WSL for non-programming security analysts

I have a friend who isn’t a developer and believes that coding is beyond their grasp. They work as a security analyst and prefer using Windows as their operating system. I discovered that introducing them to the Windows Subsystem for Linux significantly enhanced their daily tasks. It allowed them to replace inefficient online tools or labor-intensive manual processes with simple command-line solutions.
I’d like to share these tricks with a wider audience.

What you’ll need

  1. Install WSL
  2. WSL introduction, especially “Run basic WSL commands”
  3. Accessing Windows files on WSL, and vice versa

How this works

Each use case serves as a demonstration of a specific tool. Given the ubiquity of these tools, you can easily find online resources to further maximize their utility.
Lines beginning with $ are commands you type; lines without it are the computer’s output.

Furthermore, these tools can be combined to perform more intricate tasks. For instance, you can use them to filter a list of domains and only display those registered by BestCompany. If you’re interested in learning how to harness these capabilities, you can explore bash tutorials like this one, among many others.

Who owns this domain (whois)

Instead of relying on random lookup websites, get the registration data firsthand:

$ whois google.com
   Domain Name: GOOGLE.COM
   Registry Domain ID: 2138514_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2019-09-09T15:39:04Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2028-09-14T04:00:00Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2086851750
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.GOOGLE.COM
   Name Server: NS2.GOOGLE.COM
   Name Server: NS3.GOOGLE.COM
   Name Server: NS4.GOOGLE.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-09-08T15:27:09Z <<<
...
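The combination mentioned in the introduction, filtering a list of domains down to those registered by BestCompany, as an added shell example that is not part of the original post. It assumes a constructed lookup_whois function that returns canned records so it runs offline; replace its body with a real whois call to use it on your own list.

```shell
#!/bin/sh
# Added example: keep only the domains whose whois record names a given registrar.

# Constructed stand-in for `whois "$1"` so the script runs offline.
# The first record uses CRLF line endings, which real whois servers often send.
lookup_whois() {
    case "$1" in
        example-a.test)
            printf '   Domain Name: EXAMPLE-A.TEST\r\n   Registrar WHOIS Server: whois.example.test\r\n   Registrar: BestCompany Inc.\r\n'
            ;;
        example-b.test)
            printf '   Domain Name: EXAMPLE-B.TEST\n   Registrar: Other Registrar LLC\n'
            ;;
        *)
            # Unknown domain: no "Registrar:" line at all.
            printf '   Domain Name: %s\n' "$1"
            ;;
    esac
}

# Print the registrar named in a domain's whois record (empty if none).
# Only the "Registrar:" line matches; "Registrar WHOIS Server:" and
# "Registrar URL:" do not, because the colon must follow "Registrar" directly.
registrar_of() {
    lookup_whois "$1" | tr -d '\r' | sed -n 's/^ *Registrar: *//p' | head -n 1
}

# Read domains, one per line, from stdin; print those registered by $1.
# </dev/null keeps the lookup from eating lines of the domain list.
domains_registered_by() {
    while read -r domain; do
        [ -n "$domain" ] || continue
        if registrar_of "$domain" </dev/null | grep -q -i -F -- "$1"; then
            echo "$domain"
        fi
    done
}

# Usage: domains_registered_by BestCompany < domains.txt
```

With a real whois in lookup_whois, each domain costs one network query, so expect a list of a few hundred domains to take minutes rather than seconds.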

Search a directory for specific text (grep)

Need to search for the word “password” in a directory containing a trillion files?

$ grep -r password
page2.txt:password
page2.txt:passwords
page2.txt:password's
page1.txt:This is my password: 1232

Just looking to list the files containing the word “password”?

$ grep -r -l password
page2.txt
page1.txt

Case insensitive match (“Password” or “pAssWoRd”)?

$ grep -r -i password
page3.txt:the SeCreT PassWord is potato
page2.txt:password
page2.txt:passwords
page2.txt:password's
page1.txt:This is my password: 1232

What kind of file is this (file)

Looking to determine the file type of a file that lacks an extension?

$ file riddle
riddle: Zip archive data, at least v1.0 to extract, compression method=store

Interested in determining the file types for all files in your directory, even those without extensions?

$ file *
dunno:    SQLite 3.x database, last written using SQLite version 3041002, file counter 973, database pages 2280, 1st free page 744, free pages 638, cookie 0x272, schema 4, UTF-8, version-valid-for 973
enigma:   SVG Scalable Vector Graphics image
mystery:  JSON text data
riddle:   Zip archive data, at least v1.0 to extract, compression method=store
unclear:  OpenDocument Spreadsheet
unknown:  Microsoft Word 2007+
whoknows: Composite Document File V2 Document, Little Endian, Os: Windows, Version 1.0, Code page: -535, Revision Number: 1, Total Editing Time: 00:13, Create Time/Date: Fri Sep  8 16:32:55 2023, Last Saved Time/Date: Fri Sep  8 16:33:08 2023

DNS information (host, dig)

Need a brief summary of where a specific domain is currently pointing?

$ host gmail.com
gmail.com has address 172.217.18.5
gmail.com has IPv6 address 2a00:1450:4001:812::2005
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.

And to translate an IP address back to a name, if one is available:

$ host 172.217.18.5
5.18.217.172.in-addr.arpa domain name pointer fra24s22-in-f5.1e100.net.
5.18.217.172.in-addr.arpa domain name pointer fra15s28-in-f5.1e100.net.
5.18.217.172.in-addr.arpa domain name pointer fra02s19-in-f5.1e100.net.

For detailed answers to specific questions, use the dig command.

$ dig gmail.com

; <<>> DiG 9.18.18 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17879
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;gmail.com.			IN	A

;; ANSWER SECTION:
gmail.com.		234	IN	A	172.217.18.5

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Sep 08 18:40:44 IDT 2023
;; MSG SIZE  rcvd: 54

There is more

This list is not exhaustive. Linux, which relies heavily on command-line interfaces, offers a multitude of powerful tools that are readily installable with ample documentation available. You can tap into the knowledge of Linux-savvy friends or conduct online searches to discover numerous options that can significantly simplify your life.