Top Cybersecurity Commands Every Beginner Must Know in 2025
Table of Contents
- Why Learn Cybersecurity Commands?
- ping — The First Tool Everyone Learns
- netstat — See What's Connected to Your Machine
- nmap — The Network Scanner Professionals Rely On
- traceroute / tracert — Follow the Path of Your Data
- whois — Look Up Who Owns a Domain
- curl — Test Web Servers from the Terminal
- ss — netstat's Faster Replacement
- ufw — Manage Your Linux Firewall Simply
- chmod & chown — Control File Permissions
- openssl — Work with Certificates and Encryption
- Bonus: Essential Windows Security Commands
- Safe Practice Tips for Beginners
Why Learn Cybersecurity Commands?
Most people think cybersecurity is about big expensive software dashboards. It is not. A huge chunk of the real work happens right in the terminal, with tools that have been around for decades.
If you are trying to break into IT, aiming for certifications like CompTIA Security+, CEH, or OSCP, or you just want to understand what is actually happening on your home network — these commands are where you start. Job postings for security analysts, SOC engineers, and network administrators consistently list command line proficiency as a requirement. Not a nice-to-have. A requirement.
This guide is written for people who are curious, not reckless. Every command here can be run on your own machine or your own network without breaking any law. I will flag when something needs extra care.
1. ping — The First Tool Everyone Learns
Everyone who has ever called their ISP for help has heard "can you ping Google?" It sounds trivial. It is not.
ping sends small data packets to a target and measures how long they take to come back. It tells you whether a host is reachable, how fast the connection is, and whether there is packet loss. In security work, it is a basic reconnaissance check before doing anything more serious.
# Basic ping — send 4 packets to google.com ping -c 4 google.com PING google.com (142.250.194.46): 56 data bytes 64 bytes from 142.250.194.46: icmp_seq=0 ttl=118 time=14.2 ms 64 bytes from 142.250.194.46: icmp_seq=1 ttl=118 time=13.8 ms --- google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss
On Windows, the flag is ping -n 4 google.com instead of -c.
What security professionals actually look for: high latency, intermittent packet loss, or a host that does not respond at all. A server not responding to ping does not mean it is offline — it may just have ICMP blocked by a firewall, which is itself useful information.
2. netstat — See What's Connected to Your Machine
This one is underrated by beginners and constantly used by professionals. netstat shows you active network connections, listening ports, and routing tables. If malware is running on your machine and phoning home, this command can catch it.
# Show all active connections with process IDs (Linux/Mac) netstat -tulnp # Windows equivalent netstat -ano
The flags for the Linux version: -t shows TCP connections, -u shows UDP, -l lists only listening ports, -n shows numerical addresses instead of resolving hostnames (faster), and -p shows the process name.
A realistic use case: you notice your internet is slow. You run netstat -tulnp and see an unfamiliar process on port 4444 with an established connection to an IP address you do not recognize. That is worth investigating.
3. nmap — The Network Scanner Professionals Rely On
Nmap is probably the most famous tool in network security. It scans a host or range of hosts to find open ports, detect running services, and sometimes identify the operating system. Security teams use it to audit their own infrastructure. So do attackers, which is why learning it from a defensive angle matters.
Install it on Linux with sudo apt install nmap. On Windows, download it from nmap.org.
# Scan your own local machine nmap localhost # Scan a specific target for open ports (run on YOUR own device/lab only) nmap -sV 192.168.1.1 # Scan for common ports with OS detection nmap -A -T4 192.168.1.1
The -sV flag tries to identify what version of software is running on each open port. This is how auditors find servers running outdated, vulnerable versions of Apache or OpenSSH. The -A flag is aggressive — it does OS detection, version detection, script scanning, and traceroute.
One thing beginners miss: the scan results tell you what is exposed. If port 22 (SSH) is open on your router from the outside, that is an attack surface. Closing or restricting it is the obvious next step.
4. traceroute / tracert — Follow the Path of Your Data
When you load a website, your request does not go directly there. It hops through multiple routers. traceroute (Linux/Mac) and tracert (Windows) show you each of those hops and how long each one takes.
# Linux / Mac traceroute google.com # Windows tracert google.com
In security, this is useful for spotting unexpected routing, identifying where traffic is being intercepted, and diagnosing latency. If you are connected to a VPN and traceroute shows your traffic still exiting through your local ISP, your VPN has a leak. That is exactly the kind of thing this command catches.
5. whois — Look Up Who Owns a Domain
whois queries domain registration databases and returns information about who registered a domain, when it was registered, and through which registrar. It is one of the first steps in OSINT (Open Source Intelligence) investigations.
# Linux / Mac whois example.com # You can also use online tools: whois.domaintools.com
Modern registrations often use privacy protection, so you may see "Redacted for privacy" instead of a real name. But you will still get the registrar, registration dates, and name servers — useful for determining if a suspicious domain is brand new (a red flag in phishing investigations).
6. curl — Test Web Servers from the Terminal
curl is a command line tool for transferring data using URLs. Security professionals use it to inspect HTTP headers, test API endpoints, check SSL certificates, and verify that a server is responding correctly without opening a browser.
