Cyber Ops Quick Reference

Cybersecurity Ops with bash

Attack, Defend, and Analyze from the Command Line


grep
Search the contents of files

  -c    Count matching lines
  -E    Enable extended regex
  -i    Ignore case
  -P    Enable Perl regex
  -R    Recursively search

Regular Expressions

  Character   Meaning
  .           Single wildcard character
  ?           Preceding item is optional
  *           Match the preceding item zero or more times
  +           Match the preceding item one or more times
  ^           Anchor pattern to the beginning of the string
  $           Anchor pattern to the end of the string
  [ ]         Character classes and ranges
  ( )         Group
  { }         Quantifier

uniq
Remove duplicate lines from a file

  -c    Print number of times line is repeated
  -f    Ignore the specified number of fields
  -i    Ignore case

join
Combine two files

  -j    Join using specified field
  -t    Field delimiter

sdiff
Compare two files

  -a    Treat files as text
  -i    Ignore case
  -s    Suppress common lines
  -w    Max characters to output per line

tr
Translate one character to another

  -d    Delete character
  -s    Squeeze repeated characters

find
Search the system for files

  -exec    Execute specified command for each file found
  -name    Search by filename
  -size    Search by file size
  -type    Search by file type

curl
Network data transfer

  -A    Specify user agent
  -d    Send using HTTP POST
  -G    Send using HTTP GET
  -I    Only fetch header
  -L    Follow redirects
  -s    Do not show errors

vi commands

  b      Back one word
  cc     Replace current line
  cw     Replace current word
  dw     Delete current word
  dd     Delete current line
  w      Forward one word
  :q!    Quit without save
  :wq    Quit with save
  /      Search forward
  ?      Search backward
  n      Find next occurrence

base64
Encode/decode data using Base64

  -d    Decode

file
Identify file type by magic number

  -f    Read list from specified file
  -k    List all type matches
  -z    Look inside compressed files

cut
Extract portions of data from a file

  -c    Character(s) to extract
  -d    Field delimiter
  -f    Field(s) to extract

head
Output the first few lines/bytes of file

  -n    Number of lines to output
  -c    Number of bytes to output

tail
Output the last few lines of a file

  -f    Continuously monitor end of file
  -n    Number of lines to output

sort
Order the lines of a file

  -r    Sort in descending order
  -f    Ignore case
  -n    Use numerical ordering
  -k    Sort based on key
  -o    Write output to file

xxd
Display file in binary or hexadecimal

  -b    Display using binary rather than hex
  -l    Print specified number of bytes
  -s    Start printing at specified position

wevtutil
View and manage Windows logs

  el     Enumerate available logs
  qe     Query a log’s events
  /c     Specify max number of events
  /f     Format output as XML
  /rd    Read direction, if true read most recent first

Paul Troncone & Carl Albing, Ph.D. Command Quick Reference https://www.rapidcyberops.com
Output

  Writing to the screen

    echo 'Hello World'
    printf 'Hello World\n'

Format Strings

  Format strings for printf

    %s    String
    %d    Decimal
    %f    Floating point
    %x    Hexadecimal
    \n    Newline
    \r    Carriage return
    \t    Horizontal tab

Positional Parameters

  Script parameters

    $#    Number of parameters
    $0    Name of the script
    $1    First parameter
    $2    Second parameter
    …

  Default parameters

    MYVAR=${1:-Cake}

    Note: If parameter 1 is unset, the value of MYVAR will default to Cake

User Input

  Read from stdin

    read MYVAR

  Prompting

    read -p 'Name: ' USRNAME

  Reading a File

    while IFS="" read MYLINE
    do
        echo "$MYLINE"
    done < "somefile.txt"

    Note: IFS="" preserves whitespace

Variables

  Declaring a Variable

    MYVAR='Hello'

  Referencing a Variable

    echo $MYVAR
    echo "$MYVAR World"

  Assigning Shell Output

    CMDOUT=$(pwd)

If Statements

  Command conditional (cmd will return 0 if success)

    if cmd
    then
        some cmds
    else
        other cmds
    fi

  File and numeric conditionals

    if [[ -e $FILENAME ]]
    then
        echo $FILENAME exists
    fi

    File Test   Use
    -d          Directory exists
    -e          File exists
    -r          File is readable
    -w          File is writable
    -x          File is executable

    Numeric Test   Use
    -eq            Equal
    -gt            Greater than
    -lt            Less than

While Loop

    i=0
    while (( i < 1000 ))
    do
        echo $i
        let i++
    done

For Loop

  Numerical looping

    for ((i=0; i < 1000; i++))
    do
        echo $i
    done

  Iterating over a list

    for VAL in 20 3 dog 7
    do
        echo $VAL
    done

Case Statement

    case $MYVAR in
        "carl")
            echo 'Hi Carl!'
            ;;
        "paul")
            echo 'Hi Paul!'
            ;;
        *) # default
            echo 'Goodbye'
            exit
            ;;
    esac

Functions

  Declaring a function

    function myfun ()
    {
        # function body
        echo 'This is myfun()'
    }

  Invoking a function

    myfun param1 param2

Paul Troncone & Carl Albing, Ph.D. bash Quick Reference https://www.rapidcyberops.com
