I'd like to compile basic commands that you use every day. I'm interested in command-line examples with or without explanation just to see what level of command-line knowledge is expected these days. It can be any tool and operating system.
Here is a simple list to get it started and see what we come up with at the end. It should be interesting.
Acquire image
dcfldd if=\\.\PhysicalDrive0 of=d:\imagefile.raw conv=noerror,notrunc hash=md5,sha1 hashlog=d:\imagefile.hash
ftkimager.exe \\.\physicaldrive1 c:\temp\image-encrypted --verify --print-info --e01 --outcert pub-cer.cer
ftkimager.exe \\.\physicaldrive1 c:\temp\image-encrypted-fragmented --frag 640M --e01 --outcert c:\temp\public.cer
ftkimager.exe c:\temp\image-ftkimager.E01 --verify
dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress
dd if=\\.\Volume{c18588c0-02e9-11d8-853f-00902758442b} of=c:\temp\usb1.img bs=1M
dd if=\\?\Device\CdRom0 of=c:\temp\disc1.iso bs=1M
Verify image
dcfldd if=\\.\PhysicalDrive0 vf=d:\imagefile.raw
type image1.001 image1.002 image1.003 image1.004|md5sum
cat image1.*|md5sum
Acquire memory
dd.exe if=\\.\PhysicalMemory of="\\path\mem.dd" conv=noerror --md5sum --verifymd5 --md5out="\\path\mem.dd.md5" --log="\\path\mem.dd_audit.log"
Remote acquisition
dcfldd if=\\.\PhysicalDrive0 conv=noerror,notrunc |nc <IP> <PORT>
Turn on/off hibernation
powercfg.exe -h off
powercfg.exe -h on
List available drives
ftkimager.exe --list-drives
wmic diskdrive get name, size, model
Wipe drive with FAU
wipe -w 00 \\.\physicaldrive1
Remotely determine logged in user
wmic /node:remotecomputer computersystem get username
List running processes
wmic process list brief
tasklist /svc
Kill a process
wmic process where name="cmd.exe" delete
Determine open shares
net share
wmic share list brief
Determine IP address
ipconfig
ifconfig
Get a new IP address
ipconfig /release
ipconfig /renew
Remotely display machine’s MAC address
wmic /node:machinename nic get macaddress
Remotely list running processes every second
wmic /node:machinename process list brief /every:1
Remotely display System Info
wmic /node:machinename computersystem list full
Disk drive information
wmic diskdrive list full
wmic partition list full
Bios info
wmic bios list full
List all patches
wmic qfe
Look for a particular patch
wmic qfe where hotfixid="KB958644" list full
Remotely List Local Enabled Accounts
wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
Start a service remotely
wmic /node:"machinename 4" service lanmanserver CALL Startservice
sc \\machinename start lanmanserver
List services
wmic service list brief
sc \\machinename query
Disable startup service
sc config example start= disabled
List user accounts
wmic useraccount list brief
Enable RDP remotely
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
List number of times a user logged on
wmic netlogin where (name like "%adm%") get numberoflogons
Query active RDP sessions
qwinsta /server:192.168.1.1
Remove active RDP session ID 2
rwinsta /server:192.168.1.1 2
Remotely query registry for last logged in user
reg query "\\computername\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
List all computers in domain "blah"
dsquery computer "OU=example,DC=blah" -o rdn -limit 6000 > output.txt
Reboot
shutdown /r /t 0
Shutdown
shutdown /s /t 0
Remotely reboot machine
shutdown /m \\192.168.1.1 /r /t 0 /f
Copy entire folder and its contents from a remote source to local machine
xcopy /s \\remotecomputer\directory c:\local
robocopy %SOURCEDRV% %DESTDRV% /E /XO /R:1 /W:3 /V /purge /log:logfile.txt
Find location of file with string "blah" in file name
dir c:\ /s /b | find "blah"
Spawn a new command prompt
start cmd
Determine name of a machine with known IP
nbtstat -A 192.168.1.1
Find directory named blah
dir c:\ /s /b /ad | find "blah"
Command line history
F7
doskey /h > logfile.txt
Display ADS with dir
dir /s /r
Performance measures
In PowerShell: Measure-Command {Start-Process ProcessName -Wait}
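Added example, not from the original post: the "Verify image" checks above (dcfldd with vf=, or `cat image1.* | md5sum` over a split image) as a small Python helper. It walks the segments in numeric order (so image1.010 never sorts before image1.002), reads every byte once while feeding MD5 and SHA-1 at the same time, and compares the results against the hashlog written at acquisition. The `Total (md5): <hex>` line format is assumed from dcfldd's hashlog output; file names are placeholders.

```python
import hashlib
import re
from pathlib import Path

# Split raw images look like image1.001, image1.002, ...; a plain .raw/.dd
# file has no numeric extension and is treated as a single segment.
SEGMENT_RE = re.compile(r"\.(\d+)$")

# dcfldd hashlog lines (assumed format): "Total (md5): <hex>", "Total (sha1): <hex>"
HASHLOG_LINE = re.compile(r"^\s*Total\s*\((\w+)\)\s*:\s*([0-9a-fA-F]+)\s*$")


def segment_sort_key(path):
    """Order segments by their numeric suffix, not lexicographically."""
    m = SEGMENT_RE.search(path.name)
    return (int(m.group(1)) if m else 0, path.name)


def find_segments(first_segment):
    """Given any one segment (or an unsplit image), return all segments in order."""
    first_segment = Path(first_segment)
    if not SEGMENT_RE.search(first_segment.name):
        return [first_segment]
    stem = SEGMENT_RE.sub("", first_segment.name)
    segs = [p for p in first_segment.parent.iterdir()
            if p.is_file() and SEGMENT_RE.search(p.name)
            and SEGMENT_RE.sub("", p.name) == stem]
    return sorted(segs, key=segment_sort_key)


def read_segments(paths, chunk_size=1 << 20):
    """Yield the image as one contiguous byte stream across all segments."""
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                yield chunk


def hash_stream(chunks, algorithms=("md5", "sha1")):
    """Feed every chunk to all requested digests in a single pass.
    Returns {"md5": hex, "sha1": hex, ..., "bytes": total_length}."""
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for chunk in chunks:
        total += len(chunk)
        for d in digests.values():
            d.update(chunk)
    out = {name: d.hexdigest() for name, d in digests.items()}
    out["bytes"] = total
    return out


def parse_hashlog(text):
    """Extract {algorithm: hex} from a dcfldd-style hashlog; other lines are ignored."""
    found = {}
    for line in text.splitlines():
        m = HASHLOG_LINE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def compare_digests(computed, recorded):
    """Per-algorithm verdict for every digest recorded at acquisition time."""
    return {alg: computed.get(alg) == recorded[alg] for alg in recorded}


def verify_image(first_segment, hashlog_text):
    """Recompute the recorded digests over the image and compare.
    Returns (all_match, details); details names the segments actually read."""
    recorded = parse_hashlog(hashlog_text)
    algs = tuple(a for a in recorded if a in hashlib.algorithms_available)
    if not algs:
        return False, {"error": "no usable Total (...) lines in hash log"}
    segments = find_segments(first_segment)
    computed = hash_stream(read_segments(segments), algs)
    results = compare_digests(computed, {a: recorded[a] for a in algs})
    details = {"segments": [p.name for p in segments],
               "bytes": computed["bytes"], "results": results}
    return all(results.values()), details


if __name__ == "__main__":
    # Usage: python verify_image.py d:\imagefile.raw d:\imagefile.hash
    import sys
    ok, info = verify_image(sys.argv[1], Path(sys.argv[2]).read_text())
    print("MATCH" if ok else "MISMATCH", info)
```

Any image segment that is missing or out of place shows up as a mismatch together with the segment list, which is the thing you want in the notes before you sign off on an acquisition.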
If I may
Find location of file with string "blah" in file name
dir c:\ /s /b | find "blah"
Find directory named blah
dir c:\ /s /b /ad | find "blah"
dir c:\ /s /b | find /i "blah"
dir c:\ /s /b /ad | find /i "blah"
jaclaz
dir f:\blahblah.* /s /p
Linux I have to look up each time I use it (which is fairly rare).
Get-ChildItem -Recurse -Force $filePath -ErrorAction SilentlyContinue | Where-Object { ($_.PSIsContainer -eq $true) -and ( $_.Name -like "blahblah") }
This should (<- operative word) work for Powershell.
Didn't see this for working with OS X
To prevent auto mount of a device
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist
Toggle unload/load