StationX { display: none; } Mon, 05 Dec 2022 19:31:22 +0000 en-GB hourly 1 Google Dorks Cheat Sheet: How to Hack using Google Wed, 30 Nov 2022 13:08:20 +0000 Google Dorks Cheat Sheet: How to Hack using Google Read More »

Learning about Google dorks is fundamental to a practical understanding of cyber security, especially penetration testing and ethical hacking. Ingeniously constructed Google queries can uncover leaked passwords and sensitive data, let you view neighborhoods from unsecured cameras, access files not meant for you, and more.

Google dorks are challenging to master for three non-technical reasons:

  1. Valid dorks change often;
  2. Misuse can lead to serious legal repercussions;
  3. The dangers of accidentally inappropriate Google dorking discourage explorers from achieving mastery.

This Google dorks cheat sheet will cover the dorking commands and operators, search parameters, their combinations, questionable dorks, and how to prevent others from Google dorking your online resources.

Google traces every search back to the device issuing it, so take care in handling the clickable examples in this Google dorking cheat sheet, which you may download here.

When you’re ready, let’s dive in.

What Is a Google Dork?

A “Google dork” is an advanced Google search technique. “Google dorking” (aka “Google hacking”) is the activity of performing advanced searches on Google. You can combine different Google dorks to comb data otherwise inaccessible to ordinary users of Google search.

On a browser, if you make too many Google searches in a short time, Google requires that you unscramble garbled letters in an image called a captcha before you can proceed. Captcha completion can frustrate end users like you, but Google servers must nip denial-of-service cyberattacks in the bud.

Unlike most cheat sheets, we cannot guarantee that the commands below will remain unchanged in perpetuity. Google updates its dorks continually, so deprecated techniques don’t appear here, even if you can find them elsewhere on the Internet.

Before You Begin Google Dorking

Google dorking is not a playground where you can flood commands to your heart’s content:

  • Google limits your Google search rate from a single device.
  • It may ban your IP if you issue too many queries.
  • Abuse of dorks may have legal repercussions.

No, you’re not immune even if you’re working from a virtual machine toying with sqlmap.

If you know you can’t resist having fun with it (and you will), you could work from Pagodo, which automates Google searching for potentially vulnerable web pages and applications on the Internet. It also lets you automate the rate at which your device issues Google dorks.

Regardless of how you use Google dorks, respect Google’s Terms of Service. Be careful.

Examples of Creepy Dorks

These dorks reveal vulnerabilities in websites, and their contents may be newsworthy depending on the zeitgeist.

For details on how the following commands work, refer to Text dorks, Google Dorks Operators, and Scope-Restricting Dorks.

inurl:”view.shtml” “Network Camera”,“Camera Live Image”, inurl:”guestimage.html”,intitle:”webcamXP 5’”Get web applications showing live webcam (online camera) footage.
“Not for Public Release” + “Confidential” ext:pdf | ext:doc | ext:xlsxGet links to documents meant to be classified. Some come from governmental websites. & inurl:wp-loginGet login pages of WordPress sites ending in the notoriously unsafe domain “.hk”
”index of” inurl:ftp secretGet FTP servers you want to access containing the keyword “secret”
Critical dorks performed on .env files yielding results such as:
filetype:env [and a sensitive parameter] - Google Search - Google Search results on .env files containing a sensitive parameter.
Popular web development frameworks use .env files to declare general variables and configurations for local and online dev environments, often including passwords.
The dork used to produce the screenshot exposes database passwords. Hence it’s vital to keep .env files from being publicly accessible.
(If you’ve read this cheat sheet in its entirety, you will be able to guess the dork used here.)

This often-updated exploit database contains other Google dorks that expose sensitive information. Proceed with caution.

Google Dorks Search Parameters

A search parameter in a Google dork is the text string payload affixed to or used with the Google dorking command or operator. Without a suitable search parameter, Google treats the dork keyword as an ordinary query keyword at best and returns zero results at worst.

For example, in the search, the domain “” is the parameter. In (psychology OR computer science) AND design, the three subjects of psychology, computer science, and design are the parameters. In 16 F to C (converting a temperature from degrees Fahrenheit to Celsius), 16 is the parameter.

Search parameters include web domains, file extensions, numbers, and character strings with or without quotes.

Google Dorking Commands

As Google’s internal documentation on dorks frequently changes, the following is not an exhaustive list but a list of commands known to return meaningful results. Some of the given commands may be obsolete because they return similar results as a dork-free search. Deprecated commands don’t appear below.

Scope-Restricting Dorks

These help specify your target range of websites or data types. For example, in hunting for e-books, the Google dork “filetype:pdf” is indispensable.

If a command listed below ends with a symbol, include no space between the command and the parameter. The correct way to use each command is in the “Example usage” column. Otherwise, Google will treat the command as an ordinary search keyword rather than a dork.

CommandDescriptionExample usage
site:Restrict search to a particular website, top-level domain, or subdomain.
Additional query items are optional.,, tax return
filetype:, ext:Restrict the returned web addresses to the designated file type.
Unlike most other dorks, this requires additional keywords in the search bar or will return no results.
Here is Google’s official list of common file types it can search.
Google also supports the file extensions db, log, html, mpeg, mov, and flv.
Nonetheless, searches on mp3 and mp4 with and without additional search terms have yielded no results.
filetype:pdf car design,ext:log username
Compare withfiletype:pdf, ext:txt, etc.filetype.pdf - Google Search - "Your search - filetype.pdf - did not match any results."

ext:txt - Google Search - About 5,420,000 results (0.21 seconds)
@Restrict search to a particular social platform.
It supports popular platforms such as Facebook, Twitter, YouTube, and Reddit.
A downside is it’s not as precise as the “site:” dork.
@twitter pentest,@youtube google dorking
imagesize:(height)x(width)Restrict image search results to those of the specified dimensionsYou can use these images as desktop wallpapers or video thumbnails: imagesize:1920×1080
define:Return definitions of a word or phraseCompare define:privacy and a plain search on privacy.
stocks:Check the financial activity of a particular stockstocks:TWTR (Twitter), stocks:gm (General Motors), stocks:pfizer
movie:Return information about any movie with the given titleCompare movie:”phantom of the opera” and “phantom of the opera”.
source:Find reports from a Google News source.source:npr

Informational Dorks

These dorks appear to work best if used as standalone commands, i.e., without additional query items.

CommandDescriptionExample usage
$Search for prices in USD ($). This also works for Euro (€), but not GBP (£) or Yen (¥).ipad $329,iphone €239
cache:Get Google’s last saved version of a particular website. A website snapshot like this is called “cache”
link:Find pages linking to the given
related:Return websites related to the given,
map:Gets a map of the given locationmap:”new york”
weather:Gets the weather of the given locationweather:london
Usable but possibly deprecated commands
location:, loc:Find information about a location.
Results may be inconsistent.
location:NY crime,loc:NY crime
info:, id:Return pages that convey information about the given website.
Finding queries that gave different results with and without the “info:” / “id:” command was difficult.
This command could still help you find the canonical, indexed version of a URL.
“babylon bee” vs info:”babylon bee”: a politically conservative satire website in the US
"babylon bee" - Google Search - About 545,000 results (0.43 seconds)

info:"babylon bee" - Google Search - About 236 results (0.41 seconds)

Also, id:”babylon bee” treats “id” as a search parameter (bold text) in some results:
An entry in [id:"babylon bee" - Google Search] - Example of Google Search treating "id" as another query keyword - Example of Google Search treating "id" as another query keyword

An entry in [id:"babylon bee" - Google Search] - Example of Google Search treating "id" as another query keyword

Text Dorks

These are helpful if you want to look for web pages containing certain text strings or follow particular patterns. For example, those familiar with the URLs of webcam apps, for example, use Google dorks similar to the first entry in this table to find camera footage to watch.

CommandDescriptionExample usage
intitle:, allintitle:Look for pages with titles containing the search terms.
The dork “intitle:” applies to its search parameter only, while “allintitle:” applies to the entire query string.
intitle:toy story, intitle:”toy story”Compare the above with the number of search results of toy story and “toy story”.
allintitle:”toy story”.Compare with intitle:”toy story” — both have the same number of search results.
allintitle:"toy story" - Google Search - About 6,240,000 results (0.80 seconds)

intitle:"toy story" - Google Search - About 6,240,000 results (0.70 seconds)
inurl:Finds links containing the character string.inurl:login.php
allinurl:Finds links containing all words following the colon (:).
Equivalent to applying “inurl:” to discrete search strings.
Compare allinurl: healthy eating vs inurl:healthy inurl:eating:
allinurl: healthy eating - Google Search - About 972,000 results (0.53 seconds)

inurl:healthy inurl:eating - Google Search - About 971,000 results (0.49 seconds)
Usable but possibly deprecated commands
intext:, allintext:Finds websites containing the payload.
The dork “intext:” applies to its search parameter only, while “allintext:” applies to the entire query string.
The websites displayed in the results appear similar to a search without either command.
Compare intext:”Index of /” +.htaccess, allintext:”Index of /” +.htaccess, and “Index of /” +.htaccess.

Google Dorks Operators

Unlike certain Google Dorking commands, you may include spaces between Google dorking operators and your query items. You may combine as many different operators and commands as are necessary.


These refine the search and constrain the results to follow the rules of logic. Most of the following are logical operators.

CommandDescriptionExample usage
" "Return exact matches of a query string enclosed in the double quotes.
Note that these are straight and not curly “” quotation marks. The curly quotes may or may not return similar results as straight quotes.
Single quotes don’t work.
“Google dorking commands”.
Compare ‘movie review’ and “movie review”:
'movie review' - Google Search. - Single quotes enclosing the phrase 'movie review'. About 5,700,000,000 results (0.78 seconds)

"movie review" - Google Search - Double quotes enclosing the phrase "movie review". About 63,900,000 results (0.89 seconds)
OR, |Return sites containing either query item joined by OR or the pipe character |.
This is an inclusive OR.
Amazon OR Google yields the same number of results as Amazon | Google.
Amazon OR Google - Google Search - About 25,270,000,000 results (0.58 seconds)

Amazon | Google - Google Search - About 25,270,000,000 results (0.42 seconds)
( )Groups multiple Google dork operators as a logical statement(black OR white) hat hacker
-Hyphen; excludes search results containing the word or phrase after the hyphen.Amazon -reviews, “sql injection” -“penetration testing”
*Wildcard or glob pattern as a placeholder for query item“type * error” returns pages on Type I and II errors in statistics.
Compare this with the search “type i OR ii error” which doesn’t use this wildcard:
"type * error" - Google Search - About 4,130,000,000 results (0.70 seconds)

type i OR ii error - Google Search - About 3,450,000,000 results (0.62 seconds)
#..#Search a numerical range specified by the two endpoints # inclusive2006..2008 finds all pages that include 2006, 2007, or 2008 in them.
AROUND(N)Match pages containing the search terms separated by at most N other wordsread AROUND(2) book, read AROUND(3) book
Usable but possibly deprecated commands
AND, &, +Concatenation; return sites containing both query items joined by AND, the ampersand symbol & or the plus sign +.
Google seems to assume you’re using this dork whenever you have multiple search items in one query.
This is because the websites in the dorked search results are similar to queries without these dorks. Curiously, the estimated number of search results differs.
Amazon AND Google, Amazon & Google, Amazon + Google.Compare withAmazon Google (no quotes):
Amazon AND Google - Google Search - About 4,730,000,000 results (0.42 seconds)

Amazon & Google - Google Search - About 4,040,000,000 results (0.44 seconds)

Amazon + Google - Google Search - About 5,040,000,000 results (0.68 seconds)

Amazon Google - Google Search - About 4,280,000,000 results (0.63 seconds)
_Wildcard symbol for Google Autocomplete.
Google appears to treat this symbol literally if it’s inside double quotes.
Suppose you can’t recall the name of the late singer Michael Jackson:Michael _ singer, “Michael _” singer.Michael _ singer - Google Search - About 342,000,000 results (0.62 seconds)

"Michael _" singer - Google Search - About 33,700 results (0.35 seconds)
Compare with Michael singer, “Michael *” singer.
Michael singer - Google Search - About 476,000,000 results (0.55 seconds)

"Michael *" singer - Google Search - About 228,000,000 results (0.70 seconds)
Only “Michael *” singer has a direct entry about Michael Jackson on the first page of the search results:
"Michael *" singer - Google Search - result: "Biography for Kids: Michael Jackson - Ducksters" Occupation: Singer; Born August 29, 1958 in Gary, Indiana; Died: June 25, 2009 in Los Angeles


The following are mathematical operations that you can perform on Google.

OperatorsDescriptionExample usageResult
+Addition3 + 2023
Subtraction3 – 20-17
*Multiplication3 * 2060
/Division3 / 200.15
% ofPercentage33% of 4006.6
X^Y, X**YRaise X to the power of Y.
Both operators ^ and ** perform the same operation.
3^2,3**23^2 = 93**2 = 9
in, toConvert a quantity from a given unit to another. Translate words into another language.6 ft 2 inches in cm,140 lbs in kg,100 USD to bitcoin,8 am London time to California time,thank you in spanish6 ft 2 inches = 187.96 cm,140 lbs = 63.5029 kg,100 USD =
100 USD = 0.000052 bitcoin (BTC) on 11 Oct 2022, 1:05pm UTC - Google Search

8:00am Tuesday in London, UK is 12:00am Tuesday in California, USA - Google Search

"thank you" in English = "gracias" in Spanish - Google Search
sqrtSquare rootsqrt(3)1.73205080757
iImaginary number.
Use it with other mathematical operations to see it in action.
N choose RFind how many combinations are possible from N items taken R at a time, where N and R are integers.
6 choose 415
sin, cos, tanTrigonometric functions. You may specify the formula using symbols and natural language.sin(pi/6),sin 30 degreessin(pi/6) = 0.5,sin 30 degrees = 0.5
timerTimertimer for 20 minutesGoogle Timer for 20 minutes: 20m00s. It counts down upon page load. - Google Search
[This has no specific operator]Generate a random number.
Find more on the drop-down dialog box labeled “Tools” on the results page.
flip a coin,roll a dice,show random number from 10 to 40Flip a coin - with drop-down dialog box labeled "Tools" on the results page - Google Search

Roll a dice - Google Search
Show random number from 10 to 40 (Google displays 28 here) - Google Search
[graph] EXPRESSION [from A to B]Graph a mathematical EXPRESSION with variables x and y on an (optional) numerical range from A to B.
The “graph” keyword is only necessary if Google doesn’t understand your query.
sin(x)/xgraph log(x)sqrt(x^2+y^2) from -20 to 20Graph of y=sin(x)/x looks like a peak at x=0 and decreasing ripples towards both horizontal infinities. [sin(x)/x - Google Search]

Graph of y=log(x) looks like a curved arm reaching from bottom left to top right. [graph log(x) - Google Search]

Graph of z=sqrt(x^2+y^2) looks like a paper cone with the tip at (x,y)=(0,0). [sqrt(x^2+y^2) from -20 to 20 - Google Search]

Google also supports other scientific calculator operations on its calculator. This website features additional examples of mathematical operations you can perform on Google.

Examples of Complex Google Dorks

You can combine Google dorking commands and operations for specific results.

CommandDescription intext:scheduledGet links to publicly shared Zoom meetings you may want to access.
"index of" ""Get unsecured SQL dumps.
Data from improperly configured SQL servers will show up on this page.
filetype:yaml inurl:cassandraGet YAML configuration files specific to Apache Cassandra databases
@twitter trending memesFind memes trending on Twitter
@reddit memes -darkFind memes on Reddit that are not dark filetype:pdfFind PDFs on the domain
imagesize:1920x1080 cloudsFind cloud images of dimensions 1920 pixels by 1080 pixels
secret in spanish inurl:dictTranslate the word “secret” to Spanish and limit results to URLs containing “dict” PhD mathFind information on “PhD” and “math” that link to the University of Oxford’s official website. Compare with PhD math: PhD math - Google Search - About 706,000 results (0.57 seconds) PhD math - Google Search - About 630,000 results (0.50 seconds)
filetype:html jamesRumble video pages end in “.html”. This looks for Rumble video URLs containing the keyword “james”.

