| # dos2unix file.txt
# sed 's/\r$//' file.txt >newfile.txt
|
Episode #2 Looking at the Config of Built-In Firewall | C:\> netsh firewall show portopening show all ports allowed (the "netsh firewall" context is the legacy XP/2003 one and is deprecated since Vista; on Vista+ use netsh advfirewall firewall show rule name=all)
C:\> netsh firewall show config show all config options
| C:\> netsh firewall show allowedprogram show all programs allowed
# for type in nat mangle filter raw; do iptables -t $type -nL; done list all iptables rules in all chains (add -v to see interfaces and packet/byte counters; on hosts that have moved to nftables, use nft list ruleset instead, since the iptables view can be incomplete there)
|
Episode #3 Watching the File Count in a Directory | C:\> for /L %i in (1,0,2) do @dir /b /a | find /c /v "" & ping -n 6 127.0.0.1>nul
# watch -n 5 'ls | wc -l'
|
| C:\> for /r c:\ %i in (*) do @echo %~zi, %i output to csv and sort in spreadsheet
# du | sort -nr | head -100 show top 100 largest directories in descending order
|
# find / -type f -exec wc -c {} \; | sort -nr | head -100 show top 100 largest files in descending order (forks wc once per file; with GNU find, find / -type f -printf '%s %p\n' | sort -nr | head -100 gives the same list without the per-file fork)
|
Episode #5 Simple Text Manipulation - Reverse DNS Records | C:\> FOR /F "tokens=1-5" %a in (lookups.txt) do @(@FOR /F "tokens=1-4 delims=." %i in ("%a") do @echo %l.%k.%j.%i %e)
# sed 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).in-addr.arpa domain name pointer\(.*\)\./\4.\3.\2.\1\5/' lookups.txt lookups.txt format: 208.251.16.10.in-addr.arpa domain name pointer server2.srv.mydomain.net.
|
| C:\> FOR /L %i in (1,1,255) do @ping -n 1 -w 100 10.10.10.%i | find "TTL=" # for i in `seq 1 255`; do ping -c 1 -w 1 10.10.10.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done ping sweep; match on "TTL=" rather than "Reply", because a down host on the local subnet produces "Reply from <gateway>: Destination host unreachable", which also contains "Reply"; on either OS a host that filters ICMP echo will simply not appear
|
| C:\> shutdown /a abort shutdown
# shutdown -c cancel scheduled shutdown
| C:\> shutdown /r /t [#_seconds] schedule a restart in # seconds (shutdown /a aborts it while the timer is running)
# shutdown -r +<#> reboot in # minute(s)
|
# shutdown -r hh:mm reboot at hh:mm (24 hr clock; shutdown(8) accepts hh:mm, not hh:mm:ss)
|
| C:\> netstat -s all protocols
# netstat -s all protocols
| C:\> netstat -s -p tcp all tcp
# netstat -s | awk '/:/ { p = $1 }; (p ~ /^[Tt]cp/) { print }' all tcp (works for OS X too)
|
| C:\> find /v /n "" <file> | findstr /b /L [<#>] will prepend line numbers to output
# awk 'FNR == <#>' <file> print only line # (note ==, not =: a single = is an assignment, which evaluates true for any non-zero # and so prints every line)
| C:\> (for /F "delims=[] tokens=2" %i in (tmp.txt) do @echo %i) & del tmp.txt used to remove line numbers in output (save output of previous cmd to tmp.txt; the parentheses keep del out of the loop body, otherwise it runs on every iteration and complains after the first)
# head -<#> <file> | tail -1 alternative command
|
Episode #10 Display Filenames Containing String Within the File | C:\> findstr /s /d:<dir>[;<dir>...] /m <string> *.<filetype> dir=absolute|relative (semicolon-separated list), filetype=file extension
# find <dir> -type f -exec grep -l <string> {} + more flexible, allows for multiple -exec predicates
# grep -irl <string> <dir> slow for larger searches, easy to remember
| C:\> findstr /s /m <string> <dir>*<filetype> alternative format # find <dir> -type f -print0 | xargs -0 grep -l <string> alternative safer command (except on Solaris =P) Additional Research Links xargs vs exec uses & xargs vs exec efficiency |
Episode #11 Listing Files by Inode as a Proxy for Create Time | C:\> dir /tc /od oldest first (/o-d will show newest first) # ls -li <dir> | sort -n relative times from clustered inodes (a heuristic only: inode numbers are reused after deletes and not every filesystem hands them out sequentially; where the filesystem records a birth time, stat <file> reports it as "Birth")
|
| PS C:\> sls spammer@example.com -list -path qf* | rm -path {$_.Path -replace "\\qf","\[qd]f"} Note, this is PowerShell C:\> cmd.exe /v:on /c "for /f %i in ('findstr /m spammer@example.com qf*') do @set stuff=%i & del qf!stuff:~2! & del df!stuff:~2!" # grep -l spammer@example.com qf* | cut -c3- | xargs -I {} rm qf{} df{} |
