Lesson 3.2: Useful Commands and How to Employ Them: Part 1

Lesson Objectives

● Describe the useful security-related functionality of 11 commands
● Reinforce the concept of using switches to customize the functionality and output of commands

In order to take advantage of Linux’s command-line interface (CLI), you need to know the various commands and what they can do for you. The following commands are many of the fundamental commands, along with a description of what they do. Please note, this list cannot cover the exhaustive number of switches, flags, or options one can use for each command. Therefore, I recommend you use -h, --help, or man <command> to learn more about what options are available for each command.

Before we dive into the different commands, there are a few terms and definitions you should know:

Arguments generally refers to the file, directory, or service the command is being run on.

Flags or switches are ways to customize a command. A single-letter flag is preceded by a single hyphen (-v). If the flag uses a full word, then it is preceded by two hyphens (--verbose). In some cases, flags and switches can also include options (--color=always). There are some exceptions to this, so I recommend checking a command’s documentation before executing anything. Failure to do so could result in some ugly unintended results.

ls

ls is short for list structure. It is equivalent to the dir command in DOS and Windows. On its own, the command just provides a list of the files and directories within the current directory.

Image 3.2.1

Linux uses colors to represent particular kinds of files. In the image above, the .tar.gz file is a compressed file and is displayed in red. The use of colors to indicate file types depends on how the terminal is configured.

If you use the -l flag, you will get the following output with file sizes, permissions and ownership of each file and directory. How to read permissions and ownership will be discussed in a future lesson.
Image 3.2.2

Add -a (or a combined -la) and the list will show hidden files, that is, files whose names begin with a period (.):

Image 3.2.3

The directories are displayed in light blue and the apt entry demonstrates a symbolic link. More about these later.

ls -R lists all the files in the directory structure.

Image 3.2.4

Note: Later in this lesson, we will examine permissions and it will explain why we get the “Permission denied” in this screenshot.

tree

tree is the equivalent of ls -R, but it is not installed by default and its output is displayed differently from that of ls -R.

Image 3.2.5

cd

This command allows one to change directories. The command cd <path> will change the directory to the one represented by <path>. In the following example, the command changes the current path from ~ to /etc/nginx.

Image 3.2.6

There are some special symbols that can also be used:

● ~ represents the user’s home directory
● . is the current directory and, in short, this really doesn’t change the directory
● .. is the parent of the current directory

pwd

pwd or Present Working Directory shows the full path of the current directory.

Image 3.2.7

While the CLI above displays the current directory, not all shells are configured in this way, so it is a useful tool in helping you determine what directory you are in.

cp <source> <destination>

cp is short for copy and, as shown above, it requires you to include the <source> and <destination>.

Image 3.2.8

Now if you want to copy a directory and its contents, you include the -R switch. With this switch, the copy command will traverse the entire directory structure. Without it, only the directory is copied, but none of its contents are.

Image 3.2.9

mv <source> <destination>

mv is short for move. Like copy, it requires a <source> and <destination>, and these can either be directories or files. Keep in mind, unlike cp, mv does not require the -R switch when moving a directory to another path.
Moving a directory includes all of the contents within itself and its subordinate directories.

Image 3.2.10

ln -s <source> <target_link>

ln is a command for creating a symbolic link. Unlike a shortcut in Windows, Linux treats a symbolic link as if a file or directory exists where the symbolic link resides.

Image 3.2.11

Looking at the file permissions, you see an l in the first position; it signifies a link vs. a standard file (annotated by the hyphen (-)) or a directory (annotated by the d).

rm <filename>

rm is short for remove. Just like del in Windows, it is used for deleting files and directories. The -r, -R, or --recursive flag tells rm to walk through the subordinate directories and delete the files with the filename. If you try to delete a directory that is not empty, you receive an error and the rm command fails. The -f or --force flag overrides this limitation and deletes the directory, regardless of whether it is empty or not.

Image 3.2.12

mkdir <directory_name>

Short for make directory, mkdir is used to create a directory. If <directory_name> is a path, the command creates the last directory in the path. With the -p or --parents flag, mkdir will create all of the folders that do not currently exist in the path.

Image 3.2.13

rmdir <directory_name>

Short for remove directory, this command does the opposite of make directory. With the -p or --parents flag, the command will delete all of the directories in the path, as long as your account has the necessary permissions to do so.

Image 3.2.14

touch <file_name>

The touch command creates <file_name>. The file will be empty. This is useful for creating files that will receive output from other sources (i.e., log files).

Image 3.2.15

chmod [-R] <permissions> <target>

chmod is short for change mode. Mode refers to the permissions individuals have regarding the file or directory. There are three basic permissions and four classifications of users that change mode can affect.
The three permissions are read, write, and execute. Each of these permissions has a numeric value and a letter designation. Read is r or 4. Write is w or 2. Execute is x or 1. The different user classifications are user/owner (u), group (g), others (o), or all (a). When setting the mode of a file, you can set it for all three classifications or for an individual classification. For the former (also known as the octal mode), it is simply a matter of adding together the values you want to set for each classification. For the latter (also known as the symbolic mode), the following chart shows multiple examples of how this can be achieved.

In order to …              The Octal Value is   The Symbolic Value is
Assign full access         7                    +wrx
Assign read and write      6                    +wr
Assign read and execute    5                    +rx
Assign read only           4                    +r
Assign write and execute   3                    +wx
Assign write only          2                    +w
Assign execute only        1                    +x
Revoke permissions         0                    -rwx

Image 3.2.16

A few things to keep in mind:

● If you want to change a permission of all files in a directory, use the -R flag and make the directory the target.
● All folders must have the execute permission, for otherwise their contents cannot be explored.
● When assigning different symbolic values, separate them with commas and no spaces (i.e., o+wr,g-w,o-wrx)
● Watch the short video below this next section to see some examples.

chown [-R] <owner>[:<group>] <target>

Short for change owner, this command allows you to change the owner (and group owner) of a file or directory. The -R flag will make the change recursively to all files and directories subordinate to the directory you target.

Image 3.2.17

Video 3.2 in course

chgrp [-R] <group> <target>

Short for change group, this command allows you to change the group owner of a file or directory. The -R flag will make the change recursively to all files and directories subordinate to the directory you target.

Image 3.2.18

cat <target>, zcat <target>

Short for concatenate, this command displays the contents of the target file.
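The following script is an added example, not part of the Cybrary lesson, that applies the octal and symbolic modes from the chmod chart above to scratch files and reads the result back from ls -l the way the screenshots show it. It also includes the check a security reviewer wants for a credential file (no group or other permission bits at all) and a recursive change that keeps execute on the directory, in line with the note that folders must keep execute permission. It assumes a POSIX sh with chmod, ls, cut, mktemp and touch; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lesson): octal vs. symbolic chmod, verified by
# reading the nine permission characters back from ls -l.

# Translate one octal digit (0-7) into its rwx letters, e.g. 6 -> rw-
octal_digit_to_rwx() {
  d=$1
  r=-; w=-; x=-
  [ $((d & 4)) -ne 0 ] && r=r
  [ $((d & 2)) -ne 0 ] && w=w
  [ $((d & 1)) -ne 0 ] && x=x
  printf '%s%s%s' "$r" "$w" "$x"
}

# Expand a three-digit octal mode such as 640 into rw-r----- (user, group, others)
octal_to_rwx() {
  m=$1
  printf '%s%s%s' \
    "$(octal_digit_to_rwx "$(printf '%s' "$m" | cut -c1)")" \
    "$(octal_digit_to_rwx "$(printf '%s' "$m" | cut -c2)")" \
    "$(octal_digit_to_rwx "$(printf '%s' "$m" | cut -c3)")"
}

# Apply a mode (octal or symbolic) to a scratch file and return the nine
# permission characters that ls -l prints after the file-type character.
perm_after_chmod() {
  f=$(mktemp)
  chmod "$1" "$f"
  ls -ld "$f" | cut -c2-10
  rm -f "$f"
}

# Recursive change that respects the lesson's rule about directories: the
# capital X in a symbolic mode sets execute on directories (and on files that
# already had it) but not on ordinary files, so "chmod -R u=rwX,go=rX" keeps
# the directory searchable where "chmod -R 644" would lock everyone out of it.
# Prints "<dir perms> <file perms>".
recursive_perms() {
  d=$(mktemp -d)
  touch "$d/file.txt"
  chmod -R "$1" "$d"
  printf '%s %s' "$(ls -ld "$d" | cut -c2-10)" "$(ls -l "$d/file.txt" | cut -c2-10)"
  rm -rf "$d"
}

# Defender's check: a private key or credential file must carry no group or
# other bits (the rw------- that ssh expects for ~/.ssh/id_rsa).
# Succeeds (returns 0) when the last six permission characters are hyphens.
is_owner_only() {
  case "$(perm_after_chmod "$1")" in
    ???------) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demonstration
echo "640 reads as:                     $(octal_to_rwx 640)"
echo "after chmod 640:                  $(perm_after_chmod 640)"
echo "after chmod u=rwx,g=rx,o=:        $(perm_after_chmod u=rwx,g=rx,o=)"
echo "chmod -R u=rwX,go=rX (dir, file): $(recursive_perms u=rwX,go=rX)"
is_owner_only 600 && echo "600 is owner-only"
is_owner_only 644 || echo "644 is NOT owner-only"
```

The script creates and removes its own scratch files, so it can be run anywhere a temporary directory is writable. The symbolic form with o= (an empty permission list) is the explicit way to say "others get nothing", which reads more clearly in an audit script than the equivalent octal digit.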
Image 3.2.19

You can display multiple files with one command.

Image 3.2.20

zcat performs the same function as cat but with compressed files.

less <target>, zless <target>

Similar to cat, less lets you control how you scroll through a document you are viewing. It also affords you the ability to search forward using the forward slash (/) or search backwards with the question mark (?). zless, like zcat, lets you look at a compressed file and provides all of the functionality of less.

head

The head command displays the top few lines of a document. It is similar to cat, but it just dumps those 10 lines to the screen and exits.

Image 3.2.21

The -n n or --lines=n option displays n lines instead of the default. Instead of specifying the number of lines, you can specify the number of bytes to display with -c n or --bytes=n.

tail

The reverse of head is tail. It shows the last 10 lines of the file. You can use the same switches I mentioned for the head command. Another useful flag to use with tail is -f. This flag keeps the file open and continues refreshing what appears in the terminal as content is added to the file. This is a very useful feature when you want to continuously monitor a log file, particularly when one is trying to troubleshoot why a script fails or what errors are generated when interacting with a service.

diff <file1> <file2>

Short for difference, diff compares two files and displays the differences between them.

Image 3.2.22

zdiff <file1.gz> <file2.gz>

Performs the same function as diff, but it compares two compressed files.

echo <string>

echo displays a string in the terminal. This can be the value of a variable or a literal string. You can also redirect the string to a file with the greater-than symbol (>) followed by a file name, replacing the file’s current content. If you use a double greater-than (>>), the echo output is appended to the contents of the target file.
Be careful when using this functionality because of the overwriting nature of the first option.

Image 3.2.23

wc <target>

Short for word count, this command counts and reports back the number of lines, words, and characters in the document.

Image 3.2.24

clear

Serves the same function as the Windows cls command. It simply refreshes the terminal screen, bringing the command line up to the top of the terminal.

history

As the name implies, it displays a series of the most recent commands entered. The default is 150 lines.

Image 3.2.25

man <command>

Short for manual, this command displays a formatted help file for the command specified. The contents of the file will generally include the flags, switches, and options you can include on the command line. Depending on the command’s developer, it will go into detail about the role of the command and how it can interact with the host. How much detail the manual file contains will depend on what the developer believes is useful for the user.

Image 3.2.26

Lesson 3.3: Useful Commands and How to Employ Them: Part 2

which <command>

This is a tool for locating commands. which <command> returns the full path to <command>.

Image 3.3.1

Note: which only searches for commands in the computer’s PATH.

find

find is a very versatile tool when searching for files. Its versatility comes from the switches and options one can use to find files. One of the simplest options is the ability to specify the path to search. Using the -name switch, one can specify the <filename> with or without wildcards (*, ?, etc.). Another switch allows you to filter the search by type: -type f for files, and -type d for directories. One of the best options is the -exec switch, with which you can search inside the document with grep or perform an action on the document (i.e., copy it to another location).

Video 3.3A in course

file <file_name>

The file command analyzes the specified file and reports back the file’s type to the user.
This is based on the contents of the file, not the extension of the file.

Image 3.3.2

grep

grep is a tool for finding text inside a document. The text can be a literal string, one with wildcards, or a regular expression. The -l switch suppresses displaying the matching line within the document and instead displays the name of the file if it contains the term searched for.

Note: The demo of find also employs grep for advanced searches.

Image 3.3.3

df

This utility displays a report of the different volumes on the host’s hard drives. To make the command more useful, the -h or --human-readable flag changes the storage information into a form that is more easily understood.

Image 3.3.4

du

Short for disk usage, this command reports back the disk space used by the individual files in a tree of directories. The report also includes summaries of each of the directories and the total overall. The -h or --human-readable switches work here as with df. The -s flag provides just the total space used in the tree. The -P or --no-dereference flag tells du not to follow symbolic links.

Image 3.3.5

Image 3.3.6

tar

tar is a utility for bundling files into, and extracting them from, files referred to as tarballs. There are numerous flags and switches you need to use to perform the bundling and extractions. -c or --create tells tar to create a tarball, while -x or --extract extracts the files. You can also compress and uncompress the tarball with a flag for the particular compression algorithm. Two standards are gzip (-z or --gzip) and bzip2 (-j or --bzip2). You can also verify proper extraction or compression with the -v flag. The last flag is -f or --file for specifying the file. Watch the following video to see tar in action.

Image 3.3.7

Video 3.3B in course

top

The top command displays real-time data about the resources in use by the host. It regularly refreshes to provide up-to-the-second information regarding the performance of the host.
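The find, grep -l and wc commands introduced earlier in this lesson (and tail from Part 1) come together when you triage logs on a host. The script below is an added example, not part of the Cybrary lesson: it builds a scratch directory of constructed log lines (not output captured from any real host), uses find with -exec grep -l to learn which .log files mention failed SSH logins, counts the matching lines with wc -l, and tallies the source addresses. It assumes a POSIX sh with find, grep, sed, sort, uniq, wc and mktemp; the function names and sample lines are my own.

```shell
#!/bin/sh
# Added example (not from the lesson): find + grep -l + wc for log triage.
# All log content below is constructed sample data.

# Build a scratch tree with two "log" files and one unrelated file;
# prints the directory path.
make_sample_logs() {
  d=$(mktemp -d)
  mkdir -p "$d/auth" "$d/web"
  cat > "$d/auth/auth.log" <<'EOF'
Jan 10 08:00:01 host sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
Jan 10 08:00:07 host sshd[815]: Failed password for root from 203.0.113.9 port 41000 ssh2
Jan 10 08:00:09 host sshd[815]: Failed password for root from 203.0.113.9 port 41000 ssh2
Jan 10 08:00:12 host sshd[819]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
EOF
  cat > "$d/web/access.log" <<'EOF'
10.0.0.5 - - [10/Jan/2024:08:01:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:08:01:02 +0000] "GET /login HTTP/1.1" 200 1024
EOF
  printf 'not a log\n' > "$d/README"
  printf '%s' "$d"
}

# find (by path, type and name) + grep -l: names of the .log files that
# contain the pattern. grep -l prints the filename instead of the lines.
files_with_pattern() {
  find "$1" -type f -name '*.log' -exec grep -l "$2" {} + | sort
}

# find + grep -h + wc -l: number of matching lines across all .log files
# (-h drops the filename prefix so wc counts clean lines).
count_matches() {
  find "$1" -type f -name '*.log' -exec grep -h "$2" {} + | wc -l | tr -d ' '
}

# Which source addresses produced failed logins, and how often. Pulls the
# "from <ip>" field out of the sshd line; sort | uniq -c is the classic tally.
failed_login_sources() {
  grep -h 'Failed password' "$1"/auth/*.log \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sed 's/^ *//'
}

# Stand-alone demonstration
dir=$(make_sample_logs)
echo "files mentioning 'Failed password':"
files_with_pattern "$dir" 'Failed password'
echo "matching lines: $(count_matches "$dir" 'Failed password')"
echo "failed logins per source address:"
failed_login_sources "$dir"
echo "most recent auth line (tail -n 1):"
tail -n 1 "$dir/auth/auth.log"
rm -rf "$dir"
```

On a real host you would point files_with_pattern at /var/log instead of the scratch tree; the README file shows why the -name filter matters, since it is skipped even though it would match a broad grep.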
Image 3.3.8

htop

An application similar to top, but htop provides greater functionality, including searches, filtering, and a tree view to find parent and child processes. htop also provides resource bars and the ability to use a mouse for interacting with the application.

Video 3.3C in course

free

free displays the resources available on the server at the time the user enters the command.

Image 3.3.9

ps

ps lists a snapshot of the running processes. By default, it only shows processes owned by the user executing the command. The -a flag shows all processes with a terminal, regardless of the owner. The -u flag provides a more detailed report. The -x flag includes processes beyond the terminal (i.e., automated services started by the host).

Image 3.3.10

The -U <username> flag lists processes owned by a particular user.

systemctl [stop|start|restart|status|enable|disable] <service_name>

The systemctl command is an administrator’s best friend when it comes to managing services. The action options function as their names imply. start and stop run or stop the service gracefully (see kill below for how to terminate the process). restart is a graceful way to stop and start a process with one command. This is used when an administrator wants to enable a configuration change to the named service. status produces a concise status of a service, regardless of whether or not it is currently running. Use enable and disable to determine whether or not the service will start when the host reboots.

Image 3.3.11

kill

The kill command is used to stop processes that cannot be shut down cleanly. It is always better to shut processes down with their own integrated utility. Sometimes kill won’t do it alone. It requires the use of switches to make sure the processes are properly terminated. In some cases, a process generates sub-processes to handle tasks. In these situations, killing the main process may not terminate the subordinate tasks. This is when the -9 flag is used.
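The ps and kill commands above, as an added example that is not part of the Cybrary lesson: a background sleep stands in for a service, the process name and state are read the way ps -o reports them, and the stop routine sends SIGTERM (kill's default) first and escalates to SIGKILL (-9) only when the process is still alive afterwards, which is the order an operator should follow. The "stubborn" variant ignores SIGTERM so you can see when -9 becomes necessary. It assumes a POSIX sh with kill, and ps or a Linux /proc filesystem; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lesson): inspecting a process with ps and
# stopping it with kill. SIGTERM asks the process to exit cleanly; SIGKILL
# (-9) is the last resort for one that ignores the request.

# Start a background process and record its PID in WORKER_PID.
# "stubborn" makes it ignore SIGTERM, as a hung daemon might.
start_worker() {
  if [ "${1:-}" = "stubborn" ]; then
    (trap '' TERM; exec sleep 300) &
  else
    sleep 300 &
  fi
  WORKER_PID=$!
}

# Command name of a PID: /proc/<pid>/comm on Linux, otherwise ps -o comm=
process_name() {
  if [ -r "/proc/$1/comm" ]; then
    cat "/proc/$1/comm"
  else
    ps -p "$1" -o comm= 2>/dev/null | sed 's/^ *//'
  fi
}

# One-letter process state (R, S, Z ...): third field of /proc/<pid>/stat on
# Linux, otherwise the first character of ps -o stat=
proc_state() {
  if [ -r "/proc/$1/stat" ]; then
    sed 's/.*) //' "/proc/$1/stat" | cut -c1
  else
    ps -p "$1" -o stat= 2>/dev/null | sed 's/^ *//' | cut -c1
  fi
}

# kill -0 sends no signal; it only tests whether the PID exists. A child that
# has exited but not yet been reaped still "exists" as a zombie (state Z),
# so the state is checked as well.
is_alive() {
  kill -0 "$1" 2>/dev/null || return 1
  state=$(proc_state "$1")
  [ -n "$state" ] && [ "$state" != "Z" ]
}

# Graceful first, forceful only if needed. Prints "terminated" or "killed".
stop_process() {
  pid=$1
  kill -TERM "$pid" 2>/dev/null || return 1
  sleep 1                          # give the process a moment to exit on its own
  if is_alive "$pid"; then
    kill -KILL "$pid"              # the same signal as kill -9
    sleep 1
    result=killed
  else
    result=terminated
  fi
  wait "$pid" 2>/dev/null || true  # reap it if it was our child
  printf '%s' "$result"
}

# Stand-alone demonstration
start_worker
echo "started $(process_name "$WORKER_PID") as PID $WORKER_PID, state $(proc_state "$WORKER_PID")"
command -v ps >/dev/null && ps -p "$WORKER_PID" -o pid=,ppid=,stat=,comm=
echo "polite stop:   $(stop_process "$WORKER_PID")"
start_worker stubborn
echo "stubborn stop: $(stop_process "$WORKER_PID")"
```

The trap '' TERM in the stubborn worker is what a process that has set SIGTERM to ignored looks like from the outside: kill returns success, nothing happens, and only SIGKILL, which cannot be caught or ignored, removes it. That is also why the lesson's advice holds: try the service's own stop mechanism (or systemctl stop) before reaching for kill -9, since a killed process gets no chance to flush or clean up.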
Image 3.3.12

netstat -tulpn, ss -tulpn

The deprecated netstat command or its replacement ss lists services running on the host.

Image 3.3.13

nmap

nmap scans hosts for ports in a listening state. A listening service is one awaiting a connection from a remote host.

Image 3.3.14

lsof

Another tool for finding a local machine’s open files, ports, directories, and sockets. lsof takes the -i :<port> option to filter for results on the specified port.

Image 3.3.15

ping <hostname|ip_address>

The ping command sends a packet of data to the specified hostname or IP address and waits for the response.

Image 3.3.16

wget <url>

The wget command downloads the file at the URL provided as the argument.

Image 3.3.17

hostname

The hostname command returns the host’s name as configured in the /etc/hostname file.

Image 3.3.18

useradd -d <home_dir> -p <password> -m <username>

The useradd command creates a new user on the host. Standard user accounts should not be able to create a new account by default. But as a security professional, you must be aware of this command and its syntax. Administrators use the sudo command to execute a useradd command as the root account. More on sudo later. The -d or --home-dir option lets you specify a special home directory in place of the default (/home/<username>). The -m flag instructs useradd to create the home directory. The -p <password> or --password <password> option allows the administrator to set the initial password. There are flags for adding the user account to special groups, as well as many others. I recommend checking the documentation when you need to customize this command.

Image 3.3.19

userdel <username>

The userdel command deletes a user account from the host.

Image 3.3.20

usermod

This command allows you to update or change the settings of the user account. One of the typical uses of usermod is to add the user to a new group or groups. The syntax for this is usermod -a -G <group_name|group_id>,<group_name|group_id> <username>.
In this case, the -a switch tells usermod to append the new groups to the user account. Otherwise, -G will replace the current groups with the new groups.

Image 3.3.21

passwd

The passwd command lets a user reset their own password. An administrator can reset any user’s password by specifying a username with passwd <username>.

Image 3.3.22

Note: If you are updating another user’s password as an admin, you do not need to provide their current one.

sudo <command and arguments>

Super User Do or sudo is a very powerful and potentially dangerous command. It allows authorized users to execute commands as the root user, or as another user with the -u <username> flag. To use sudo you must belong to a designated user group. This is a preconfigured security measure. Learn more about sudo in the following video, and more about securing sudo in Cybrary’s Linux Hardening course.

Video 3.3D in course

ssh [user@]<host_ip|server_name>

Secure Shell or ssh is a secure means of connecting to remote hosts. At a minimum, you must specify either the IP address or the hostname of the remote host. I will show you how to connect with ssh and a PKI certificate in a later lesson. Use the -i <file_path/file_name> option when you want to use a PKI key to log into the server. The private key (id_rsa) needs to be in the user’s .ssh directory on the local host and the public key (in authorized_keys) needs to be in the user’s .ssh directory on the remote host.

apt [update|upgrade|autoclean|autoremove|install|purge] [package_name]

Aptitude or apt is the means for updating Ubuntu. There are multiple facets of apt. The update option updates apt’s database of packages. Running the upgrade option updates any out-of-date packages. The autoremove option removes outdated dependencies previously installed. The install option installs the specified package(s) and purge uninstalls them.

Image 3.3.23

Video 3.3E in course
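Reading the output of ss -tulpn from the netstat/ss section of Part 2 is something a defender does on every host review: which services listen, on which ports, and whether they are bound to every interface or only to loopback. The script below is an added example, not part of the Cybrary lesson: it parses that output with awk, prints one line per listening socket, and separates the sockets reachable from the network from the loopback-only ones. The SAMPLE text is constructed to look like ss output and was not captured from a real host; to use it live, pipe ss -tulpn into listening_services. It assumes a POSIX sh with awk; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lesson): turning "ss -tulpn" output into a
# short inventory of listening services. SAMPLE is constructed, not real.

SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=950,fd=6))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=640,fd=6))
tcp   LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=700,fd=7))'

# Reads ss -tulpn output on stdin and prints: proto port scope process
# scope is "all" when the local address is 0.0.0.0, *, [::] or :: (every
# interface) and "local" otherwise (loopback or a single address).
listening_services() {
  awk 'NR > 1 {
    n = split($5, a, ":")                 # Local Address:Port; port is last piece
    port = a[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    scope = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") ? "all" : "local"
    proc = "-"
    if (match($0, /\("[^"]+"/))           # first ("name" inside users:(...)
      proc = substr($0, RSTART + 2, RLENGTH - 3)
    print $1, port, scope, proc
  }'
}

# Only the sockets other hosts can reach: proto port process
exposed_services() {
  listening_services | awk '$3 == "all" { print $1, $2, $4 }'
}

# Helpers that run the parser over the embedded sample.
sample_listening() { printf '%s\n' "$SAMPLE" | listening_services; }
sample_exposed()   { printf '%s\n' "$SAMPLE" | exposed_services; }

# Stand-alone demonstration
echo "all listening sockets (proto port scope process):"
sample_listening
echo
echo "reachable from the network:"
sample_exposed
```

The "all" list is the one to reconcile against what the host is supposed to offer; in the sample, the database is correctly confined to 127.0.0.1 while sshd, nginx and the DHCP client are network-facing. Binding a service to loopback, as mysqld is here, is the simplest way to keep an administrative port off the network without a firewall rule.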