How to Prevent Google Dorks

With great power comes great responsibility, and even if you use Google Dorks with the utmost care, other entities may not. Here are some suggestions to avoid becoming the next victim of unwanted Google Dorking.

  • Implement IP-based restrictions and password authentication to protect private areas. Securing your login portals discourages unauthorized access.
  • Encrypt all sensitive information, like usernames, passwords, email addresses, phone numbers, and physical addresses. This way, in the event of data leakage, the original data remains unexposed.
  • Run vulnerability scans to find and disable Google dorks. Examples of vulnerability scanners are Nessus and Qualys.
  • Run regular dork queries on your website to discover loopholes and sensitive information before attacks occur. Sqlmap is a helpful tool.
  • If you find sensitive content exposed on your website and you’ve exhausted all other means of removing it (such as changing your passwords or renaming your login pages), request its removal through Google Search Console.
  • Be judicious in the use of robots.txt. Read the warning below.

A Word of Caution

Other websites mentioning Google Dorks typically recommend using robots.txt to conceal sensitive content or to stop Google from indexing specific parts of your website. On your website server, you can find robots.txt in the root-level directory, such as /public_html.

What seems like a simple, good-faith solution to eliminate complex reconnaissance via Google Dorks is, to an intelligent hacker, a treasure trove and a cash cow. Instead of backing off, they’ll attack your website by targeting the items listed in robots.txt.

Hence, it’s best to adopt this measure cautiously. The most prudent use of robots.txt is instructing Google to exclude one’s entire website, as follows:

User-agent: *Disallow: /

Such a robots.txt file compels visitors looking for information to use the search function inside the website. A well-built internal search function may have safeguards against Google dorking, SQL injection, and other hacking techniques. These safeguards protect the website better than allowing external search engines such as Google to index the website.


Ethical and legal considerations abound when using Google dorks. They are such powerful tools for uncovering data and locating vulnerabilities that your intention and frequency in using them are paramount to your Google dorking experience. Google dorking is an invaluable tool for practical cyber security research when used responsibly.

We hope this Google dorking cheat sheet is helpful to you. Remember: with great power comes great responsibility. More important than enjoying Google dorking, stay safe.

Frequently Asked Questions

]]> 0
curl Cheat Sheet: Helpful Commands and Exciting Hacks Tue, 29 Nov 2022 12:53:54 +0000 curl Cheat Sheet: Helpful Commands and Exciting Hacks Read More »

With the command-line application curl (aka cURL, short for “client URL”), you can automate batch actions such as submitting thousands of Google Forms, flooding servers with requests in penetration testing, and accessing remote files hands-free using only Unix bash scripting without additional programming languages.

This curl cheat sheet aims to provide an overview of curl for beginners and a taste of hacking with curl for cybersecurity fans like you. Download this curl cheat sheet here

Keep the Terminal program (on Unix/Linux systems, including macOS) at hand to try out the commands below, many of which yield meaningful results. When you’re ready, let’s dive in.

Refresher: What Is curl?

In computer networking, a client is a machine that asks for data or services, and a server is a machine that provides them. curl is a command-line program for clients to submit requests to servers.

curl is helpful for quickly and automatically checking responses from servers, its prime usage being curl GET and curl POST commands. As curl operates at the protocol level (HTTP/S, FTP, SCP, IMAP, POP3, SMTP, etc.), you can tailor server requests and cyber attacks to complex vulnerabilities not covered by handy security tools such as BurpSuitePro.

The more familiar you are with curl, the more finely you can adjust curl operations. This curl cheat sheet will help you get started.

Note: The live websites in the commands below work at the time of writing, but URLs and technology may change anytime.

Web Browsing

The most straightforward use of curl is the command-line display of websites and files, which is also how most computer science students learn about curl in the first place.

curl options (aka flags) begin with a hyphen (-) or two (–), and they take arguments that are strings, URLs or file paths.

curl http://example.comReturn the source file of a URL
curl --list-only ""List contents of the directory
curl -lAbbreviation of curl --list-only
curl --location ""Redirect query as specified by HTTP status response code 3xx. This URL directory,, does not return the list of MP3 files using the curl --list-only command, but it does with curl --location.
curl -LAbbreviation of curl --location
curl --fail-early ""Fail quickly in resolving
curl --head ""Fetch HTTP headers of the URL
curl -IAbbreviation of curl --head
curl --head --show-error ""Check whether the site is down
curl --head --location "" | grep LocationExpand a shortened or disguised URL: redirects to a public YouTube playlist.
This is also helpful when you want to unearth the actual websites behind the long, convoluted, redirect-intensive email newsletter hyperlinks.

Downloading Files

The commands below come in handy when you want to scrape websites for content. The following commands return meaningful results as of writing. Change the parameters to suit your purposes.

curl --output hello.html http://example.comOutputs the URL to a file hello.html
curl -oAbbreviation of curl --output. -o only works if placed before the target URL parameter.
curl --remote-name ""Download a file from, saving the file without changing its name
curl --remote-name "" --output cryptography_notes.pdfDownload a file from and rename it to cryptography_notes.pdf
Alternatively, you may replace --output with >. Replacing --output with -o does not work here.
curl --remote-name --continue-at - ""Continue a partial download of a file
curl "{Linux,Windows,OSX}" --output "file_#1.html"Download files from multiple locations and name them according to the format file_(operating system).html
curl "[158-161]/[158-161]-0.{txt,zip}" --output "bk#1_#2.#3"Download a sequence of files and outputs bk158_158.txt,, …,
curl --location | grep '.mp4' | cut -d \" -f 8 | while read i; do curl"${i}" -o "${i##*/}"; doneDownload all MP4 files from the URL
Here, use grep to filter out the MP4 files, cut to find the path to the required files (the delimiter is ” and the path string was at the 8th such delimiter), 
A while-loop with curl helps download the files recursively.
You’ll need to modify the grep and cut commands to download other file types and locate relevant hyperlinks in the HTML source code of the URL you specify.

curl GET Commands

Use these commands to make a GET request using curl. curl GET commands may require you to pass authorization keys via the --header flag.

You can also make other HTTP requests such as PUT and DELETE using curl and the appropriate flags. 

curl --request GET ""Fetch the HTML source of the URL and output it in the terminal console
curl -XAbbreviation of curl --request
curl --request GET '' --header 'Content-Type: application/json'Get all MongoDB documents from the viewdata-kqgls app with the given secret string and content type header as query parameters.
The expected result is a JSON object containing all documents.
(The URL is a custom API endpoint I made on MongoDB.)
curl --request GET '' --header 'Content-Type: application/json'Get a MongoDB document from the viewdata-kqgls app with the given ID, secret string, and content type header as query parameters.
The expected result is the document, if it exists:{"_id":"636b5046e54ce11139fd8b96","name":"Alice Bob","age":25,"greeting":"Greetings, everyone."}

curl POST Commands

Use these commands to make a POST request using curl. curl POST commands may require the --header flag to pass authorization keys.

You can also make other HTTP requests such as PUT and DELETE using curl and the appropriate flags.

curl --headerPass a header to the server URL
curl -HAbbreviation of curl --header
curl --request POST "" -d 'some data'Fetch the HTML source of the URL
curl -XAbbreviation of curl --request
curl --request POST '' --header 'Content-Type: application/json' --header 'api-key: ZAEOuvuEVLF5ll3kGP8FFkAj1GMKB8xu1jRx5D7210gXiZHa5agdbSq8pzbpI8Lo' --data-raw '{"dataSource": "Cluster0","database": "curlhacks","collection": "curlhacks","document": { "name": "Alice Bob", "age": 25, "greeting": "Greetings, everyone." }}'Upload via the MongoDB Data API the given Javascript object to a database and collection both named curlhacks.
The expected output:{"insertedId":"636b5046e54ce11139fd8b96"}
This means curlhacks has registered the new Javascript object as a MongoDB document with the given ID.
curl --request POST '' --header 'Content-Type: application/json' --header 'api-key: ZAEOuvuEVLF5ll3kGP8FFkAj1GMKB8xu1jRx5D7210gXiZHa5agdbSq8pzbpI8Lo' --data-raw '{"dataSource": "Cluster0","database": "curlhacks","collection": "curlhacks","filter": { "name": "Alice Bob" }}'Enquire via the MongoDB Data API the database and collection, both named curlhacks, for a document with the key-value pair {"name": "Alice Bob"}.
The expected output is the requested document:{"document":{"_id":"636b5046e54ce11139fd8b96","name":"Alice Bob","age":25,"greeting":"Greetings, everyone."}}
curl --request POST '' --header 'Content-Type: application/json' --header 'api-key: ZAEOuvuEVLF5ll3kGP8FFkAj1GMKB8xu1jRx5D7210gXiZHa5agdbSq8pzbpI8Lo' --data-raw '{"dataSource": "Cluster0","database": "curlhacks","collection": "curlhacks","filter": { "_id": { "$oid": "636b4f88fd82bd55d90962c6" } }}'Delete via the MongoDB Data API a document with the given ID from the database and collection, both named curlhacks.
The expected output:{"deletedCount":1}
This means curlhacks has deleted a MongoDB document, namely the one specified.

API Interaction

The following commands can help you automate web query requests, such as Google Form submissions. The examples below are chock-full of Google Form URLs because of a real-life hack so egregious the full source code must remain private.

I wanted a news organization to win an award so badly, I generated 12,000+ submissions to the award nomination Google Form over two months using temporary email addresses and mix-and-match reasons. I was sad the media company didn’t win, but if it did, it’d face the conundrum of having reported on voting fraud yet having voting fraud seal its victory.

Identifying the various fields in the award submission Google Form - screenshot by author

Identifying the various fields in the award submission Google Form

Example of journalism awards Google Form hack - screenshot by author

Example of a Google Form URL which I could have submitted through curl, blanking out the Google Form ID and identifying information about the news company.

Go to curl GET and curl POST commands for GET- and POST-specific API interactions using curl.

curl ""Query an API endpoint
curl --header "Auth-Token:$DB_APP_TOKEN" ""Pass a header to a server URL. A header is ​​a field of an HTTP request or response that passes additional context and metadata about the request or response.
In this example, the header is an authorization token.
curl -HAbbreviation of curl --header
curl --data "ABC 123" "[GoogleFormID]/formResponse"Send URL-encoded raw data "ABC 123" to an API endpoint, in this case a Google Form.
curl -dAbbreviation of curl --data
curl --data "ABC 123" "[GoogleFormID]/formResponse" > output.htmlSend URL-encoded raw data "ABC 123" to an API endpoint, in this case a Google Form, and output to output.html data returned from the server
curl --form "" --form "submit=Submit" "[GoogleFormID]/formResponse" > output.htmlEmulate sending an email address to an API endpoint (Google Form here) followed by pressing the Submit button.
The output file, output.html, will have a filled email address field.
curl -FAbbreviation of curl --form
curl --form "entry.123456789=</Users/user1/Downloads/playlist.m3u" "[GoogleFormID]/formResponse" > output.htmlSend to an API endpoint (Google Form here) the file contents of /Users/user1/Downloads/playlist.m3u to the parameter entry.123456789.
The symbol < here means you’re sending data to the server, as opposed to > for data you receive from the server.
You can find the parameters of the form entry.123456789 (the number may not be nine digits long) using your browser’s Inspector.
On Chrome-based browsers, right-click the page and select “Inspect” to see the Inspector.
The output file, output.html, will show the file contents in the corresponding field.
curl --form "entry.123456789=</Users/user1/Downloads/playlist.m3u" --form "" "[GoogleFormID]/formResponse"Send more than one piece of data to the given API endpoint.
This command sends over the email and playlist file specified.
The output for this command will be in the terminal.
curl --data "entry.123456789=</Users/user1/Downloads/playlist.m3u&" "[GoogleFormID]/formResponse"Similarly as above, send more than one piece of data to the given API endpoint.
This command sends over the email and the raw data string"</Users/user1/Downloads/playlist.m3u".
The output for this command will be in the terminal.
curl --form "input=@pic1.jpg" "" > output.html
curl --form "input=/Users/user1/Downloads/pic1.jpg" "" > output.html
Send a file /Users/user1/Downloads/pic1.jpg as form data to the given API endpoint.
Both commands are equivalent. They send an image file to
– Use @ if the file is in the current working directory (obtained via pwd);
– Don’t use @ if you provide the full directory path of the file.
The output file, output.html, will show the image-resizing options returned by the API.


It appears that the sole action of sending cookies to the target website doesn’t affect the HTML layout of the website. Nevertheless, curl supports the following methods:

curl --cookie "registered=yes"Send "registered=yes" as cookie
curl --cookie "name=alice;"Send “name=alice” and "" as cookies
curl --cookie import_cookies.txtSend the contents of import_cookies.txt as cookie(s).
As most browsers no longer support the “Set-Cookie:” prefix, format your cookies in the file as:
curl -bAbbreviation of --cookie
curl --cookie-jar mycookies.txtWrite cookies to mycookies.txt after executing the curl operation on other flags
curl -cAbbreviation of --cookie-jar
curl --dump-header headers_and_cookies.txt http://example.comOutput HTTP headers and cookie data of to headers_and_cookies.txt
curl -DAbbreviation of curl --dump-header

curl Script

You can use curl commands in bash scripts. Here are some example scripts involving curl commands:

curl-install-package.shInstall packages with curl
curl-url-time.shCheck a website response time
curl-format-json.shBeautify json output for curl response
curl-remote-scripts.shcurl run remote scripts

curl Advanced

Here are some commands for fine-tuning your curl operations.

curl -hShow help commands
curl --versionShow curl version
curl -v verbose output while connecting to the URL
You may use this -v flag along with other flags such as --head, --location.
curl --trace ftp_corel.txt details of the packets captured in the connection to the URL
curl -s > twitter.htmlDownload the URL in silent mode, not outputting the progress
curl -L "" --connect-timeout 0.1Specify the maximum time in seconds (0.1 seconds in this example) allowed to connect to the URL
curl -s -w '%{remote_ip} %{time_total} %{http_code} \n' -o /dev/null http://an­kush.ioReturn the specified parameter values as a string '%{remote_ip} %{time_total} %{http_code} \n' on the terminal output and suppress all other system output
curl -r 0-99 http://example.comGet the first 100 bytes of the URL
curl -r -500 http://example.comGet the last 500 bytes of the URL
curl -r 0-99 ftp://ftp.corel.comGet the first 100 bytes of an FTP URL. curl only supports ranges with explicit start and end positions.
curl -m 0.1Specify maximum operation time in seconds (0.1s here)

curl Request Example

Let’s conclude this article with a curl POST request hack. Proceed at your own risk.

CommandDescriptionTest Result
curl -X POST --data-urlencode phone='+[area code][phone number]' --data-urlencode message='Please delete this message. This is a service provided by textbelt.' -d key=textbeltSend a free SMS text message to a phone number in E.164 format via with the API key textbelt.
If you have a custom API key, replace “textbelt” with it.
On the terminal:{"success":true,"textId":"205381667028627395","quotaRemaining":0}
On the phone:
textbelt free SMS - screenshot by author

We hope this curl cheat sheet helps you to explore curl and its uses. Happy curl hacking!

Frequently Asked Questions

]]> 0
Splunk Cheat Sheet: Search and Query Commands Fri, 25 Nov 2022 16:04:26 +0000 Splunk Cheat Sheet: Search and Query Commands Read More »

Whether you’re a cyber security professional, data scientist, or system administrator when you mine large volumes of data for insights using Splunk, having a list of Splunk query commands at hand helps you focus on your work and solve problems faster than studying the official documentation.

This article is the convenient list you need. It provides several lists organized by the type of queries you would like to conduct on your data: basic pattern search on keywords, basic filtering using regular expressions, mathematical computations, and statistical and graphing functionalities.

The following Splunk cheat sheet assumes you have Splunk installed. It is a refresher on useful Splunk query commands. Download a PDF of this Splunk cheat sheet here.

