This page contains useful security-related command line tools and their commands, tested on Arch Linux. Commands on other Linux-based operating systems or Windows might differ and aren't included.
Follow us on Mastodon:
cheat is a small tool to create and view interactive cheat sheets using the command line. For instance, enter
cheat openssl, or
cheat nmap. By default, cheat sheets are stored at
~/.cheat and can be modified.
The web browser Chromium can be configured by changing so-called switches. This allows you to restrict cipher suites and the TLS version used by Chromium. You could change the configuration in the terminal, however, future updates will overwrite this.
~/.config/chromium-flags.conf and add:
--cipher-suite-blacklist=0x009c,0x009d,0x002f,0x0035,0x000a,0xc013,0xc014(disables weak cipher suites)
--ssl-version-min=tls1.2(disables all TLS versions except TLS 1.2)
Use Qualys’ SSL Client Test to check if all weak cipher suites are disabled.
curl is a “command line tool and library for transferring data with URLs”. It is basically a very handy multitool that supports many different network protocols. Some basic commands are:
curl --head [domainname]displays HTTP response headers (including security-relevant headers).
curl --header "[header]" [domainname]adds the
[header]to your request.
curl --insecure https://[domainname]connects to the domain and ignores any certificate errors.
curl --sslv3 https://[domainname]connects to the domain using insecure SSLv3 (works also for other insecure SSL/TLS versions).
curl -u user:password -O ftp://[domainname]/[file]downloads a file using username and password authentication via FTP.
There are many other options. Just test it and look at
dig is part of BIND and can be used to check domains for DNSSEC:
dig [domain-name] +multiline
- “status” should be “NOERROR” (“SERVFAIL” means that there is a problem with the DNS server configuration, e.g., DNSSEC configuration is broken)
- “flags” must contain “ad” (authentic data)
dig [domain-name] +multiline +dnssec
- This query sets the “DNSSEC OK” (DO) bit and requests DNSSEC records to be sent, if available
- Look for “RRSIG” resource records
dig [domain-name] +trace
- This query emulates a DNS resolver. It starts from the root of the DNS hierarchy, and works down using iterative DNS queries.
fscrypt is a high-level tool for the management of Linux filesystem encryption. fscrypt manages metadata, key generation, key wrapping, PAM integration, and provides a uniform interface for creating and modifying encrypted directories. See our “Monthly review – November 2019” for guidance.
How to create an OpenPGP key
This section describes how to create an Curve25519 key using gpg 2.2.13. If you don't know your version, open a terminal and enter
- Open your terminal.
gpg --expert --full-generate-key
(9) ECC and ECC
(1) Curve 25519
- Enter validity period, and confirm it by entering
- for e-mail, we recommend
- for Git signing, we recommend
- for internal use, we recommend less than
- for e-mail, we recommend
- Enter your full name
- Enter your e-mail address
- for e-mail, you need to enter your real e-mail address
- for Git signing/internal use, you can enter an arbitrary address (e.g., git(at)lenka.laptop)
- Enter a comment, if needed
- Check everything, and confirm it
- Enter a passphrase, used to locally encrypt your GnuPG key. You must enter this password every time you want to decrypt/sign something.
- After creation, save the location of the revocation certificate. You need the certificate to revoke your key if you lose access to your private GPG key.
- Your new key pair is ready now. Enter
gpg --list-secret-keysto see it.
- You can export your public key by entering
gpg --armor --export [key-id] > my-public-gpg-key.asc
You can also quickly create a new modern OpenPGP key as shown in our “Monthly review – August 2019”.
We save our cleartext as
clear.txt. You can also use
echo "your message", of course. The ciphertext is stored as
- Encrypt and sign:
cat clear.txt | gpg -esar [key-id-of-the-recipient] -u [your-key-id] > cipher.txt
-ameans ASCII format
-rmeans encrypt for the following key id of the recipient
-umeans use the following (your) key id for signing
cat cipher.txt | gpg -d > clear.txt
gpg can be used to symmetrically encrypt data, too:
gpg -c --cipher-algo AES256 clear.txt
-cmeans symmetrically encrypt
--cipher-algo AES256means use AES-256 for encryption
gpg -d ciphertext.gpg > clear.txt
Please note that the key used for encryption/decryption is temporarily cached by your device. When you are running gpg 2.2.7 or newer, you can turn off caching by adding
Well-known tools use imagemagick, so it is likely that imagemagick is already installed on your machine. You can use it to remove metadata from photos:
- Remove metadata:
mogrify -strip [filename]
-stripmeans “strip the image of any profiles, comments or these PNG chunks: bKGD, cHRM, EXIF, gAMA, iCCP, iTXt, sRGB, tEXt, zCCP, zTXt and date”
- View metadata:
identify -format '%[EXIF:*]' [filename]
- shows Exif metadata in the file
Minisign is a small tool that uses Ed25519 for cryptographic signing. See our “Monthly review – August 2019” for examples.
