
Linux Commands Quick Reference Guide

Lesson 3.2: Useful Commands and How to Employ Them: Part 1
Lesson Objectives
● Describe the useful security related functionality of 11 commands
● Reinforce the concept of using switches to customize the functionality and output of commands
In order to take advantage of Linux’s command-line interface (CLI), you need to know the
various commands and what they can do for you. The following commands are many of the
fundamental commands, along with a description of what they do. Please note that this list cannot
cover the exhaustive number of switches, flags, or options one can use for each
command. Therefore, I recommend you use -h, --help, or man <command> to learn more
about what options are available for each command.
Before we dive into the different commands there are a few terms and definitions you should
know:
Arguments generally refer to the file, directory, or service the command is being run on.
Flags or switches are ways to customize a command. A single-letter flag is preceded by a
single hyphen (-v). If the flag uses a full word, then it is preceded by two hyphens
(--verbose). In some cases, flags and switches can also take options (--color=always).
There are some exceptions to this, so I recommend checking a command’s documentation
before executing anything. Failure to do so could result in some ugly unintended results.
ls
ls is short for list structure. It is equivalent to the dir command in DOS and Windows. On its
own, the command just provides a list of the files and directories within the current directory.
Image 3.2.1
Linux uses colors to represent particular kinds of files. In the image above, the .tar.gz file is
a compressed file and is displayed in red. The use of colors to indicate file types depends on
how the terminal is configured.
If you use the -l flag, you will get the following output with file sizes, permissions and
ownership of each file and directory. How to read permissions and ownership will be discussed
in a future lesson.
Image 3.2.2
Add -a (or a combined -la) and the list will show hidden files or files preceded by a period (.):
Image 3.2.3
The directories are displayed in light blue and the apt entry demonstrates a symbolic link. More
about these later.
ls -R lists all the files in the directory structure.
Image 3.2.4
Note: Later in this lesson, we will examine permissions and it will explain why we get the
“Permission denied” in this screenshot.
tree
tree is the equivalent of ls -R but it is not installed by default and the output is displayed
differently from ls -R.
Image 3.2.5
cd
This command allows one to change directories. The command cd <path> will change the
directory to the one represented by <path>. In the following example, the command changes
the current path from ~ to /etc/nginx.
Image 3.2.6
There are some special symbols that can also be used:
~
represents the user’s home directory
.
is the current directory and, in short, this really doesn’t change the directory
..
is the parent of the current directory
pwd
pwd or Present Working Directory shows the full path of the current directory.
Image 3.2.7
While the CLI above displays the current directory, not all shells are configured in this way, so it
is a useful tool in helping you determine what directory you are in.
cp <source> <destination>
cp is short for copy and, as shown above, it requires you to include the <source> and
<destination>.
Image 3.2.8
Now if you want to copy a directory and its contents, you include the -R switch. With this switch,
the copy command will traverse the entire directory structure. Without it, only the directory is
copied, but none of its contents are.
Image 3.2.9
mv <source> <destination>
mv is short for move. Like copy, it requires a <source> and <destination> and these can
either be directories or files. Keep in mind, unlike cp, mv does not require the -R switch when
moving a directory to another path. Moving a directory includes all of the contents within itself
and subordinate directories.
Image 3.2.10
ln -s <source> <target_link>
ln is a command for creating a symbolic link. Unlike a shortcut in Windows, Linux treats a
symbolic link as if a file or directory exists where the symbolic link resides.
Image 3.2.11
Looking at the file permissions, you see an l in the first position, which signifies a link rather than a
standard file (annotated by a hyphen (-)) or a directory (annotated by a d).
rm <filename>
rm is short for remove. Just like del in Windows, it is used for deleting files and directories.
The -r, -R, or --recursive flag tells rm to walk through the subordinate
directories and delete the files with the given filename. If you try to delete a directory that is not empty,
you receive an error and the rm command fails. The -f or --force flag overrides this limitation
and deletes the directory regardless of whether it is empty or not.
Image 3.2.12
mkdir <directory_name>
Short for make directory, mkdir is used to create a directory. If <directory_name> is a path,
the command creates the last directory in the path. With the -p or --parents flag, mkdir will
create all of the folders that do not currently exist in the path.
Image 3.2.13
rmdir <directory_name>
Short for remove directory, this command does the opposite of make directory. With the -p or
--parents flag, the command will delete all of the directories in the path as long as your
account has the necessary permissions to do so.
Image 3.2.14
touch <file_name>
The touch command creates <file_name>. The file will be empty. This is useful for creating
files that will receive output from other sources (e.g., log files).
Image 3.2.15
chmod [-R] <permissions> <target>
chmod is short for change mode. Mode refers to the permissions individuals have regarding the
file or directory. There are three basic permissions and four classifications of users change
mode can affect. The three permissions are read, write, and execute. Each of these permissions
has a numeric value and a letter designation. Read is r or 4. Write is w or 2. Execute is x or 1.
The different user classifications are user/owner (u), group (g), others (o), or all (a).
When setting the mode of a file you can set it for all three classifications or an individual
classification. For the former (also known as the octal mode), it is simply a matter of adding the
values you want to set together for each classification. For the latter (also known as the
symbolic mode), the following chart shows multiple examples of how this can be achieved.
In order to ...             The Octal Value is   The Symbolic Value is
Assign full access          7                    +wrx
Assign read and write       6                    +wr
Assign read and execute     5                    +rx
Assign read only            4                    +r
Assign write and execute    3                    +wx
Assign write only           2                    +w
Assign execute only         1                    +x
Revoke permissions          0                    -rwx
Image 3.2.16
A few things to keep in mind:
● If you want to change the permissions of all files in a directory, use the -R flag with the directory as the target.
● All folders must have the execute permission, for otherwise their contents cannot be explored.
● When assigning different symbolic values, separate them with commas and no spaces (e.g., o+wr,g-w,o-wrx).
● Watch the short video below this next section to see some examples.
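The octal and symbolic forms above, exercised on a constructed temporary tree and checked with stat; this is an added example, not from the original guide, and it assumes GNU coreutils (stat -c) on Linux.

```shell
#!/bin/sh
# Added example (not part of the original guide): octal vs. symbolic chmod,
# verified by reading the resulting mode back with GNU stat.
set -eu

# Print the octal mode of a path, e.g. "640".
mode_of() {
    stat -c '%a' "$1"
}

demo_chmod() {
    work=$(mktemp -d)                       # constructed scratch tree
    mkdir -p "$work/logs/sub"
    touch "$work/logs/app.log" "$work/logs/sub/err.log"

    # Octal mode: one digit per class (user, group, other); each digit is the
    # sum of r=4, w=2, x=1. 640 = user rw (4+2), group r (4), other nothing (0).
    chmod 640 "$work/logs/app.log"
    m1=$(mode_of "$work/logs/app.log")

    # Symbolic mode: adjust one class at a time, several changes separated by
    # commas (no spaces). From 640: add x for the owner, revoke r from group -> 700.
    chmod u+x,g-r "$work/logs/app.log"
    m2=$(mode_of "$work/logs/app.log")

    # -R applies the mode to the directory and everything below it. 750 keeps
    # x on the directories, so their contents can still be listed and entered.
    chmod -R 750 "$work/logs"
    m3=$(mode_of "$work/logs/sub/err.log")

    # "=" sets a class to exactly the listed bits: others become read-only -> 754.
    chmod o=r "$work/logs/app.log"
    m4=$(mode_of "$work/logs/app.log")

    rm -rf "$work"
    echo "$m1 $m2 $m3 $m4"                  # prints "640 700 750 754"
}
```

Run demo_chmod on its own; each number is the mode stat reports after the corresponding chmod.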
Watch the short video below this next section to see some examples.
chown [-R] <owner>[:<group>] <target>
Short for change owner, this command allows you to change the owner (and group owner) of a
file or directory. The -R flag will make the change recursively to all files and directories
subordinate to the directory you target.
Image 3.2.17
Video 3.2 in course
chgrp [-R] <group> <target>
Short for change group, this command allows you to change the group owner of a file or
directory. The -R flag will make the change recursively to all files and directories subordinate to
the directory you target.
Image 3.2.18
cat <target>, zcat <target>
Short for concatenate, this command displays the contents of the target file.
Image 3.2.19
You can display multiple files with one command.
Image 3.2.20
zcat performs the same function as cat but with compressed files.
less <target>, zless <target>
Similar to cat, less lets you control how you scroll through a document you are viewing. It also
affords you the ability to search forward using the forward slash (/) or search backwards with
question mark (?). zless, like zcat, lets you look at a compressed file and provides all of the
functionality of less.
head
The head command displays the first few lines of a document, 10 by default. It is similar to cat, but it just
dumps those 10 lines to the screen and exits.
Image 3.2.21
The -n n or --lines=n option displays n lines instead of the default. Instead of
specifying the number of lines, you can specify the number of bytes to display with -c n or
--bytes=n.
tail
The reverse of head is tail. It shows the last 10 lines of the file. You can use the same
switches I mentioned for the head command. Another useful flag to use with tail is -f. This flag
keeps the file open and continues refreshing what appears in the terminal as
content is added to the file. This is a very useful feature when you want to continuously monitor
a log file, particularly when you are trying to troubleshoot why a script fails or what errors are
generated when interacting with a service.
diff <file1> <file2>
Short for difference, diff compares two files and displays the differences between them.
Image 3.2.22
zdiff <file1.gz> <file2.gz>
Performs the same function as diff, but it compares two compressed files.
echo <string>
echo displays a string in the terminal. This can be the value of a variable or a string. You can
also redirect the string to a file with the greater than symbol (>) followed by a file name replacing
its current content. If you use a double greater than (>>) the echo is appended to the contents of
the target file. Be careful when using this functionality because of the overwrite nature of the first
option.
Image 3.2.23
wc <target>
Short for word count, this command counts and reports back the number of lines, words, and
characters in the document.
Image 3.2.24
clear
Serves the same function as the Windows cls command. It simply refreshes the terminal screen, bringing the
command line up to the top of the terminal.
history
As the name implies, it displays a series of the most recent commands entered. The default is
150 lines.
Image 3.2.25
man <command>
Short for manual, this command displays a formatted help file for the command specified. The
contents of the file will generally include the flags, switches, and options you can include on the
command line. Depending on the command developer, it will go into detail about the role of the
command and how it can interact with the host. How much detail the manual file contains will
depend on the details the developer believes are useful for the user.
Image 3.2.26
Lesson 3.3: Useful Commands and How to Employ Them: Part 2
which <command>
This is a tool for locating commands. which <command> returns the full path to <command>.
Image 3.3.1
Note: which only searches for commands in the computer’s PATH.
find
find is a very versatile tool when searching for files. Its versatility comes from the switches and
options one can use to find files. One of the simplest options is the ability to specify the path to
search. Using the -name switch one can specify the <filename> with or without wildcards (*,
?, etc.). Another switch allows you to filter the search by type, with -type f for files and -type
d for directories. One of the best options is the -exec switch, with which you can search inside the
document with grep or perform an action on the document (e.g., copy it to another location).
Video 3.3A in course
file <file_name>
The file command analyzes the specified file and reports the file’s type back to the user. This
is based on the contents of the file, not on its extension.
Image 3.3.2
grep
grep is a tool for finding text inside a document. It can be a literal string or one with wildcards or
a regular expression. The -l switch suppresses displaying the line within the document and
instead displays the name of the file if it contains the term searched for. Note: The demo of
find also employs grep for advanced searches.
Image 3.3.3
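The find plus grep combination described in the find and grep sections, run over a constructed log tree; this is an added example, not from the original guide, and the log lines, paths and the search term "Failed password" are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original guide): use find to narrow by
# location, name and type, then grep -l to report only files containing a term.
set -eu

# Build a small constructed log tree under a temp directory; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log/nginx" "$root/var/log/old" "$root/etc"
    # Constructed sample lines, modelled on sshd and nginx output
    cat > "$root/var/log/auth.log" <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  1 10:02:17 host sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
EOF
    cat > "$root/var/log/nginx/error.log" <<'EOF'
2024/03/01 10:05:00 [error] 812#812: *3 open() "/var/www/html/x" failed (2: No such file or directory)
EOF
    cat > "$root/var/log/old/auth.log.1" <<'EOF'
Feb 28 23:59:59 host sshd[990]: Failed password for root from 198.51.100.9 port 2222 ssh2
EOF
    cp "$root/var/log/auth.log" "$root/etc/notes.txt"   # same text, but not a *.log file
    printf '%s\n' "$root"
}

# List regular files matching *.log* under $1 that contain "$2", sorted, one per line.
# find does the filtering by type and name; grep -l prints only matching file names.
find_logs_with() {
    find "$1" -type f -name '*.log*' -exec grep -l -- "$2" {} + | sort
}

# Count matching lines across the same file set (-h drops the file-name prefix).
count_matches() {
    find "$1" -type f -name '*.log*' -exec grep -h -- "$2" {} + | wc -l | tr -d ' '
}

main() {
    root=$(make_sample_tree)
    find_logs_with "$root" 'Failed password'   # two auth logs, not notes.txt or nginx
    count_matches "$root" 'Failed password'    # 2
    rm -rf "$root"
}

main "$@"
```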
df
This utility displays a report of the different volumes on the host’s hard drives. To make the
command more useful, the -h or --human-readable switch presents the storage figures in a form that is
more easily understood.
Image 3.3.4
du
Short for disk usage, this command reports back the disk space used by the individual files in a
tree of directories. The report also includes summaries of each of the directories and the total
overall. The -h or --human-readable switches work here as with df. The -s flag provides
just the total space used in the tree. The -P or --no-dereference tells du not to follow
symbolic links.
Image 3.3.5
Image 3.3.6
tar
tar is a utility for bundling files into, and extracting them from, archive files referred to as tarballs. There
are numerous flags and switches you need to use to perform the bundling and extractions. -c or
--create tells tar to create a tarball while -x or --extract extracts the files. You can also
compress and uncompress the tarball with a flag for the particular compression algorithm. Two
standards are gzip (-z or --gzip) and bzip (-j or --bzip2). You can also verify proper
extraction or compression with the -v (verbose) flag, which lists each file as it is processed. The last flag is -f or --file for specifying the file.
Watch the following video to see tar in action.
Image 3.3.7
Video 3.3B in course
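The create, list and extract flags from the tar section, followed by a diff -r check that the extracted tree matches the original; this is an added example, not from the original guide, and it assumes GNU tar on Linux and a constructed directory named site.

```shell
#!/bin/sh
# Added example (not part of the original guide): tar round trip with -c/-t/-x,
# gzip compression (-z), and diff -r to confirm the extraction is faithful.
set -eu

# Build a constructed directory to archive; prints the parent path.
make_payload() {
    d=$(mktemp -d)
    mkdir -p "$d/site/conf"
    printf 'server_name example.test;\n' > "$d/site/conf/nginx.conf"   # constructed content
    printf 'hello\n' > "$d/site/index.html"
    printf '%s\n' "$d"
}

# -c create, -z gzip, -v list members as they are written, -f the archive name.
# -C enters the parent first so the archive stores "site/..." and not a full path.
create_tarball() {       # $1 = parent dir, $2 = archive path
    tar -czvf "$2" -C "$1" site
}

# -t lists the members without extracting, so an archive can be inspected first.
list_tarball() {
    tar -tzf "$1" | sort
}

# -x extract, -z decompress gzip, -f archive; -C chooses the destination directory.
extract_tarball() {      # $1 = archive path, $2 = destination dir
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Returns 0 when the extracted tree is identical to the original (diff -r recurses).
verify_roundtrip() {
    src=$(make_payload)
    dst=$(mktemp -d)
    create_tarball "$src" "$src/site.tar.gz" >/dev/null
    extract_tarball "$src/site.tar.gz" "$dst"
    if diff -r "$src/site" "$dst/site" >/dev/null; then ok=0; else ok=1; fi
    rm -rf "$src" "$dst"
    return $ok
}
```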
top
The top command displays real-time data about the resources in use by the host. It regularly
refreshes to provide up to the second information regarding the performance of the host.
Image 3.3.8
htop
An application similar to top but htop provides greater functionality including searches, filtering,
and a tree view to find parent and child processes. htop also provides resource bars and the
ability to use a mouse for interacting with the application.
Video 3.3 C in course
free
free displays the resources available on the server at the time the user enters the command.
Image 3.3.9
ps
ps lists a snapshot of the running processes. By default, it only shows processes owned by the
user executing the command. The -a flag shows all processes with a terminal, regardless of
the owner. The -u flag provides a more detailed report. The -x flag includes processes without a
terminal (e.g., automated services started by the host).
Image 3.3.10
The -U <username> flag lists processes owned by a particular user.
systemctl [stop|start|restart|status|enable|disable] <service_name>
The systemctl command is an administrator’s best friend when it comes to managing
services. The action options function as their names imply. start and stop run or stop the
service gracefully (see kill below for how to terminate the process). restart is a graceful
way to stop and start a process with one command. This is used when an administrator wants to
apply a configuration change to the named service. status produces a concise status of a
service regardless of whether or not it is currently running. Use enable and disable to
determine whether or not the service will start when the host reboots.
Image 3.3.11
kill
The kill command is used to stop processes that cannot be shut down cleanly. It is always
better to shut processes down with their own integrated utility. Sometimes kill won’t do it
alone. It requires the use of switches to make sure the processes are properly terminated. In
some cases, a process generates sub-processes to handle tasks. In these situations killing the
main process may not terminate the subordinate tasks. This is when the -9 flag is used.
Image 3.3.12
netstat -tulpn, ss -tulpn
The deprecated netstat command or its replacement ss lists the listening services on the host.
Image 3.3.13
nmap
nmap scans hosts for ports in a listening state. A listening service is one awaiting a connection
from a remote host.
Image 3.3.14
lsof
Another tool for finding a local machine’s open files, ports, directories, and sockets. lsof takes
the -i :<port> option to filter the results to the specified port.
Image 3.3.15
ping <hostname|ip_address>
The ping command sends a packet of data to the specified hostname or ip address and waits
for the response.
Image 3.3.16
wget <url>
The wget command downloads the file at the URL of the argument provided.
Image 3.3.17
hostname
The hostname command returns the host’s name as configured in the /etc/hostname file.
Image 3.3.18
useradd -d <home_dir> -p <password> -m <username>
The useradd command creates a new user on the host. Standard user accounts should not be
able to create a new account by default. But as a security professional, you must be aware of
this command and its syntax. Administrators use the sudo command to execute a useradd
command as the root account. More on sudo later.
The -d or --home-dir option lets you specify a special home directory in place of the default
(/home/<username>). The -m flag instructs useradd to create the home directory. The -p
<password> or --password <password> option allows the administrator to set the initial
password. There are flags for adding the user account to special groups as well as many others.
I recommend checking the documentation when you need to customize this command.
Image 3.3.19
userdel <username>
The userdel command deletes a user account from the host.
Image 3.3.20
usermod
This command allows you to update or change the settings of the user account. One of the
typical uses of usermod is to add the user to a new group or groups. The syntax for this is
usermod -a -G <group_name|group_id>,<group_name|group_id> <username>. In
this case, the -a switch tells usermod to append the new groups to the user account.
Otherwise, -G will replace current groups with the new groups.
Image 3.3.21
passwd
The passwd command lets a user reset their own password. An administrator can reset any
user’s password by specifying a username with passwd <username>.
Image 3.3.22
Note: If you are updating another user’s password, as an admin, you do not need to provide
their current one.
sudo <command and arguments>
Super User Do or sudo is a very powerful and potentially dangerous command. It allows
authorized users to execute commands as the root user, or as another user with the -u <username>
flag. To use sudo you must belong to a designated user group. This is a preconfigured security
measure. Learn more about sudo in the following video and more about securing sudo in
Cybrary’s Linux Hardening course.
Video 3.3D in course
ssh [user@]<host_ip|server_name>
Secure Shell or ssh is a secure means for connecting to remote hosts. At a minimum, you must
specify either the ip address or hostname of the remote host. I will show you how to connect
with ssh and a PKI certificate in a later lesson.
Use the -i <file_path/file_name> option when you want to use a PKI key to log into the
server. The private key (id_rsa) needs to be in the user’s .ssh directory on the local host and
the public key (authorized_keys) needs to be in the user’s .ssh directory on the remote
host.
apt [update|upgrade|autoclean|autoremove|install|purge] [package_name]
Aptitude or apt is the means for updating Ubuntu. There are multiple facets of apt. The update
option refreshes apt’s database of packages. Running the upgrade option updates any
out-of-date packages. The autoremove option removes outdated dependencies previously
installed. The install option installs the specified package(s) and purge uninstalls them.
Image 3.3.23
Video 3.3E in course