Terminal tips

This page contains useful security-related command-line tools and their commands, tested on Arch Linux. Commands on other Linux-based operating systems or Windows might differ and aren’t included.

bash aliases

Bash aliases aren’t a tool but helpful when you want to execute some commands quickly. You can directly set aliases in your “~/.bashrc” file. However, we recommend creating a new file (e.g., “~/.bash_aliases”) to store your aliases.

To create an alias, just add alias [shortcut]='[command]' to your “~/.bashrc” file. For instance, on Debian-like operating systems, you can add alias ua='sudo apt update && sudo apt upgrade && sudo apt autoremove'. Then, restart your terminal window. If you enter ua now, your system executes all the three commands in succession.

If you define your aliases in a separate file, you need to add a link to your “~/.bashrc” file. To do so, add the following to your “~/.bashrc” file:

if [ -f ~/.bash_aliases ]; then
  . ~/.bash_aliases
fi

Change “~/.bash_aliases” to the name of your file. Kindly note that this file is executed to add your commands.

cheat

cheat is a small tool to create and view interactive cheat sheets using the command line. For instance, enter cheat gpg, cheat git, cheat openssl, or cheat nmap. By default, cheat sheets are stored at “~/.cheat” and can be modified.

chromium

The web browser Chromium can be configured by changing so-called switches. The switches allow you to restrict cipher suites and the TLS version used by Chromium. You could change the configuration in the terminal; however, future updates will overwrite this.

Therefore, create “~/.config/chromium-flags.conf” and add:

  • --cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0x000a,0xc013,0xc014 (disables weak cipher suites)
  • --ssl-version-min=tls1.2 (disables all TLS versions except TLS 1.2)

Use Qualys' SSL Client Test to check if all weak cipher suites are disabled.

curl

curl is a “command line tool and library for transferring data with URLs.” It is a handy multitool that supports many network protocols. Some basic commands are:

  • curl --head [domainname] displays HTTP response headers (including security-relevant headers).
  • curl --header '[header]' [domainname] adds the ‘[header]’ to your request.
  • curl --insecure https://[domainname] connects to the domain and ignores any certificate errors.
  • curl --sslv3 https://[domainname] connects to the domain using insecure SSLv3 (also works for other insecure SSL/TLS versions).
  • curl -u user:password -O ftp://[domainname]/[file] downloads a file using username and password authentication via FTP.

There are many other options. Just test it and look at man curl.

dig

dig is part of BIND and can be used to check domains for DNSSEC:

  • dig [domain-name] +multiline
    • “status” should be “NOERROR” (“SERVFAIL” means that there is a problem with the DNS server configuration, e.g., DNSSEC configuration is broken)
    • “flags” must contain “ad” (authentic data)
  • dig [domain-name] +multiline +dnssec
    • This query sets the “DNSSEC OK” (DO) bit and requests DNSSEC records to be sent, if available
    • Look for “RRSIG” resource records
  • dig [domain-name] +trace
    • This query emulates a DNS resolver. It starts from the root of the DNS hierarchy and works down using iterative DNS queries.

gpg

GnuPG is often already installed on your machine and can be used for e-mail encryption and signing. You can use it in your terminal, of course. GPG itself is an implementation of OpenPGP.

How to create an OpenPGP key

This section describes how to create a Curve25519 key using gpg 2.2.13. If you don’t know your version, open a terminal and enter gpg --version.

  • Open your terminal.
  • Enter gpg --expert --full-generate-key.
  • Select (9) ECC and ECC.
  • Select (1) Curve 25519.
  • Enter the validity period, and confirm it by entering y.
    • For e-mails, we recommend 6m (= six months).
    • for Git signing, we recommend 1y (= one year).
    • for internal use, we recommend less than 2y (= two years).
  • Enter your full name.
  • Enter your e-mail address.
    • For e-mails, you need to enter your real e-mail address.
    • For Git signing/internal use, you can enter an arbitrary address (e.g., git(at)lenka.laptop).
  • Enter a comment if needed.
  • Check everything, and confirm it.
  • Enter a passphrase used to encrypt your OpenPGP key locally. You must enter this password every time you want to decrypt/sign something.
  • After creation, save the location of the revocation certificate. You need the certificate to revoke your key if you lose access to your private OpenPGP key.
  • Your new OpenPGP key pair is ready now. Enter gpg --list-secret-keys to see it.
  • You can export your public OpenPGP key by entering gpg --armor --export [key-id] > my-public-gpg-key.asc.

Asymmetric encryption

We save our cleartext as “clear.txt.” You can also use echo 'your message', of course. The ciphertext is stored as “cipher.txt.”