You can use openssl for many purposes. For example, whenever you need pseudo-random bytes:
- Print bytes to terminal:
openssl rand [number-of-bytes]
- Hex format:
openssl rand -hex [number-of-bytes]
Then, there is OpenSSL's SSL/TLS client program:
openssl s_client -connect infosec-handbook.eu:443connects to the domain. The output contains information about certificates, TLS parameters, and TLS session tickets.
Do you need a password now? Use pwgen:
- Create passwords containing upper-case and lower-case chars, digits and special chars:
pwgen -scyn1 [number-of-characters] [number-of-passwords]
- Create passwords containing upper-case and lower-case chars and digits:
pwgen -scn1 [number-of-characters] [number-of-passwords]
qrencode can be used to transform arbitrary strings into QR codes:
qrencode -o [qr-filename].png "[string]"
- Change the pixel size:
qrencode -o [qr-filename].png -s [pixel-size] "[string]"
signal-cli can be used as a Signal messenger client in the terminal. See our “Monthly review – September 2019” for examples.
subnetcalc is a CLI-based calculator for subnets of IPv4 and IPv6 networks.
subnetcalc 192.168.1.1/24prints network, netmask, broadcast address, max. hosts, properties, and more.
subnetcalc infosec-handbook.euprints IP addresses, properties, geo information about the IP address, and more.
The official YubiKey Manager can be used to manage the features of a YubiKey. For all commands, see YubiKey Manager CLI (ykman) User Manualexternal link .
ykman list: List all YubiKeys connected to the device.
ykman info: Show details of a connected YubiKey, including its serial number.
config command can be used to enable or disable applications (features) on the YubiKey.
ykman config [nfc|usb] -e [OTP|U2F|OPGP|PIV|OATH|FIDO2]: Enable features of your YubiKey over NFC or USB.
ykman config [nfc|usb] -d [OTP|U2F|OPGP|PIV|OATH|FIDO2]: Disable features of your YubiKey over NFC or USB.
ykman config set-lock-code [application]: Set a lock code to protect the configuration of an application (up to 32 characters).
If you own a normal YubiKey, the following commands are only relevant for WebAuthn. If you own a FIPS-certified YubiKey, the same commands can be used for U2F.
ykman fido list: List all resident credentials (WebAuthn) on the YubiKey.
ykman fido set-pin: Set a PIN to protect resident credentials (4 and 128 characters).
ykman fido reset: Reset FIDO-related credentials (WebAuthn and U2F).
oath command can be used to manage OATH-TOTP credentials. You can use it instead of the Yubico Authenticator.
ykman oath add -i [issuer] [name] [secret]: Register OATH-TOTP issued by [issuer] using the [secret] (provided by the issuer) and store it as [name]. (By default, TOTPs have 6 digits, use SHA-1, and are valid for 30 seconds.)
ykman oath code: Show TOTPs for all accounts on the YubiKey.
ykman oath code -s [name]: Show the TOTP for the specified account.
ykman oath delete [name]: Remove the specified account.
ykman oath reset: Reset OATH-related credentials (HOTP and TOTP).
ykman oath set-password: Set a password to protect OATH-related credentials (HOTP and TOTP).
zbarimg + oathtool
- Enable 2FA on the website. Normally, you will see a QR code. Save this QR code.
zbarimg [file-containing-qr-code]to show the string representation of the QR code. This looks like
oathtool --base32 --totp "T2LAELPYIS2NGNYE"to get your OTP each time.
- The output is like
WARNING: The secret (e.g., T2LAELPYIS2NGNYE) is a secret! Store it like a password and only use a second device to generate your OTPs. Do not use the device which you use for login! Do not store this secret and the normal password in the same database!
There is also the Python 3 script “MinTOTP” that can be used to generate TOTP codes. See our “Monthly review – October 2019”.
zmap is a fast network scanning tool. It is very useful for large-scale (internet-wide) scans. One example command is
zmap -p [port] -o [output-filename].csv [network]. You can add
--dryrun to test your command without actually running it.