What is your most c...
 
Notifications
Clear all

What is your most common command line syntax you use

5 Posts
5 Users
0 Likes
585 Views
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
Topic starter
 

I'd like to compile basic commands that you use every day. I'm interested in command-line examples with or without explanation just to see what level of command-line knowledge is expected these days. It can be any tool and operating system.

Here is a simple list to get it started and see what we come up with at the end. It should be interesting.

Acquire image
dcfldd if=\\.\PhysicalDrive0 of=d\imagefile.raw conv=noerror,notrunc hash=md5,sha1 haslog=d\imagefile.hash
ftkimager.exe \\.\physicaldrive1 c\temp\image-encrypted –verify –print-info –e01 –outcert pub-cer.cer
ftkimager.exe \\.\physicaldrive1 c\temp\image-encrypted-fragmented –frag 640M –e01 –outcert c\temp\public.cer
ftkimager.exe c\temp\image-ftkimager.E01 –verify
dd if=\\?\Device\Harddisk1\Partition0 of=c\temp\usb2.img bs=1M –size –progress
dd if=\\.\Volume{c18588c0-02e9-11d8-853f-00902758442b} of=c\temp\usb1.img bs=1M
dd if=\\?\Device\CdRom0 of=c\temp\disc1.iso bs=1M

Verify image
dcfldd if=\\.\PhysicalDrive0 vf=d\imagefile.raw
type image1.001 image1.002 image1.003 image1.004|md5sum
cat image1.*|md5sum

Acquire memory
dd.exe if=\\.\PhysicalMemory of="\\path\mem.dd" conv=noerror –md5sum –verifymd5 –md5out="\\path\mem.dd.md5" –log="\\path\mem.dd_audit.log"

Remote acquisition
dcfldd if=\\.\PhysicalDrive0 conv=noerror,notrunc |nc <IP> <PORT>

Turn on/off hibernation
powercfg.exe -h off
powercfg.exe -h on

List available drives
ftkimager.exe –list-drives
wmic diskdrive get name, size, model

Wipe drive with FAU
wipe -w 00 \\.\physicaldrive1

Remotely determine logged in user

wmic /noderemotecomputer computersystem get username

List running processes
wmic process list brief
tasklist /svc

Kill a process
wmic process where name="cmd.exe" delete

Determine open shares
net share
wmic share list brief

Determine IP address
ipconfig
ifconfig

Get a new IP address
ipconfig /release
ipconfig /renew

Remotely display machine’s MAC address
wmic /nodemachinename nic get macaddress

Remotely list running processes every second
wmic /nodemachinename process list brief /every1

Remotely display System Info
wmic /nodemachinename computersystem list full

Disk drive information
wmic diskdrive list full
wmic partition list full

Bios info
wmic bios list full

List all patches
wmic qfe

Look for a particular patch
wmic qfe where hotfixid="KB958644" list full

Remotely List Local Enabled Accounts
wmic /nodemachinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Start a service remotely
wmic /nodemachinename 4 service lanmanserver CALL Startservice
sc \\machinename start lanmanserver

List services
wmic service list brief
sc \\machinename query

Disable startup service
sc config example disabled

List user accounts
wmic useraccount list brief

Enable RDP remotely
wmic /node"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections=“0” call SetAllowTSConnections “1”

List number of times a user logged on
wmic netlogin where (name like "%adm%") get numberoflogons

Query active RDP sessions
qwinsta /server192.168.1.1

Remove active RDP session ID 2
rwinsta /server192.168.1.1 2

Remotely query registry for last logged in user
reg query "\\computername\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName

List all computers in domain “blah”
dsquery computer "OU=example,DC=blah" -o rdn -limit 6000 > output.txt

Reboot

shutdown /r /t 0
Shutdown
shutdown /s /t 0

Remotely reboot machine
shutdown /m \\192.168.1.1 /r /t 0 /f

Copy entire folder and its contents from a remote source to local machine
xcopy /s \\remotecomputer\directory c\local
robocopy %SOURCEDRV% %DESTDRV% /E /XO /R1 /W3 /V /purge /loglogfile.txt

Find location of file with string “blah” in file name
dir c\ /s /b | find "blah"

Spawn a new command prompt
start cmd

Determine name of a machine with known IP

nbtstat -A 192.168.1.1

Find directory named blah
dir c\ /s /b /ad | find "blah"

Command line history
F7
doskey /h>logfile.txt

Display ADS with dir
dir /s /r

Performance measures
in pwershell - Measure-Command {Start-Process ProcessName -wait}

 
Posted : 20/10/2013 6:13 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I may

Find location of file with string “blah” in file name
dir c\ /s /b | find "blah"

….

Find directory named blah
dir c\ /s /b /ad | find "blah"

dir c\ /s /b | find /i "blah"

dir c\ /s /b /ad | find /i "blah"

jaclaz

 
Posted : 20/10/2013 4:45 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

dir f\blahblah.* /s/p

Linux I have to look up each time I use it (which is fairly rare).

 
Posted : 20/10/2013 9:24 pm
(@bithead)
Posts: 1206
Noble Member
 

Get-ChildItem -Recurse -Force $filePath -ErrorAction SilentlyContinue | Where-Object { ($_.PSIsContainer -eq $true) -and ( $_.Name -like "blahblah") }

This should (<- operative word) work for Powershell.

 
Posted : 20/10/2013 9:58 pm
(@sgware)
Posts: 42
Eminent Member
 

Didn't see this for working with OS X

To prevent auto mount of a device

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

Toggle unload/load

 
Posted : 20/10/2013 11:26 pm
Share: