Show Menu
Cheatography

Command Line Kung Fu Commands Cheat Sheet by

Disclaimer & Notes

I am not the author of this content. I simply, or not so simply, pulled out the commands and paraph­rased from the discus­sions of the authors of Command Line Kung Fu. Every episode should be linked.

In some cases, I may have updated their commands if I noticed they were outdated.

I plan on continuing to add all episodes. Let me know what my errors are.

C:\> Windows
PS C:\> Windows Powershell
# Unix
$ OS X

Episodes #1-10

Episode #1
Convert Dos To UNIX
# dos2unix file.txt


# sed 's/\r$//' file.txt >newfile.txt


Episode #2
Looking at the Config of Built-In Firewall
C:\> netsh firewall show portop­ening

 
show all ports allowed

C:\> netsh firewall show config

 
show all config options
C:\> netsh firewall show allowedprogram

 
show all programs allowed

# for type in nat mangle filter raw; do iptables -t $type -nL; done

 
list all iptables rules in all chains
Episode #3
Watching the File Count in a Directory
C:\> for /L %i in (1,0,2) do @dir /b /a | find /c /v "­" & ping -n 6 127.0.0.1­>nul


# watch -n 5 'ls | wc -l'


Episode #4
Listing Files and Their Sizes
C:\> for /r c:\ %i in (*) do @echo %~zi, %i

 
output to csv and sort in spreadsheet 

# du | sort -nr | head -100

 
show top 100 largest directories in descending order


# find / -type f -exec wc -c {} \; | sort -nr | head -100

 
show top 100 largest files in descending order
Episode #5
Simple Text Manipu­lation - Reverse DNS Records
C:\> FOR /F "­tok­ens­=1-­5" %a in (looku­ps.txt) do @(@FOR /F "­tok­ens=1-4 delims­=." %i in ("%a­") do @echo %l.%k.%­j.%i %e)


# sed 's/\([­0-9­]*­\)\.­\([­0-9­]*­\)\.­\([­0-9­]*­\)\.­\([­0-9­]*­\).i­n-a­ddr.arpa domain name pointe­r\(.*­\)\./­\4.\3.\2.\1\5/' lookup­s.txt

 
lookup­s.txt format: 208.25­1.1­6.1­0.i­n-a­ddr.arpa domain name pointer server­2.s­rv.m­yd­oma­in.net.
Episode #6
Comman­d-Line Ping Sweeper
C:\> FOR /L %i in (1,1,255) do @ping -n 1 -w 100 10.10.1­0.%i | find "­Rep­ly"


# for i in `seq 1 255`; do ping -c 1 -w 1 10.10.1­0.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done


Episode #7
Aborting a System Shutdown
C:\> shutdown /a

 
abort shutdown

# shutdown -c

 
cancel scheduled shutdown
C:\> shutdown /r /t [#_sec­onds]

 
to try delaying shutdown

# shutdown -r +<#>

 
reboot in # minute(s)


# shutdown -r hh:mm:ss

 
reboot at hh:mm.ss (24 hr clock)
Episode #8
Netstat Protocol Stats
C:\> netstat -s

 
all protocols

# netstat -s

 
all protocols
C:\> netstat -s -p tcp

 
all tcp

# netstat -s | awk '/:/ { p = $1 }; (p ~ /^[Tt]cp/) { print }'

 
all tcp (works for OS X too)
Episode #9
Display the Nth Line
C:\> find /v /n "­" <fi­le> | findstr /b /L [<#­>]

 
will prepend line numbers to output

# awk 'FNR = <#>' <fi­le>

 
C:\> for /F "delims=[] tokens=2" %i in (tmp.txt) do @echo %i & del tmp.txt

 
used to remove line numbers in output (save output of previous cmd to temp.txt)

# head -<#> <file> | tail -1

 
alternative command
Episode #10
Display Filenames Containing String Within the File
C:\> findstr /s /d:<dir>s /m <string> *.<filetype>

 
dir=absolute|relative, filetype=file extension

# find <dir> -type f -exec grep -l <string> {} +

 
more flexible, allows for multiple -exec predicates

# grep -irl <string> <dir>

 
slow for larger searches, easy to remember
C:\> findstr /s /m <st­rin­g> <di­r>*­<fi­let­ype>

 
altern­ative format

# find <di­r> -type f -print0 | xargs -0 grep -l <st­rin­g>

 
altern­ative safer command (except on Solaris =P)

Additional Research Links

 
xargs vs exec uses
 & 
xargs vs exec efficiency
Episode #11
Listing Files by Inode as a Proxy for Create Time
C:\> dir /tc /od

 
oldest first (/o-d will show newest first)

# ls -li <di­r> | sort -n

 
relative times from clustered inodes
Episode #12
Deleting Related Files
PS C:\> sls spammer@example.com -list -path qf* | rm -path {$_.Path -replace "\\qf","\[qd]f"}

 
Note, this is PowerShell

C:\> cmd.exe /v:on /c "for /f %i in ('findstr /m spammer@example.com qf*') do @set stuff=%i & del qf!stuff:2! & del df!stuff:2!"