Brief Introduction of Splunk

The Internet of Things (IoT) and Internet of Bodies (IoB) generate much data, and searching for a needle of datum in such a haystack can be daunting.

Splunk is a Big Data mining tool. With Splunk, not only is it easier for users to excavate and analyze machine-generated data, but it also visualizes and creates reports on such data.

Splunk Enterprises-Search Result

Splunk Enterprise search results on sample data

Splunk contains three processing components:

  • The Indexer parses and indexes data added to Splunk.
  • The Forwarder (optional) sends data from a source.
  • The Search Head is for searching, analyzing, visualizing, and summarizing your data.
Splunk Processing Components

Search Language in Splunk

Splunk uses what’s called Search Processing Language (SPL), which consists of keywords, quoted phrases, Boolean expressions, wildcards (*), parameter/value pairs, and comparison expressions. Unless you’re joining two explicit Boolean expressions, omit the AND operator because Splunk assumes the space between any two search terms to be AND.

Basic Search offers a shorthand for simple keyword searches in a body of indexed data myIndex without further processing:

index=myIndex keyword

An event is an entry of data representing a set of values associated with a timestamp. It can be a text document, configuration file, or entire stack trace. Here is an example of an event in a web activity log:

[10/Aug/2022:18:23:46] userID=176 country=US paymentID=30495

Search commands help filter unwanted events, extract additional information, calculate values, transform data, and statistically analyze the indexed data. It is a process of narrowing the data down to your focus. Note the decreasing number of results below:

Finding entries without IPv4 address on sample data
Finding entries without IPv4 address on sample data

Common Search Commands

chart, timechartReturns results in a tabular output for (time-series) charting
dedup XRemoves duplicate results on a field X
evalCalculates an expression (see Calculations)
fieldsRemoves fields from search results
head/tail NReturns the first/last N results, where N is a positive integer
lookupAdds field values from an external source
renameRenames a field. Use wildcards (*) to specify multiple fields.
rexExtract fields according to specified regular expression(s)
searchFilters results to those that match the search expression
sort XSorts the search results by the specified fields X
statsProvides statistics, grouped optionally by fields
mstatsSimilar to stats but used on metrics instead of events
tableDisplays data fields in table format.
top/rareDisplays the most/least common values of a field
transactionGroups search results into transactions
whereFilters search results using eval expressions. For comparing two different fields.

SPL Syntax

Begin by specifying the data using the parameter index, the equal sign =, and the data index of your choice: index=index_of_choice.

Complex queries involve the pipe character |, which feeds the output of the previous query into the next.

This is the shorthand query to find the word hacker in an index called cybersecurity:

index=cybersecurity hacker

SPL search termsDescription
Full Text Search
CybersecurityFind the word “Cybersecurity” irrespective of capitalization
White Black HatFind those three words in any order irrespective of capitalization
"White Black+Hat"Find the exact phrase with the given special characters, irrespective of capitalization
Filter by fields
source="/var/log/myapp/access.log" status=404All lines where the field status has value 404 from the file /var/log/myapp/access.log
source="bigdata.rar:*" index="data_tutorial" Code=REDAll entries where the field Code has value RED in the archive bigdata.rar indexed as data_tutorial
index="customer_feedback" _raw="*excellent*"All entries whose text contains the keyword “excellent” in the indexed data set customer_feedback
Filter by host
host="myblog" source="/var/log/syslog" FatalShow all Fatal entries from /var/log/syslog belonging to the blog host myblog
Selecting an index
index="myIndex" passwordAccess the index called myIndex and text matching password.
source="*"Access the data archive called and parse all its entries (*).
sourcetype="datasource01"(Optional) Search data sources whose type is datasource01.

This syntax also applies to the arguments following the search keyword. Here is an example of a longer SPL search string:

index=* OR index=_* sourcetype=generic_logs | search Cybersecurity | head 10000

In this example, index=* OR index=_* sourcetype=generic_logs is the data body on which Splunk performs search Cybersecurity, and then head 10000 causes Splunk to show only the first (up to) 10,000 entries.

Basic Filtering

You can filter your data using regular expressions and the Splunk keywords rex and regex. An example of finding deprecation warnings in the logs of an app would be:

index="app_logs" | regex error="Deprecation Warning"

SPL filtersDescriptionExamples
searchFind keywords and/or fields with given valuesindex=names | search Chris
index=emails | search
regexFind expressions matching a given regular expressionFind logs not containing IPv4 addresses:
index=syslogs | regex
rexExtract fields according to specified regular expression(s) into a new field for further processingExtract email addresses:
source="email_dump.txt" | rex
field=_raw "From:
<(?<from>.*)> To: <(?<to>.*)>"

The biggest difference between search and regex is that you can only exclude query strings with regex. These two are equivalent:

  • source="access.log" Fatal
  • source="access.log" | regex _raw=".*Fatal.*"

But you can only use regex to find events that do not include your desired search term:

  • source="access.log" | regex _raw!=".*Fatal.*"

The Splunk keyword rex helps determine the alphabetical codes involved in this dataset:

Alphabetical codes in sample data
Alphabetical codes in sample data


Combine the following with eval to do computations on your data, such as finding the mean, longest and shortest comments in the following example:

index=comments | eval cmt_len=len(comment) | stats

avg(cmt_len), max(cmt_len), min(cmt_len) by index

FunctionReturn value / ActionUsage:eval foo=…
abs(X)absolute value of Xabs(number)
case(X,"Y",…)Takes pairs of arguments X and Y, where X arguments are Boolean expressions. When evaluated to TRUE, the arguments return the corresponding Y argumentcase(id == 0, "Amy", id == 1,"Brad", id == 2, "Chris")
ceil(X)Ceiling of a number Xceil(1.9)
cidrmatch("X",Y)Identifies IP addresses that belong to a particular subnetcidrmatch("",ip)
coalesce(X,…)The first value that is not NULLcoalesce(null(), "Returned val", null())
cos(X)Cosine of Xn=cos(60) #1/2
exact(X)Evaluates an expression X using double precision floating point arithmeticexact(3.14*num)
exp(X)e (natural number) to the power X (eX)exp(3)
if(X,Y,Z)If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result evaluates to the third argument Zif(error==200, "OK", "Error") 
in(field,valuelist)TRUE if a value in valuelist matches a value in field. You must use the in() function embedded inside the if() functionif(in(status, "404","500","503"),"true","false")
isbool(X)TRUE if X is Booleanisbool(field)
isint(X)TRUE if X is an integerisint(field)
isnull(X)TRUE if X is NULLisnull(field)
isstr(X)TRUE if X is a stringisstr(field)
len(X)Character length of string Xlen(field)
like(X,"Y")TRUE if and only if X is like the SQLite pattern in Ylike(field, "addr%")
log(X,Y)Logarithm of the first argument X where the second argument Y is the base. Y defaults to 10 (base-10 logarithm)log(number,2)
lower(X)Lowercase of string Xlower(username)
ltrim(X,Y)X with the characters in Y trimmed from the left side. Y defaults to spaces and tabsltrim(" ZZZabcZZ ", " Z")
match(X,Y)TRUE if X matches the regular expression pattern Ymatch(field, "^\d{1,3}\.\d$")
max(X,…)The maximum value in a series of data X,…max(delay, mydelay)
md5(X)MD5 hash of a string value Xmd5(field)
min(X,…)The minimum value in a series of data X,…min(delay, mydelay)
mvcount(X)Number of values of Xmvcount(multifield)
mvfilter(X)Filters a multi-valued field based on the Boolean expression Xmvfilter(match(email, "net$"))
mvindex(X,Y,Z)Returns a subset of the multi-valued field X from start position (zero-based) Y to Z (optional)mvindex(multifield, 2)
mvjoin(X,Y)Joins the individual values of a multi-valued field X using string delimiter Ymvjoin(address, ";")
now()Current time as Unix timestampnow()
null()NULL value. This function takes no arguments.null()
nullif(X,Y)X if the two arguments, fields X and Y, are different. Otherwise returns NULL.nullif(fieldX, fieldY)
random()Pseudo-random number ranging from 0 to 2147483647random()
relative_time (X,Y)Unix timestamp value of relative time specifier Y applied to Unix timestamp Xrelative_time(now(),"-1d@d")
replace(X,Y,Z)A string formed by substituting string Z for every occurrence of regex string Y in string X
The example swaps the month and day numbers of a date.
replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
round(X,Y)X rounded to the number of decimal places specified by Y, or to an integer for omitted Yround(3.5)
rtrim(X,Y)X with the characters in (optional) Y trimmed from the right side. Trim spaces and tabs for unspecified Yrtrim(" ZZZZabcZZ ", " Z")
split(X,"Y")X as a multi-valued field, split by delimiter Ysplit(address, ";")
sqrt(X)Square root of Xsqrt(9) # 3
strftime(X,Y)Unix timestamp value X rendered using the format specified by Ystrftime(time, "%H:%M")
strptime(X,Y)Value of Unix timestamp X as a string parsed from format Ystrptime(timeStr, "%H:%M")
substr(X,Y,Z)Substring of X from start position (1-based) Y for (optional) Z characterssubstr("string", 1, 3) #str
time()Current time to the microsecond.time()
tonumber(X,Y)Converts input string X to a number of numerical base Y (optional, defaults to 10)tonumber("FF",16)
tostring(X,Y)Field value of X as a string.
If X is a number, it reformats it as a string. If X is a Boolean value, it reformats to “True” or “False” strings.
If X is a number, the optional second argument Y is one of:”hex”: convert X to hexadecimal,”commas”: formats X with commas and two decimal places, or”duration”: converts seconds X to readable time format HH:MM:SS.
This example returns bar=00:08:20:
| makeresults | eval bar = tostring(500, "duration")
typeof(X)String representation of the field typeThis example returns  "NumberBool":
| makeresults | eval n=typeof(12) + typeof(1==2)
urldecode(X)URL X, decoded.urldecode("")
validate(X,Y,…)For pairs of Boolean expressions X and strings Y, returns the string Y corresponding to the first expression X which evaluates to False, and defaults to NULL if all X are True.validate(isint(N), "Not an integer", N>0, "Not positive")

Statistical and Graphing Functions

Common statistical functions used with the chart, stats, and timechart commands. Field names can contain wildcards (*), so avg(*delay) might calculate the average of the delay and *delay fields.

FunctionReturn value
Usage: stats foo=… / chart bar=… / timechart t=…
avg(X)average of the values of field X
count(X)number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="desired_value").
dc(X)count of distinct values of the field X
earliest(X)latest(X)chronologically earliest/latest seen value of X
max(X)maximum value of the field X. For non-numeric values of X, compute the max using alphabetical ordering.
median(X)middle-most value of the field X
min(X)minimum value of the field X. For non-numeric values of X, compute the min using alphabetical ordering. 
mode(X)most frequent value of the field X
percN(Y)N-th percentile value of the field Y. N is a non-negative integer < 100.Example: perc50(total) = 50th percentile value of the field total.
range(X)difference between the max and min values of the field X
stdev(X)sample standard deviation of the field X
stdevp(X)population standard deviation of the field X
sum(X)sum of the values of the field X
sumsq(X)sum of the squares of the values of the field X
values(X)list of all distinct values of the field X as a multi-value entry. The order of the values is alphabetical
var(X)sample variance of the field X

Index Statistics

Compute index-related statistics.

From this point onward, splunk refers to the partial or full path of the Splunk app on your device $SPLUNK_HOME/bin/splunk, such as /Applications/Splunk/bin/splunk on macOS, or, if you have performed cd and entered /Applications/Splunk/bin/, simply ./splunk.

| eventcount summarize=false index=* | dedup index | fields indexList all indexes on your Splunk instance. On the command line, use this instead:
splunk list index
| eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2)Show the number of events in your indexes and their sizes in MB and bytes
| REST /services/data/indexes | table title currentDBSizeMBList the titles and current database sizes in MB of the indexes on your Indexers
index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by seriesQuery write amount in MB per index from metrics.log
index=_internal metrics kb series!=_* "group=per_host_thruput" | timechart fixedrange=t span=1d sum(kb) by seriesQuery write amount in KB per day per Indexer by each host
index=_internal metrics kb series!=_* "group=per_index_thruput" | timechart fixedrange=t span=1d sum(kb) by seriesQuery write amount in KB per day per Indexer by each index

Reload apps

To reload Splunk, enter the following in the address bar or command line interface.

Address barDescription
http://localhost:8000/debug/refreshReload Splunk. Replace localhost:8000 with the base URL of your Splunk Web server if you’re not running it on your local machine.
Command lineDescription
splunk _internal call /data/inputs/monitor/_reloadReload Splunk file input configuration
splunk stop
splunk enable webserver
splunk start
These three lines in succession restart Splunk.

Debug Traces

You can enable traces listed in $SPLUNK_HOME/var/log/splunk/splunkd.log.

To change trace topics permanently, go to $SPLUNK_HOME/bin/splunk/etc/log.cfg and change the trace level, for example, from INFO to DEBUG: category.TcpInputProc=DEBUG


08-10-2022 05:20:18.653 -0400 INFO  ServerConfig [0 MainThread] - Will generate GUID, as none found on this server.


08-10-2022 05:20:18.653 -0400 DEBUG  ServerConfig [0 MainThread] - Will generate GUID, as none found on this server.

To change the trace settings only for the current instance of Splunk, go to Settings > Server Settings > Server Logging:

Server Logging

Filter the log channels as above.

Select Log Server

Select your new log trace topic and click Save. This persists until you stop the server.


The following changes Splunk settings. Where necessary, append -auth user:pass to the end of your command to authenticate with your Splunk web server credentials.

Command lineDescription
splunk btool inputs listList Splunk configurations
splunk btool checkCheck Splunk configuration syntax
Input management
splunk _internal call /data/inputs/tcp/rawList TCP inputs
splunk _internal call /data/inputs/tcp/raw -get:search sourcetype=fooRestrict listing of TCP inputs to only those with a source type of foo
License details of your current Splunk instance
splunk list licensesShow your current license
User management
splunk _internal call /authentication/providers/services/_reloadReload authentication configurations for Splunk 6.x
splunk _internal call /services/authentication/users -get:search adminSearch for all users who are admins
splunk _internal call /services/authentication/users -get:search indexes_editSee which users could edit indexes
splunk _internal call /services/authentication/users/helpdesk -method DELETEUse the remove link in the returned XML output to delete the user  helpdesk

Capacity Planning

Importing large volumes of data takes much time. If you’re using Splunk in-house, the software installation of Splunk Enterprise alone requires ~2GB of disk space. You can find an excellent online calculator at

The essential factors to consider are:

  • Input data
    • Specify the amount of data concerned. The more data you send to Splunk Enterprise, the more time Splunk needs to index it into results that you can search, report and generate alerts on.
  • Data Retention
    • Specify how long you want to keep the data. You can only keep your imported data for a maximum length of 90 days or approximately three months.
    • Hot/Warm: short-term, in days.
    • Cold: mid-term, in weeks.
    • Archived (Frozen): long-term, in months.
  • Architecture
    • Specify the number of nodes required. The more data to ingest, the greater the number of nodes required. Adding more nodes will improve indexing throughput and search performance.
  • Storage Required
    • Specify how much space you need for hot/warm, cold, and archived data storage.
  • Storage Configuration
    • Specify the location of the storage configuration. If possible, spread each type of data across separate volumes to improve performance: hot/warm data on the fastest disk, cold data on a slower disk, and archived data on the slowest.

We hope this Splunk cheat sheet makes Splunk a more enjoyable experience for you. To download a PDF version of this Splunk cheat sheet, click here.

Frequently Asked Questions

]]> 0
How to Use Metasploit in Kali Linux: A Step-By-Step Tutorial Thu, 24 Nov 2022 13:03:00 +0000 How to Use Metasploit in Kali Linux: A Step-By-Step Tutorial Read More »

Getting started with Metasploit can be challenging for new users. You may have trouble installing Metasploit as antivirus applications often flag it as malicious, and failing to install prerequisite software (e.g., PostgreSQL) will limit functionality.

