Linux Commands for Penetration Testers https://highon.coffee/docs/linux-commands/

Linux Commands for Penetration Testers

A collection of hopefully useful Linux commands for pen testers. This is not a complete list but a collection of commonly used commands + syntax as a sort of cheatsheet; this content will be constantly updated as I discover new awesomeness.

Linux Penetration Testing Commands

Linux Network Commands
System Information Commands
Redhat / CentOS / RPM Based Distros
YUM Commands
Debian / Ubuntu / .deb Based Distros
Linux User Management
Linux Decompression Commands
Linux Compression Commands
Linux File Commands
Samba Commands
Breaking Out of Limited Shells
Misc Commands
Linux File System Permissions
Linux File System
Linux Interesting Files / Dirs

1 of 22 03/11/14 13:48

Linux Network Commands

COMMAND                                       DESCRIPTION
netstat -tulpn                                Show Linux network ports with process IDs (PIDs).
watch ss -stplu                               Watch TCP, UDP open ports in real time with socket summary.
lsof -i                                       Show established connections.
macchanger -m MACADDR INTR                    Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24                  Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24                Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR                Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500                        Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1                            Dig reverse lookup on an IP address.
host 192.168.1.1                              Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR           Perform a DNS zone transfer using dig.
host -l domain.com nameserver                 Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x                            Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0          Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com                    Blocks access to google.com from the host machine.
echo "1" > /proc/sys/net/ipv4/ip_forward      Enables IP forwarding, turns Linux box into a router - handy for routing traffic through a box.
echo "nameserver 8.8.8.8" > /etc/resolv.conf  Use Google DNS.
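As an added example (not part of the original cheatsheet), the following POSIX shell script turns `netstat -tulpn` output into the exposure check a defender runs after the commands above: it lists every socket bound to a wildcard address (0.0.0.0 or ::), which is reachable from the network rather than only from localhost, and compares the ports against an allow list. The netstat lines inside `sample_netstat` are constructed for illustration, and `exposed_listeners` and `check_exposed` are names chosen for this example, not tools from the page.

```shell
#!/bin/sh
# Added example: audit "netstat -tulpn" output for services listening on
# every interface. Sample output below is constructed, not captured.

sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           540/chronyd
EOF
}

# Read netstat-style lines on stdin and print "proto port pid/program" for
# every socket bound to a wildcard address. UDP rows have no State column,
# so the program name is taken from the last field ($NF) rather than a fixed
# column, and the port is whatever follows the final colon of Local Address
# (this also handles the IPv6 form ":::80").
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")
            print $1, port, $NF
    }'
}

# Return 0 when every exposed port is in the space separated allow list
# given as $1 (e.g. "22 80"), 1 otherwise: a quick drift check for a host
# whose expected listeners are known.
check_exposed() {
    expected=" $1 "
    exposed_listeners | while read -r proto port prog; do
        case "$expected" in
            *" $port "*) ;;
            *) echo "unexpected listener: $proto/$port ($prog)" >&2; exit 1 ;;
        esac
    done
}

# Demo run over the constructed sample: udp/68 is not on the allow list.
sample_netstat | exposed_listeners
sample_netstat | check_exposed "22 80" || echo "review the listeners above" >&2
```

On a live host replace `sample_netstat` with `netstat -tulpn` (run as root, since PID/Program name is only filled in for sockets the user owns); the column layout of `ss` differs, so this parser is written for netstat only.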

System Information Commands

Useful for local enumeration.

COMMAND                         DESCRIPTION
whoami                          Shows currently logged in user on Linux.
id                              Shows currently logged in user and groups for the user.
last                            Shows last logged in users.
mount                           Show mounted drives.
df -h                           Shows disk usage in human readable output.
echo "user:passwd" | chpasswd   Reset password in one line.
getent passwd                   List users on Linux.
strings /usr/local/bin/blah     Shows contents of non-text files, e.g. what's in a binary.
uname -ar                       Shows running kernel version.
PATH=$PATH:/my/new-path         Add a new PATH, handy for local FS manipulation.
history                         Show bash history, commands the user has entered previously.

Redhat / CentOS / RPM Based Distros

COMMAND                       DESCRIPTION
cat /etc/redhat-release       Shows Redhat / CentOS version number.
rpm -qa                       List all installed RPMs on an RPM based Linux distro.
rpm -q --changelog openvpn    Check installed RPM is patched against CVE, grep the output for CVE.

YUM Commands

Package manager used by RPM based systems; you can pull some useful information about installed packages and/or install additional tools.

COMMAND                               DESCRIPTION
yum update                            Update all RPM packages with YUM, also shows what's out of date.
yum update httpd                      Update individual packages, in this example HTTPD (Apache).
yum install package                   Install a package using YUM.
yum --exclude=kernel* update          Exclude a package from being updated with YUM, in this example kernel*.
yum remove package                    Remove package with YUM.
yum erase package                     Remove package with YUM.
yum list package                      Lists info about yum package.
yum provides httpd                    What a package does, e.g. Apache HTTPD Server.
yum info httpd                        Shows package info, architecture, version etc.
yum localinstall blah.rpm             Use YUM to install local RPM, settles deps from repo.
yum deplist package                   Shows deps for a package.
yum list installed | more             List all installed packages.
yum grouplist | more                  Show all YUM groups.
yum groupinstall 'Development Tools'  Install YUM group.

Debian / Ubuntu / .deb Based Distros

COMMAND                   DESCRIPTION
cat /etc/debian_version   Shows Debian version number.
cat /etc/*-release        Shows Ubuntu version number.
dpkg -l                   List all installed packages on Debian / .deb based Linux distro.

Linux User Management

COMMAND             DESCRIPTION
useradd new-user    Creates a new Linux user.
passwd username     Reset Linux user password, enter just passwd if you are root.
deluser username    Remove a Linux user.

Linux Decompression Commands

How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.

COMMAND                             DESCRIPTION
unzip archive.zip                   Extracts zip file on Linux.
zipgrep *.txt archive.zip           Search inside a .zip archive.
tar xf archive.tar                  Extract tar file Linux.
tar xvzf archive.tar.gz             Extract a tar.gz file Linux.
tar xjf archive.tar.bz2             Extract a tar.bz2 file Linux.
tar ztvf file.tar.gz | grep blah    Search inside a tar.gz file.
gzip -d archive.gz                  Extract a gzip file Linux.
zcat archive.gz                     Read a gz file Linux without decompressing.
zless archive.gz                    Same function as the less command for .gz archives.
zgrep 'blah' /var/log/maillog*.gz   Search inside .gz archives on Linux, search inside of compressed log files.
vim file.txt.gz                     Use vim to read .txt.gz files (my personal favorite).
upx -9 -o output.exe input.exe      UPX compress .exe file Linux.

Linux Compression Commands

COMMAND                         DESCRIPTION
zip -r file.zip /dir/*          Creates a .zip file on Linux.
tar cf archive.tar files        Creates a tar file on Linux.
tar czf archive.tar.gz files    Creates a tar.gz file on Linux.
tar cjf archive.tar.bz2 files   Creates a tar.bz2 file on Linux.
gzip file                       Creates a file.gz file on Linux.

12 of 22 03/11/14 13:48
Linux Commands for Penetration Testers https://highon.coee/docs/linux-commands/

Linux File Commands

COMMAND                       DESCRIPTION
du -sh blah                   Display size of file / dir Linux.
diff file1 file2              Compare / show differences between two files on Linux.
md5sum file                   Generate MD5SUM Linux.
md5sum -c blah.iso.md5        Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah                     Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix                      Convert Windows line endings to Unix / Linux.
touch -r ref-file new-file    Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf                        Remove files and directories without prompting for confirmation.

Samba Commands

Connect to a Samba share from Linux.

$ smbmount //server/share /mnt/win -o user
$ smbclient -U user \\\\server\\share
$ mount -t cifs -o username=user,password=

Breaking Out of Limited Shells

Credit to G0tmi1k for these (or wherever he stole them from!).

The Python trick:

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

Misc Commands

COMMAND                       DESCRIPTION
init 6                        Reboot Linux from the command line.
gcc -o output input.c         Compile C code.
gcc -m32 -o output input.c    Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTFILE                Disable bash history logging.
rdesktop X.X.X.X              Connect to RDP server from Linux.
kill -9 $$                    Kill current session.
chown user:group blah         Change owner of file or dir.
chown -R user:group blah      Change owner of file or dir and all underlying files / dirs - recursive chown.
chmod 600 file                Change file / dir permissions, see Linux File System Permissions for details.

Clear bash history:

$ ssh user@X.X.X.X | cat /dev/null > ~/.bash_history

Linux File System Permissions

VALUE            MEANING
777 rwxrwxrwx    No restriction, global RWX, any user can do anything.
755 rwxr-xr-x    Owner has full access, others can read and execute the file.
700 rwx------    Owner has full access, no one else has access.
666 rw-rw-rw-    All users can read and write but not execute.
644 rw-r--r--    Owner can read and write, everyone else can read.
600 rw-------    Owner can read and write, everyone else has no access.
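Added example, not from the original page: a shell conversion between the symbolic and octal forms in the table above (`perm_to_octal`, which applies r=4, w=2, x=1 to each owner/group/other triplet), plus a check that scans `ls -l` output for entries whose "other" write bit is set, since world-writable files are what a local user can tamper with and should be rare outside sticky directories such as /tmp. The `ls -l` lines in `sample_ls` are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission handling and a world-writable
# scan over "ls -l" style lines. Sample lines below are constructed.

# rwxr-xr-x -> 755. Lowercase s/t in the execute slot (setuid, setgid,
# sticky) imply that execute is set, so they count as x here; the special
# bits themselves are not encoded in the three digits returned.
perm_to_octal() {
    s=$1
    [ ${#s} -eq 9 ] || { echo "perm_to_octal: expected 9 characters, got '$s'" >&2; return 1; }
    out=""
    i=1
    while [ $i -le 9 ]; do
        triplet=$(printf '%s' "$s" | cut -c"$i"-"$((i + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

sample_ls() {
    cat <<'EOF'
total 16
-rw-r--r-- 1 root root  220 Mar 11 13:48 /etc/hostname
-rw-rw-rw- 1 root root 1024 Mar 11 13:48 /etc/cron.d/backup
drwxrwxrwt 2 root root 4096 Mar 11 13:48 /tmp
-rwsr-xr-x 1 root root  512 Mar 11 13:48 /usr/local/bin/helper
-rw------- 1 root root 4096 Mar 11 13:48 /etc/shadow
EOF
}

# Read "ls -l" lines on stdin and print "octal path" for every entry whose
# other-write bit (9th permission character) is set. The mode pattern is
# type char + 7 chars + w + 1 char, with a trailing "*" so the "." or "+"
# that ls appends for SELinux/ACL entries does not break the match.
world_writable() {
    while read -r mode links owner group size m d t path; do
        case $mode in
            [-dl]???????w?*) ;;
            *) continue ;;
        esac
        perms=$(printf '%s' "$mode" | cut -c2-10)
        sticky=""
        case $perms in *t|*T) sticky=" (sticky)" ;; esac
        printf '%s %s%s\n' "$(perm_to_octal "$perms")" "$path" "$sticky"
    done
}

# Demo: the cron file is the finding, /tmp is expected because of the sticky bit.
perm_to_octal rwxr-xr-x
sample_ls | world_writable
```

On a real host the direct equivalent is `find / -xdev -type f -perm -o+w`; the parser above is useful when all you have is captured `ls -l` output from a triage bundle.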

Linux File System

DIRECTORY     DESCRIPTION
/             / also known as "slash" or the root.
/bin          Common programs, shared by the system, the system administrator and the users.
/boot         Boot files, boot loader (grub), kernels, vmlinuz.
/dev          Contains references to system devices, files with special properties.
/etc          Important system config files.
/home         Home directories for system users.
/lib          Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found   Files that were saved during failures are here.
/mnt          Standard mount point for external file systems.
/media        Mount point for external file systems (on some distros).
/net          Standard mount point for entire remote file systems - nfs.
/opt          Typically contains extra and third party software.
/proc         A virtual file system containing information about system resources.
/root         root user's home dir.
/sbin         Programs for use by the system and the system administrator.
/tmp          Temporary space for use by the system, cleaned upon reboot.
/usr          Programs, libraries, documentation etc. for all user-related programs.
/var          Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler, web servers, databases etc.

Linux Interesting Files / Dirs

Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.

DIRECTORY                       DESCRIPTION
/etc/passwd                     Contains local Linux users.
/etc/shadow                     Contains local account password hashes.
/etc/group                      Contains local account groups.
/etc/init.d/                    Contains service init scripts - worth a look to see what's installed.
/etc/hostname                   System hostname.
/etc/network/interfaces         Network interfaces.
/etc/resolv.conf                System DNS servers.
/etc/profile                    System environment variables.
~/.ssh/                         SSH keys.
~/.bash_history                 User's bash history log.
/var/log/                       Linux system log files are typically stored here.
/var/adm/                       UNIX system log files are typically stored here.
/var/log/apache2/access.log     Apache access log file typical path.
/var/log/httpd/access.log
/etc/fstab                      File system mounts.
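Added example (this example's own code, not the page's): the review a defender applies to the first entries in the table above, /etc/passwd and /etc/shadow. It flags extra UID 0 accounts, lists accounts with an interactive shell, and reports password fields that are not `x`, because an empty field means no password is required and anything else is a hash sitting in the world-readable passwd file instead of in /etc/shadow. The passwd lines in `sample_passwd` are constructed, and the function names are assumed here rather than taken from any tool.

```shell
#!/bin/sh
# Added example: audit a passwd file for the findings that matter on a
# compromised or mis-administered host. Sample entries below are constructed.

sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svcadmin:x:0:0:service admin:/home/svcadmin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy::1001:1001:legacy app:/var/lib/legacy:/bin/sh
bob:$6$saltsalt$hashhashhash:1002:1002:Bob:/home/bob:/bin/zsh
EOF
}

# Print every account whose UID (field 3) is 0 other than root itself.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "user:shell" for accounts whose shell is not one of the usual
# nologin/false shells, i.e. accounts that can open an interactive session.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Print "user:EMPTY" or "user:HASH-IN-PASSWD" for password fields that are
# not the shadow placeholder "x".
weak_password_fields() {
    awk -F: '$2 != "x" { print $1 ":" ($2 == "" ? "EMPTY" : "HASH-IN-PASSWD") }'
}

# Run all three checks on the file given as $1; return 1 if any finding
# needs attention (the interactive-shell list is informational only).
audit_passwd() {
    f=$1
    findings=0
    for u in $(extra_uid0 < "$f"); do
        echo "extra UID 0 account: $u"
        findings=1
    done
    for e in $(weak_password_fields < "$f"); do
        echo "password field: $e"
        findings=1
    done
    echo "interactive shells: $(interactive_accounts < "$f" | tr '\n' ' ')"
    return $findings
}

# Demo over the constructed sample (written to a temp file, as the real
# check would read /etc/passwd).
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp" || echo "findings above need review" >&2
rm -f "$tmp"
```

Pair this with `getent passwd`, since NSS sources such as LDAP can contribute accounts that never appear in the local file.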

The contents of this website are © 2014 HighOn.Coffee