# grep -l spammer@example.com qf* | cut -c3- | xargs -I {} rm qf{} df{}
Episode #13
Find Vulnerable Systems In A Nessus Export
DEPRECATED Nessus format, no longer necessary
C:\> for /F "­del­ims=:| tokens­=2" %i in ('findstr CVE-20­08-4250 *.nsr') do @echo %i

# awk -F'|' '/CVE-­200­8-4250/ {print $1}' | sort -u

 
funnel those IP addresses through to Metasp­loit's msfcli and get shell on all of them 
Episode #14
Command Line (History) Shortcuts
C:\> doskey /history

 
up to 50 commands stored by default

# CTRL+r

 
find & run cmd containing string (ENTER | CTRL+g)

# !<string>:p

 
only display cmd, then !! to run

# !!

 
run previous cmd 

# <cmd> !$

 
run a cmd with last argument of prev cmd (ALT+. also works)

# <cmd> !*

 
run a cmd with all arguments of prev cmd

# ^foo^bar

 
run prev cmd replacing 1st instance of foo with bar

# ^<string>

 
run prev cmd removing 1st instance of string
C:\> F7

 
bring up prompt with history

# CTRL+p
|
CTRL+n

 
previous or next command in history (up & down)

# !<string>

 
run last cmd that starts with string

# !-<#>

 
run # previous cmd

# <cmd> !-<#>$

 
run a cmd with last argument of # prev cmd

# <cmd> !-<#>*

 
run a cmd with all arguments of # prev cmd

# !:gs/foo/bar/

 
run prev cmd replacing all instances of foo with bar
Episode #15.1
New User Created When?
C:\> net user <user>

 
last time password was set

#awk -F: '/^<user>:/ {print $3 * 86400}' /etc/shadow

 
last time password was set (Epoch time)
C:\> dir /tc "C:\Documents and Settings\"

 
first logged in (before Vista)

# ls -ltd /home/<user>/.[^.]* | tail -1

 
first logged in
C:\> dir /tc C:\Users\ 

 
first logged in (Vista+)
Episode #15.2
New User Created When? Cont.
C:\> cscript c:\windows\system32\eventquery.vbs /L security /FI "id eq 642"

 
using “audit account management” event log (XP & 03)

C:\> wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]" | more

 
using “audit account management” event log (Vista+)

# grep <user> /var/log/secure* | tail

 
limited history  (may be in /var/log/auth.log)
Episode #16
Got That Patch?
C:\> wmic qfe where hotfix­id=­"­KB9­586­44" list full

 
whether MS08-067 patch was installed and when

# apt-sh­ow-­ver­sions -u

 
Debian based (/var/­cac­he/­apt­/ar­chives may have install dates)
# rpm -qa --qf "­%-3­0{NAME} %-15{V­ERSION} %{INST­ALL­TIM­E:d­ate­}\n­"

 
RHEL report for all packages

$ ls -l  com.ap­ple.pk­g.u­pdate.*

 
OS X packages and timestamps
Episode #17
DNS Cache Snooping in a Single Command
C:\> for /F %i in (names.txt) do @echo %i & nslookup -norecurse %i [DNSserver] | find "answer" & echo.

 
names.txt contains names to check, DNSserver is optional chosen DNS server

# for i in `cat names.txt`; do host -r $i [nameserver]; done

 
names.txt contains names to check, DNSserver is optional chosen DNS server

# rndc dumpdb -cache

 
if you are the server

# lsof -a -c named -d cwd

 
find the current working directory of the named process
Episode #18
Clearing The System DNS Lookup Cache
C:\> ipconfig /flushdns

# nscd -i hosts

 
linux flush

$ dscach­eutil -flush­cache

 
OS X flush
C:\> ipconfig /displ­aydns

# netstat -rCn

 
linux recent commun­ication

$ dscach­eutil -cachedump -entries Host

 
OS X display cache
Episode #19
Clearing The Contents Of A File
C:\> type nul > my_file


# cat /dev/null > my_file

C:\> copy nul my_file

 
shorter command

# cp /dev/null my_file

 
shorter command
Episode #20
Ping Beep of Death
C:\> for /L %i in (1,0,2) do @(ping -n 1 HostIPaddr > nul || echo ^G) & ping -n 2 127.0.0.1 > nul

 
not ^ and G, actually CTRL+g

# ping x.x.x.x 2>&1 | awk -F: '/sendto:/ {print $3}' | say

$ ping -A 192.16­8.1.1
                                       
 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          bash Shortcuts Cheat Sheet