This tutorial will help you bypass these pitfalls by teaching you how to use Metasploit in Kali Linux on a Virtual Machine (VM). On Kali, you’ll find Metasploit Framework pre-installed along with 600 other useful security tools. We’ll also help you set up a deliberately vulnerable system (Metasploitable3) with which to practice.

In this tutorial, we will cover:

  • Deploying a Kali Linux virtual machine with Metasploit pre-installed
  • Setting up a target in a virtual lab
  • A sample walkthrough against a vulnerable MySQL Server
  • Frequently Asked Questions (FAQ)

Without further ado, let’s get started!

Minimum System Requirements for Metasploit

Kali Linux (in its barebones state) can run on as little as 128MB of RAM and 2GB of disk space, but this isn’t sufficient to run Metasploit Framework. For that, the minimum system requirements are:

  • Processor: 2GHz+ processing power
  • Memory: 4GB of RAM (8GB is recommended)
  • Storage: 1GB of disk space (50GB is recommended)

Note: If you are installing Metasploit Framework as a stand-alone application on Windows, Linux, or OSX, you should disable your antivirus software and firewall as these can interfere with installation and operation!

How to Setup a Metasploit Virtual Lab Using Kali Linux and Metasploitable3

While it’s possible to install Metasploit Framework as a standalone application, the quickest (and easiest) way to get started with Metasploit is to use a Linux distribution it’s already present on, such as Kali Linux. 

We’ll use Metasploitable3, which includes an intentionally-vulnerable Windows Server 2008 R2 Virtual Machine (VM) for our target. To do this, we will download and install:

  • Oracle VirtualBox to host our VMs on a compatible Windows PC
  • Vagrant to provision our Metasploitable3 VMs (Windows Server 2008 R2)
  • The Kali Linux Virtual Appliance for VirtualBox

Download and Install VirtualBox

1. Download and install the latest version of VirtualBox using the Windows hosts link:

Download and install virtualbox window

Follow the on-screen prompts to complete the installation. For a detailed explanation of the Setup Wizard options, you can refer to Chapter 2 of the VirtualBox manual.

2. Once installed, you’ll see the Oracle VM VirtualBox in your start menu, click on it to launch the VirtualBox application.
3. We’ll also need to download and install the Oracle VM VirtualBox Extension Pack as  it’s required to run the Kali Linux Virtual Appliance:

4. Running the file will prompt you with a warning. Click Install to proceed:

5. After reading the license terms, click I Agree to proceed:

6. When completed, you’ll receive a notice indicating that the installation was successful.

Click OK to close the window:

Install Vagrant and Provision the Metasploitable3 VMs

Rapid7 (the developers of Metasploit and Metasploitable) uses an open-source tool called Vagrant to provide their pre-built Metasploitable3 images. In the instructions below, we will:

  • Install Vagrant
  • Pull down Rapid7’s Vagrant configuration file, “Vagrantfile,” from their GitHub repository
  • Deploy the Metasploitable3 VMs using Vagrant

The configuration file (i.e., “Vagrantfile”) provisions two Metasploitable3 VMs images, Ubuntu 14.04 and Window Server 2008 R2 – we’ll be using the later. These VMs will require 65GB of storage and 4.5GB of RAM, so be sure you have sufficient resources before deploying these VMs.

Note: The Window Server 2008 R2 operating system uses a trial license which may have expired on the provisioned VM. The VM will shut down every 1-2 hours if the trial expires, so you’ll either want to rebuild the VM or give it a license key (if you have one).

  1. We’ll need to download and install the latest version of Vagrant to provision Metasploitable3 VMs:

Note: “686” refers to the 32-bit version. We’ll be using “Amd64”, the 64-bit version. The installation will require a reboot!

After downloading the installation package, simply run it and follow the prompts to complete the installation. The product documentation (found here) can help you answer any questions about installation or compatibility.

  1. With VirtualBox and Vagrant installed, we can pull down the Metasploitable3 VMs. To do this, open PowerShell as an administrator and create a new staging folder (I chose “D:\Temp” for this demonstration).

    a. Run the following command to pull down the Vagrant deployment script for the Metasploitable3 VMs from the GitHub repository: Invoke-WebRequest -Uri “” -OutFile “Vagrantfile”

b. Then run vagrant up to download and provision the Metasploitable3 VMs:

  1. For your VMs to be on the same network as your host, you’ll want to configure their network adapters to run in “bridged” mode (i.e., the virtual network adapter behaves as though it’s on the same network as the physical VM host). You can do this by clicking on Settings > Network and selecting Bridged Adapter:

Click OK to save the settings.

  1. You’ll need to log into the Windows Server 2008 R2 VM and verify its IP address. The default credentials are:
    1. Username: vagrant
    2. Password: vagrant
  2. Open Command Prompt and run ipconfig to verify the IP address ( on my VM):

Your IP address will differ depending on the DHCP range used by your test environment’s network. Take note of this address as you’ll need it later.

We now have a Metasploitable3 VM running and ready to exploit! Next, we’ll need to download and configure our Kali Linux VM.

Download and Configure the Kali Linux Virtual Appliance for VirtualBox

Note: We will not need to download and install Metasploit Framework and its optional supporting tools since they’re already present on that image.

1. Browse to and select Virtual Machines from the list of available platforms:

2. We’ll choose the 64-bit (default) and select VirtualBox VM. Click the to download the file:

3. Once the Kali Linux virtual appliance file finishes downloading, you can import it into VirtualBox by opening the Oracle VM VirtualBox Manager and selecting File > Import Appliance…

4. Locate the downloaded Kali Linux virtual appliance file and select Open, then click Next and finally Import:

You can monitor the import process using the display bar, which closes when completed.

5. You will now see both Metasploitable3 VMs and Kali Linux VMs in your list:

Before we launch Kali, we’ll want to configure the VM’s network adapter in bridged mode, just as we did for our Metasploitable3 Windows Server 2008 R2 VM (see step 3 of the previous section).

6. Select the Kali Linux VM from the list and click Start to run the VM:

Note: If your Kali Linux appliance failed to launch, this could be because you did not install the Oracle VM VirtualBox Extension Pack, which you can find here.

7. You can now login to the Kali Linux VM using the default credentials:

  • Username: kali
  • Password: kali

8. Before starting the Metasploit Framework console, we’ll want to verify that we have network connectivity from Kali Linux to the Metasploitable3 VM by pinging its IP address (the one we noted in Step 5 of the previous section). To do this, open a terminal session using CTRL+ALT+T, then ping the IP address of the Metasploitable3 server:

We are now ready to begin using Metasploit!

How to Use Metasploit in Kali Linux

  1. Click the Applications button in the upper right-hand corner of the screen (shaped like a white dragon with a blue background)
  2. As you begin to type, “metasploit,” the search bar auto-complete will bring up the metasploit framework application:

The shortcut launches a terminal window and runs the following command:

To understand what this is doing, we can break the command down into three parts:

  1. In Unix-like operating systems such as Linux, ‘sudo’ is used to run other commands that require elevated permissions (required by the next two steps).
  2. The command ‘msfdb init’ starts the PostgreSQL service, checks to see if a database exists for Metasploit, and if not, creates it.
  3. Lastly, ‘&&’ checks whether the preceding command (i.e., ‘msfdb init’) executed successfully, and if so, runs the subsequent command ‘msfconsole,’ launching the Metasploit Framework Console.

The console displays one of several random banners upon launch:

You can display a different banner at any time by using the Banner command, or if you’re running Metasploit from a terminal window, you can include the -q switch (e.g., msfconsole -q) to prevent a banner from displaying on launch.

Before you begin, run the ‘db_status’ command to verify that the PostgreSQL service is running and that the Metasploit Framework database is initialized:

Note: If it doesn’t display “Connected to msf,” ensure that the PostgreSQL service is started (e.g., open a terminal window and type sudo service postgresql start), then rerun msfdb init.

How to Use the Metasploit Framework Console

The Metasploit Framework Console (msfconsole) is a command-line interface (CLI) that allows you to search for and run modules (stand-alone pieces of software used to perform a particular task) and fall into three broad categories:

  • Auxiliary: These modules gather information about a target, such as the TCP Port Scanner and SSH Login Scanners used in our demonstration attack.
  • Exploits: These modules (through the use of payloads) take advantage of discovered vulnerabilities to exploit known weaknesses on target systems. E.g., the ProFTPD attack we used to gain access to the user list on our target system.
  • Payloads: Payloads are the code used by the exploit module to interact with a target.

To get started, enter help to view a list of commands:

Some other useful commands include:

  • Search –  Used to look up modules by name, description, CVE number, etc.
  • Use – Launches a module by name, search term, or index number
    • Options – Display options for a loaded module
    • Set – Configure specific options/variables from inside a loaded module
    • Run – Runs the loaded module
  • Back – Backs out of the current context you’re in
  • Exit – Quits the console

In the walkthrough below, we’ll provide detailed examples of how to use these commands.


Metasploit Walkthrough: Exploiting MySQL

Now that we have set up our virtual lab, verified connectivity, and covered some basic concepts and commands, let’s step through a sample MySQL exploit.

MySQL Service Discovery

We’ll want to use a port scanner to understand what ports are open on our target. While Kali Linux comes pre-packaged with several port scanning tools, we can also see which ones are available in the Metasploit Framework console using the search command (e.g., search portscan):

The keyword in the search is highlighted. Number 5 looks promising, so let’s use the info to provide us with additional information (i.e., info 5):

Having read the description, we know that this utility is suitable for our purposes, so we’ll enter use 5 to load the “TCP Port Scanner” module:

Note that the prompt has changed to “msf6 auxiliary(scanner/portscan/tcp) >”, indicating that the “TCP Port Scanner” module is currently loaded.

Although the info command provided us with a list of available options, we can use the options command from within the module context to display their current configuration:

We can see that RHOSTS is the parameter for our target, so we’ll need to configure it using the set command (i.e., set RHOSTS

If we enter options again, we can see that the RHOSTS parameter is set to our Metasploitable3 VM’s IP address:

The default port range for this scanner is 1-10,000. If left as-is, the scanner would eventually determine that port 3306 (MySQL) is open. For the sake of brevity, we’ll use the set command to update this to only check for the presence of MySQL on the target (Port 3306):

With our options set, we can now use the run command to scan on 3306:

Kali Linux comes with several other third-party port-scanning utilities, including Nmap, which we can use to interrogate port 3306 to learn more about the MySQL service running using the following command

sudo nmap -sV -O -p3306

  • Sudo nmap runs the Nmap command with elevated permissions (required by the -O switch, described below)
  • -sV probes the target ports to attempt to determine the service running on that port and its  version (required to determine whether the target is using an old/known vulnerable version of a particular service)
  • -O enables Operating System detection (also useful as the OS may have known vulnerabilities associated with it)
  • is the IP address of our target
  • -p3306 specifies the port(s) we want to scan (we chose port 3306 since we know the target is listening on that that)

Our Nmap scan confirms MySQL is running on the target server running version 5.5.20. You can also use the search command to look for a module to we can use to determine the MySQL version (e.g., search type:auxiliary mysql)

Looking at the list above, number 11 (auxiliary/scanner/mysql/mysql_version) seems suitable. To select it, enter use 11:

use 11 terminal console output

If we look at the options for this module, we can see that it requires a target host (RHOSTS). We’ll set this to, verify the settings with the options command again and then run the module:

Bruteforcing the MySQL Root Account

Now that we’ve confirmed MySQL’s version and port number, we can attempt to connect to the instance and bruteforce the root password using the auxiliary/scanner/mysql/mysql_login module (e.g., use auxiliary/scanner/mysql/mysql_login) :

use auxiliaryscannermysqlmysql_login terminal console output

We’ll review the list of options, then set RHOSTS to This module also supports the use of word list, we’ll use /usr/share/wordlists/rockyou.txt, but first, we’ll need to unzip it. Open a terminal session (CTRL+ALT+T) and use the following command to unzip the archive: gunzip /usr/share/wordlists/rockyou.txt.gz

gunzip /usr/share/wordlists/rockyou.txt.gz terminal console output

Going back to the Metasploit session, we can use “set PASS_FILE /usr/share/wordlists/rockyou.txt” to define the wordlist path and run the module:

set PASS_FILE /usr/share/wordlists/rockyou.txt terminal console output

The output indicates that the root password is blank.

Enumerating Data From MySQL

In cyber security, “enumeration” is the extraction of useful information from a compromised target to gain access to sensitive information.

We can load the MySQL Enumeration Module (auxiliary/admin/mysql/mysql_enum) to retrieve a list of the MySQL accounts and their privileges:

use auxiliary/admin/mysql/mysql_enum terminal console output

MySQL Exploitation

As we can see from MySQL enumeration results, root access allows us to compromise any data available in SQL server. We can use the “MySQL SQL Generic Query” module (auxiliary/admin/mysql/mysql_sql) to run SQL commands on the target server:

use auxiliary/admin/mysql/mysql_sql terminal console output

We’ll set USERNAME to root, RHOSTS to and SQL to show databases, confirm our options and run the module:

set USERNAME root terminal console output

This gives us a list databases on the server but is a bit tedious to work with as you have to keep updating the SQL option and rerunning the module to get anywhere with it. Instead, we’ll just connect directly to the MySQL instance using our root privileges in a new terminal session (CTRL+ALT+T):

CTRL+ALT+T terminal console output

I’d like gain access to that WordPress application, so let’s change the admin password to something we know (e.g., MyNewPassword123!):

change the admin password terminal console output

Lastly, let’s try logging in to WordPress web application using the newly reset Admin Password:

metasploit3 admin login

This works as we can log in successfully using the reset credentials:

metasploit3 dashboard

Note: An alternative (read: better) option would be to use our MySQL root access to create a new admin user account on any systems we wanted to compromise as changing an existing password (and other destructive behavior) is more likely to be detected by a  user or systems administrator.


In this tutorial, we described how to set up a virtual lab using Kali Linux and Metasploitable3, explained the basics of Metasploit Framework, and demonstrated an attack against a vulnerable MySQL Database Server running on Windows Server 2008 R2.

The information and examples provided in this tutorial only scratch the surface of what you can do with Kali Linux and Metasploit Framework. To learn more about this and other penetration testing tools, consider checking out StationX’s Complete Ethical Hacker Course.

Frequently Asked Questions

]]> 0
CEH vs OSCP 2022: Which One Should You Pursue? Wed, 23 Nov 2022 12:50:30 +0000 CEH vs OSCP 2022: Which One Should You Pursue? Read More »

Obtaining an industry-recognized cyber security certification like EC-Council’s Certified Ethical Hacker (CEH) or Offensive Security’s Offensive Security Certified Professional (OSCP) is an excellent way for aspiring cyber security professionals to highlight their skills and capabilities. Whether you pursue CEH vs OSCP will depend on your career goals, time, and budget.

This article will compare and contrast these two popular penetration testing-focused certifications to help you decide which one is right for you. Some of the major topics we’ll cover are a breakdown of both certifications, their exam formats, attractiveness to employers, and earning potential. We’ll conclude with a “Final Verdict” of our recommendations.

About CEH and OSCP Certifications

The CEH and OSCP are popular and widely recognized penetration testing certifications. Before we dive into our comparison, it’s important to point out that there are two different CEH certifications: CEH (ANSI) and CEH (Practical).

CEH (ANSI) refers to the certification obtained through passing EC-Council’s multiple-choice exam. The lesser-known CEH (Practical) exam is a set of capture-the-flag (CTF) style scenarios to be solved in a proctored virtual lab. Completing both exams awards you the CEH (Master) designation.

The OSCP exam involves not only compromising several vulnerable machines but also collecting evidence of your exploits and providing a thorough report of the precise steps you took to achieve them. In other words, the sorts of things you’d be doing in the role of a penetration tester.

About Certified Ethical Hacker CEH (ANSI)

CEH certification was established in 2003 by EC-Council, an ANSI 17024 accredited organization. EC-Council purports its CEH certification to be the world’s most in-demand ethical hacking certification, and for good reason! More on that below.

Certified Ethical Hacker-ANSI

CEH is a standalone certification acquired through successfully completing a written exam covering a breadth of ethical hacking and information security topics. For the sake of clarity, we’ll refer to this certification going forward as “CEH (ANSI).”

