Show Menu

Command Line Kung Fu Commands Cheat Sheet by

Disclaimer & Notes

I am not the author of this content. I simply, or not so simply, pulled out the commands and paraph­rased from the discus­sions of the authors of Command Line Kung Fu. Every episode should be linked.

In some cases, I may have updated their commands if I noticed they were outdated.

I plan on continuing to add all episodes. Let me know what my errors are.

C:\> Windows
PS C:\> Windows Powershell
# Unix
$ OS X

Episodes #1-10

Episode #1
Convert Dos To UNIX
# dos2unix file.txt

# sed 's/\r$//' file.txt >newfile.txt

Episode #2
Looking at the Config of Built-In Firewall
C:\> netsh firewall show portop­ening
 show all ports allowed
C:\> netsh firewall show config
 show all config options
C:\> netsh firewall show allowedprogram
 show all programs allowed
# for type in nat mangle filter raw; do iptables -t $type -nL; done
 list all iptables rules in all chains
Episode #3
Watching the File Count in a Direct­ory
C:\> for /L %i in (1,0,2) do @dir /b /a | find /c /v "­" & ping -n 6­>nul

# watch -n 5 'ls | wc -l'

Episode #4
Listing Files and Their Sizes
C:\> for /r c:\ %i in (*) do @echo %~zi, %i
 output to csv and sort in spreadsheet
# du | sort -nr | head -100
 show top 100 largest directories in descending order

# find / -type f -exec wc -c {} \; | sort -nr | head -100
 show top 100 largest files in descending order
Episode #5
Simple Text Manipu­lation - Reverse DNS Records
C:\> FOR /F "­tok­ens­=1-­5" %a in (looku­ps.txt) do @(@FOR /F "­tok­ens=1-4 delims­=." %i in ("%a­") do @echo %l.%k.%­j.%i %e)

# sed 's/\([­0-9­]*­\)\.\(­[0-­9]­*\)­\.­\([0­-9]­*­\)\.­\([­0-9­]*­\).i­n-­add­ domain name pointe­r\(.*­\)\./­\4.­\3.­\2.­\1\5/' lookup­s.txt
 lookups.txt format: 208.25­1.1­6.1­0.i­n-a­ domain name pointer server­2.s­rv.m­yd­oma­in.n­et.
Episode #6
Comman­d-Line Ping Sweeper
C:\> FOR /L %i in (1,1,255) do @ping -n 1 -w 100 10.10.1­0.%i | find "­Rep­ly"

# for i in `seq 1 255`; do ping -c 1 -w 1 10.10.1­0.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done

Episode #7
Aborting a System Shutdown
C:\> shutdown /a
 abort shutdo­wn
# shutdown -c
 cancel scheduled shutdo­wn
C:\> shutdown /r /t [#_sec­onds]
 to try delaying shutdo­wn
# shutdown -r +<#­>
 reboot in # minute­(s)

