My Most Frequently Used Hacking Commands

A quick reference to my most-used hacking commands for cybersecurity and penetration testing.

PreviousMy Hacking Materials NextRickdiculouslyEasy: 1 VulnHub WriteUp

Last updated 1 month ago

My Most Frequently Used Hacking Commands

A quick reference to my most-used hacking commands for cybersecurity and penetration testing.

1. ping [Target IP]

Sends ICMP echo requests to the specified target address (e.g., 192.168.0.1) to test connectivity and measure response times. Commonly used in ethical hacking to confirm the target system's availability during initial reconnaissance.

The image shows a command-line interface where the user has executed the ping 192.168.70.132 command. This command sends ICMP echo requests to the IP address 192.168.70.132 to test connectivity and measure response times. The results indicate successful responses from the target IP, with round-trip times (time) and other details such as ttl (time to live) for each packet sent. It confirms that the target system is reachable and responsive.

2. ping -s 1300 [Target IP]

This command sends ICMP echo requests with a packet size of 1300 bytes to the specified target IP (e.g., 172.18.0.11). It is commonly used to test how a network or host handles larger packets, helping to identify potential misconfigurations or fragmentation-related vulnerabilities.

The image shows a ping command with the -s option used to specify the packet size. The command ping -s 1300 192.168.70.132 sends ICMP echo requests to the IP address 192.168.70.132 with a packet size of 1300 bytes. The output confirms successful responses from the target, with each packet size being 1308 bytes (including headers). It also provides the ttl (time to live) and the round-trip time (time) for each packet, which helps assess how the network handles larger packets and identifies potential issues like fragmentation.

3. ping -s 1300 -f [Target IP]

This command sends flood pings with large packets (1300 bytes) to the specified target IP (e.g., 172.18.0.11). The -f option ensures packets are sent as fast as possible, making it useful for stress-testing network components or identifying potential vulnerabilities related to Denial-of-Service (DoS) attacks.

The image shows the ping -s 1300 -f 192.168.70.132 command executed in a terminal.

Command: Sends flood pings with a packet size of 1300 bytes to the target IP 192.168.70.132.
Flood Mode (-f): Ensures packets are sent as fast as possible to stress-test the network or system.
Output: Displays transmission statistics:
- Packets transmitted: 72,941 packets were sent.
- Packets received: 72,940 packets were successfully received.
- Packet loss: 0.00137%, indicating minimal loss.
- Round Trip Time (RTT):
  - Min: 0.067 ms
  - Avg: 0.441 ms
  - Max: 20.458 ms
  - Mdev: 0.949 ms (deviation in RTT).
- These results show that the target handled the flood of packets effectively with negligible packet loss.

4. iftop

Displays real-time bandwidth usage on network interfaces, providing a clear view of incoming and outgoing traffic. Ethical hackers leverage this tool to monitor network activity, identify unusual patterns that may suggest malicious behavior, and evaluate the impact of penetration tests on network performance.

The image shows the output of the iftop command being used to monitor real-time network bandwidth usage on a system:

Top Section: Displays a graphical representation of bandwidth usage over time for different IP addresses or hosts.
Middle Section: Lists the network connections, showing source and destination IPs or hostnames (e.g., 192.168.70.132, dns.google, mdns.mcast.net), along with the amount of data transmitted in both directions.
Bottom Section:
- TX (Transmitted): Shows the total data sent (20.7MB) and the peak bandwidth usage (23.1Mb).
- RX (Received): Shows the total data received (20.7MB) and the peak bandwidth usage (23.1Mb).
- TOTAL: Combines both TX and RX for an overall view (41.4MB).
Purpose: Useful for identifying traffic patterns, detecting potential anomalies, and evaluating how much bandwidth is consumed by specific connections.

5. hping3 -S --flood -V -p 80 [Target IP]

This command sends high-speed SYN packets (-flood) to port 80 of the specified target IP (e.g., 192.168.70.132), simulating a SYN flood attack. The -S flag sets the SYN flag, -V enables verbose output for detailed information, and -p 80 designates the target port. It is typically used to test the resilience of the target system or network against SYN flood attacks, helping to identify potential vulnerabilities.

The image shows the output of the hping3 -S --flood -V -p 80 192.168.70.132 command:

Command Breakdown:
- -S: Sets the SYN flag in the TCP header, simulating a SYN packet.
- --flood: Sends packets as fast as possible, mimicking a SYN flood attack.
- -V: Enables verbose mode for detailed output.
- -p 80: Targets port 80 (commonly used for HTTP traffic) on the IP 192.168.70.132.
Output:
- Shows that packets are being sent in flood mode without waiting for replies (no replies will be shown).
- A total of 1,414,407 packets were transmitted, but no responses were received, indicating 100% packet loss. This could mean the target is either blocking the packets, is offline, or is overwhelmed by the traffic.
Purpose: This command is commonly used for stress testing or to simulate a SYN flood attack to identify weaknesses in a target's ability to handle such traffic.