Although the CEH (ANSI) certification is in high demand by prospective employers, serious cyber security professionals lend far less credence to it, given the short preparation required (usually a 5-day boot camp), and its relative ease compared to hands-on examinations, such as the OSCP.

About Certified Ethical Hacker CEH (Practical)

In 2018, EC-Council introduced the CEH (Practical) exam, an optional certification CEH (ANSI) holders can pursue and consists of a hands-on, scenario-based lab. Completing both the CEH (ANSI) and CEH (Practical) awards the designation of CEH (Master).

Certified Ethical Hacker- Practical

Despite its focus on real-world competency, the CEH (Master) designation isn’t particularly well-known among employers, as we’ll demonstrate in the “Job Opportunities” section below.

About Offensive Security Certified Professional (OSCP)

OSCP is a penetration testing certification designed by the creators of Kali Linux to test your real-world penetration testing knowledge and skill set.

Offensive Security Certified Professional OSCP

The OSCP certification is a departure from traditional exam formats. In place of questions is a network of systems containing exploitable vulnerabilities for you to discover, exploit and document.

Offensive Security emphasizes a learn-by-doing approach. Their mantra, “Try Harder,” is short-hand for their values of persistence, creativity, and perception. If the road to becoming a penetration tester is a journey, the OSCP is a marathon. There are no shortcuts.

Exam Details

CEH (ANSI) Exam Details

The CEH (ANSI) is a closed-book, knowledge-based exam. It consists of 125 multiple-choice questions covering 20 domains and must be completed within 4 hours. Some of the topics covered include:

  • Information security threats and attack vectors
  • Attack detection
  • Attack prevention
  • Information security procedures and methodologies

The minimum passing score for CEH (ANSI) exam can range from 60% to 85%, depending on the test bank you receive.

The specific topics you’ll need to know for the exam are covered in our comprehensive CEH exam cheat sheet.

CEH (Practical) Exam Details

The CEH (Practical) is an open-book, skills-based exam. It consists of 20 challenges to be completed within 6 hours. These challenges require you to demonstrate several ethical hacking techniques, including:

  • Port scanning
  • Vulnerability detection
  • System attacks (e.g., DoS, DDoS, session hijacking, web server and web application attacks, wireless threats)
  • SQL injection attacks, methodology, and evasion

The minimum passing score for the CEH (Practical) exam is 70% (i.e., 14/20 challenges completed).

As a reminder, completing both the CEH (ANSI) and CEH (Practical) awards you the CEH (Master) designation.

OSCP Exam Details

The OSCP “exam” is a proctored lab that simulates a network containing several vulnerability target systems. The tester will receive an email from Offensive Security containing the VPN path and credentials to access the lab, a list of targets, and a link to the exam control panel (a web portal used to submit evidence).

Your objective is to discover and exploit vulnerabilities on each target to gain access to a “proof” file. Proof files contain hashes that users can only view with appropriate permissions. The exam control panel includes a section you can use to submit these hashes as proof of exploitation.

As part of your documentation, you will need to prepare a penetration test report describing the steps you took to gain privileged access to each target system. You must include screenshots of each compromised proof file’s contents (hash) from their original location and IP addresses.

Late last year, Offensive Security announced that the exam structure was changing to introduce Active Directory and de-emphasize buffer overflow. The current test breaks down as follows:

  • Three individual machines worth 20 points each (10 points for low-privilege, 10 points for privilege escalation) 
  • An Active Directory set (two clients, one domain controller) worth 40 points (points are awarded for the full exploit chain of the domain only)

Participants have 23 hours and 45 minutes to complete the exam and another 24 hours to submit their documentation. The minimum passing score for the OSCP is 70 points. 

You can earn an additional 10 bonus points, which will count toward your score by completing the self-paced labs included in the coursework.

Eligibility Requirements

CEH (ANSI) Requirements

As a prerequisite to taking the CEH (ANSI) exam, EC-Council requires candidates to either:

  1. To complete EC-Council’s official CEH training course or
  2. Possess at least two years of work experience in Information Security

If you have the relevant information security experience and wish to skip the official training course, you must submit an eligibility application form and pay a fee (details below). This fee is non-refundable, regardless of whether or not your application to sit for the exam is accepted.

CEH (Practical) Requirements

The CEH (Practical) exam is intended for those who have successfully completed the CEH (ANSI), but has no other requirements otherwise.

OSCP’s Requirements

Offensive Security lists the course prerequisites for the OSCP exam as follows:

  • Solid understanding TCP/IP networking
  • Reasonable Windows and Linux administration experience
  • Familiarity with basic Bash and/or Python scripting

It’s worth noting that unlike CEH (ANSI), these are “soft” requirements; there is no eligibility application; the only validation of the experience above is whether or not you pass the exam.

Winner: OSCP

There is no eligibility requirement to sit for the OSCP exam; regardless of experience, anyone may attempt it.

Exam Difficulty

The CEH (ANSI) exam tests your knowledge of cyber security and penetration testing concepts.

The CEH (Practical) exam takes this one step further by requiring you to demonstrate these skills at a component level, each designed to test competency in a specific area (e.g., packet sniffing, steganography, etc.).

The OSCP is exponentially more difficult (and more realistic) because it does not provide any guidance as to what you’ll need to do to exploit each system – that’s for Offensive Security to know and for you to find out… within 23 hours and 45 minutes.

Winner: CEH (ANSI)

Most beginners looking for an entry-level cyber security certification will find the OSCP prohibitively difficult. The CEH (ANSI) exams offer a means to build foundational knowledge and the confidence to tackle progressively more difficult certifications like the CEH (Practical) and OSCP.

Recognition and Reputation

CEH (ANSI)’s Reputation

The CEH (ANSI) certification carries a certain mystique with prospective employers due to its maturity, ANSI accreditation, and endorsement from the Department of Defense. However, the CEH (ANSI) garners less enthusiasm from the cyber security community due to its ease of acquisition.

CEH (Practical)’s Reputation

The CEH (Practical) lacks both the rigor of the OSCP and CEH (ANSI)’s recognition.

OSCP’s Reputation

The OSCP is widely known and respected as a highly challenging certification, even for experienced penetration testers. It requires you to perform penetration testing instead of rote memorization of terms and utilities.

Further, it requires that the tester provide sufficient elaboration of the steps taken to execute the compromise – a skill overlooked in CEH but crucial to penetration testing as a profession.

Winner: OSCP

While EC-Council boasts that CEH is the “gold standard” of ethical hacking, holders of this certification are not known for being prepared for a penetration testing role. In contrast, those who’ve completed with OSCP exam successfully have proven their capability.

Job Opportunities

We searched US-based opportunities across three popular job boards and found that “CEH” was included in job descriptions 1.5 to 3 times more often than “OSCP”. Job descriptions featuring “CEH (Practical)” received the fewest hits at approximately 1-5% of the numbers we observed for the “CEH” search term.

CEH vs OSCP Job Opportunities Table

Between 4-16% of the postings included both search terms, suggesting either certification would be acceptable.

The table below was compiled from data* published on, comparing salary ranges by certification and job title. They did not differentiate between CEH (ANSI) and CEH (Practical) holders, but we’ll assume they meant the prior:

CEH vs OSCP Salary Range Table

*The figures above were current as of September 2022. The CEH certification was based on 2,612 individual reports, while the OSCP salaries came from a much smaller sample size of 440 individuals.

In addition to Job title, experience also goes a long way toward determining overall compensation for a given role. The graph below illustrates a breakdown of the average experience level of CEH (ANSI) holders according to

CEH average experience level

Although CEH (ANSI) is considered an entry-level ethical hacking certification, the data implies that very few entry-level job candidates hold that certification. By comparison, far fewer late-career and experienced candidates are pursuing an OSCP:

OSCP average experience level

Winner: CEH (ANSI)

Prospective employers are asking for CEH-certified applicants far more often than OSCP holders. The job postings we reviewed usually didn’t specify whether they were looking for CEH (ANSI), CEH (Practical), or both ( i.e., CEH (Master) designation).

While a CEH (ANSI) certification alone might help you to get your foot in the door, the competency demonstrated by attaining a CEH (Practical) certification and, to a greater extent, the OSCP certification may help you be successful in that role.

Cost and Recertification


Before purchasing an exam voucher, you must spend $850 for the official CEH training course.

Alternatively, if you have at least two years of information security experience can submit an eligibility application form and a non-refundable $100 application fee. If EC-Council rejects your application, they will not issue a refund.

The current cost of the CEH (ANSI) exam voucher through Pearson Vue is $1,199. If you plan to take the exam online via ProctorU, you can save a little money by purchasing an ECC exam voucher for $950.

If you fail your CEH (ANSI) exam, you can apply for a retake, and if approved, you can purchase the voucher for $499.

CEH (Practical) Cost

The CEH (Practical) exam voucher is $550.

At a minimum, an experienced Information Security Professional will pay $1,600 for their CEH (Master) designation.

Candidates that don’t meet the experience eligibility requirements can expect to pay at least $2,350 for their CEH (Master) designation.

Upon successful completion, all EC-Council certifications are valid for three years. To recertify, you must:

  1. Pay an annual membership fee of $80
  2. Earn 120 EC-Council Continuing Education (ECE) credits within the three-year window (per certification)

You can earn ECE credits by earning other security-related certifications and attending information security-related conferences and events. You can read more about EC-Council’s ECE Policy here.


Offensive Security doesn’t sell a stand-alone exam voucher. Instead, they offer a bundle for $1,499 that includes the following:

  • The course (PEN-200)
  • 90 days of lab access (online)
  • OSCP exam certification fee (1 attempt)

You can purchase additional lab access for $359/per 30-day extension. If you don’t pass the first time, you can retake the exam for $249.

Another option is to purchase Offensive Security’s Learn One subscription plan. For $2,499 annually, you will receive the following:

  • Access to the OSCP course material and two exam attempts
  • One year of access to the course labs
  • One year of access to the Proving Groups Practice targets (virtual lab)
  • Access to pre-requisite content
  • Access to the Kali Linux Certified Professional (KLCP) course material and exam voucher
  • Access to the Offensive Security Wireless Professional (OSWP) course material and exam voucher

The OSCP (and other certifications offered by Offensive Security) do not expire and do not need to be renewed.

Winner: OSCP

If you can commit to a significant amount of study time and lab practice over a relatively short period (90 days), the OSCP certification bundle may be the right choice. It’s between $100-850 less expensive than earning a CEH (Master) designation.

This gap widens when you factor in the cost of CEH recertification ($80/year, not including any other expenses incurred through earning ECE credits).

The Learn One subscription is a better option for those who need more time to prepare since you’ll have an entire year’s worth of access. While it’s more expensive than the CEH, the hands-on lab access and additional certification coursework offer more value (provided you can complete all three courses and their exams within a year).

CEH vs OSCP – The Final Verdict

The decision of OSCP vs CEH (or possibly both) ultimately rests on your career goals. The table below summarizes the criteria we evaluated in this article:

CEH ANSI vs CEH practical vs OSCP Final Verdict Table

If you’re serious about pursuing a career as a penetration tester, you should be working toward your OSCP certification.

Otherwise, if you’re looking to make a career change, perhaps from a general IT background into a more cyber security-focused role, earning your CEH (ANSI) certification may help you get recognized by prospective employers.

Since most employers aren’t looking for CEH (Practical) candidates, we can’t recommend going beyond CEH (ANSI). 

While CEH (ANSI) and CEH (Practical) can be used as stepping stones to prepare for OSCP, those who earn their OSCP won’t have use for a CEH (Master) designation.

StationX offers bundles for both CEH and OSCP certification through our VIP subscription. VIP membership provides you with the relevant content needed to successfully prepare for and pass either exam and unlimited access to hundreds of other courses covering information technology, information security, computer networking, and much more!

]]> 0
HTTP Status Codes Cheat Sheet: A Quick Reference Tue, 22 Nov 2022 12:24:01 +0000 HTTP Status Codes Cheat Sheet: A Quick Reference Read More »

When you’re working with web applications, whether as a website administrator or a penetration tester, chances are you’ve had to do a web search on a three-digit code like “how to fix 404 error” and wade through the same volume of search results repeatedly. You’ve seen the three-digit code before, but it always slips your mind.

These three-digit codes are called HTTP status codes. They’re crucial to understanding server behavior, conducting appropriate security tests, or refraining from overdoing them. Servers flooded with requests usually return 4XX or 5XX errors, which you will find below, and having too many redirects can also point to serious cyber space security problems.

From now on, you don’t have to do those searches anymore because we have prepared this HTTP status codes cheat sheet for you. You can download this cheat sheet here.

When you’re ready, let’s dive in.

What Is an HTTP Status Code?

HTTP is short for “Hypertext Transfer Protocol”. An HTTP status code consists of three digits. It tells you the result of a client request to a server and the semantics of the server response, including whether the request was successful and its contents if such a payload exists. All valid status codes are between 100 and 599 inclusive.

HTTP status codes come in five classes, each of which has the same theme. In the graphic below, “you” refers to the client, and “I” to the server:

Human-friendly guide to HTTP Status Codes

The Top 5 Most Commonly Used Status Codes

The RFC 9110 specification consists of 63 standard status codes, beyond which are custom HTTP status codes defined by server administrators. Here are the top five status codes you need to know:

  1. 200 OK: Ideally, you want this because it means you’ve found your desired website or the data on a submitted web form has reached its destination intact.
  2. 301 Moved Permanently / 308 Permanent Redirect: Websites often shorten their addresses for easy visitor access, such as omitting “www.” A shortened link redirects users to a web resource at its original, longer Uniform Resource Identifier (URI).
  3. 404 Not Found: The server is up, but the resource is missing, thanks to deletion or a modified URI, as is often the case for website updates.
  4. 403 Forbidden: The server denies the client access to a resource. We have a penchant for challenging this status code: Opening the frame source of some embedded videos in a new tab gives me this error, as the videos have a strict same-origin policy. Yet sometimes, we could download those videos from alternate source URLs found through the browser’s Inspector.
  5. 501 Internal Server Error / 503 Service Unavailable: The server is not functioning and can’t respond to any requests you make to it. Visitors of the website are at the mercy of administrators.

Informational Requests: 1XX

When a server returns a 1XX code, it means the server has received and understood your request, and your browser only needs to wait for the server to finish processing your data.

100ContinueThe server has received the request headers, and the client should proceed to send the request body.
101Switching ProtocolsThe requester has asked the server to change protocols using a protocol upgrade mechanism, and the server has agreed.
102ProcessingThe server has accepted the entire request but is still processing it.
103Early HintsUse it with the Link header to preload resources while the server prepares a response.

Success Requests: 2XX

2XX requests mean your transmitted data has reached the server or the resource you want from the server has arrived safely at your machine.

200OKThe request succeeded.
201CreatedThe server acknowledged a newly created resource.
202AcceptedThe server has received the client’s request but is still processing it.
203Non-Authoritative InformationThe server’s response to the client differs from the initial response that the server sent.
204No ContentThe server has processed the request but isn’t returning any content.
205Reset ContentThe client should refresh the document sample.
206Partial ContentThe server is sending only part of the resource.
207Multi-StatusThe server response may contain multiple response codes.
208Already ReportedThe server response highlights duplicate internal contents with this status code.
226IM UsedIM stands for “instance manipulation” in HTTP Delta Coding. The server has fulfilled a GET request, and the server response involves IMs.

Redirection Requests: 3XX

When you encounter a 3XX status code, the server will redirect you to a web location different from your initial URI.

300Multiple ChoicesThe client must choose among several possible responses for the server request.
301Moved PermanentlyThe server tells the client the requested resource is now at another URI permanently.
302FoundThe server tells the client that the requested resource is temporarily at another URI.
303See OtherThe server doesn’t redirect the client to the requested resource but to another page.
304Not ModifiedThe server response is the same as in the past, so the client can continue to use the client’s cached version of the server response.
305Use Proxy (deprecated)The client could only access the requested resource through a proxy given in the response. Deprecation was because in-band configuration of a proxy is insecure.
306(unused/reserved)A previous version of the HTTP/1.1 specification used this response code.
307Temporary RedirectThe server tells the client that the resource they are looking for is temporarily at another URI.
Unlike 302, the client must access the new URI using the same HTTP method as the original URI.
308Permanent RedirectThe server tells the client that the resource they are looking for is now at another URI permanently.
Unlike 301, the client must access the new URI using the same HTTP method as the original URI.