  • Encrypt and sign: cat clear.txt | gpg -esar [key-id-of-the-recipient] -u [your-key-id] > cipher.txt
    • “-e” means encrypt
    • “-s” means sign
    • “-a” means ASCII format
    • “-r” means encrypt for the following key id of the recipient
    • “-u” means use the following (your) key id for signing
  • Decrypt: cat cipher.txt | gpg -d > clear.txt
    • “-d” means decrypt

Symmetric encryption

gpg can be used to symmetrically encrypt data, too:

  • Encrypt: gpg -c --cipher-algo AES256 clear.txt
    • “-c” means symmetrically encrypt
    • “–cipher-algo AES256” means use AES-256 for encryption
  • Decrypt: gpg -d ciphertext.gpg > clear.txt
    • “-d” means decrypt

Please note that your device temporarily caches the key used for encryption/decryption. When you are running gpg 2.2.7 or newer, you can turn off caching by adding --no-symkey-cache.

imagemagick

Well-known tools use imagemagick, so it is likely that imagemagick is already installed on your machine. You can use it to remove metadata from photos:

  • Remove metadata: mogrify -strip [filename]
    • “-strip” means “strip the image of any profiles, comments or these PNG chunks: bKGD, cHRM, EXIF, gAMA, iCCP, iTXt, sRGB, tEXt, zCCP, zTXt and date”
  • View metadata: identify -format '%[EXIF:*]' [filename]
    • shows Exif metadata in the file

openssl

You can use openssl for many purposes. For example, whenever you need pseudo-random bytes:

  • Print bytes to terminal: openssl rand [number-of-bytes]
  • Hex format: openssl rand -hex [number-of-bytes]

Then, there is OpenSSL’s SSL/TLS client program:

  • openssl s_client -connect infosec-handbook.eu:443 connects to the domain. The output contains information about certificates, TLS parameters, and TLS session tickets.

pwgen

Do you need a password now? Use pwgen:

  • Create passwords containing upper-case and lower-case chars, digits and special chars: pwgen -scyn1 [number-of-characters] [number-of-passwords]
  • Create passwords containing upper-case and lower-case chars and digits: pwgen -scn1 [number-of-characters] [number-of-passwords]

qrencode

qrencode can be used to transform arbitrary strings into QR codes:

  • qrencode -o [qr-filename].png '[string]'
  • Change the pixel size: qrencode -o [qr-filename].png -s [pixel-size] '[string]'

subnetcalc

subnetcalc is a CLI-based calculator for subnets of IPv4 and IPv6 networks.

  • subnetcalc 192.168.1.1/24 prints network, netmask, broadcast address, max. hosts, properties, and more.
  • subnetcalc infosec-handbook.eu prints IP addresses, properties, geo-information about the IP address, and more.

ykman

You can use the official YubiKey Manager (ykman) for advanced management of your YubiKey. See ykman [option] -h for all commands and options. Various commands allow you to manage, protect, or reset the applications on your YubiKey.

We use ykman 4.0 in the following. Enter ykman -v to see your version.

  • ykman list: List all YubiKeys connected to your device, including their serial numbers.
  • ykman [--device serialnumber] info: Show the details of a specific YubiKey.
  • ykman config -h: Enable or disable features of your YubiKey.
  • ykman config set-lock-code [application]: Set a lock code to protect the configuration of an application (up to 32 characters).
  • ykman fido credentials -h: Manage client-side discoverable credentials (WebAuthn) on the YubiKey.
  • ykman oath accounts -h: Manage OATH applications like TOTP on the YubiKey.

zbarimg + oathtool

Do you want to use two-factor authentication in the terminal? You can use OATH-TOTP with zbarimg + oathtool:

  • Enable 2FA on the website. Normally, you will see a QR code. Save this QR code.
  • Use zbarimg [file-containing-qr-code] to show the string representation of the QR code. This looks like QR-Code:otpauth://totp/[blabla]?secret=T2LAELPYIS2NGNYE&issuer=[website-owner]&algorithm=SHA1&digits=6&period=30
    • “secret=T2LAELPYIS2NGNYE” is the important part here!
    • “algorithm=SHA1” is the used hash function
    • “digits=6” means that the OTP is 6 digits long
    • “period=30” means that the OTP changes every 30 seconds
  • Use oathtool --base32 --totp 'T2LAELPYIS2NGNYE' to get your OTP each time.
  • The output is like “608166.”

WARNING: The secret (e.g., T2LAELPYIS2NGNYE) is a secret! Store it like a password and use a second device to generate your OTPs. Do not use the device that you use to log in! Do not store the shared OTP secret and the password in the same database!

zmap

zmap is a fast network scanning tool. It comes in handy for large-scale (internet-wide) scans. One example command is zmap -p [port] -o [output-filename].csv [network]. You can add “–dryrun” to test your command without actually running it.