| DEPRECATED Nessus format, no longer necessary
C:\> for /F "delims=:| tokens=2" %i in ('findstr CVE-2008-4250 *.nsr') do @echo %i # awk -F'|' '/CVE-2008-4250/ {print $1}' *.nsr | sort -u funnel those IP addresses through to Metasploit's msfcli and get shell on all of them (the awk needs the *.nsr files as input, otherwise it waits on stdin) |
| C:\> doskey /history up to 50 commands stored by default
# CTRL+r find & run cmd containing string (ENTER | CTRL+g)
# !<string>:p only display cmd, then !! to run
# !! run previous cmd
# <cmd> !$ run a cmd with last argument of prev cmd (ALT+. also works)
# <cmd> !* run a cmd with all arguments of prev cmd
# ^foo^bar run prev cmd replacing 1st instance of foo with bar
# ^<string> run prev cmd removing 1st instance of string
| C:\> F7 bring up prompt with history
# CTRL+p | CTRL+n previous or next command in history (up & down)
# !<string> run last cmd that starts with string
# !-<#> run # previous cmd
# <cmd> !-<#>$ run a cmd with last argument of # prev cmd
# <cmd> !-<#>* run a cmd with all arguments of # prev cmd
# !:gs/foo/bar/ run prev cmd replacing all instances of foo with bar
|
| C:\> net user <user> last time password was set
# awk -F: '/^<user>:/ {print $3 * 86400}' /etc/shadow last time password was set (Epoch time, convert with date -d @<epoch> on GNU; reading /etc/shadow needs root, and a field value of 0 means "must change at next login", not a 1970 timestamp)
| C:\> dir /tc "C:\Documents and Settings\" first logged in (before Vista)
# ls -ltd /home/<user>/.[^.]* | tail -1 first logged in
| C:\> dir /tc C:\Users\ first logged in (Vista+)
|
| C:\> cscript c:\windows\system32\eventquery.vbs /L security /FI "id eq 642" using “audit account management” event log (XP & 03) (note: legacy ID 642 is "User Account Changed"; account creation is 624, which is the one that maps to 4720 on Vista+)
C:\> wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]" | more using “audit account management” event log (Vista+)
# grep <user> /var/log/secure* | tail limited history (may be in /var/log/auth.log)
|
| C:\> wmic qfe where hotfixid="KB958644" list full whether MS08-067 patch was installed and when (WMIC is deprecated and missing on recent Windows builds; PowerShell Get-HotFix -Id KB958644 returns the same data)
# apt-show-versions -u Debian based (apt-show-versions is a separate package; /var/log/dpkg.log* records each install/upgrade with a timestamp and is more reliable than file mtimes in /var/cache/apt/archives)
| # rpm -qa --qf "%-30{NAME} %-15{VERSION} %{INSTALLTIME:date}\n" RHEL report for all packages
$ ls -l com.apple.pkg.update.* OS X packages and timestamps (run in the receipts directory, /Library/Receipts on older releases; pkgutil --pkgs lists installed package ids and pkgutil --pkg-info <pkg-id> prints its install-time regardless of where receipts live)
|
| C:\> for /F %i in (names.txt) do @echo %i & nslookup -norecurse %i [DNSserver] | find "answer" & echo. names.txt contains names to check, DNSserver is optional chosen DNS server
# while read -r i; do host -r "$i" [nameserver]; done < names.txt names.txt contains names to check, nameserver is optional chosen DNS server; -r disables recursion so only a cached answer (or none) comes back, which is what makes this a cache-snooping check
# rndc dumpdb -cache if you are the server (writes named_dump.db into named's working directory, which is what the next command locates)
# lsof -a -c named -d cwd find the current working directory of the named process
|
| C:\> ipconfig /flushdns
# nscd -i hosts linux flush (only meaningful where nscd is in use; on systemd-resolved hosts use resolvectl flush-caches)
$ dscacheutil -flushcache OS X flush
| C:\> ipconfig /displaydns
# netstat -rCn linux recent communication (this shows the kernel route cache, which was removed in Linux 3.6, so it is empty on modern kernels; Linux has no stub-resolver cache to display unless nscd or systemd-resolved is running)
$ dscacheutil -cachedump -entries Host OS X display cache
|
| C:\> type nul > my_file
# cat /dev/null > my_file
| C:\> copy nul my_file shorter command
# cp /dev/null my_file shorter command
|
| C:\> for /L %i in (1,0,2) do @(ping -n 1 HostIPaddr > nul || echo ^G) & ping -n 2 127.0.0.1 > nul not ^ and G, actually CTRL+g
# ping x.x.x.x 2>&1 | awk -F: '/sendto:/ {print $3}' | say
$ ping -A 192.168.1.1
|