Client Errors: 4XX

These are client errors, such as a missing page, incorrect data format, unauthorized access, or a mistake in the request.

400Bad RequestThe client has sent a request with incomplete, ill-constructed, or invalid data.
401UnauthorizedThe client lacks the authorization needed to access the requested resource.
402Payment RequiredA rare status code reserved for digital payment systems.
403ForbiddenThe server prohibits the client from accessing the resource.
404Not FoundThis code denotes a nonexistent resource on a working server.
405Method Not AllowedThe server has received and recognized the request but has rejected the specific request method.
406Not AcceptableThe website or web application doesn’t support the client’s request with a particular protocol.
407Proxy Authentication RequiredSimilar to 401 Unauthorized, but the server requires authorization via a proxy.
408Request TimeoutThe request the client sent to the server has expired.
409ConflictThe request transmitted conflicts with the server’s internal operations.
410GoneThe resource sought by the client is permanently unavailable.
411Length RequiredThe server requires the Content-Length header field, but it was missing in the request, so the server rejected it.
412Precondition FailedThe server does not meet the conditions indicated by the client.
413Payload Too LargeRequest entity exceeds server limits.
414URI Too LongThe URI requested by the client is longer than the server is willing to interpret.
415Unsupported Media TypeThe server doesn’t support the media format of the requested data and thus rejects the request.
416Requested Range Not SatisfiableThe server response cannot fulfill the range specified by the Range header field in the request.
417Expectation FailedThe server cannot meet the expectation indicated by the Expect request header field.
418I’m a teapotThe server sends this response to undesirable requests, such as automated queries.
421Misdirected RequestThe request went to a server unable to produce a response.
422Unprocessable EntitySemantic errors in the request prevented the server from sending the expected response.
423LockedThe requested resource is locked.
424Failed DependencyThe failure of a previous request doomed this request to failure.
425Too EarlyThe server aborted a request that might be part of an (intentional or unintentional) replay attack.
426Upgrade RequiredThe server would only perform the request after the client upgrades to one or more different protocols specified in its Upgrade header in a 426 response.
428Precondition RequiredThe origin server requires the request to satisfy certain conditions.
429Too Many RequestsThe client has sent too many requests in a given amount of time.
431Request Header Fields Too LargeThe server is unwilling to process the request because of oversized header fields.
451Unavailable for Legal ReasonsThe server cannot legally provide the requested resource, such as a government-censored page.

Server Errors: 5XX

These are server errors. The client has made a valid request, but the server cannot provide the requested resource.

500Internal Server ErrorThe server has run into problems while processing the client’s request.
501Not ImplementedThe server can’t resolve the client’s HTTP request method.
502Bad GatewayThe server, acting as a gateway or proxy, received an invalid message from an inbound server.
503Service UnavailableThe server appears non-functional and can’t process the client’s request.
504Gateway TimeoutThe server, acting as a gateway, fails to produce a response in time.
505HTTP Version Not SupportedThe server doesn’t support the HTTP version used in the request.
506Variant Also NegotiatesThe server has an internal configuration error that leads to content conflicts.
507Insufficient StorageThe server doesn’t have enough storage to perform the HTTP method of the request.
508Loop DetectedThe server detected an infinite loop while processing the request.
510Not ExtendedThe server requires further extensions to the request before fulfilling it.
511Network Authentication RequiredThe client needs to get authenticated on the network to access the resource.

Codes for Web Application Security Testing

Here are the most relevant HTTP status codes for security testing of web apps:

301Moved Permanently
400Bad Request
404Not Found
405Method Not Allowed
500Internal Server Error
502Bad Gateway
503Service Unavailable
504Gateway Timeout


This HTTP status codes cheat sheet covers all HTTP codes. We hope this HTTP error codes cheat sheet helps you troubleshoot web applications and improve their security. Once familiar with these HTTP status codes, explore the Web Hacking courses included in our VIP Membership to consolidate your learning. Have fun.

Frequently Asked Questions

]]> 0
Unix Commands Cheat Sheet: All the Commands You Need Mon, 14 Nov 2022 13:09:03 +0000 Unix Commands Cheat Sheet: All the Commands You Need Read More »

To make full use of Unix operating systems such as macOS’s Darwin and Linux’s GNU, you need to learn how to operate Unix from the command line. Committing Unix commands and their usage to memory can be a burden. It’s also hard to tell from the official documentation which commands are important and which less so.

This Unix commands cheat sheet aims to help you pick up and brush up high-priority Unix command-line operations easily. It covers essential commands, the in-built text editor vi, and basic shell scripting. A shell script is a computer program designed to run in Unix command-line terminals, and it’s a key building block of programming in Unix.

Download this Unix command cheat sheet here. If you’re ready, let’s dive in below.

Essential Commands

With these commands, you can obtain critical information about your Unix machine and perform key operations.

System Information

These provide information about your Unix machine.

unameShow the Unix system information.
uname -aDetailed Unix system information
uname -rKernel release information, such as kernel version
uptimeShow how long the system is running and load information.
whoDisplay who is logged in.
wDisplay what users are online and what they are doing.
usersList current users.
whoamiDisplay what user you are logged in as.
suSuperuser; use this before a command that requires root access e.g. su shutdown
calShow calendar where the current date is highlighted.
dateShow the current date and time of the machine.
haltStop the system immediately.
shutdownShut down the system.
rebootRestart the system.
last rebootShow reboot history.
man COMMANDShows the manual for a given COMMAND. To exit the manual, press “q”.

Input/Output Redirection

These are helpful for logging program output and error messages.

echo TEXTDisplay a line of TEXT or the contents of a variable.
echo -e TEXTAlso interprets escape characters in TEXT, e.g. \n → new line, \b → backslash, \t → tab.
echo -n TEXTOmits trailing newline of TEXT.
cmd1 | cmd2| is the pipe character; feeds the output of the command cmd1 and sends it to the command cmd2, e.g. ps aux | grep python3.
cmd > fileOutput of cmd is redirected to file. Overwrites pre-existing content of file.
cmd > /dev/nullSuppress the output of cmd.
cmd >> fileOutput of cmd is appended to file.
cmd < fileInput of cmd is read from file.
cmd << delimInput of cmd is read from the standard input with the delimiter character delim to tell the system where to terminate the input. Example for counting the number of lines of ad-hoc input:
wc -l << EOF
> I like
> apples
> and
> oranges.

Hence there are only 4 lines in the standard input delimited by EOF.

File Management

In the following commands: X may refer to a single file, a string containing a wildcard symbol referring to a set of multiple files e.g. file*.txt, or the stream output of a piped command (in which case the syntax would be X | command instead of command X); Y is a single directory; A and B are path strings of files/directories.

*Wildcard symbol for variable length, e.g. *.txt refers to all files with the TXT extension.
?Wildcard symbol referring to a single character, e.g. Doc?.docx can refer to Doc1.docx, DocA.docx, etc.
lsList the names of files and subfolders in the current directory. Options include -l, -a, -t which may be combined e.g. -alt.
ls -lAlso show details of each item displayed, such as user permissions and the time/date when the item was last modified.
ls -aAlso display hidden files/folders. May be combined with ls -l to form ls -al.
ls -tSort the files/folders according to the last modified time/date, starting with the most recently modified item.
ls X List the files 
cd YChange directory to Y. Special instances of Y:
.  — current directory
.. — parent directory
cdTo the $HOME directory
cd ..Up one level to enclosing folder / parent directory
cd /etcTo the /etc directory
cmp A BCompare two files A and B for sameness. No output if A and B are identical, outputs character and line number otherwise.
diff A BCompare two files A and B for differences. Outputs the difference.
pwdDisplay the path of the current working directory.
mkdir XMake a new directory named X inside the current directory.
mv A BMove a file from path A to path B. Also used for renaming files.
Moving between directories folder1 and folder2:
mv ./folder1/file.txt ./folder2
The file name will remain unchanged and its new path will be ./folder2/file.txt.
Renaming a file: mv new_doc.txt expenses.txt
The new file name is expenses.txt.
cp A BCopy a file from path A to path B. Usage similar to mv both in moving to a new directory and simultaneously renaming the file in its new location.
Example: cp ./f1/file.txt ./f2/expenses.txt simultaneously copies the file file.txt to the new location with a new name expenses.txt.
cp -r Y ZRecursively copy a directory Y and its contents to Z. If Z exists, copy source Y into it; otherwise, create Z and Y becomes its subdirectory with Y’s contents
rm XRemove (delete) X permanently.
rm -r YRecursively delete a directory Y and its contents
rm -f XForcibly remove file X without prompts or confirmation
rm -rf YForcibly remove directory Y and its contents recursively
rmdir YRemove a directory Y permanently, provided Y is empty.
duShow file/folder sizes on disk.
du -ahDisk usage in human readable format (KB, MB etc.)
du -shTotal disk usage of the current directory
dfDisplay free disk space.
du -hFree and used space on mounted filesystems
du -iFree and used inodes on mounted filesystems
open XOpen X in its default program.
open -e XOpens X in the default text editor (macOS: TextEdit)
touch XCreate an empty file X or update the access and modification times of X.
cat XView contents of X.
cat -b XAlso display line numbers as well.
wc XDisplay word count of X.
head XDisplay the first lines of X. If more than a single file is specified, each file is preceded by a header consisting of the string “==> X <==” where “X” is the name of the file.
head -n 4 XShow the first 4 lines of X.
ls *.c | head -n 5Display the first 5 items of a list of *.c files in the current directory.
tail XDisplay the last part of X. If more than a single file is specified, each file is preceded by a header consisting of the string “==> X <==” where “X” is the name of the file.
tail -n +1 XDisplay entire contents of the file(s) X specified, with header of respective file names
lessRead a file with forward and backward navigation. Often used with pipe e.g. cat file.txt | less
ln -s A SCreate symbolic link of path A to link name S.

Search and Filter

grep patt XSearch for a text pattern patt in X. Commonly used with pipe e.g. ps aux | grep python3 filters out the processes containing python3 from all running processes of all users.
grep -v patt XReturn lines not matching the specified patt.
grep -l patt XOnly the names of files containing patt are written to standard output.
grep -i patt XPerform case-insensitive matching. Ignore the case of patt.
findFind files.
find /path/to/src -name "*.sh"Find all files in /path/to/src matching the pattern “*.sh” in the file name.
find .. -size +2MFind all files in the parent directory larger than 2MB.
locate nameFind files and directories by name.
sort XArrange lines of text in X alphabetically or numerically.


tarManipulate archives with TAR extension.
tar -cf archive.tar YCreate a TAR archive named archive.tar containing Y.
tar -xf archive.tarExtract the TAR archive named archive.tar.
tar -tf archive.tarList contents of the TAR archive named archive.tar.
tar -czf archive.tar.gz YCreate a gzip-compressed TAR archive named archive.tar.gz containing Y.
tar -xzf archive.tar.gzExtract the gzip-compressed TAR archive named archive.tar.gz.
tar -cjf archive.tar.bz2 YCreate a bzip2-compressed TAR archive named archive.tar.bz2 containing Y.
tar -xjf archive.tar.bz2Extract the bzip2-compressed TAR archive named archive.tar.bz2.
zip -r YZip Y to the ZIP archive
unzip Z.zipUnzip to the current directory.

File Transfer

These are for uploading and downloading files.

ssh user@accessConnect to access as user.
ssh accessConnect to access as your local username.
ssh -p port user@accessConnect to access as user using port.
scp [user1@]host1:[path1] [user2@]host2:[path2]Login to hostN as userN via secure copy protocol for N=1,2. path1 and path2 may be local or remote. If user1 and user2 are not specified, your local username will be used.
scp -P port [user1@]host1:[path1] [user2@]host2:[path2] Connect to hostN as userN using port for N=1,2.
scp -r [user1@]host1:[path1] [user2@]host2:[path2]Recursively copy all files and directories from path1 to path2.
sftp [user@]accessLogin to access as user via secure file transfer protocol. If user is not specified, your local username will be used.
sftp accessConnect to access as your local username.
sftp -P port user@accessConnect to access as user using port.

File Permissions

Not all files are equally accessible. To prevent unwanted tampering, some files on your device may be read-only. For more information about file permissions on Unix, refer to our Linux File Permissions Cheat Sheet, as the same content applies to Unix.

Unix/Linux file permissions
File permissions on Unix
chmod permission fileChange permissions of a file or directory. Permissions may be of the form [u/g/o/a][+/-/=][r/w/x] (see examples below) or a three-digit octal number.
chown user2 fileChange the owner of a file to user2.
chgrp group2 fileChange the group of a file to group2.

Usage examples:

  • chmod +x testfile → allow all users to execute the file
  • chmod u-w testfile → forbid the current user from writing or changing the file
  • chmod u+wx,g-x,o=rx testfile → simultaneously add write & execute permissions to user, remove execute permission from group, and set the permissions of other users to only read and write.

Numeric Representation

OctalPermission(s)Equivalent to application of
0No permissions-rwx
1Execute permission only=x
2Write permission only=w
3Write and execute permissions only: 2 + 1 = 3=wx
4Read permission only=r
5Read and execute permissions only: 4 + 1 = 5=rx
6Read and write permissions only: 4 + 2 = 6=rw
7All permissions: 4 + 2 + 1 = 7=rwx


  • chmod 777 testfile → allow all users to execute the file
  • chmod 177 testfile → restrict current user (u) to execute-only, while the group (g) and other users (o) have read, write and execute permissions
  • chmod 365 testfile → user (u) gets to write and execute only; group (g), read and write only; others (o), read and execute only.

Process Management

The following is redolent of functions in Windows’ Task Manager, but on the command line.

&Add this character to the end of a command/process to run it in the background.
psShow process status. Often used with grep e.g. ps aux | grep python3 displays information on processes involving python3.

Meaning of aux:
a = show processes for all users
u = show user or owner column in output
x = show processes not attached to a terminal
ps -e
ps -A
Either of these two commands prints all running processes in the system.
ps -efPrint detailed overview.
ps -U root -u rootDisplay all processes running under the account root.
ps -eo pid,user,commandDisplay only the columns PID, USER and COMMAND in ps output.
topDisplay sorted information about processes.
kill PIDKill a process specified by its process ID PID, which you may obtain using the ps command.
lsofList all open files on the system. (This command helps you pinpoint what files and processes are preventing you from successfully ejecting an external drive.)


These commands regulate how your Unix machine communicates with other computers, such as the local area network (LAN) router or external websites.

ifconfigDisplay all network interfaces with IP addresses
netstatPrint open sockets of network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

This command is often piped with the less command:
e.g. netstat -a | less
netstat -aShow both listening and non-listening sockets.
netstat -lShow only listening sockets, which are omitted by default.
ping hostSend ICMP echo request to host, which may be a symbolic name, domain name or IP address.
whois domainDisplay whois information for domain.
dig domainDisplay DNS information for domain.
host domainDisplay DNS IP address for domain.
wget LINKDownload from location LINK.
curl LINKDisplay the HTML source of LINK.

Vi Editor – Basic Commands

Built into Unix systems, vi (or vim) is a command-line visual editor. For simple text file manipulation, the following commands will suffice.

In the Unix terminal:

vi XCreate a new file X in the vi editor, or open X if X already exists.
vi -R X
view X
Open an existing file X in read-only mode.