6. hping3 --traceroute -V -1 [Target Domain]

This command performs a traceroute to the specified domain (e.g., loliteam.net) using ICMP packets (-1) and provides verbose output (-V). It is commonly used to map the path packets take to reach the target, helping to identify intermediate firewalls, routers, and other network devices along the route.

The image shows the execution of the hping3 --traceroute -V -1 loliteam.net command, specifically analyzing the results as the trace reaches the IP address ending in .42:

Command Details:
- The --traceroute flag maps the route packets take to reach the target (loliteam.net).
- The -1 flag uses ICMP packets.
- The -V flag provides detailed output.
Analysis of IP .42:
- The final destination IP address is 172.67.157.42.
- Packets successfully reach the target:
  - ICMP packets with a TTL of 56 confirm the packets were received at .42.
  - RTT (Round-Trip Time): Each packet's RTT is recorded, showing values such as 28.9 ms, 29.6 ms, and so on. This indicates the time taken for packets to reach the target and return.
- Packet Statistics:
  - 18 packets transmitted: A total of 18 ICMP packets were sent.
  - 14 packets received: Only 14 responses were received, indicating a 23% packet loss.
  - Round-trip times:
    Minimum RTT: 1.2 ms.
    Average RTT: 21 ms.
    Maximum RTT: 43.8 ms.
Conclusion: The traceroute successfully identifies the target at IP .42 with some packet loss, possibly due to network congestion or filtering along the path. The RTT values indicate relatively good latency, though packet loss could suggest intermediate network issues.

7. ptunnel

Creates a tunnel that encapsulates data within ICMP echo requests and replies. This tool is often utilized by ethical hackers to bypass network restrictions or enable covert communication during penetration testing, ensuring data transmission remains undetected by conventional monitoring systems.

Scenario: You want to use ptunnel to tunnel TCP traffic (e.g., SSH) through a restrictive network that blocks regular ports but allows ICMP packets.

Install ptunnel Make sure ptunnel is installed on both the client and the server (the target machine you want to communicate with).
Run ptunnel on the Server (Relay Machine): On the machine that will act as a relay (e.g., with an open ICMP port), run:
```
sudo ptunnel -x secretpassword
```
- -x secretpassword: Sets a password to secure the tunnel.
Run ptunnel on the Client Machine: On your local machine, set up a tunnel to forward traffic through the server using:
```
sudo ptunnel -p [relay_server_IP] -lp 8000 -da [destination_IP] -dp 22 -x secretpassword
```
- -p [relay_server_IP]: The IP address of the relay server.
- -lp 8000: The local port on your client machine.
- -da [destination_IP]: The final destination IP you want to connect to (e.g., SSH server).
- -dp 22: The destination port (e.g., port 22 for SSH).
- -x secretpassword: The password set on the server to authenticate the tunnel.
Use the Tunnel: Now you can connect to the SSH server through the ICMP tunnel:
```
ssh -p 8000 localhost
```

8. tcpdump -i any icmp

This command captures all ICMP packets on every network interface of the system. It's an invaluable tool for monitoring and analyzing ICMP traffic, allowing you to detect suspicious activities such as ping sweeps, network mapping attempts, or other reconnaissance efforts. Network administrators and ethical hackers use this command to gain insights into network behavior and enhance security measures.

The image shows the execution of the tcpdump -i any icmp command, which captures ICMP traffic across all network interfaces.:

Command:
- tcpdump: A packet capture tool.
- -i any: Captures traffic on all available network interfaces.
- icmp: Filters only ICMP (Internet Control Message Protocol) packets.
Warnings:
- "Promiscuous mode not supported on the 'any' device": Indicates that promiscuous mode cannot be enabled when capturing on the "any" interface, but this does not affect functionality.
Captured Traffic:
- ICMP Echo Request and Reply:
  - In: Incoming ICMP packets, e.g., Shiina.local > Eopi: ICMP echo request.
  - Out: Outgoing ICMP packets, e.g., Eopi > Shiina.local: ICMP echo reply.
- Each packet includes details such as:
  - Sequence Number (seq): Shows the packet sequence (e.g., seq 44, seq 45).
  - Length: Indicates the size of the ICMP packet (e.g., length 40).
- Communication between IPs (e.g., 192.168.70.132 > Eopi) suggests ping activity or similar traffic.
Use Case:
- Monitoring ICMP traffic to detect network activity such as ping sweeps, network diagnostics, or reconnaissance attempts.

9. grep -Hnri 'tree' | vim -

This command performs a case-insensitive recursive search (-r and -i) for the term "tree" across all files in the current directory. It displays the file names (-H) and line numbers (-n) for matches. The results are then piped into vim, allowing you to view and edit the matching lines directly within the editor. This is particularly useful for quickly locating and editing references to specific terms, such as vulnerabilities or configuration details in code or configuration files.