# shutdown -r hh:mm:ss
 reboot at (24 hr clock)
Episode #8
Netstat Protocol Stats
C:\> netstat -s
 all protoc­ols
# netstat -s
 all protoc­ols
C:\> netstat -s -p tcp
 all tcp
# netstat -s | awk '/:/ { p = $1 }; (p ~ /^[Tt­]cp/) { print }'
 all tcp (works for OS X too)
Episode #9
Display the Nth Line
C:\> find /v /n "­" <fi­le> | findstr /b /L [<#­>]
 will prepend line numbers to output
# awk 'FNR = <#>' <fi­le>
C:\> for /F "delims=[] tokens=2" %i in (tmp.txt) do @echo %i & del tmp.txt
 used to remove line numbers in output (save output of previous cmd to temp.txt)
# head -<#> <file> | tail -1
 alternative command
Episode #10
Display Filenames Containing String Within the File
C:\> findstr /s /d:<dir>s /m <string> *.<filetype>
 dir=absolute|relative, filetype=file extension
# find <dir> -type f -exec grep -l <string> {} +
 more flexible, allows for multiple -exec predicates
# grep -irl <string> <dir>
 slow for larger searches, easy to remember
C:\> findstr /s /m <st­rin­g> <di­r>­*<f­ile­typ­e>
 alternative format
# find <di­r> -type f -print0 | xargs -0 grep -l <st­rin­g>
 alternative safer command (except on Solaris =P)
Additional Research Links
 xargs vs exec uses & xargs vs exec efficiency
Episode #11
Listing Files by Inode as a Proxy for Create Time
C:\> dir /tc /od
  oldest first (/o-d will show newest first)
# ls -li <di­r> | sort -n
  rel­ative times from clustered inodes
Episode #12
Deleting Related Files
PS C:\> sls -list -path qf* | rm -path {$_.Path -replace "\\qf","\[qd]f"}
  Note, this is PowerShell
C:\> cmd.exe /v:on /c "for /f %i in ('findstr /m qf*') do @set stuff=%i & del qf!stuff:~2! & del df!stuff:~2!"
# grep -l qf* | cut -c3- | xargs -I {} rm qf{} df{}
Episode #13
Find Vulnerable Systems In A Nessus Export
DEPRE­CATED Nessus format, no longer necessary
C:\> for /F "­del­ims=:| tokens­=2" %i in ('findstr CVE-20­08-4250 *.nsr') do @echo %i
# awk -F'|' '/CVE-­200­8-4250/ {print $1}' | sort -u
  funnel those IP addresses through to Metasp­loit's msfcli and get shell on all of them
Episode #14
Command Line (History) Shortc­uts
C:\> doskey /history
 up to 50 commands stored by default
# CTRL+r
 find & run cmd containing string (ENTER | CTRL+g)
# !<string>:p
 only display cmd, then !! to run
# !!
 run previous cmd
# <cmd> !$
 run a cmd with last argument of prev cmd (ALT+. also works)
# <cmd> !*
 run a cmd with all arguments of prev cmd
# ^foo^bar
 run prev cmd replacing 1st instance of foo with bar
# ^<string>
 run prev cmd removing 1st instance of string
C:\> F7
 bring up prompt with history
# CTRL+p | CTRL+n
 previous or next command in history (up & down)
# !<string>
 run last cmd that starts with string
# !-<#>
 run # previous cmd
# <cmd> !-<#>$
 run a cmd with last argument of # prev cmd
# <cmd> !-<#>*
 run a cmd with all arguments of # prev cmd
# !:gs/foo/bar/
 run prev cmd replacing all instances of foo with bar
Episode #15.1
New User Created When?
C:\> net user <user>
 last time password was set
#awk -F: '/^<user>:/ {print $3 * 86400}' /etc/shadow
 last time password was set (Epoch time)
C:\> dir /tc "C:\Documents and Settings\"
 first logged in (before Vista)
# ls -ltd /home/<user>/.[^.]* | tail -1
 first logged in
C:\> dir /tc C:\Users\
 first logged in (Vista­+)
Episode #15.2
New User Created When? Cont.
C:\> cscript c:\windows\system32\eventquery.vbs /L security /FI "id eq 642"
 using “audit account management” event log (XP & 03)
C:\> wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]" | more
 using “audit account management” event log (Vista+)
# grep <user> /var/log/secure* | tail
 limited history (may be in /var/log/auth.log)
Episode #16
Got That Patch?
C:\> wmic qfe where hotfix­id=­"­KB9­586­44" list full
 whether MS08-067 patch was installed and when
# apt-sh­ow-­ver­sions -u
 Debian based (/var/­cac­he/­apt­/ar­chives may have install dates)
# rpm -qa --qf "­%-3­0{NAME} %-15{V­ERSION} %{INST­ALL­TIM­E:d­ate­}\n­"
 RHEL report for all packag­es
$ ls -l com.ap­­g.u­pda­te.*
 OS X packages and timest­amps
Episode #17
DNS Cache Snooping in a Single Command
C:\> for /F %i in (names.txt) do @echo %i & nslookup -norecurse %i [DNSserver] | find "answer" & echo.
 names.txt contains names to check, DNSserver is optional chosen DNS server
# for i in `cat names.txt`; do host -r $i [nameserver]; done
 names.txt contains names to check, DNSserver is optional chosen DNS server
# rndc dumpdb -cache
 if you are the server
# lsof -a -c named -d cwd
 find the current working directory of the named process
Episode #18
Clearing The System DNS Lookup Cache
C:\> ipconfig /flushdns
# nscd -i hosts
 linux flush
$ dscach­eutil -flush­cache
 OS X flush
C:\> ipconfig /displ­aydns
# netstat -rCn
 linux recent commun­ica­tion
$ dscach­eutil -cachedump -entries Host
 OS X display cache
Episode #19
Clearing The Contents Of A File
C:\> type nul > my_file

# cat /dev/null > my_file
C:\> copy nul my_file
 shorter command
# cp /dev/null my_file
 shorter command
Episode #20
Ping Beep of Death
C:\> for /L %i in (1,0,2) do @(ping -n 1 HostIPaddr > nul || echo ^G) & ping -n 2 > nul
 not ^ and G, actually CTRL+g
# ping x.x.x.x 2>&1 | awk -F: '/sendto:/ {print $3}' | say
$ ping -A 192.16­8.1.1

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          bash Shortcuts Cheat Sheet