While using vi editor (command mode):

:qQuit the vi editor.
:q!Quit the vi editor without saving changes.
:wSave changes.
:w filenameSave the file as filename.
:wqSave changes and quit vi editor.
iEnter insert mode and amend the opened file. To return to command mode and use the other commands in this table, press the ESC key.
oEnter insert mode and add a new line underneath the cursor.
xDelete the character under the cursor location.
ddDelete the line where the cursor is located.
rReplace the character under the cursor location with the key the user presses next.
yyCopy the current line.
pPaste the line that was copied beneath the cursor.
0Go to the beginning of the line.
$Go to the end of the line.
h,j,k,lMove the cursor left, down, up, right respectively.
GJump to the first character of the last line of the file.
ggJump to the first character of the first line of the file.
/fooSearch for instances of “foo” in the open file.
:%s/foo/barReplace every instance of “foo” with “bar” in the open file.

Shell Programming – Basic Commands

The file extension for shell scripts is .sh.

echo $VARDisplay the contents of a variable.
read VARGet standard input and save it to variable VAR.
#Designates all text after # on the same line to be comments (not executed).
#!/bin/shAlert the system that a shell script is being executed. Used as the first line of the shell script.


Valid Shell variable names contain alphanumeric [A-Z, a-z, 0-9] characters and/or underscore (_). The variable must begin an alphabetical character and is usually uppercase.

VAR_NAME=VALUEDefine a variable VAR_NAME and give it a VALUE. The value may be a number or string enclosed by double quotation marks (“). Examples:
PERSON="John Smith"
readonly VAR_NAMEMake the variable VAR_NAME read-only.
unset VAR_NAMEDelete the variable VAR_NAME.
$VAR1$VAR2Concatenate the values of the variables $VAR1 and $VAR2.

Reserved Variables

By using any of the following in your shell scripts, you call values from special variables in Unix.

$0File name of the current shell script.
$1, $2, $3, …, ${10}, ${11}, …References to the arguments supplied to the script: $1 is the first argument, $2 is the second argument, and so on.
$#The number of arguments supplied to a script.
$*Refer to arguments separated by spaces. Here, "a b c" d e are considered 5 separate arguments.
"$@"Refer to arguments grouped by the double quotes enclosing them. Here, "a b c" d e are considered 3 arguments.
$?The exit status of the last command executed: 0 for success and 1 or other numbers for various errors.
$$Process ID of the shell script.
$!Process number of the last background command.


In ksh shell: set -A ARRAY_NAME value1 value2 ... valueN

In bash shell: ARRAY_NAME=(value1 ... valueN)

Accessing array values (zero-indexed, i.e. first element is at [0] not [1]):

Array variableDescription
${ARRAY_NAME[index]}Display the value at [index] of ARRAY_NAME.
${ARRAY_NAME[*]}Display all values of the array ARRAY_NAME.
${ARRAY_NAME[@]}Same as ${ARRAY_NAME[*]}.

Basic Operators

These are used in the expressions in decision making and loop control.

For arithmetic and relational operators, the arguments are applied to both sides of each operator, separated by spaces, e.g. 2 + 2 (not 2+2).

Arithmetic operatorDescription
Relational operatorDescription
-eqEqual to
-neNot equal to
-gtGreater than
-ltLess than
-geGreater than or equal to
-leLess than or equal to
Boolean operatorDescription
!Logical negation / not: inverts true/false condition
-oLogical OR (inclusive): returns true if any one of the operands is true
-aLogical AND: returns true if all operands are true
String operatorDescription
=Returns true if the two operands on both sides of = are equal.
!=Returns true if the two operands on both sides of != are not equal.
-z $STRING_VARReturns true if $STRING_VAR is zero in length.
-n $STRING_VARReturns true if $STRING_VAR is not zero in length.
[ $STRING_VAR ]Returns true if $STRING_VAR is not the empty string.

In the following, FILE is a variable containing a string to a file/directory path.

File operatorDescription
-d $FILEReturns true if FILE is a directory.
-f $FILEReturns true if FILE is an ordinary file as opposed to a directory or special file.
-r $FILEReturns true if FILE is readable.
-w $FILEReturns true if FILE is writable.
-x $FILEReturns true if FILE is executable.
-e $FILEReturns true if FILE exists, even if FILE is a directory.
-s $FILEReturns true if FILE size is greater than zero.

Decision Making

if…fiif [ expression ]

   Statement(s) to be executed if expression is true
if…else…fiif [ expression ]

   Statement(s) to be executed if expression is true
   Statement(s) to be executed if expression is false
if…elif…else…fiif [ expression1 ]
Statement(s) to be executed if expression1 is true
elif [ expression2 ]
Statement(s) to be executed if expression2 is true
elif [ expression3 ]
Statement(s) to be executed if expression3 is true
Statement(s) to be executed if none of the given expressions is true
case…esaccase word in
Statement(s) to be executed if pattern1 matches word
Statement(s) to be executed if pattern2 matches word
Statement(s) to be executed if pattern3 matches word
Default condition to be executed

Loop Control

Loop typeSyntax
forfor VAR in word1 word2 … wordN
Statement(s) to be executed for every word

Note: word1 word2 … wordN may be a list of numbers (e.g. 1 2 3 4 5) or a set of paths (e.g. /home/folder*/app/).
whilewhile command
Statement(s) to be executed if command is true

Infinite loop: use : as the command, i.e. while :.
untiluntil command
Statement(s) to be executed until command is true
selectAvailable in ksh and bash but not sh. Behaves like a for-loop with the numbers replaced by the words.

select VAR in word1 word2 ... wordN
Statement(s) to be executed for every word
Flow controlSyntax
breakExit a loop.
continueExit the current iteration of the loop and proceed with the next iteration.
Ctrl+CKey combination to abort a running process
Ctrl+LKey combination to remove the previous command and its output (macOS: command+L)


This article covers all the basic commands you need to know when learning to operate Unix from the command line. We hope this Unix command cheat sheet is an excellent addition to your programming and cybersecurity toolkit. See Unix commands in action with our Complete Cyber Security Course available with a StationX VIP membership.

Frequently Asked Questions

]]> 0
Metasploit Commands: How to Get Around in the MSFConsole Sun, 06 Nov 2022 07:37:41 +0000 Metasploit Commands: How to Get Around in the MSFConsole Read More »

The Metasploit Framework Console (MSFConsole) is a Command-Line Interface (CLI) and the primary way to interact with Metasploit. Some novice users may find it difficult to use, mainly those not used to working with CLI-driven applications.

Metasploit’s context-specific syntax can be confusing at first, so we’ve written this guide to help explain the core concepts you’ll need to understand. Once you’ve learned a few basic Metasploit Commands, you’ll be able to leverage hundreds of modules to scan systems and perform exploits.

In this article, we’ll cover:

  • How to work with modules
  • Configuring parameters
  • Running exploits and payloads
  • The PostgreSQL database
  • Frequently Asked Questions (FAQ)

Let’s begin!

Navigation and Basic Commands

In this guide, we’ll be running Metasploit Framework on a Kali Linux virtual appliance since it comes pre-loaded (along with a few hundred other useful tools and utilities). Metasploit Framework can also be installed as a stand-alone application for other Linux distributions, macOS and Windows.

Starting the Metasploit Framework Console

You can start the Metasploit Framework Console by searching for and launching the metasploit framework app from the Applications menu (as shown in the following screenshot):

Metasploit Framework Console

You can also start Metasploit in Kali Linux by opening a terminal console (CTRL+ALT+T)  and typing sudo msfdb init && msfconsole:

sudo msfdb init && msfconsole terminal console output

We can break this command down into three basic parts:

command breakdown
  1. Firstly, the sudo command is used to elevate privileges
  2. Next, the msfdb init command initializes the Metasploit PostgreSQL database (used to save testing data)
  3. Lastly, the logical “AND” operator (&&) tells it to launch the Metasploit Framework console with msfconsole if the previous command was successful

Upon launch, an ASCII art banner is displayed each time you run the MSFConsole, but you can also display a new one using the banner command:

banner terminal console output

If you’d prefer to launch MSFConsole without a banner, you do so using the -q switch:

-q terminal console output

There are several other switches available for the msfconsole command, you can use -h to display them all:

-h terminal console output

The command prompt will differ depending on the Metasploit version you’re using. In Metasploit versions 5 and 6, the MSFConsole command prompt is appended with the version number (e.g., “msf5 >” or “msf6 >”), whereas earlier versions appeared as “msf >” without the version number.

From here, you can enter commands to interact with the console.

Getting Help

The first command you should familiarize yourself with is help, which displays a list of available commands in the MSFConsole:

help terminal console output

To learn more about a specific command, you can run help, followed by the name of the command you’d like to learn more about. E.g., help module:

help module terminal console output

Searching for Modules

There are thousands of available modules in Metasploit. You can use the search command to narrow down that list. Typing help search or search -h will display a full list of options available:

Search -h Terminal Console Output

Below are some commonly used parameters:

  • Name (no parameters): If you want to cast a wide net, you can simply type search followed by a keyword. e.g., search portscan
  • CVE: Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities for specific software applications and libraries, each given a unique identifier or CVE ID. e.g., search cve:2021-45046
  • Type: Narrow down your search to particular module types, such as auxiliary modules (i.e., scanners) or exploit modules. e.g., search type:auxiliary mysql

Obtaining Information About Modules

Once you’ve identified a module you’re interested in using, you can use the info command to find out more about it:

Info Terminal Console Output

How to Use Modules

Once you’ve selected a module, you can load it with the use command:

Use Terminal Console Output

This appends the prompt with the module name in red.

Backing Out of Modules

You can unload a module using the back command:

Back Terminal Console Output

Exiting MSFConsole

Using the exit command will close your connection to the MSFConsole, returning you to the terminal:

Exit Terminal Console Output

Configuring Module Parameters

Now that we’ve covered how to search for and use modules, we’re going to explain how to configure them.

Displaying Module Options

Each module has a list of parameters or options you can configure. Some of these are mandatory, and others are optional. 

After loading a module with the use command, you can type options (or show options) to display a list of available parameters and their descriptions:

Options Terminal Console Output

If you want to verify the value of a specific parameter, you can do so using the get command:

Get Terminal Console Output

Show Advanced Options

To view any advanced options that may be available for a given module, you can use the show advanced command:

show advanced Terminal Console Output

Setting Module Parameters

Before you can use a module to scan or exploit a target, it needs to be configured for your specific use case. You can use the set command to update the value of a parameter:

Set Terminal Console Output

We know from its parameter description that “RHOSTS” represents the remote (read: target) host’s IP ( in my test lab). You can override the value of any previously set parameter value by running the set command again or by using the unset command to clear it:

Get Terminal Console Output 2

Setting Global Variables

You’ll notice that some parameters, such as RHOSTS appear over and over again across multiple modules. Rather than repeatedly entering the RHOSTS value for each new module we load, we can use the setg (as in, “set global”) command:

Setg Terminal Console Output

In the example above, we set the RHOSTS global value to “”, loaded a new module, and checked the value of RHOSTS using the get command. The output verified that it was already configured to our custom value.

Running Modules and Exploits

Once you’ve configured all parameters marked as “required” for the module you’ve loaded, you can execute it using either the run or exploit command:

Run Terminal Console Output

After running an exploit, the results will be displayed, letting you know whether the module ran successfully or not.

Searching for Payloads

Some exploits require a payload (additional code used to interact with the target). You can use the show payloads command to view the available payloads for your exploit module:

Show payloads Terminal Console Output

Selecting a Payload

You can select a payload by using the set payload command, using either its name or number:

Set Payloads Terminal Console Output

In the example above, we’ve configured the exploit to open a reverse perl shell on the target after compromising a known vulnerability on that target’s FTP server.

Useful Database Commands

As mentioned previously in this guide, Metasploit supports using a PostgreSQL database to store information captured during a penetration testing session.

Note: You can run the Metasploit Framework Console without being connected to a database. However, some commands that require a database running (e.g., db_nmap) won’t be usable.

Checking the Database Status

The db_status command will display whether or not the Metasploit database is running:

Db_status Terminal Console Output

Importing and Exporting Data

At some point, you’ll want to get data into and out of the Metasploit database. Some examples of data you might want to work with in Metasploit include network scan results (e.g., Nmap) and vulnerability assessments (e.g., Nessus, OpenVAS).

You can use the db_import command to import data into your Metasploit Database and db_export to export data. For syntax and a full list of support file types, you can use the -h switch (i.e., db_import -h). 

Using Nmap in Conjunction With Your Metasploit Database

Metasploit can run Nmap against targets and save the results to the database. Simply run db_nmap followed by any [Nmap] switches you’d like to use:

Db_nmap Terminal Console Output

Frequently Asked Questions

]]> 0
CISSP vs CASP+ 2022: Which Is Better? Thu, 03 Nov 2022 07:12:11 +0000 CISSP vs CASP+ 2022: Which Is Better? Read More »

CompTIA Advanced Security Practitioner (CASP+) and (ISC)2’s Certified Information Systems Security Professional (CISSP) are both advanced cyber security certifications that are accepted as part of the DoD 8570 framework.

While they claim to have somewhat different audiences, both market themselves to seasoned security professionals looking to prove their expertise and earn high salaries.

Understanding how CISSP vs CASP+ differ and which does more to move your career forward is important when planning your long-term goals, so let’s break them down and see which is better for you.

What Are CISSP and CASP+ Certifications?


The Certified Information Systems Security Professional (CISSP) advertises itself as “the most globally recognized certification in the information security market.” We feel this is a fair claim. 

CISSP Certified Information System Security Professional

CISSP certifies an information security professional’s profound technical and managerial knowledge and expertise to successfully design, engineer, and manage an organization’s total security posture.

In many ways, CISSP is as much about project management as it is technical expertise. It proves you understand risk management, compliance and regulatory agreements, legal issues, business continuity, reporting, designing and auditing security strategies, and many other skills that would not typically be considered “technical.”

CISSP is geared towards seasoned security practitioners, managers, and executives who want to demonstrate their expertise in a broad range of security techniques and principles. Typical CISSP job titles include:

  • Chief Information Security Officer
  • Chief Information Officer
  • Director of Security
  • IT Director/Manager
  • Security Systems Engineer
  • Security Analyst
  • Security Manager
  • Security Auditor
  • Security Architect
  • Security Consultant
  • Network Architect

About CASP+

According to the CompTIA website, “CompTIA Advanced Security Practitioner (CASP+) is an advanced-level cybersecurity certification for security architects and senior security engineers charged with leading and improving an enterprise’s cybersecurity readiness.”

CompTIA Advanced Security Practitioner

The takeaway is that this is a technical certification, not one focusing on management. CompTIA clearly states that CASP+ is “for advanced practitioners — not managers.” It qualifies individuals on their ability to design and implement cybersecurity solutions. If CISSP is about designing and managing, CASP+ is about engineering and implementing.

The CASP+ exam covers applying security practices to cloud / on-permesis / endpoint / mobile infrastructures, monitoring, detection, and incident response, automating security operations, and implementing security solutions.

CASP+ job titles include:

  • Security Architect
  • Senior Security Engineer
  • SOC Manager
  • Security Analyst
  • Application Security Engineer
  • Technical Lead Analyst

As Patrick Lane stated in his blog post on the CompTIA website, CompTIA’s New CASP Exam Is Here: Keep Your Hands on the Keyboard

“Not everyone wants to manage cybersecurity policies. Many cybersecurity professionals want to work directly with cybersecurity technology and geek out on the keyboard forever.”

Exam Details


CISSP is a four-hour examination comprised of multiple choice and Advanced Innovative Questions, which we will discuss further. The required passing score is 700 out of 1000.

The exam content is broken down into eight domains detailed in the official CISSP Certification Exam Outline:

  • Security and Risk Management (15%)
  • Asset Security (10%)
  • Security Architecture and Engineering (13%)
  • Communication and Network Security (13%)
  • Identity and Access Management (IAM) (13%)
  • Security Assessment and Testing (12%)
  • Security Operations (13%)
  • Software Development Security (11%)

The CISSP exam comprises two types of questions: multiple choice and Advanced Innovative Questions. The Advanced Innovative Questions are similar to the Performance Based Questions you find on various CompTIA exams. These are hands-on challenges, as you can see in the example below.

CISSP Advanced Innovative Question sample

Since May 2021, English versions of the exam have changed from a standard linear format to a Computerized Adaptive Testing (CAT) format. This means that the number of questions and difficulty changes depending on how you’ve answered previous questions.

