Display complete system information
LOW | Reconnaissance | Initial system reconnaissance to identify OS version, kernel, and architecture
uname -a
uname [OPTION]...
Explanation
Essential first command on a new target. The kernel release (the third field, also shown by uname -r) is what you check against known kernel vulnerabilities; pair it with the distribution version from /etc/os-release, because distro kernels are patched independently of the upstream version string, so a matching number alone does not prove a host is vulnerable.
Example Output
uname -a
Linux server01 5.4.0-74-generic #83-Ubuntu SMP x86_64 GNU/Linux
Check current user identity and privileges
LOW | Reconnaissance | Verify current privilege level and group memberships
whoami && id
Explanation
Combines the user name with the numeric uid, gid and supplementary groups. The groups matter as much as the user: membership in docker, lxd, disk, adm or sudo each gives a known route to higher privileges or to files you could not otherwise read.
Example Output
whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
List running processes (excluding kernel threads)
LOW | Reconnaissance | Identify running services and potential attack vectors
ps aux | grep -v "\[" | head -20
ps [options]
Explanation
Shows running processes, which may reveal services, applications, or privilege escalation opportunities (a root process reading a config you can write, for example). The grep -v "\[" filter drops kernel threads, which ps shows in brackets, but it also hides any userland process whose arguments contain a bracket; ps -ef --ppid 2 -p 2 --deselect excludes kernel threads by parentage instead and keeps everything else.
Example Output
ps aux | grep -v "\[" | head -20
Show listening ports and associated processes
LOW | Network | Network service enumeration and potential entry points
netstat -tulpn 2>/dev/null | grep LISTEN
netstat -tulpn
Explanation
Reveals open ports and the services behind them, essential for mapping the attack surface. Without root the PID/Program name column is empty for sockets owned by other users. netstat comes from net-tools, which many current distributions no longer install by default; if it is missing, use ss (next entry).
Example Output
netstat -tulpn 2>/dev/null | grep LISTEN
tcp  0  0  0.0.0.0:22  0.0.0.0:*  LISTEN  1234/sshd
tcp  0  0  0.0.0.0:80  0.0.0.0:*  LISTEN  5678/apache2
Modern alternative to netstat for socket information
LOW | Network | Network enumeration on modern Linux systems
ss -tulpn | grep LISTEN
ss [options]
Explanation
Faster and more detailed than netstat, and part of iproute2, so it is present on essentially every current system. Same flag meanings as above (-t TCP, -u UDP, -l listening, -p process, -n numeric); as with netstat, the process column is only filled in for other users' sockets when run as root.
Example Output
ss -tulpn | grep LISTEN
Find SUID binaries for privilege escalation
MEDIUM | Privilege Escalation | Identify potential privilege escalation vectors through SUID binaries
find / -type f -perm -4000 2>/dev/null
find [path] -type f -perm -4000
Explanation
SUID binaries run with the privileges of their owner (usually root) regardless of who executes them. Misconfigured or unexpected SUID binaries are common privilege escalation vectors: compare the list against what the distribution ships and look closely at anything custom, anything in an unusual directory, and any interpreter, editor or archiver carrying the bit. The list varies between systems; on many current distributions ping uses the cap_net_raw capability instead of SUID, so it will not appear here but will show up under getcap (see the capabilities entry below).
Example Output
find / -type f -perm -4000 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/bin/ping
Find SGID binaries and directories
MEDIUM | Privilege Escalation | Locate SGID files that might allow group privilege escalation
find / -type f -perm -2000 2>/dev/null
find [path] -type f -perm -2000
Explanation
SGID files run with group privileges. Can be exploited for privilege escalation or information disclosure.
Example Output
find / -type f -perm -2000 2>/dev/null
Find world-writable directories
MEDIUM | Reconnaissance | Identify directories where files can be written for persistence or exploitation
find / -writable -type d 2>/dev/null | head -20
find [path] -writable -type d
Explanation
Writable directories can be used for file uploads, persistence mechanisms, or temporary exploit storage. Note that -writable is evaluated for the current user, so this also lists your own home directory tree and anything owned by your groups; the interesting hits are directories writable by everyone that lack the sticky bit (the t in ls -ld output, or find / -type d -perm -0002 ! -perm -1000), because in sticky directories such as /tmp you cannot rename or delete other users' files. A world-writable directory on root's PATH, or one holding a script that a root cron job runs, is the escalation case to look for.
Example Output
find / -writable -type d 2>/dev/null | head -20
/tmp
/var/tmp
/dev/shm
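The three permission checks above (SUID files, SGID files, world-writable directories) are usually run together and compared against a baseline. The script below is an added example, not part of the original cheatsheet: perm_triage prints all three findings in one "kind path" format, and only reports a world-writable directory when the sticky bit is absent, since sticky /tmp-style directories are expected. make_demo_tree builds a constructed directory tree so the check can be exercised offline; on a real host you would run perm_triage against /.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheatsheet: one pass that reports what
# the three find commands above look for (SUID files, SGID files, world-writable
# directories) in a single "<kind> <path>" format that is easy to diff against a
# baseline.  World-writable directories are only reported when the sticky bit is
# absent: sticky /tmp-style directories are expected and stop users deleting each
# other's files.  make_demo_tree() builds a constructed tree so the check runs
# offline; on a real host run:  perm_triage /

perm_triage() {
    local root="$1"
    # -perm -4000: SUID bit set, whatever the other bits are
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/suid /'
    # -perm -2000: SGID bit set
    find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/sgid /'
    # -perm -0002: writable by "other"; ! -perm -1000: sticky bit not set
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/ww-dir /'
}

# Constructed fixture: a fake root with one of each case plus two decoys.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp" "$d/dropzone"
    : > "$d/bin/passwd_like"; chmod 4755 "$d/bin/passwd_like"   # SUID: reported
    : > "$d/bin/wall_like";   chmod 2755 "$d/bin/wall_like"     # SGID: reported
    : > "$d/bin/plain";       chmod 0755 "$d/bin/plain"         # decoy: not reported
    chmod 1777 "$d/tmp"        # world-writable with sticky bit: not reported
    chmod 0777 "$d/dropzone"   # world-writable, no sticky bit: reported
    printf '%s\n' "$d"
}

# Usage: ./perm_triage.sh /   (or any other root); prints nothing without an argument.
if [ -n "${1:-}" ]; then
    perm_triage "$1"
fi
```

The -xdev keeps each find on one filesystem, which avoids descending into /proc and network mounts; run it once per mount point of interest. Diffing the output of two runs, or against a copy taken at build time, is the quickest way to spot a newly planted SUID binary.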
Find readable configuration files
LOW | Reconnaissance | Enumerate configuration files that might contain credentials or sensitive information
find /etc -name "*.conf" -readable 2>/dev/null | head -10
find [path] -name "*.conf" -readable
Explanation
Configuration files often contain passwords, API keys, database connection strings or hostnames useful for further exploitation. -readable is evaluated for the current user, so the list shows exactly what you can open; the *.conf filter is a starting point only, since service configs under /etc also use .ini, .cfg, .yml and extensionless names, and application secrets usually live outside /etc in web roots, home directories and .env files.
Example Output
find /etc -name "*.conf" -readable 2>/dev/null | head -10
Display ARP table to discover network hosts
LOW | Network | Network discovery and lateral movement planning
arp -a || ip neigh show
arp -a
Explanation
ARP table reveals recently communicated hosts, providing targets for lateral movement.
Example Output
arp -a
gateway (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
server (192.168.1.100) at 11:22:33:44:55:66 [ether] on eth0
Display routing table to understand network topology
LOW | Network | Understanding network layout for pivoting and lateral movement
route -n || ip route show
route -n
Explanation
Routing information reveals network segments and potential pivot points for lateral movement.
Example Output
route -n
Destination  Gateway      Genmask        Flags  Iface
0.0.0.0      192.168.1.1  0.0.0.0        UG     eth0
192.168.1.0  0.0.0.0      255.255.255.0  U      eth0
Quick ping sweep of local subnet
MEDIUM | Network | Discover live hosts in the current network segment
for i in {1..254}; do timeout 1 ping -c1 192.168.1.$i 2>&1 | grep "64 bytes" | cut -d" " -f4 | cut -d":" -f1; done
for i in {1..254}; do ping -c1 [network].$i; done
Explanation
Identifies active hosts in the network by ICMP echo. The loop is sequential, so with a 1 s timeout a mostly silent /24 takes up to about four minutes, and hosts that drop ICMP echo (common on Windows and hardened servers) are missed entirely. 254 pings in a row is also exactly the pattern that IDS and NetFlow-based monitoring flag as a sweep; the risk rating reflects that detectability, not any impact on the targets.
Example Output
for i in {1..254}; do timeout 1 ping -c1 192.168.1.$i 2>&1 | grep "64 bytes" | cut -d" " -f4 | cut -d":" -f1; done
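The sweep above can be made both faster and safer to reuse by parameterising the prefix and backgrounding the probes, so the whole /24 finishes in roughly one timeout instead of 254. This is an added example and not part of the original cheatsheet; it assumes Linux iputils ping, where -W is the reply timeout in seconds (on BSD and macOS the same flag is in milliseconds). The ping_replies function extracts the answering addresses from ping's output and is what the offline check exercises; ping_sweep is what you run on the target.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: the sweep above, parameterised
# and run concurrently.  The page's loop probes hosts one at a time, so a mostly
# silent /24 takes up to ~254 s; backgrounding the probes finishes in about one
# timeout.  ping_replies() extracts the answering addresses and is what the
# offline check exercises; ping_sweep() is what you run on the target.
# Flags follow Linux iputils ping (-W is seconds on Linux, milliseconds on BSD/macOS).

# stdin: ping output.  stdout: unique responding IPv4 addresses, numerically sorted.
# Reply lines look like "64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.29 ms"
# or "64 bytes from gw (192.168.1.254): ..." when reverse DNS resolves, so the
# address is taken by pattern rather than by field position.
ping_replies() {
    grep -E '^[0-9]+ bytes from ' \
        | grep -oE '[0-9]+(\.[0-9]+){3}' \
        | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# $1: /24 prefix such as 192.168.1; $2: per-host reply timeout in seconds (default 1).
ping_sweep() {
    local prefix="$1" wait="${2:-1}" i
    (
        for i in $(seq 1 254); do
            # -c1: one probe; -W: give up after $wait seconds; stderr dropped
            ping -c1 -W "$wait" "$prefix.$i" 2>/dev/null &
        done
        wait   # keep the pipe open until every probe has returned
    ) | ping_replies
}

# Usage: ./sweep.sh 192.168.1 [timeout]; does nothing when run without arguments.
if [ $# -ge 1 ]; then
    ping_sweep "$1" "${2:-1}"
fi
```

The concurrent version is louder per second than the original loop (all 254 probes leave the host at once), so it is the right choice when speed matters more than blending in; when it does not, keep the sequential form and add a sleep between hosts.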
List sudo privileges for current user
LOW | Privilege Escalation | Identify commands that can be run with elevated privileges
sudo -l
sudo -l
Explanation
Shows the sudoers rules that apply to the current user. Misconfigurations that lead directly to root include NOPASSWD rules for editors, pagers, interpreters or anything else with a shell escape, rules with wildcards in the command path, and rules for commands that read or write files you control (the systemctl rule in the example is worth checking: can www-data edit the apache2 unit or its ExecStart target?). sudo -l prompts for the user's password unless a NOPASSWD rule or a recent sudo session covers it.
Example Output
sudo -l
User www-data may run the following commands:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
Enumerate scheduled tasks and cron jobs
LOW | Privilege Escalation | Find scheduled tasks that might be exploitable or reveal system behavior
cat /etc/crontab && ls -la /etc/cron* && crontab -l 2>/dev/null
cat /etc/crontab
Explanation
Cron jobs running as root whose script, or whose script's directory, is writable by a lower-privileged user are common privilege escalation vectors; so are jobs that call a bare command name with a PATH in the crontab that includes a writable directory. System jobs live in /etc/crontab and /etc/cron.d (both carry a user column), per-user jobs in /var/spool/cron (readable only by root), and on systemd hosts the equivalent of many cron jobs is a timer, listed with systemctl list-timers --all.
Example Output
cat /etc/crontab
*/5 * * * * root /opt/backup.sh
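The check that the explanation above describes, a root cron job whose program the current user can modify, can be turned into a single pass over the system crontab files. The script below is an added example, not part of the original cheatsheet. It parses the six-field system-crontab format with a user column (the form used by /etc/crontab and /etc/cron.d/*) plus @reboot-style lines, and reports root entries whose absolute program path is writable, or is missing from a directory that is writable, by the current user. cron_demo writes a constructed crontab and scripts so the check runs offline; the file paths and schedules in it are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original cheatsheet): checks the escalation case the
# explanation above describes, a root cron job whose program file the current user
# can modify.  It parses system-crontab format, the six-field lines with a user
# column used by /etc/crontab and /etc/cron.d/* (plus @reboot-style lines), and
# reports root entries whose program is writable, or missing from a directory that
# is writable, by the current user.  cron_demo() writes a constructed crontab and
# scripts so the check runs offline; on a real host run it as an unprivileged user:
#   find_writable_root_jobs /etc/crontab /etc/cron.d/*

# Print "<schedule> <program>" for each root job in the given files that is exploitable.
find_writable_root_jobs() {
    local f line sched user prog
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            # skip blank lines, comments and VAR=value assignments
            case "$line" in ''|'#'*|[A-Za-z_]*=*) continue;; esac
            set -f               # no globbing: schedule fields are literal "*"
            set -- $line
            set +f
            case "$1" in
                @*) [ $# -ge 3 ] || continue; sched=$1; user=$2; shift 2;;
                *)  [ $# -ge 7 ] || continue; sched="$1 $2 $3 $4 $5"; user=$6; shift 6;;
            esac
            [ "$user" = root ] || continue
            prog=$1
            # only absolute paths; bare names resolve via cron's PATH and are not checked here
            case "$prog" in /*) ;; *) continue;; esac
            # -w is answered for the current user, so run this unprivileged:
            # as root everything is writable and the check says nothing useful
            if [ -w "$prog" ] || { [ ! -e "$prog" ] && [ -w "$(dirname "$prog")" ]; }; then
                printf '%s %s\n' "$sched" "$prog"
            fi
        done < "$f"
    done
}

# Constructed fixture: a crontab plus scripts with the permissions that matter.
cron_demo() {
    local d
    d=$(mktemp -d)
    : > "$d/backup.sh"; chmod 755 "$d/backup.sh"    # owned and writable by us: reported
    : > "$d/rotate.sh"; chmod 555 "$d/rotate.sh"    # not writable: silent (unless run as root)
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * * root $d/backup.sh
0 3 * * * root $d/rotate.sh
@reboot root $d/missing.sh
17 * * * * www-data $d/backup.sh
EOF
    printf '%s\n' "$d"
}

# Usage: ./cron_check.sh /etc/crontab /etc/cron.d/*; prints nothing without arguments.
if [ $# -ge 1 ]; then
    find_writable_root_jobs "$@"
fi
```

The missing-file case is deliberate: a root job that points at a script which no longer exists, in a directory you can write to, is as good as a writable script, because you can create the file. Bare command names are skipped here; for those, check whether any directory in the crontab's PATH line is writable.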
Find files with special capabilities
MEDIUM | Privilege Escalation | Identify binaries with dangerous capabilities for privilege escalation
getcap -r / 2>/dev/null
getcap -r [path]
Explanation
Linux file capabilities grant a binary a specific slice of root's privileges without the full SUID bit, and they do not show up in the SUID search above. Some are as good as root when the binary is an interpreter or lets you control what it does: cap_setuid on python lets it call setuid(0), cap_dac_read_search reads any file on the system (including /etc/shadow), cap_dac_override writes any file, and cap_sys_admin or cap_sys_ptrace give several routes to root. The 2>/dev/null already discards the "Operation not permitted" errors getcap prints for paths it cannot inspect, so no extra grep is needed.
Example Output
getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
Monitor authentication logs in real-time
LOW | Monitoring | Monitor login attempts and authentication events
tail -f /var/log/auth.log 2>/dev/null || tail -f /var/log/secure 2>/dev/null
tail -f /var/log/auth.log
Explanation
Authentication logs reveal login patterns, failed attempts, sudo use, and whether your own activity is being recorded. Debian-family systems write to /var/log/auth.log and RHEL-family systems to /var/log/secure, which is why the command tries both; either file is normally readable only by root or the adm group. On systemd hosts the same events are in the journal (journalctl -f -u ssh, or the whole journal with journalctl -f), and on minimal images that is sometimes the only copy.
Example Output
tail -f /var/log/auth.log
Show recent user login history
LOW | Monitoring | Analyze user access patterns and identify suspicious logins
last -a | head -20
last -a
Explanation
Login history helps separate normal from suspicious access: unfamiliar source addresses, logins at odd hours, or root logging in interactively. last reads /var/log/wtmp, which an attacker with root can truncate or edit, so an empty or suspiciously short history is itself a finding; cross-check with lastlog, the authentication log, and any remote log collector. With -a the source host or address is printed in the last column.
Example Output
last -a | head -20
root   pts/0  Mon Jan 15 10:30 - 11:45  (01:15)  192.168.1.100
user1  tty1   Mon Jan 15 09:00 - 10:00  (01:00)
Check SSH authorized keys for persistence
MEDIUM | Persistence | Verify SSH key-based access and identify potential backdoors
cat ~/.ssh/authorized_keys 2>/dev/null; find /home /root -name authorized_keys 2>/dev/null
cat ~/.ssh/authorized_keys
Explanation
SSH keys provide persistent, password-less access that survives password changes. Unauthorized keys in authorized_keys files indicate a backdoor; check every user's file, not only your own, and include root. Read the whole line, not just the key: the trailing comment often identifies who generated it, and options at the start (command=, from=, no-pty) show what the key is allowed to do. Note that the two commands are separated by ; rather than &&, so the search still runs when the current user has no authorized_keys file.
Example Output
cat ~/.ssh/authorized_keys
Check for suspicious aliases or functions in user profiles
MEDIUM | Persistence | Detect command aliases that might hide malicious activity
find /home -name ".bashrc" -exec grep -Hn "alias\|function" {} \; 2>/dev/null
grep -n "alias" ~/.bashrc
Explanation
Malicious aliases or shell functions can redirect commands to backdoors or hide attacker activity from administrators (an alias for ls that omits a directory, a ps that filters out a process name, a sudo that logs the password). The default .bashrc on most distributions already defines harmless aliases, so nearly every file will match; read the matching lines themselves (grep -Hn prints file and line number) rather than treating a match as a finding, and compare against /etc/skel/.bashrc. The same trick works from .bash_aliases, .profile, .bash_profile, /etc/bash.bashrc and /etc/profile.d/*, so extend the search to those when a host looks tampered with.
Example Output
find /home -name ".bashrc" -exec grep -Hn "alias\|function" {} \; 2>/dev/null
Find processes running deleted executables (potential fileless malware)
HIGH | Forensics | Detect processes running from deleted files (potential malware)
ls -la /proc/*/exe 2>/dev/null | grep deleted
ls -la /proc/*/exe
Explanation
A process whose executable has been unlinked shows "(deleted)" after the target of its /proc/PID/exe link. Malware commonly does this to leave nothing on disk for a file scanner to find, but package upgrades produce the same state for services that have not been restarted since their binary was replaced, so confirm with /proc/PID/cmdline and /proc/PID/cwd before escalating. The deleted binary is still recoverable as long as the process lives: cp /proc/PID/exe /path/for/analysis copies it. /proc/PID/exe is only readable for processes you are allowed to ptrace (your own, or all of them as root), so run the check as root for a complete picture.
Example Output
ls -la /proc/*/exe 2>/dev/null | grep deleted
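To see the "(deleted)" marker without any malware involved, and to have a reusable listing function, the script below is provided as an added example that is not part of the original cheatsheet. deleted_exes reports every process whose executable has been unlinked; spawn_deleted_demo copies sleep to a temporary directory, starts it, waits until the exec has happened, and then removes the copy, which is exactly the state the command above greps for. The temporary paths are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheatsheet: deleted_exes() lists every
# process whose executable has been unlinked (the "(deleted)" marker the command
# above greps for), and spawn_deleted_demo() reproduces the condition with a copy
# of sleep so you can see the marker without any malware involved.  /proc/<pid>/exe
# is readable only for processes you may ptrace (your own, or all as root), so the
# listing is complete only as root.  On a real host run: deleted_exes

# Print "<pid> <original path>" for processes running an unlinked executable.
deleted_exes() {
    local p pid target
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        target=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel thread, gone, or denied
        case "$target" in
            *" (deleted)") printf '%s %s\n' "$pid" "${target% (deleted)}";;
        esac
    done
}

# Constructed scenario: copy sleep to a temp dir (keeping the name so busybox-based
# systems still dispatch it), start it, wait until it has exec'd, then unlink it.
# Prints the pid; the caller is responsible for killing it.
spawn_deleted_demo() {
    local d pid i
    d=$(mktemp -d)
    cp "$(command -v sleep)" "$d/sleep"
    "$d/sleep" 60 >/dev/null 2>&1 &
    pid=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do   # exec is asynchronous; do not unlink too early
        case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in */sleep) break;; esac
        sleep 0.2
    done
    rm -f "$d/sleep"
    printf '%s\n' "$pid"
}

# Usage: ./deleted_exes.sh --list   (just report)
#        ./deleted_exes.sh --demo   (spawn the constructed case, report, clean up)
case "${1:-}" in
    --list) deleted_exes;;
    --demo) pid=$(spawn_deleted_demo); deleted_exes; kill "$pid";;
esac
```

readlink is used instead of parsing ls output because the link target is the only field that matters and it may contain spaces. The wait loop exists because the shell forks first and the child execs the copied binary afterwards; deleting the file in between would make the exec fail rather than produce a deleted-executable process.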
Search process memory for sensitive strings
HIGH | Data Extraction | Extract sensitive information from process memory
pid=1234; while read -r range perms _ _ _ name; do case "$perms" in r*) ;; *) continue;; esac; case "$name" in '[vvar]'|'[vsyscall]') continue;; esac; s=$((16#${range%-*})); e=$((16#${range#*-})); dd if=/proc/$pid/mem bs=1M iflag=skip_bytes,count_bytes skip=$s count=$((e-s)) 2>/dev/null; done < /proc/$pid/maps | strings -n 8 | grep -E "password|key|secret"
for each readable range in /proc/[PID]/maps: dd if=/proc/[PID]/mem skip=<start> count=<length> | strings | grep [pattern]
Explanation
Process memory may contain passwords, keys, session tokens or decrypted configuration in plaintext. Note which file holds it: /proc/PID/maps is only the index of mappings (address ranges, permissions and backing files), so running strings on it yields library paths and nothing else. The bytes are in /proc/PID/mem, which is sparse and returns an I/O error for any offset that is not mapped, so it has to be read range by range at the offsets maps lists; the loop above does that with GNU dd's byte-offset flags and skips the [vvar] and [vsyscall] regions, which are listed as readable but fail through mem. Reading another process's memory requires ptrace permission on it: the same uid with kernel.yama.ptrace_scope set to 0, or root (CAP_SYS_PTRACE). Expect large output for big processes; narrow the pattern or the pid before dumping.
Example Output
pid=1234; while read -r range perms _ _ _ name; do case "$perms" in r*) ;; *) continue;; esac; case "$name" in '[vvar]'|'[vsyscall]') continue;; esac; s=$((16#${range%-*})); e=$((16#${range#*-})); dd if=/proc/$pid/mem bs=1M iflag=skip_bytes,count_bytes skip=$s count=$((e-s)) 2>/dev/null; done < /proc/$pid/maps | strings -n 8 | grep -i password
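The one-liner above is easier to maintain as two functions: one that turns maps lines into byte ranges, and one that reads those ranges from mem. The script below is an added example, not part of the original cheatsheet; readable_ranges is the part that can be checked offline against constructed maps text (the addresses and paths in the check are made up), and grep_process_memory is what you run against a live pid. It assumes GNU dd, for the skip_bytes and count_bytes flags, and bash, for the base-16 arithmetic.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: the "search process memory" entry
# done against the right file.  /proc/<pid>/maps is only the index of mappings;
# the bytes are in /proc/<pid>/mem, which is sparse and returns EIO for any offset
# that is not mapped, so it has to be read range by range.  readable_ranges()
# turns maps lines into "start length" pairs (decimal bytes) and is exercised by the
# offline check; grep_process_memory() reads those ranges with GNU dd and runs
# strings over them.  Reading another process's mem needs ptrace permission on it:
# same uid with kernel.yama.ptrace_scope=0, or root / CAP_SYS_PTRACE.

# stdin: /proc/<pid>/maps text.  stdout: "<start> <length>" for each readable
# mapping, skipping [vvar] and [vsyscall], which are readable on paper but EIO via mem.
readable_ranges() {
    local range perms offset dev inode name start end
    while read -r range perms offset dev inode name; do
        case "$perms" in r*) ;; *) continue;; esac
        case "$name" in '[vvar]'|'[vsyscall]') continue;; esac
        start=$((16#${range%-*}))
        end=$((16#${range#*-}))
        printf '%s %s\n' "$start" "$((end - start))"
    done
}

# $1: pid; $2: extended regex for grep.  Dumps every readable range and greps the
# printable strings (8+ chars) found in them.
grep_process_memory() {
    local pid="$1" pattern="$2" start len
    readable_ranges < "/proc/$pid/maps" | while read -r start len; do
        # GNU dd: skip_bytes/count_bytes make skip= and count= byte offsets, so a
        # large block size can be used without aligning the range to it
        dd if="/proc/$pid/mem" bs=1M iflag=skip_bytes,count_bytes \
           skip="$start" count="$len" 2>/dev/null
    done | strings -n 8 | grep -E "$pattern"
}

# Usage: ./memgrep.sh <pid> 'password|secret|BEGIN .*PRIVATE KEY'; idle without arguments.
if [ $# -eq 2 ]; then
    grep_process_memory "$1" "$2"
fi
```

For a forensic capture rather than a quick grep, replace the strings stage with a redirect to a file per range, or use gcore from gdb, which performs the same maps-driven read and writes a core file that other tools understand.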
List open files and network connections
LOW | Network | Detailed network connection analysis and process identification
lsof -i -P -n | grep LISTEN
lsof -i -P -n
Explanation
Provides detailed information about which processes are using network connections and files.
Example Output
lsof -i -P -n | grep LISTEN
sshd  1234  root  3u  IPv4  12345  0t0  TCP *:22 (LISTEN)
Quick Reference Guide
Risk Levels
Best Practices
- Always check permissions first
- Redirect errors to /dev/null
- Use timeout for network commands
- Document your findings
- Clean up after testing
Common Paths
- /etc/passwd - User accounts
- /etc/shadow - Password hashes
- /var/log/ - System logs
- /tmp/ - Temporary files
- /proc/ - Process information
This cheatsheet is maintained by the TheCyberHub community. Last updated: January 2025