By Charles Joseph | Cybersecurity Researcher
Published on January 22nd, 2024
This post was updated on February 29th, 2024
User Accounts
Linux Command | Windows Command | Description |
---|---|---|
cat /etc/passwd | net user | List user accounts |
passwd -S [user_name] | net user [username] | Check password status for a user |
lastlog | quser | Show the most recent logins |
last | quser | Show last logged-in users |
who | query user | Show who is logged on |
w | query user | Show who is logged on and what they are doing |
Log Entries
Linux Command | Windows Command | Description |
---|---|---|
cat /var/log/messages | Get-EventLog System | Show system messages |
cat /var/log/auth.log | Get-EventLog Security | Show user authentication logs |
cat /var/log/secure | Get-EventLog Security | Show authentication log for Red Hat-based systems |
cat /var/log/boot.log | Get-WinEvent -LogName System | Show system boot log |
cat /var/log/dmesg | Get-WinEvent -LogName System | Show kernel ring buffer log |
cat /var/log/kern.log | Get-WinEvent -LogName System | Show kernel log |
System Resources
Linux Command | Windows Command | Description |
---|---|---|
top | tasklist | Display Linux tasks |
htop | tasklist | Interactive process viewer |
uptime | systeminfo | Show system uptime |
ps aux | tasklist /v | Show currently running processes |
pstree | tasklist /FI "STATUS eq RUNNING" | Show running processes as a tree |
free -m | systeminfo | Show memory usage in MB |
Processes
Linux Command | Windows Command | Description |
---|---|---|
ps -ef | tasklist /v | Display all currently running processes |
pstree -p | tasklist /FI "STATUS eq RUNNING" | Display processes in a tree format with PIDs |
top -n 1 | tasklist | Display top processes |
ps -eo pid,tt,user,fname,rsz | tasklist /fo LIST | Show processes in custom format |
lsof -i | netstat -ano | List open files associated with network connections |
Services
Linux Command | Windows Command | Description |
---|---|---|
chkconfig --list | sc query | List all services and their states |
service --status-all | sc queryex type= service | Show status of all services |
systemctl list-units --type=service | Get-Service | List running services (systemd) |
Files
Linux Command | Windows Command | Description |
---|---|---|
ls -alh | dir /a | Show all files in human-readable format |
find / -name [filename] | dir /s [filename] | Find a specific file |
find / -mtime -[N] | forfiles /P directory /S /D -[N] | Find files modified in the last N days |
find / -atime -[N] | forfiles /P directory /S /D -[N] | Find files accessed in the last N days |
find / -size +[N]c | forfiles /P directory /S /M * /C "cmd /c if @fsize gtr [N] echo @path" | Find files larger than N bytes |
Network Settings
Linux Command | Windows Command | Description |
---|---|---|
ifconfig -a | ipconfig /all | Show all network interfaces |
netstat -antup | netstat -ano | Show active network connections |
iptables -L -n -v | netsh advfirewall firewall show rule name=all | Show all firewall rules |
route -n | route print | Show routing table |
ss -tuln | netstat -an | Show listening ports and established connections |
Additional Commands
Linux Command | Windows Command | Description |
---|---|---|
grep :0: /etc/passwd | net localgroup administrators | Find root accounts |
find / -nouser -print | dir /s /q C:\ \| findstr /i "no owner" | Find files with no user |
cat /etc/shadow | N/A | View encrypted passwords and account expiration info |
cat /etc/group | net localgroup | View group information |
cat /etc/sudoers | N/A | View sudoers file |
tail /var/log/auth.log | Get-EventLog Security -Newest 10 | View the last few entries in the authentication log |
history \| less | doskey /history | View command history |
cat /proc/meminfo | systeminfo | Display memory information |
cat /proc/mounts | mountvol | Display mounted filesystems |
lsof -p [pid] | tasklist /fi "pid eq [pid]" | List open files for a process (specific PID) |
service --status-all | sc queryex type= service | List all services and their status |
cat /etc/crontab | schtasks | View the cron table for scheduled tasks |
more /etc/resolv.conf | ipconfig /displaydns | View DNS settings |
more /etc/hosts | type C:\Windows\System32\drivers\etc\hosts | View host file entries |
iptables -L -n | netsh advfirewall firewall show rule name=all | List all firewall rules without resolving IP addresses |
find /home/ -type f -size +512k -exec ls -lh {} \; | forfiles /P C:\Users /S /M * /C "cmd /c if @fsize gtr 524288 echo @path" | Find files larger than 512KB in home directories |
find /etc/ -readable -type f 2>/dev/null | icacls C:\Windows\System32\drivers\etc\* | Find readable files in the etc directory |
find / -mtime -2 -ls | forfiles /P C:\ /S /D -2 | Find files modified in the last 2 days |
netstat -nap | netstat -ano | Show network connections and associated programs |
arp -a | arp -a | View the ARP table |
echo $PATH | echo %PATH% | Display the PATH environment variable |
QUOTE:
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional