Command Line Kung Fu Commands Cheat Sheet by

Disclaimer & Notes

I am not the author of this content. I simply, or not so simply, pulled out the commands and paraphrased from the discussions of the authors of Command Line Kung Fu. Every episode should be linked.

In some cases, I may have updated their commands if I noticed they were outdated.

I plan on continuing to add all episodes. Let me know what my errors are.

C:\> Windows
PS C:\> Windows Powershell
# Unix
$ OS X

Episodes #1-10

Episode #1
Convert Dos To UNIX
# dos2unix file.txt

# sed 's/\r$//' file.txt >newfile.txt

Episode #2
Looking at the Config of Built-In Firewall
C:\> netsh firewall show portopening
 show all ports allowed
C:\> netsh firewall show config
 show all config options
C:\> netsh firewall show allowedprogram
 show all programs allowed
# for type in nat mangle filter raw; do iptables -t $type -nL; done
 list all iptables rules in all chains
Episode #3
Watching the File Count in a Directory
C:\> for /L %i in (1,0,2) do @dir /b /a | find /c /v "" & ping -n 6 127.0.0.1 >nul

# watch -n 5 'ls | wc -l'

Episode #4
Listing Files and Their Sizes
C:\> for /r c:\ %i in (*) do @echo %~zi, %i
 output to csv and sort in spreadsheet
# du | sort -nr | head -100
 show top 100 largest directories in descending order

# find / -type f -exec wc -c {} \; | sort -nr | head -100
 show top 100 largest files in descending order
Episode #5
Simple Text Manipulation - Reverse DNS Records
C:\> FOR /F "tokens=1-5" %a in (lookups.txt) do @(@FOR /F "tokens=1-4 delims=." %i in ("%a") do @echo %l.%k.%j.%i %e)

# sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).in-addr.arpa domain name pointer\(.*\)\./\4.\3.\2.\1\5/' lookups.txt
 lookups.txt format: 208.251.16.10.in-addr.arpa domain name pointer server2.srv.mydomain.net.
Episode #6
Command-Line Ping Sweeper
C:\> FOR /L %i in (1,1,255) do @ping -n 1 -w 100 10.10.10.%i | find "Reply"

# for i in `seq 1 255`; do ping -c 1 -w 1 10.10.10.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done

Episode #7
Aborting a System Shutdown
C:\> shutdown /a
 abort shutdown
# shutdown -c
 cancel scheduled shutdown
C:\> shutdown /r /t [#_seconds]
 to try delaying shutdown
# shutdown -r +<#>
 reboot in # minute(s)

