Linux Pentesting Cheatsheet

Essential commands for penetration testing on Linux systems

22 commands in 7 categories | 25K+ downloads | 4.9★ community rating

Display complete system information

Risk: LOW | Category: Reconnaissance

Initial system reconnaissance to identify OS version, kernel, and architecture

uname -a
Syntax: uname [OPTION]...

Explanation

Essential first command to understand the target system. Reveals kernel version which may have known vulnerabilities.

Example Output

uname -a
# Linux server01 5.4.0-74-generic #83-Ubuntu SMP x86_64 GNU/Linux
Tags: #system #info #basic

Check current user identity and privileges

Risk: LOW | Category: Reconnaissance

Verify current privilege level and group memberships

whoami && id

Explanation

Combines user identification with detailed privilege information. Critical for understanding current access level.

Example Output

whoami && id
# www-data
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
Tags: #user #privileges #basic

List running processes (excluding kernel threads)

Risk: LOW | Category: Reconnaissance

Identify running services and potential attack vectors

ps aux | grep -v "\[" | head -20
Syntax: ps [options]

Explanation

Shows running processes which may reveal services, applications, or privilege escalation opportunities.

Example Output

ps aux | grep -v "\[" | head -20
Tags: #processes #services #enumeration

Show listening ports and associated processes

Risk: LOW | Category: Network

Network service enumeration and potential entry points

netstat -tulpn 2>/dev/null | grep LISTEN
Syntax: netstat -tulpn

Explanation

Reveals open ports and services, essential for identifying attack surface and potential vulnerabilities.

Example Output

netstat -tulpn 2>/dev/null | grep LISTEN
# tcp 0.0.0.0:22 LISTEN 1234/sshd
# tcp 0.0.0.0:80 LISTEN 5678/apache2
Tags: #network #ports #services

Modern alternative to netstat for socket information

Risk: LOW | Category: Network

Network enumeration on modern Linux systems

ss -tulpn | grep LISTEN
Syntax: ss [options]

Explanation

Faster and more detailed than netstat. Preferred tool on newer systems for network enumeration.

Example Output

ss -tulpn | grep LISTEN
Tags: #network #sockets #modern

Find SUID binaries for privilege escalation

Risk: MEDIUM | Category: Privilege Escalation

Identify potential privilege escalation vectors through SUID binaries

find / -type f -perm -4000 2>/dev/null
Syntax: find [path] -type f -perm -4000

Explanation

SUID binaries run with owner privileges. Misconfigured SUID binaries are common privilege escalation vectors.

Example Output

find / -type f -perm -4000 2>/dev/null
# /usr/bin/passwd
# /usr/bin/sudo
# /bin/ping
Tags: #suid #privesc #binaries

Find SGID binaries and directories

Risk: MEDIUM | Category: Privilege Escalation

Locate SGID files that might allow group privilege escalation

find / -type f -perm -2000 2>/dev/null
Syntax: find [path] -type f -perm -2000

Explanation

SGID files run with group privileges. Can be exploited for privilege escalation or information disclosure.

Example Output

find / -type f -perm -2000 2>/dev/null
Tags: #sgid #privesc #groups
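The two find commands above (SUID and SGID) are most useful on the defending side when their output is compared against a known-good baseline, so that a newly appeared privileged file stands out instead of being lost among the dozens that belong there. The script below is an added example, not one of the cheatsheet's commands; the root directory and the baseline file path are parameters you choose, and the baseline location in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): baseline audit for
# setuid/setgid regular files. The first run records what exists; later
# runs print only files that have gained the bit since the baseline was taken.

# List regular files under ROOT that carry the setuid or setgid bit.
# Output is sorted so it can be diffed or fed to comm; unreadable
# directories are skipped silently (stderr dropped, like the cheatsheet's
# own find commands).
list_privileged_files() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print files present now that are absent from BASELINE. On the first call
# the baseline does not exist yet, so it is created and nothing is printed.
# An empty result on later calls means no new setuid/setgid file appeared.
privileged_files_new_since() {
    root="$1"
    baseline="$2"
    if [ ! -f "$baseline" ]; then
        list_privileged_files "$root" > "$baseline"
        return 0
    fi
    # comm -13: suppress lines unique to the baseline and lines common to both,
    # leaving only lines unique to the current listing.
    list_privileged_files "$root" | comm -13 "$baseline" -
}

# Usage (assumed baseline path; pick one outside world-writable locations):
#   privileged_files_new_since / /var/lib/privileged-files.baseline
```

Run the baseline step from a trusted state (fresh install or after a verified package upgrade), since any file already present when the baseline is taken is accepted as normal. A package upgrade legitimately changes this list, so re-baseline after one rather than ignoring the alert.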

Find world-writable directories

Risk: MEDIUM | Category: Reconnaissance

Identify directories where files can be written for persistence or exploitation

find / -writable -type d 2>/dev/null | head -20
Syntax: find [path] -writable -type d

Explanation

Writable directories can be used for file uploads, persistence mechanisms, or temporary exploit storage. Note that -writable tests whether the current user can write to the directory (through owner, group, or other permissions), which is broader than strictly world-writable.

Example Output

find / -writable -type d 2>/dev/null | head -20
# /tmp
# /var/tmp
# /dev/shm
Tags: #writable #directories #persistence

Find readable configuration files

Risk: LOW | Category: Reconnaissance

Enumerate configuration files that might contain credentials or sensitive information

find /etc -name "*.conf" -readable 2>/dev/null | head -10
Syntax: find [path] -name "*.conf" -readable

Explanation

Configuration files often contain passwords, API keys, or system information useful for further exploitation.

Example Output

find /etc -name "*.conf" -readable 2>/dev/null | head -10
Tags: #config #files #credentials

Display ARP table to discover network hosts

Risk: LOW | Category: Network

Network discovery and lateral movement planning

arp -a || ip neigh show
Syntax: arp -a

Explanation

ARP table reveals recently communicated hosts, providing targets for lateral movement.

Example Output

arp -a
# gateway (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
# server (192.168.1.100) at 11:22:33:44:55:66 [ether] on eth0
Tags: #arp #network #discovery

Display routing table to understand network topology

Risk: LOW | Category: Network

Understanding network layout for pivoting and lateral movement

route -n || ip route show
Syntax: route -n

Explanation

Routing information reveals network segments and potential pivot points for lateral movement.

Example Output

route -n
# 0.0.0.0 192.168.1.1 UG eth0
# 192.168.1.0/24 0.0.0.0 U eth0
Tags: #routing #network #topology

Quick ping sweep of local subnet

Risk: MEDIUM | Category: Network

Discover live hosts in the current network segment

for i in {1..254}; do timeout 1 ping -c1 192.168.1.$i 2>&1 | grep "64 bytes" | cut -d" " -f4 | cut -d":" -f1; done
Syntax: for i in {1..254}; do ping -c1 [network].$i; done

Explanation

Identifies active hosts in the network. May generate network traffic that could be detected by monitoring systems.

Example Output

for i in {1..254}; do timeout 1 ping -c1 192.168.1.$i 2>&1 | grep "64 bytes" | cut -d" " -f4 | cut -d":" -f1; done
Tags: #ping #sweep #discovery

List sudo privileges for current user

Risk: LOW | Category: Privilege Escalation

Identify commands that can be run with elevated privileges

sudo -l
Syntax: sudo -l

Explanation

Shows sudo permissions which are often misconfigured and can lead to privilege escalation.

Example Output

sudo -l
# User www-data may run the following commands:
# (root) NOPASSWD: /usr/bin/systemctl restart apache2
Tags: #sudo #privileges #escalation

Enumerate scheduled tasks and cron jobs

Risk: LOW | Category: Privilege Escalation

Find scheduled tasks that might be exploitable or reveal system behavior

cat /etc/crontab && ls -la /etc/cron* && crontab -l 2>/dev/null
Syntax: cat /etc/crontab

Explanation

Cron jobs running as root with writable scripts are common privilege escalation vectors.

Example Output

cat /etc/crontab
# */5 * * * * root /opt/backup.sh
Tags: #cron #scheduled #tasks

Find files with special capabilities

Risk: MEDIUM | Category: Privilege Escalation

Identify binaries with dangerous capabilities for privilege escalation

getcap -r / 2>/dev/null | grep -v "Operation not permitted"
Syntax: getcap -r [path]

Explanation

Linux capabilities can grant specific privileges. Misconfigured capabilities can lead to privilege escalation.

Example Output

getcap -r / 2>/dev/null
# /usr/bin/ping = cap_net_raw+ep
# /usr/bin/python3.8 = cap_setuid+ep
Tags: #capabilities #privesc #binaries

Monitor authentication logs in real-time

Risk: LOW | Category: Monitoring

Monitor login attempts and authentication events

tail -f /var/log/auth.log 2>/dev/null || tail -f /var/log/secure 2>/dev/null
Syntax: tail -f /var/log/auth.log

Explanation

Authentication logs reveal login patterns, failed attempts, and potential detection of intrusion activities.

Example Output

tail -f /var/log/auth.log
Tags: #logs #auth #monitoring
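Watching auth.log scroll by with tail -f shows individual events; what an analyst actually wants from it is the failed-login count per source address. The script below is an added example, not part of the cheatsheet, and the sample log lines it embeds are constructed rather than captured from a real host. It assumes the standard OpenSSH "Failed password for ... from <ip> port ..." message format; the default log path is the Debian/Ubuntu one used on the page.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): summarize failed SSH
# logins per source address from an auth.log-style file.

# Print "count ip" for every source with at least THRESHOLD failed password
# attempts (default 3), most frequent first. Argument 1 is the log file
# (defaults to /var/log/auth.log), argument 2 the threshold.
failed_ssh_logins_by_source() {
    log_file="${1:-/var/log/auth.log}"
    threshold="${2:-3}"
    awk -v t="$threshold" '
        # Only sshd "Failed password" events are counted; "Accepted" lines and
        # other daemons are ignored.
        /sshd\[[0-9]+\]: Failed password/ {
            # The source address is the field following the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' "$log_file" | sort -rn
}

# Constructed sample log (not real data): one source fails three times,
# one legitimate key login, and one isolated failure from the LAN.
SAMPLE_AUTH_LOG='Jan 15 10:30:01 server01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Jan 15 10:30:03 server01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51824 ssh2
Jan 15 10:30:05 server01 sshd[2213]: Failed password for root from 203.0.113.7 port 51830 ssh2
Jan 15 10:31:10 server01 sshd[2220]: Accepted publickey for deploy from 192.168.1.100 port 40210 ssh2
Jan 15 10:32:00 server01 sshd[2230]: Failed password for user1 from 192.168.1.50 port 40300 ssh2'

# Usage:
#   printf '%s\n' "$SAMPLE_AUTH_LOG" > /tmp/sample-auth.log
#   failed_ssh_logins_by_source /tmp/sample-auth.log     # reports 203.0.113.7
#   failed_ssh_logins_by_source                          # live file, threshold 3
```

Because the counting happens in awk's END block, this is a batch summary over the file, not a streaming filter; run it on a schedule (or over a time-bounded slice of the log) rather than piping tail -f into it. On systems that log to journald instead of auth.log, feed it the output of journalctl -u ssh instead.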

Show recent user login history

Risk: LOW | Category: Monitoring

Analyze user access patterns and identify suspicious logins

last -a | head -20
Syntax: last -a

Explanation

Login history helps identify normal vs. suspicious access patterns and potential unauthorized access.

Example Output

last -a | head -20
# root pts/0 192.168.1.100 Mon Jan 15 10:30 - 11:45 (01:15)
# user1 tty1 Mon Jan 15 09:00 - 10:00 (01:00)
Tags: #logins #history #users

Check SSH authorized keys for persistence

Risk: MEDIUM | Category: Persistence

Verify SSH key-based access and identify potential backdoors

cat ~/.ssh/authorized_keys 2>/dev/null; find /home -name "authorized_keys" 2>/dev/null
Syntax: cat ~/.ssh/authorized_keys

Explanation

SSH keys provide persistent access. Unauthorized keys in authorized_keys files indicate potential backdoors.

Example Output

cat ~/.ssh/authorized_keys
Tags: #ssh #keys #backdoor

Check for suspicious aliases or functions in user profiles

Risk: MEDIUM | Category: Persistence

Detect command aliases that might hide malicious activity

find /home -name ".bashrc" -exec grep -l "alias\|function" {} \; 2>/dev/null
Syntax: grep -l "alias" ~/.bashrc

Explanation

Malicious aliases can redirect commands to backdoors or hide attacker activities from system administrators.

Example Output

find /home -name ".bashrc" -exec grep -l "alias\|function" {} \;
Tags: #bashrc #aliases #persistence

Find processes running deleted executables (potential fileless malware)

Risk: HIGH | Category: Forensics

Detect processes running from deleted files (potential malware)

ls -la /proc/*/exe 2>/dev/null | grep deleted
Syntax: ls -la /proc/*/exe

Explanation

Processes running deleted executables often indicate malware or attempts to hide malicious code.

Example Output

ls -la /proc/*/exe 2>/dev/null | grep deleted
Tags: #processes #deleted #malware
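The ls | grep one-liner above works, but its output mixes the listing columns with the result and it gives no way to point the check at anything other than the live /proc. The function below is an added example, not the cheatsheet's own command: it reads each /proc/<pid>/exe link with readlink, keeps only targets that end in " (deleted)", and prints "pid target" one per line. The proc root is a parameter (assumed, for testing or for a copied tree), defaulting to /proc.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): list processes whose
# executable has been unlinked from the filesystem.

# Print "<pid> <exe target>" for every process under PROC_ROOT (default /proc)
# whose exe link ends in " (deleted)". Processes we are not allowed to inspect
# (other users' PIDs without ptrace access) and kernel threads, whose exe link
# cannot be read, are skipped silently.
find_deleted_exe_processes() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        # readlink without -f prints the raw link value, which is what the
        # kernel annotates with " (deleted)" once the file is gone.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${exe#"$proc_root"/}   # strip leading "<proc_root>/"
                pid=${pid%/exe}            # strip trailing "/exe"
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Usage:
#   find_deleted_exe_processes            # live system (run as root for full coverage)
#   find_deleted_exe_processes /mnt/img/proc   # assumed path to a copied proc tree
```

Treat a hit as a lead, not a verdict: a daemon that is still running after its package was upgraded shows the same " (deleted)" marker, so compare the path against recent package manager activity before escalating. Running the check as root matters, because unprivileged users cannot read the exe link of processes they do not own.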

Search process memory for sensitive strings

Risk: HIGH | Category: Data Extraction

Extract sensitive information from process memory

strings /proc/[PID]/maps 2>/dev/null | grep -E "password|key|secret"
Syntax: strings /proc/[PID]/maps

Explanation

Process memory may contain passwords, keys, or other sensitive data in plaintext. Note that /proc/[PID]/maps is only the process's mapping table (address ranges plus the paths of mapped files), so this command matches against those paths, not against memory contents; the contents themselves are exposed through /proc/[PID]/mem and are readable only with ptrace access to the process.

Example Output

strings /proc/1234/maps | grep -i password
Tags: #memory #strings #credentials

List open files and network connections

Risk: LOW | Category: Network

Detailed network connection analysis and process identification

lsof -i -P -n | grep LISTEN
Syntax: lsof -i -P -n

Explanation

Provides detailed information about which processes are using network connections and files.

Example Output

lsof -i -P -n | grep LISTEN
# sshd 1234 root 3u IPv4 12345 TCP *:22 (LISTEN)
Tags: #lsof #network #files

Quick Reference Guide

Risk Levels

Low: Safe reconnaissance
Medium: May generate logs
High: Detectable/Dangerous

Best Practices

  • Always check permissions first
  • Redirect errors to /dev/null
  • Use timeout for network commands
  • Document your findings
  • Clean up after testing

Common Paths

  • /etc/passwd - User accounts
  • /etc/shadow - Password hashes
  • /var/log/ - System logs
  • /tmp/ - Temporary files
  • /proc/ - Process information

This cheatsheet is maintained by the TheCyberHub community. Last updated: January 2025.