Home Audience Admin Common UNIX Commands and Tools that Enhance Security

Common UNIX Commands and Tools that Enhance Security


These powerful UNIX commands and tools fortify digital defences. Take a look.

In our current security system development environment, we have different tools and commands that are readily available for use by an engineer, especially the security engineer. Let’s explore the most popular commands and tools among these that help us protect against or monitor potential security attacks.


There are hundreds of commands that are useful for security analysts. Here are a few most commonly used ones.

  • ipconfig / ifconfig
    • Shows the configuration of the assigned network interface to the server.
    • Includes MAC address, IPv4 address, IPv6 address, default gateway, transferred and received packet sizes and dropouts, MTU or maximum transmission unit that states the maximum size of the packet the network interface can transfer, and so on.
    • The ipconfig command is used in Windows, and ifconfig is for Linux/UNIX and iOS.
  • ping
    • This is the basic command to validate the reachability of the server with the given server name or IP address.
    • It provides information on the response time to determine RTT (round trip time).
    • Usually uses ICMP protocol request and reply.
  • arp
    • Shows the local machine’s ARP (address resolution protocol) cache.
    • ARP cache displays the list of MAC addresses of the interface associated with each IP address, which the local host has communicated with recently.
    • This command can also be used to investigate a suspicious spoof attack.
  • traceroute / tracert
    • Reports the list of hops needed to be made from source to the destination host.
    • RTT is well reported.
    • tracert is a Windows command and traceroute is a Linux-based command.
    • ICMP or UDP is used in this communication.
  • route
    • Edits or views the host’s local routing table.
    • By default, all the traffic from the host is routed via the gateway router.
    • Additional entries found in this table could be suspicious.
  • getmac
    • Returns the MAC address and the list of network protocols associated with each address for all the network cards in the host.
  • pathping / mtr
    • Provides information about network latency and network loss at intermediate hops between a source and destination.
    • Is a combination of traceroute and ping commands.
    • Windows uses pathping, while Linux uses mtr commands.
  • nmap
    • This command uses diverse methods for scanning the ports and services, and for running network IP addresses.
  • netstat
    • Shows the process state of the ports in the host.
    • Is able to identify only the authorised services that are running, and the connections made from different hosts.
  • nslookup
    • Returns the query name records for the given domain name or IP address using the DNS resolver.
  • netcat
    • Enables reading and writing data between hosts.
    • One of the most powerful commands, it is considered a Swiss army knife of networking tools.
  • dnsenum
    • Returns as much information and all the IP addresses that are in use for a domain.
  • scanless
    • Scans all the services and ports that are running and open in a host.
  • curl
    • Performs data transfer over many protocols, commonly used for HTTP.
    • Other supported protocols are FTP, IMAP, LDAP, POP3, SMB, and SMTP.
  • tcpdump
    • Packet and protocol analysis are essential parts of security.
    • tcpdump can be used to capture the packets from an interface and generate the .pcap file.
    • Can filter packets to save only a selected number of frames.
  • wireshark
    • Packet capture and analysis are done using a graphical interface.
    • Captured packets can be easily analysed using wireshark.
  • hping
    • hping is an open source packet generator and analyser for TCP/IP protocol.
    • It can be used to send large volumes of TCP traffic at a target while spoofing the source IP address to appear from a random or specified user source.
    • Subset of uses of hping:
      • Firewall testing
      • Advanced port scanning
      • Remote uptime guessing
      • TCP/IP stack auditing
  • tcpreplay
    • Replays the previously captured traffic, which is saved in a .pcap file in the network interface.
  • lsattr
    • Displays the information on the attributes of the specific device or type of the device.
  • dig
    • This is the abbreviation for ‘domain information groper’.
    • Like nslookup, it is used for querying the information about the domain from the DNS. The difference is that nslookup can be used for one server whereas dig can return the results of multiple servers at the same time.
  • lsof
    • Returns the list of open files and the processes that have opened them.
    • This command is used in UNIX-like operating systems.
  • dd
    • Allows copying raw data from one source disk to another.
    • Called as ‘disk/data duplicator’.
  • openssl
    • OpenSSL is an open source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.
  • memdump
    • Displays a hexadecimal memory dump defined by a starting address and specified number of bytes.
  • free
    • Displays the total amount of free space available, along with the amount of memory used and swap memory in the system, and also the buffers used by the kernel.
  • ssh
    • Provides a secure encrypted connection between two hosts over an insecure network.
  • nbtstat
    • Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache.
    • Helps troubleshoot NetBIOS name resolution issues.
    • Displays the name of the current host system, and only root user authority can set the host name.
  • top
    • Shows the real-time view of the processes running on the system.
  • systeminfo / uname
    • Displays the information about the host, such as processor, kernel details, and operating system details.