# shutdown -r hh:mm
 reboot at (24 hr clock)
Episode #8
Netstat Protocol Stats
C:\> netstat -s
 all protocols
# netstat -s
 all protocols
C:\> netstat -s -p tcp
 all tcp
# netstat -s | awk '/:/ { p = $1 }; (p ~ /^[Tt]cp/) { print }'
 all tcp (works for OS X too)
Episode #9
Display the Nth Line
C:\> find /v /n "" <file> | findstr /b /L [<#>]
 will prepend line numbers to output
# awk 'FNR == <#>' <file>
C:\> for /F "delims=[] tokens=2" %i in (tmp.txt) do @echo %i & del tmp.txt
 used to remove line numbers in output (save output of previous cmd to tmp.txt)
# head -<#> <file> | tail -1
 alternative command
Episode #10
Display Filenames Containing String Within the File
C:\> findstr /s /d:<dir> /m <string> *.<filetype>
 dir=absolute|relative, filetype=file extension
# find <dir> -type f -exec grep -l <string> {} +
 more flexible, allows for multiple -exec predicates
# grep -irl <string> <dir>
 slow for larger searches, easy to remember
C:\> findstr /s /m <string> <dir>*<filetype>
 alternative format
# find <dir> -type f -print0 | xargs -0 grep -l <string>
 alternative safer command (except on Solaris =P)
Additional Research Links
 xargs vs exec uses & xargs vs exec efficiency
Episode #11
Listing Files by Inode as a Proxy for Create Time
C:\> dir /tc /od
  oldest first (/o-d will show newest first)
# ls -li <dir> | sort -n
  relative times from clustered inodes
Episode #12
Deleting Related Files
PS C:\> sls -list -pattern <string> -path qf* | rm -path {$_.Path -replace "\\qf","\[qd]f"}
  Note, this is PowerShell
C:\> cmd.exe /v:on /c "for /f %i in ('findstr /m <string> qf*') do @set stuff=%i & del qf!stuff:~2! & del df!stuff:~2!"
# grep -l <string> qf* | cut -c3- | xargs -I {} rm qf{} df{}
Episode #13
Find Vulnerable Systems In A Nessus Export
DEPRECATED Nessus format, no longer necessary
C:\> for /F "delims=:| tokens=2" %i in ('findstr CVE-2008-4250 *.nsr') do @echo %i
# awk -F'|' '/CVE-2008-4250/ {print $1}' *.nsr | sort -u
  funnel those IP addresses through to Metasploit's msfcli and get shell on all of them
Episode #14
Command Line (History) Shortcuts
C:\> doskey /history
 up to 50 commands stored by default
# CTRL+r
 find & run cmd containing string (ENTER | CTRL+g)
# !<string>:p
 only display cmd, then !! to run
# !!
 run previous cmd
# <cmd> !$
 run a cmd with last argument of prev cmd (ALT+. also works)
# <cmd> !*
 run a cmd with all arguments of prev cmd
# ^foo^bar
 run prev cmd replacing 1st instance of foo with bar
# ^<string>
 run prev cmd removing 1st instance of string
C:\> F7
 bring up prompt with history
# CTRL+p | CTRL+n
 previous or next command in history (up & down)
# !<string>
 run last cmd that starts with string
# !-<#>
 run # previous cmd
# <cmd> !-<#>$
 run a cmd with last argument of # prev cmd
# <cmd> !-<#>*
 run a cmd with all arguments of # prev cmd
# !:gs/foo/bar/
 run prev cmd replacing all instances of foo with bar
Episode #15.1
New User Created When?
C:\> net user <user>
 last time password was set
# awk -F: '/^<user>:/ {print $3 * 86400}' /etc/shadow
 last time password was set (Epoch time)
C:\> dir /tc "C:\Documents and Settings\"
 first logged in (before Vista)
# ls -ltd /home/<user>/.[^.]* | tail -1
 first logged in
C:\> dir /tc C:\Users\
 first logged in (Vista+)
Episode #15.2
New User Created When? Cont.
C:\> cscript c:\windows\system32\eventquery.vbs /L security /FI "id eq 642"
 using “audit account management” event log (XP & 03)
C:\> wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]" | more
 using “audit account management” event log (Vista+)
# grep <user> /var/log/secure* | tail
 limited history (may be in /var/log/auth.log)
Episode #16
Got That Patch?
C:\> wmic qfe where hotfixid="KB958644" list full
 whether MS08-067 patch was installed and when
# apt-show-versions -u
 Debian based (/var/cache/apt/archives may have install dates)
# rpm -qa --qf "%-30{NAME} %-15{VERSION} %{INSTALLTIME:date}\n"
 RHEL report for all packages
$ ls -l com.apple.pkg.update.*
 OS X packages and timestamps
Episode #17
DNS Cache Snooping in a Single Command
C:\> for /F %i in (names.txt) do @echo %i & nslookup -norecurse %i [DNSserver] | find "answer" & echo.
 names.txt contains names to check, DNSserver is optional chosen DNS server
# for i in `cat names.txt`; do host -r $i [nameserver]; done
 names.txt contains names to check, nameserver is optional chosen DNS server
# rndc dumpdb -cache
 if you are the server
# lsof -a -c named -d cwd
 find the current working directory of the named process
Episode #18
Clearing The System DNS Lookup Cache
C:\> ipconfig /flushdns
# nscd -i hosts
 linux flush
$ dscacheutil -flushcache
 OS X flush
C:\> ipconfig /displaydns
# netstat -rCn
 linux recent communication
$ dscacheutil -cachedump -entries Host
 OS X display cache
Episode #19
Clearing The Contents Of A File
C:\> type nul > my_file

# cat /dev/null > my_file
C:\> copy nul my_file
 shorter command
# cp /dev/null my_file
 shorter command
Episode #20
Ping Beep of Death
C:\> for /L %i in (1,0,2) do @(ping -n 1 HostIPaddr > nul || echo ^G) & ping -n 2 127.0.0.1 > nul
 not ^ and G, actually CTRL+g
# ping x.x.x.x 2>&1 | awk -F: '/sendto:/ {print $3}' | say
$ ping -A 192.168.1.1

