Essential Linux Penetration Testing Commands Cheat Sheet
A comprehensive cheat sheet of high‑frequency Linux penetration‑testing commands covering system information, package management, user handling, compression, file operations, Samba access, shell bypass techniques, miscellaneous utilities, bash history clearing, filesystem permissions, and privilege‑escalation tips.
System Information
uname -a – display kernel version, architecture and OS details.
cat /etc/hostname – show the host name.
cat /etc/os-release – identify distribution name and version.
cat /proc/cpuinfo – list CPU model and core count.
cat /proc/meminfo – view total and available memory.
ip a or ifconfig -a – enumerate network interfaces and IP addresses.
Package Management – RPM/YUM (RedHat, CentOS, Fedora)
yum list installed – list all packages currently installed.
yum info <package> – show detailed information for a specific package.
yum check-update – display packages with available updates.
yum repolist – enumerate configured YUM repositories.
rpm -qa – query the RPM database for installed packages.
Package Management – APT/Dpkg (Debian, Ubuntu)
dpkg -l – list installed .deb packages.
apt list --installed – alternative view of installed packages.
apt-cache policy <package> – show candidate version and repository.
apt list --upgradable – packages that have newer versions available.
apt-cache madison <package> – display all available versions.
Linux User Management
cat /etc/passwd – list all user accounts.
cat /etc/group – list groups and memberships.
id <user> – display UID, GID and group list for a user.
getent passwd – query the NSS database for user entries.
useradd, usermod, userdel – create, modify or delete local accounts.
groupadd, groupdel – manage groups.
Archive Extraction and Inspection
tar -xf <file.tar> – extract a tar archive.
tar -xzf <file.tar.gz> – extract a gzipped tarball.
unzip <file.zip> – extract a zip archive.
gzip -d <file.gz> – decompress a gzip file.
bzip2 -d <file.bz2> – decompress a bzip2 file.
find . -type f -name "*.log" -exec grep -i "password" {} + – search inside extracted files.
File Manipulation
ls -la – detailed directory listing.
cp -r <src> <dest> – copy files or directories.
mv <src> <dest> – move or rename.
rm -rf <path> – delete files or directories recursively.
find / -perm -4000 -type f 2>/dev/null – locate set‑uid binaries.
grep -R "secret" /etc 2>/dev/null – recursive content search.
Samba Share Access
smbclient //SERVER/SHARE -U username – connect to a Windows/Samba share.
mount -t cifs //SERVER/SHARE /mnt/point -o username=USER,password=PASS – mount the share locally.
net view -U username – list available shares on a host.
Bypassing Shell Restrictions
Small Python one‑liners can be used when the interactive shell is limited. Example:
python -c 'import os,pty; pty.spawn("/bin/bash")'
Other tricks include awk 'BEGIN{system("/bin/sh")}' or perl -e 'exec "/bin/sh";' to spawn a full shell.
Miscellaneous Useful Commands
ps aux – list all running processes.
netstat -tulpn or ss -tulpn – show listening sockets.
whoami – display current effective user.
id – display user and group IDs.
history – view command history (may be cleared).
env – list environment variables.
Clearing Bash History
To remove traces of commands after a compromise:
history -c
cat /dev/null > ~/.bash_history
unset HISTFILE
Filesystem Permission Checks
find / -perm -4000 -type f 2>/dev/null – locate set‑uid binaries.
find / -perm -2000 -type f 2>/dev/null – locate set‑gid binaries.
find / -type d -perm -o+w 2>/dev/null – list world‑writable directories.
ls -lR /etc | grep "\.conf" – search for configuration files that may contain credentials.
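The three find commands above become far more useful as a repeatable audit: record a baseline of set‑uid/set‑gid files once, then re-run and report anything new, and flag world‑writable directories that lack the sticky bit (the ones where any user can replace another user's files). This is an added example, not part of the cheat sheet; the function names, the use of -xdev to stay on one filesystem, and the baseline-file workflow are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): the page's find commands wrapped
# as a repeatable audit. Function names and the baseline workflow are assumed.

# Set-uid and set-gid regular files under ROOT (default /), sorted, one per line.
# -xdev keeps the scan on one filesystem so /proc, /sys and network mounts are skipped.
list_privileged_bins() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable directories under ROOT that do NOT have the sticky bit set.
# /tmp-style 1777 directories are excluded; a plain 0777 directory is reported,
# since any user can delete or replace files that other users placed there.
list_unsafe_world_writable_dirs() {
    root="${1:-/}"
    find "$root" -xdev -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}

# Compare the current privileged-binary list against a saved baseline
# (produced earlier with: list_privileged_bins ROOT > BASELINE).
# Prints entries that are new since the baseline and returns 1 if any exist,
# so the function can drive a cron job or monitoring check.
diff_against_baseline() {
    root="$1"
    baseline="$2"
    current=$(mktemp)
    list_privileged_bins "$root" > "$current"
    # comm -13: lines only in the second (current) file; both inputs are sorted.
    new=$(comm -13 "$baseline" "$current")
    rm -f "$current"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}
```

Run list_privileged_bins / once on a known-good host to create the baseline, then schedule diff_against_baseline; a newly appeared set‑uid file is a classic persistence and privilege‑escalation indicator worth investigating.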
Common Privilege‑Escalation Files and Directories
Typical locations that may contain sensitive data or misconfigurations useful for escalation:
/etc/passwd and /etc/shadow – user accounts and password hashes.
/etc/sudoers and files under /etc/sudoers.d/ – sudo permissions.
/etc/cron* – scheduled jobs that may be writable.
/var/www – web root files.
/home/*/.ssh/authorized_keys – SSH authorized keys.
/proc/*/environ – process environment variables.
/tmp and /var/tmp – world‑writable temporary directories.
Interesting Files and Directories for Post‑Exploitation
Additional paths that often contain credentials, tokens, or configuration data useful for deeper compromise:
/root/.ssh – private keys of the root account.
/etc/hosts.allow and /etc/hosts.deny – TCP wrappers.
/var/log/auth.log or /var/log/secure – authentication logs.
/opt – third‑party applications that may be misconfigured.
/usr/local/bin – custom binaries that may be writable.
/dev/shm – shared memory, often world‑writable.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)