# Check the HTTP headers a server returns curl -I https://example.com # Test if a specific port is responding curl -v telnet://192.168.1.1:80 # Download a file curl -O https://example.com/file.txt
The -I flag fetches only headers, not the full page. Security analysts check headers for things like missing X-Frame-Options, Content-Security-Policy, or Strict-Transport-Security — these missing headers mean the site is potentially vulnerable to certain attacks like clickjacking.
7. ss — netstat's Faster Replacement
On modern Linux systems, ss has largely replaced netstat. It does the same job but faster, with more output options. If netstat is not installed on your system, this is why.
# Show all TCP connections ss -t # Show listening ports with process info ss -tlnp # Show all connections (TCP + UDP) with state ss -tulnp
The output format is slightly different from netstat, but the logic is identical. If you see a port in LISTEN state that should not be open, that is worth investigating. A quick Google of the port number usually tells you what service it belongs to.
8. ufw — Manage Your Linux Firewall Simply
ufw stands for Uncomplicated Firewall, and it genuinely earns that name. It is the front-end for iptables on Ubuntu and Debian-based systems, and it lets you manage firewall rules without needing to memorize iptables syntax.
# Check current firewall status sudo ufw status verbose # Enable the firewall sudo ufw enable # Allow SSH connections (important — do this BEFORE enabling if on a remote server) sudo ufw allow ssh # Allow a specific port sudo ufw allow 80/tcp # Block a specific IP address sudo ufw deny from 203.0.113.100
If you are running a VPS or home server, ufw should be one of the first things you configure. The default rule should be: deny all incoming, allow all outgoing, then open only what you actually need.
9. chmod & chown — Control File Permissions
A big chunk of real-world Linux security breaches happen because file permissions were set incorrectly. Too permissive, and anyone with access to the system can read or execute files they should not. chmod changes permissions. chown changes ownership.
# View current file permissions ls -la /var/www/html/ # Give owner read+write, group and others read only chmod 644 config.php # Make a script executable by the owner only chmod 700 myscript.sh # Change file owner to www-data (web server user) sudo chown www-data:www-data /var/www/html/
The numbers in chmod are octal: 7 = read+write+execute, 6 = read+write, 5 = read+execute, 4 = read only. The three digits represent owner, group, and others respectively. A file set to 777 means anyone can read, write, and execute it — that is almost never what you want on a server.
10. openssl — Work with Certificates and Encryption
OpenSSL is used everywhere — to generate SSL certificates, test encrypted connections, inspect certificate chains, and work with cryptographic keys. If you manage a website, a server, or any application that uses HTTPS, you will eventually need this.
# Check the SSL certificate of a website openssl s_client -connect example.com:443 # Check certificate expiry date echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates # Generate a self-signed certificate (for testing) openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes # Hash a file with SHA-256 (verify file integrity) openssl dgst -sha256 filename.txt
The certificate expiry check is genuinely useful. Expired SSL certificates are surprisingly common — even at large organizations — and they cause browsers to block users with scary warnings. Running this as a quick cron job on your servers will save you from embarrassing outages.
11. Bonus: Essential Windows Security Commands
Not everyone works in Linux. Here are some Windows commands that belong in any security toolkit:
ipconfig — Network Configuration
# See your full network config ipconfig /all # Release and renew your IP address ipconfig /release ipconfig /renew
net user — Manage User Accounts
# List all user accounts on the machine net user # See details for a specific account net user Administrator
tasklist & taskkill — Process Management
# See all running processes tasklist # End a suspicious process by PID taskkill /PID 1234 /F
sfc /scannow — System File Checker
# Scan for corrupted system files (run as Administrator) sfc /scannow
The system file checker is often underused. If you suspect a system file has been modified by malware — which does happen — this command will scan Windows system files against known good versions and repair them automatically.
12. Safe Practice Tips for Beginners
A few honest pointers before you start running these commands everywhere:
Use a home lab. Tools like VirtualBox or VMware let you spin up virtual machines where you can practice without touching anything real. TryHackMe and Hack The Box also provide legal, structured environments designed specifically for learning these skills.
Understand what a command does before running it. This sounds obvious. Most people skip it anyway. Running man nmap or nmap --help takes 30 seconds and tells you exactly what each flag does.
Keep a notes file. Cybersecurity has a lot of commands with non-obvious syntax. A plain text file with annotated examples you have actually run is worth more than any cheatsheet you download from a random GitHub repo.
Know the laws in your country. India's IT Act 2000, the US Computer Fraud and Abuse Act, and the UK Computer Misuse Act all treat unauthorized access seriously. Intent does not change liability. Only test on systems you own or have explicit written permission to test.
Learn to read the output, not just run the command. Many beginners run nmap and stare at the output without knowing what they are looking at. Learn what an "open" port means versus "filtered" versus "closed." That is where the actual skill lives.
Practice consistently, not intensely. 20 minutes every day beats a 4-hour session once a week. The terminal starts feeling natural fast if you use it regularly.
Wrapping Up
Cybersecurity does not start with expensive tools or complex software. It starts with understanding what is happening on your own system. These commands — ping, netstat, nmap, traceroute, whois, curl, ss, ufw, chmod, openssl — are the building blocks that professionals go back to constantly.
If you are working toward a career in security, make these commands second nature before moving on to heavier tools like Wireshark, Metasploit, or Burp Suite. The fundamentals hold up. The tools built on top of them change constantly.
Start with netstat -tulnp on your own machine tonight. See what ports are open. Look up anything unfamiliar. That is genuinely how this skill develops.