(ISC)2 explains how the CAT system works as follows:

“Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the computer’s estimate of the candidate’s ability becomes more precise…”

Put simply, the exam adjusts its questions to become more challenging as you go.


The most current version of the CASP+ exam at the time of writing is exam code CAS-004. You have 165 minutes to complete the exam, which will consist of no more than 90 questions. Like most other CompTIA exams, CASP+ consists of both multiple choice and Performance Based Questions (PBQs).

Unlike other certifications from CompTIA, there is no scaled score. This is simply a pass-or-fail exam.

Its domains have been decreased from the previous version, consisting of the following:

  • Security Architecture (29%)
  • Security Operations (30%)
  • Security Engineering and Cryptography (26%)
  • Governance, Risk, and Compliance (15%)

CompTIA’s CASP+ Certification Exam Objectives document breaks down the sub-topics of each domain and what type of questions to expect.

As with most CompTIA exams, the multiple choice questions tend to be in the vein of, “Given a scenario,” where you are given conditions and asked to choose a solution. This may involve the correct way to implement a software application or to make sense of data output.

The PBQs are more hands-on. For example, you might be given an emulated terminal on a Red Hat Linux system and be tasked with closing all unnecessary ports, or installing the correct security patch on a virtual windows environment. See CompTIA’s example of a PBQ below.

Sample PBQ
Screenshot from the PBQ simulator off the CompTIA website

Winner: CISSP

Both exams are primarily multiple-choice with some simulation questions. Both cover many of the same topics. 

CISSP covers a greater range of material, which proves a more diverse skillset of its members. If you fail your CISSP exam, you will receive a score with some information about which domains to focus on. In contrast, CASP+ is a pass/fail exam, meaning you will not receive any feedback on how close you were to passing or on which domain you need to focus.

Eligibility Requirements


We’ve had students ask for clarification on this, as there are several conditions and exceptions to earning this particular certification.

(ISC)2 does not require work experience to sit and write the exam, but it does require work experience to claim the title of CISSP.

Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP common body of knowledge. 

Earning a four-year college degree (or regional equivalent) or an additional

credential from the (ISC)2 approved list will satisfy one year of the required experience. You can only satisfy a total of one year out of the five.

Can you still write the exam without the work experience? Yes.

If you write the exam and pass without having the required paid experience, you become what is known as an “Associate of (ISC)2”. You are permitted to state that you are an associate and that you have passed the exam, but you cannot claim the title of CISSP.

From the time of passing the exam, you will have six years to earn the five years of the required experience. You must also receive an endorsement from a fellow CISSP in good standing.

CISSP Certificates

Many of you reading this may not yet have the required experience to claim the title of CISSP. This does not mean you should dismiss the value of writing the exam. You still add credibility to your name and resume by being an Associate of (ISC)2. Just be aware you must gain the required experience within six years of passing the exam.


CompTIA does not have any strict requirements to write the exam. You will not be denied your certification or eligibility to write the test because you lack prior certifications or proven job experience. However, its recommendations need to be taken into account.

CompTIA strongly recommends you possess a minimum of ten years of experience in Information Technology, with at least five of those years specifically being in Information Security.

As well, CompTIA suggests you have a knowledge base equivalent to that of a Network+, Security+, CySA+ (CompTIA Cybersecurity Analyst), Cloud+, and PenTest+ holder.

CompTIA often recommends a particular amount of experience before attempting even their more beginner-level exams. In most cases, a strong prep course can be a sufficient replacement for missing job experience. In the case of CASP+, this is not recommended.

While we absolutely recommend CASP+ exam prep courses before attempting the exam, at least some hands-on experience should be under your belt before pursuing this particular advanced certification.

Winner: CASP+

CASP+ does not require verifiable experience, while CISSP does. (ISC)2 also requires a CISSP in good standing to vouch for your experience before they will award you the title.

Even though (ISC)2 allows you to become an associate member until you complete the required work experience and receive a member endorsement, CASP+’s lack of hard-and-fast requirements puts it more in reach for some.

Exam Difficulty


As touched on earlier, (ISC)2 has begun using the new CAT system on the CISSP exam. This system is designed to adjust the exam as you go, making it more challenging with each question. As you correctly answer questions, CAT will select more difficult questions from that knowledge domain.

As the questions get more difficult, they also become worth more points. As a result, correctly answering the increasingly complex questions can result in the exam ending earlier with a passing grade.

It does this by assessing your score on question 100. If it determines that you are 95% likely to pass, it will end the exam with a pass. Conversely, if it determines that you are 95% likely to fail, it will end the exam with a failing grade.

If the likelihood of either a pass or fail is less than 95% by question 100, it will reevaluate the odds after each question until question 150, when the exam will end regardless.

CISSP was always considered a difficult exam, but this new system takes it a step further. If it finds you know a domain well, it will make those questions more difficult to create a further challenge. 


The CASP+ exam has a narrower focus than CISSP. As we’ve established, CISSP is a managerial certification covering many aspects of Information Security. CASP+ is a technically focused certification.

What does this mean for difficulty? CompTIA exams are typically thought of as very broad but very shallow. This is a reality of vendor-neutral exams. Since you are not specifically learning the ins and outs of a Cisco or Juniper router and how to configure them, you are given a broad overview that applies as universally as possible.

In our comparison, CASP+ will have a deeper focus on fewer topics than CISSP. CASP+ is about how to perform tasks, while the CISSP asks why you should perform something.

A significant difference students will notice is that CASP+ allows you to review your answers. You can flag questions and return to them later or change your answers so long as you have time remaining. 

By contrast, once you answer a question on the CISSP exam, it’s locked in. The system uses that answer to choose your next question, so there’s no undoing or rethinking anything.

Winner: CASP+

There isn’t a universally accepted opinion on which exam is more difficult. This is likely due to whether the individual exam taker is more technically minded or better at managing larger scenarios.

Our opinion is that the CISSP will be the more challenging one for several reasons. 

First, the CASP+ exam allows you to review and change your answers before submitting the exam. This allows you to let a question stew in your mind while working on other challenges. You may find a hint to an answer hidden in the phrasing of a later question. You cannot go back to a question during the CISSP exam.

Second, there is a greater range of topics to cover for CISSP. A narrower but deeper exam, like with the CASP+, means ideas build upon each other. The wide range of content for CISSP requires greater study.

Third, CISSP is a four-hour exam that uses an algorithm to make itself more difficult as you go. CASP+ selects from a set pool of questions at the beginning and lets you work through them as you wish. 

CASP+ is by no means an easy exam, but we feel CISSP will present a greater challenge to exam takers.

Job Opportunities

Job postings

At the time of writing, an America-wide job search for CISSP on resulted in 20,403 postings, while CASP only resulted in 1,399.

Indeed CISSP Job Posting
Indeed CASP Job Posting

Despite being out for four years, it is not nearly as recognized as CISSP.

DoD clearance

Both exams are included in the DoD 8570 baseline certifications. Both qualify you for many Information Assurance positions, but only CISSP is accepted for an Information Assurance Management Level III position.

DoD clearance


According to ZipRecruiter, the current average salary of a CISSP is $129,000 USD per year ($62/hour). They list the salary of a CASP+ at $112,736 USD per year ($54/hour).

Winner: CISSP

There is no debate here. CISSP is more in demand among recruiters, qualifies you for a higher level of DoD clearance, and pays more per year.

Cost and Recertification

Initial Cost

The cost of writing the CISSP exam is $749 compared to $480 for CASP+. (ISC)2 also requires a membership fee of $125 yearly, which is not the case with CompTIA and CASP+.

Validity and Renewal

Both certifications are valid for a period of three years, after which they must be renewed either by retaking the exam or earning educational credits. CompTIA refers to these as continuing education units (CEUs), while (ISC)2 calls them continuing professional education (CPEs).

CompTIA and (ISC)2 have specific guidelines as to what counts as an educational credit, but in general, these can include taking other security-related courses, earning certifications, speaking at conferences, publishing, or attending industry events. 

CASP+ renews with 75 CEUs within three years of the exam’s validity. The renewal requires a $150 fee.

CISSP requires 120 CPEs to renew, with 40 being earned each year, requiring much more of an investment to maintain.

As an aside, CompTIA considers many popular certifications to be worth 75 CEUs, allowing you to renew your CASP+ with a single exam. This list includes (among others):


  • LPT – Licensed Penetration Tester
  • CCISO – Chief Information Security Officer


  • GSE: GIAC Security Expert
  • GSOM: GIAC Security Operations Manager


  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)


  • CCFP- Certified Cyber Forensics Professional
  • CISSP – Certified Information Systems Security Professional
Cost & Recertification

Winner: CASP+

CompTIA has made CASP+ an easier certification to renew, a more affordable exam to write, and does not subject its members to yearly fees.

CASP+ vs CISSP – The Final Verdict

Despite the cost, fees, and requirements, CISSP is our choice as the better certification.

CASP+ vs CISSP - Final Verdict

In our experience, there is very little debate on this matter. CISSP is not only a superior certification to CASP+, it is a must-have goal for senior cybersecurity professionals.

Long term, you should aim to pass the Certified Information Systems Security Professional (CISSP) certification. The CISSP is the closest the security industry has to a standard in certification.

While CASP+ markets itself as geared towards those who wish to remain in hands-on technical positions (rather than management), it is still a board-stroke exam. Being vendor-neutral limits how technical it can get.

CISSP covers much of the same material as CASP+ and then much more. It is well-known and highly sought after. CASP+ may be getting recognition as well, but CISSP is too established to be dethroned that easily. 

For a full picture of how different certifications stack up, see our Cyber Security Certificate Landscape. You can also see our complete CISSP training bundle here.

]]> 0
Zenmap vs Nmap: Which One to Use (and When)? Fri, 21 Oct 2022 07:38:09 +0000 Zenmap vs Nmap: Which One to Use (and When)? Read More »

Nmap and Zenmap are popular tools for scanning network ports, services, and IP ranges – but what’s the difference? Why would you use one instead of the other? What are some of the benefits and drawbacks of each?

In this article, we’ll answer these questions and provide an in-depth look at both tools. Some of the major points we’ll discuss are:

  • What Zenmap and Nmap are, their features, and uses
  • Which operating systems they’re available for, and how to install them
  • Pros and Cons of Zenmap vs Nmap
  • Frequently asked questions

In short, everything you might want to know about both products to determine when you might select one over the other and why.

What Are Zenmap and Nmap?

If you’re unfamiliar with these applications, you may be surprised to learn that they are [effectively] the same tool!

Nmap security scanner is a command-line-based multi-platform (Windows, Mac OS X, Linux etc.) network scanning application designed to detect hosts and services on a computer network. 

Zenmap is the official Nmap security scanner GUI (Graphical User Interface) version of Nmap. Like Nmap, Zenmap is also multi-platform (available on Linux, Windows, and other operating systems).

Who Uses Zenmap and Nmap?

Nmap users include everyone from beginners to cyber security professionals.

Network administrators use Nmap (and Zenmap) to map subnets and discover hosts. Cyber security professionals use Nmap to scan target systems for open ports and services they might be running. These security scanners are used during hacking and penetration testing to discover target systems and gather information.

Regardless of the use case, Nmap and Zenmap should never be used to scan networks and systems you don’t own without explicit permission! 

What Are the Capabilities of Zenmap and Nmap?

Both Nmap and Zenmap can be used to provide extensive information about a target network. Some of the commonly-used Nmap features include:

  • Host Discovery: Generate a list of hostnames (i.e., a computer or other device that communicates on a network. E.g., PCs, printers, servers, etc.) and their IP addresses.
  • Port Scanning: Scan specific ports (or ranges of ports) to determine if they’re open on a given target or set of targets.
  • Operating System Detection: Attempts to guess details about the target’s operating system, such as vendor (e.g., Microsoft), underlying OS (e.g., Windows), and OS generation (e.g., 10).
  • Firewall/Intrusion Detection System (IDS) Evasion: Provides several options for advanced users to prevent scanning activities from being detected (and subsequently dropped) by a firewall or IDS system. E.g., Hiding (or spoofing) your IP address, source port, MAC address, etc.

In Nmap, users leverage command-line switches to define scanning parameters. Zenmap’s interface features a command creator which allows the interactive creation of Nmap command lines using drop-down utilities (which can also be edited by advanced users).

Command Line Nmap

Zenmap can also provide (and save) topology map graphics to help you visualize reachable hosts and their ports:

Zenmap topology view (Windows)
Zenmap GUI

Zenmap also allows you to save scan results, which can be compared with one another to determine what’s changed (e.g., hosts or services that were added or removed).

The infographic below provides a side-by-side comparison:

nmap vs zenmap side-by-side comparison

How to Download and Install Zenmap and Nmap

Both Nmap and Zenmap are available for download at At the top of the page, you can select your operating system by clicking on the corresponding anchor link:

Nmap download page

Supported Operating Systems

Some of the operating systems Nmap and Zenmap are available for are:

You can find support for other operating systems at the bottom of this page.

How to Install Zenmap and Nmap on Windows

The following guide will walk you through the installation steps for Zenmap and Nmap on a Windows PC.

1. Browse to, then click on the link to download the latest stable release (version 7.93 at the time of writing):

Nmap download link for Windows

2. Locate and run the installer, e.g., nmap-7.93-setup.exe. The first step of the installation is to accept the license agreement. Select I Agree to continue:

nmap setup window

3. Next, choose the components you want to install. Both setup program installs both Nmap and Zenmap. Untick Zenmap if you wish to forgo the GUI. Click Next to continue:

choose the components window

4. Next, determine where you’d like to install Nmap/Zenmap (C:\Program Files (x86)\Nmap by default). You can leave this as is or install it in a different location by clicking the Browse… button. Click Install to begin installation:

install location window

5. The setup program will validate the installation to let you know it was completed successfully. Click Next to continue:

installation complete window

6. The Nmap setup application will default create shortcuts in your Windows Start Menu and Desktop. Click Next to continue:

create shortcuts window

7. At the end of the installation process, click Finish to close the Nmap Setup application:

finish install window

How to Install Zenmap on Kali Linux

Nmap comes bundled with Kali Linux (along with hundreds of other useful tools), so there’s no need to install it separately. Kali Linux version 2019.4 (and later) removed Zenmap from its package bundle, but you can still install it manually. Here’s how:

1. Begin by updating Kali Linux’s package index list. To this, open a terminal window (CTRL+ALT+T), then enter, sudo apt update:

Upgrade apt in Kali Linux

2. To upgrade all packages, run sudo apt full-upgrade -y:

3. Since Zenmap requires dependencies that are no longer supported in Kali Linux, we’ll need to use “Kaboxer” (Kali Applications Boxer) to install it as a packaged app in a Docker container. Run sudo apt install zenmap-kbx -y:

Install the Zenmap Kaboxer docker container

4. Zenmap will now be available from the application list:

Zenmap in the application list

NMAP vs Zenmap Pros and Cons

Nmap Pros

Free and open source.
Smaller and more portable than Zenmap.
You can run multiple and concurrent scans.
It can be used in environments that lack a GUI (e.g., SSH).

Nmap Cons

The CLI creates a steeper learning curve than GUI-based tools.
Lack of options to export information in a human-readable format suitable for presentation to non-technical stakeholders.

Zenmap Pros

Free and open source.
Easy to use Graphical User Interface (GUI).
Displays scan results in text and graphical formats.
Allows you to save and compare previously-run scans.

Zenmap Cons

Larger footprint compared to Nmap and other CLI-based tools.
Requires dependencies not needed for Nmap, which may or may not be available for your chosen operating system.


In this article, we explained the differences between Nmap and its official GUI, Zenmap. Zenmap is excellent for users who aren’t comfortable working with command line consoles and provides additional functionality in the way of saveable searches and topology graphics.

For those who need a lightweight but powerful network scanning utility and don’t have access to a GUI (e.g., running scans while connected via SSH), Nmap is the way to go.

In conclusion, these are two sides to the same coin, and both are a welcome addition to your cyber security arsenal. You can master Nmap with our Complete Nmap Ethical Hacking Course.

Frequently Asked Questions

]]> 0