the System log
# (Get-EventLog is a Windows PowerShell 5.1 cmdlet; on PowerShell 7 use Get-WinEvent)
Get-EventLog -LogName System -EntryType Error -Newest 10

# Query the Security log for specific Event ID 4625 (logon failure)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 5

# Search for the string "error" across all .log files under a directory
Get-ChildItem C:\Windows\Logs -Filter *.log -Recurse | Select-String "error"
```

Step-by-step guide:

When investigating a potential breach, start by checking for failed login attempts. On Linux, use the `grep "Failed password"` command and pipe it to `awk` and `sort` to identify the source IPs of brute-force attacks. On Windows, use PowerShell to query the Security log for Event ID 4625. For deeper analysis, search kernel or system logs for unusual driver loads or system errors that occurred around the time of the incident, using `tail -f` to monitor in real-time if an attack is ongoing.
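An added example (not from the original post) of the failed-login triage described above, run over constructed `auth.log` lines: it counts failures per source IP without relying on a fixed `awk` column, applies a threshold to pick out brute-force candidates, and lists the usernames a given IP tried, which separates password spraying from a targeted guess.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/auth.log (not real data).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:05 host sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
Mar  3 10:01:07 host sshd[1207]: Failed password for alice from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1209]: Accepted password for alice from 192.0.2.77 port 51300 ssh2
Mar  3 10:01:11 host sshd[1211]: Failed password for bob from 192.0.2.77 port 51301 ssh2'

# Read auth log lines on stdin and print "count ip" for every source of failed
# password attempts, most frequent first. The IP is the token after "from" rather
# than a fixed column, because "invalid user" lines shift the field positions.
failed_logins_by_ip() {
    grep 'Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print only the IPs at or above a threshold of failures (default 3).
brute_force_candidates() {
    failed_logins_by_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# List the distinct usernames a given IP failed against (handles "invalid user" lines).
usernames_tried_by() {
    grep 'Failed password' | grep " from $1 port " \
    | sed -n 's/.*Failed password for \(invalid user \)*\([^ ]*\) from.*/\2/p' \
    | sort -u
}

# On a live host use the real log instead of the sample:  failed_logins_by_ip < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_candidates 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | usernames_tried_by 203.0.113.5
```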

What Undercode Says:

  • The command line is the great equalizer, offering granular control that GUIs often obscure. Mastery is non-negotiable for serious security professionals.
  • Automation of these commands through scripting is the logical next step, transforming reactive checks into proactive, continuous monitoring systems.

The persistent relevance of the CLI in a GUI-dominated world underscores a fundamental truth in cybersecurity: visibility equals control. While advanced tools are vital, they often build upon these foundational commands. An over-reliance on dashboards without understanding the underlying data they represent creates a critical knowledge gap. The future of defense lies not in replacing the command line, but in intelligently automating it, allowing human expertise to focus on analysis and response rather than manual data gathering. The professional who can both click and type holds the true advantage.

Prediction:

The increasing abstraction of IT infrastructure through cloud and containerization will make low-level command line skills even more valuable, not less. As attacks become more automated and sophisticated, the ability to rapidly script and deploy custom command-line-based countermeasures and diagnostics will be the differentiator between a slowed breach and a stopped one. The “hands-on-keyboard” defender, armed with a deep understanding of their system’s core components, will remain the most effective last line of defense against automated threats.

Reported By: Sdalbera People – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