The image displays the output of the command grep -Hnri 'tree' | vim -, which searches for the term "tree" recursively in all files starting from the current directory, then opens the results in the vim editor for further analysis. Here’s the detailed explanation:

Result Breakdown:

Command Output:
- File Names: Each result includes the file where the match was found, such as .zsh_history or wpscan/db/dynamic_finders.yml.
- Line Numbers: The line numbers where the match occurred are displayed (e.g., 2063, 22754).
- Matched Content: The specific content containing the term "tree" is shown, such as admin-category-tree, cms-tree-page-view.
Purpose of the Results:
- It helps locate all references to the keyword "tree" within a large codebase or configuration files.
- Useful in scenarios like finding relevant configurations, understanding file structures, or tracking down vulnerabilities or misconfigurations.

Why Use in Hacking:

Reconnaissance:
- Ethical hackers can use this command to search for sensitive information, such as passwords, API keys, or system configurations, in the target directory.
- Example: Searching for terms like "password" or "key" instead of "tree" can reveal credentials or encryption keys.
Vulnerability Analysis:
- Identifying misconfigurations in configuration files or parameters related to web applications, plugins, or frameworks.
Post-Exploitation:
- After gaining access to a system, this command allows hackers to navigate through directories and search for valuable information quickly.

How to Optimize the Command:

Search Specific File Types: Use --include to focus on particular file extensions, e.g., configuration or YAML files:
```
grep -Hnri --include="*.yml" 'tree' | vim -
```
Exclude Unnecessary Directories: Skip directories that are irrelevant or too large, e.g., node_modules:
```
grep -Hnri --exclude-dir="node_modules" 'tree' | vim -
```
Highlight Matches: Add --color to highlight the matching text for better visibility:
```
grep -Hnri --color 'tree' | vim -
```
Add Context Lines: Use -C to display lines before and after the match to understand the context:
```
grep -Hnri -C 3 'tree' | vim -
```
Change Search Term: Replace 'tree' with other terms like:
- 'password' to locate credentials.
- 'config' to find configuration files.
- 'secret' for sensitive entries.
Switch to Faster Tools: For large directories, use more efficient tools like ripgrep (rg) or ag:
```
rg 'tree' | vim -
```

10. :%!sort

This command, used within the vim text editor, sorts all lines in the currently open file alphabetically or numerically, depending on the content. It is particularly useful for organizing data during ethical hacking, such as arranging IP addresses, URLs, or configuration entries for easier analysis and identification of duplicates or patterns.

Scenario:

You are analyzing a log file with mixed content, including IP addresses, timestamps, and user agents. The file is messy, and you need to:

Extract and sort only the IP addresses for pattern analysis.
Remove duplicate entries.
Save the sorted results for further investigation.

Unsorted Log File Example (logs.txt):

Steps to Process the File Using `:%!sort`:

Step 1: Open the File in vim:

vim logs.txt

Step 2: Extract Only IP Addresses:

Use grep inside vim to extract lines containing "IP:" and process them. In vim, type:

:g/IP:/s/^.*IP: \([0-9.]*\).*$/\1/

g/IP:/: Finds all lines containing "IP:".
s/^.*IP: $[0-9.]*$.*$/\1/: Extracts only the IP addresses and replaces the line content with the matched IP.

Result After Extraction:

Step 3: Sort the IP Addresses Alphabetically:

Sort the extracted IP addresses using :%!sort:

:%!sort

Result After Sorting:

Step 4: Remove Duplicate IP Addresses:

Use the -u option with sort to remove duplicates:

:%!sort -u

Result After Removing Duplicates

Why This Is Useful in Ethical Hacking:

Log Analysis: Extracting and sorting IP addresses helps identify suspicious patterns, such as repeated connections or irregular access from certain ranges.
Reconnaissance: Organizing IPs allows hackers or security researchers to identify network subnets, prioritize targets, or detect outliers in a dataset.
Efficient Data Processing: Using :%!sort with options like -u (unique), -n (numerical sort), or -r (reverse order) streamlines the analysis of large datasets.

Example Commands for Advanced Use in Ethical Hacking:

Reverse Sorting: Sort the IPs in descending order:
```
:%!sort -r
```
Numerical Sorting: Ensure proper numerical sorting of IP addresses:
```
:%!sort -n
```
Sort and Save Unique Lines: Combine sorting and deduplication:
```
:%!sort -u
```
Custom Filters: Extract and sort lines containing specific keywords, such as "Error" or "Failed":
```
:g/Error/s/^.*Error: $.*$$/\1/ | %!sort
```

11. :%!grep -v .git

This vim command removes all lines containing the term .git from the currently open file by leveraging the grep -v option, which inverts the match to exclude specific lines. It is particularly useful for excluding references to version control directories or files, streamlining search results and improving readability in configuration or documentation files.