Here are a few commonly used tools for enhancing security in digital networks.


  • This remote security scanning tool scans and raises alerts if any vulnerabilities that malicious attackers could exploit are found.
  • These include sensitive information, unauthorised control, misconfiguration, denial of service vulnerabilities, vulnerable passwords, and so on.


  • Metasploit is an open source exploit framework, though it also has the enterprise edition for performing ethical hacking.
  • It provides information on security vulnerabilities and allows customisation for penetration testing on networks and systems.


  • This framework has been developed for penetration testing and evidence gathering.
  • It saves time by automating the execution of open source or commercial tools and viewing the results in web reports.


  • This command-line tool acts as a search engine for the given domain and finds the list of email accounts, subdomain names, virtual hosts, open ports and employee details.
  • It gathers this information from public sources.


  • Fileless attacks occur in the memory without writing into disks. fireELF is an open source fileless malware framework that injects fileless exploit payloads into a cross-platform host.


  • This open source exploit framework provides vulnerability scanners that are dedicated for embedded systems.
  • It allows penetration testing operations such as:
    • exploits: Modules taking advantage of vulnerabilities
    • creds: Modules to test credentials
    • scanners: Modules to check if any vulnerability is found to exploit
    • payloads: Modules for generating payloads for various architecture and injection points
    • generic: Modules to perform general attacks


  • BeEF is the abbreviation of ‘browser exploitation framework’ and is used for recovering web sessions and exploiting client side scripting, including mobile clients.
  • This penetration testing tool focuses only on web browsers.


  • This is the most popular open source web application and mobile security scanner tool, used by both developers and penetration testers.


  • This open source comprehensive scanning and exploit tool has been developed exclusively for Amazon, for AWS penetration testing.


  • Cuckoo is an open source malware analysis tool, used to launch malware in a secure and isolated environment.
  • Providing a file to the command Cuckoo returns the result of the complete impact when the file is executed in an isolated environment.


  • WinHex is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.
  • An advanced tool for everyday and emergency use, it inspects and edits all kinds of files, and recovers deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.

FTK Imager

  • This data preview and imaging tool lets you quickly assess electronic evidence for further analysis.


  • Autospy is a digital forensics platform and graphical interface for digital forensics tools.
  • It is used by the law enforcement, military, and corporate examiners to investigate what happened on a computer, and can recover photos from a camera’s memory card.


  • This tool allows users to ‘sniff’ or monitor their internet traffic in real time, capturing all the data flowing to and from their computer.
  • By recording packets, they can trace connection states to the exact point at which these fail, which may help to diagnose some types of problems that are otherwise difficult to detect.


  • Brutus is one of the most powerful, fastest, and flexible remote password cracking tools.
  • This password cracker bangs against network services of remote systems, trying to guess passwords by using a dictionary and permutations thereof.
  • It supports protocols like HTTP, POP3, FTP, SMB, TELNET, IMAP, and NNT.

Cain and Abel

  • Cain and Abel is a password recovery tool for Microsoft Windows, used to recover many kinds of passwords using methods such as network packet sniffing. It attempts to crack various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
  • Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.

John the Ripper

  • John the Ripper is a password-cracking tool for UNIX-based systems.
  • It is designed to test password strength and brute-force encrypted (hashed) passwords, as well as crack passwords using dictionary attack methods.
  • It takes text string samples from a word list using common dictionary words or common passwords, and also works with encrypted passwords.

THC Hydra

  • THC Hydra is a parallelised network login cracker.
  • It works by using different approaches to perform brute-force attacks in order to guess the right user name and password combination.


  • Powershell is for Windows and Bash is for Linux-based operating systems. These are used for task automation consisting of the execution of command-line tools.


  • Python is a useful programming language for cybersecurity professionals because it can perform a variety of cybersecurity functions, like malware analysis, penetration testing, and scanning.



Please enter your comment!
Please enter your name here