Useful Linux Commands
[#1] Find version and type of distribution
To find out which distribution and version a host is running, run the following commands at the shell prompt (/etc/os-release is present on any systemd-based distribution; lsb_release is an optional package and may be missing):
cat /etc/issue
cat /etc/os-release
cat /etc/*-release
lsb_release -a
cat /etc/lsb-release
hostnamectl
[#2] Find Kernel version
Use the following commands to see the kernel version and, via /proc/version, the gcc version used to build it (dmesg may be restricted to root on hardened kernels):
cat /proc/version
uname -a
uname -srm
uname --kernel-name --kernel-release --machine
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
[#3] View Environment variables
Environment variables are one way to influence the behaviour of software on the system (PATH, LD_LIBRARY_PATH and similar). Run the following commands to see where they are set and what the current values are:
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
To list all environment variables in PowerShell:
Get-ChildItem Env:
[#4] List of running services
Services are ordinary processes that are kept running, and each one is limited to the permissions of the user it runs as, so the interesting question is which user that is. The commands below list running processes and services (note that /etc/services is only the static port-to-name table, not a list of what is running, and that initctl exists only on Upstart systems):
ps aux
ps -ef
pstree
top
cat /etc/services
systemctl | grep running
systemctl list-unit-files | grep enabled
systemctl --full --type service --all
systemd-cgtop
service --status-all | grep running
initctl list
And below are the commands to narrow the listing to processes owned by root (anchor the pattern to the start of the line, otherwise it also matches names such as chroot and paths under /root):
ps aux | grep '^root'
ps -ef | grep '^root'
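The same filter done properly, as an added example that is not part of the original page: instead of grepping the whole line, match the user column of ps output exactly and drop kernel threads. The sample ps output is constructed, not taken from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): list the processes owned by a
# given user from `ps` output. A plain `ps aux | grep root` also matches
# commands such as chroot, paths under /root and the grep itself; matching
# the user column exactly avoids that.
# Usage: ps -eo user,pid,comm | procs_of USER   (USER defaults to root)

procs_of() {
    # $1 user, $2 pid, $3 command; skip the header line and kernel threads,
    # whose names are shown in [brackets] and which always run as root.
    awk -v user="${1:-root}" \
        '$1 == user && $3 !~ /^\[.*\]$/ { print $2 "\t" $3 }'
}

# Constructed sample in `ps -eo user,pid,comm` layout (not real system output).
SAMPLE_PS='USER       PID COMMAND
root         1 systemd
root         2 [kthreadd]
root       412 sshd
www-data   913 apache2
alice     1204 bash
bob       1310 chroot'

printf '%s\n' "$SAMPLE_PS" | procs_of root
printf '%s\n' "$SAMPLE_PS" | procs_of www-data
```

On a live host pipe `ps -eo user,pid,comm` into procs_of; the sample above only exists so the filter can be checked offline.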
[#5] Search for installed applications
To get a list of installed packages (and of binaries that may not belong to any package, which is what the ls listings show), run the following commands at the shell prompt:
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/
[#6] Important configuration files
Most configuration files on a Linux machine live under /etc unless a package specifies otherwise. Below are a few paths for Apache, MySQL, syslog and similar services, followed by a listing of everything under /etc that is readable:
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null
[#7] Search and view scheduled tasks
The cron daemon runs tasks in the background at set times (the equivalent of Task Scheduler on Windows). Tasks are defined in crontab files, and a script referenced from a root crontab that a low-privileged user can write to is a classic privilege-escalation path, so it is worth checking both what runs and who can edit it. Note that crontab -l shows only the calling user's crontab; root's and other users' crontabs live under /var/spool/cron and usually need root to read. The commands below list the scheduled tasks:
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
[#8] Search for logins and passwords
grep and find are the tools for locating files that contain a given string. The commands below search for passwords and other sensitive strings (in the last grep the pattern is in single quotes so the shell does not expand $password as a variable):
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
find / -user [user]
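One recursive search that covers the patterns above, as an added example that is not part of the original page. It builds a small constructed directory tree (invented file contents, not a real host) so the function can be run safely; the pattern list and the excluded directories are the author's assumptions, not something the page prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): one recursive grep for the
# credential patterns the commands above look for one file at a time.
#   -r walks the tree, -I skips binaries, -n prints line numbers, -E enables
#   alternation, and --exclude-dir keeps .git and node_modules out of the way.
# Usage: find_secrets DIR   (prints file:line:text; exit 0 if anything matched)

find_secrets() {
    grep -rIinE \
        --exclude-dir=.git --exclude-dir=node_modules \
        -e '(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[=:]' \
        -e 'BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY' \
        "$1" 2>/dev/null
}

# Builds a constructed sample tree (invented contents, not a real host) so the
# function can be exercised safely; prints the directory path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/app/config" "$t/app/.git" "$t/keys"
    printf '[database]\nuser = appuser\npassword = hunter2\n' > "$t/app/config/db.ini"
    printf 'API_KEY = "example-not-real"\nDEBUG = False\n' > "$t/app/settings.py"
    printf 'Reset your password via the portal.\n' > "$t/app/README"   # no match
    printf '[remote]\npassword = leaked\n' > "$t/app/.git/config"       # excluded dir
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
                  '-----END OPENSSH PRIVATE KEY-----' > "$t/keys/id_rsa"
    printf '%s' "$t"
}

demo=$(make_demo_tree)
find_secrets "$demo"        # expect hits in db.ini, settings.py and keys/id_rsa
rm -rf "$demo"
```

The README line shows why the pattern requires an = or : after the key name: plain prose that mentions a password is noise, an assignment is a lead.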
[#9] View network interfaces & adapter configurations
A network interface is the host's attachment point to a network. On Debian-style systems its static configuration lives in /etc/network/interfaces; Red Hat-style systems use /etc/sysconfig/network, and many current distributions use NetworkManager or systemd-networkd instead. The commands below show adapter configuration, DNS, routing and firewall rules (ifconfig is deprecated in favour of ip and may be absent; iptables -L needs root):
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
cat /etc/resolv.conf
cat /etc/networks
iptables -L
hostname
dnsdomainname
[#10] Check cache and saved IP / MAC addresses
The Address Resolution Protocol (ARP) cache is a crucial component of IP networking on any operating system. ARP maps IP addresses (network layer) to hardware MAC addresses (link layer) for hosts on the local segment; without it a machine could not deliver IP packets over Ethernet. The cache and the routing table also show which hosts this machine has recently talked to:
arp -e
route
/sbin/route -nee
ip n
ip r
If you are on a Windows machine, the equivalent is "arp -a", which lists the local ARP table of IP addresses and their corresponding MAC addresses.
[#11] Check for sniffing traffic
Capturing packets on an interface normally needs root (or the CAP_NET_RAW capability). tcpdump is the standard command-line capture tool; with -w it writes the packets to a file that can be analysed later in Wireshark. Sniffing on a compromised host is how cleartext credentials (FTP, HTTP, SMTP) passing through it are picked up:
tcpdump net 192.168.0.1/32
tcpdump -i any
[#12] View confidential files
The password files are a cornerstone of the security of a Linux system: /etc/passwd is world-readable and lists the accounts, while /etc/shadow holds the password hashes and is readable only by root (the same split applies to /etc/group and /etc/gshadow). Whether you can read /etc/shadow is itself a finding:
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/gshadow
ls -alh /var/mail/
[#13] History Commands
In its simplest form, running history prints the bash history of the current user; it is stored in ~/.bash_history by default. Other tools keep their own history files, which often contain passwords typed on command lines:
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
[#14] Finding SSH private key information
An SSH key is an access credential for the SSH protocol. It serves the same purpose as a username and password but is mostly used for automated processes and for single sign-on by system administrators and power users.
Below are the paths where SSH keys and configuration are normally found. A readable private key (id_rsa, id_dsa or a host key) is a direct route to other accounts or hosts, and authorized_keys shows which keys are trusted here:
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
[#15] Search for writable and readable configuration files in /etc
The /etc directory holds a large number of files. The awk filters below match the ls mode string: any w anywhere, owner-writable (position 3), group-writable (position 6) and other-writable (position 9); the find commands list files readable by the current user. On systems that append + or . to the mode for ACLs or SELinux labels the string is 11 characters, so the last awk pattern can miss entries; the find form is more reliable.
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null
find /etc/ -readable -type f 2>/dev/null
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null
[#16] Recursive Web Search
The commands below list every file, including hidden ones, recursively under the common web roots (and under home directories, where web applications often leave backups and config copies):
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
ls -ahlR /home/
[#17] Common Log Files
A log file records events that occur in an operating system or application. Web server access logs use the Common Log Format, shown below with its fields:
Common Log Format
x.x.x.x user-identifier joe [12/May/2019:12:23:33 -0700] "GET /favicon.ico HTTP/1.1" 200 1234
- x.x.x.x is the IP address of the client which made the request to the server.
- user-identifier is the RFC 1413 identity of the client.
- joe is the userid of the person requesting the document.
- [12/May/2019:12:23:33 -0700] is the date, time, and time zone that the request was received, by default in strftime format %d/%b/%Y:%H:%M:%S %z.
- "GET /favicon.ico HTTP/1.1" is the request line from the client. The method GET, /favicon.ico the resource requested, and HTTP/1.1 the HTTP protocol.
- 200 is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error, and 5xx a server error.
- 1234 is the size of the object returned to the client, measured in bytes.
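Parsing that format with awk, as an added example that is not part of the original page: the log lines are constructed (documentation IP ranges, invented requests), and the thresholds and field names are the author's choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): summarise access-log lines in
# Common Log Format (and the Combined format that appends referer and agent)
# with awk. For each client it counts requests, 4xx and 5xx responses, so a
# scanner or brute-forcer stands out; clf_suspects lists clients at or above
# a 4xx threshold.
# Usage: clf_summary < access.log      -> "ip total 4xx 5xx" per client
#        clf_suspects N < access.log   -> clients with at least N 4xx responses

clf_summary() {
    awk '
    {
        # Layout: host ident authuser [date tz] "request" status bytes ...
        # The quoted request contains spaces, so locate the status code as the
        # three digits that follow the closing quote instead of by field number.
        if (match($0, /" [0-9][0-9][0-9] /) == 0) next   # skip malformed lines
        ip = $1
        status = substr($0, RSTART + 2, 3)
        total[ip]++
        if (status ~ /^4/) c4[ip]++
        if (status ~ /^5/) c5[ip]++
    }
    END {
        for (ip in total)
            printf "%s %d %d %d\n", ip, total[ip], c4[ip] + 0, c5[ip] + 0
    }' | sort
}

clf_suspects() {
    clf_summary | awk -v n="$1" '$3 >= n { print $1 }'
}

# Constructed sample lines (documentation IP ranges, invented requests).
SAMPLE_LOG='203.0.113.7 - - [12/May/2019:12:23:33 -0700] "GET /favicon.ico HTTP/1.1" 200 1234
203.0.113.7 - - [12/May/2019:12:23:34 -0700] "GET /admin HTTP/1.1" 403 221
203.0.113.7 - - [12/May/2019:12:23:35 -0700] "GET /wp-login.php HTTP/1.1" 404 207
203.0.113.7 - - [12/May/2019:12:23:36 -0700] "POST /login HTTP/1.1" 401 312
198.51.100.2 - joe [12/May/2019:12:25:01 -0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.2 - joe [12/May/2019:12:25:02 -0700] "GET /api/report?id=1 HTTP/1.1" 500 98'

printf '%s\n' "$SAMPLE_LOG" | clf_summary
printf '%s\n' "$SAMPLE_LOG" | clf_suspects 3
```

The status code is found by pattern rather than by field number because the request line is free text: a request containing extra spaces, or the Combined format's trailing referer and user-agent fields, would otherwise shift the columns.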
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
faillog -a
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
last -f /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
who -a
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
[#18] Upgrade shells
Every pentester knows the feeling of catching a reverse shell with netcat, and most of the time that shell is limited: no job control, no tab completion, and Ctrl-C kills the connection. The commands below spawn a proper shell, or a pseudo-terminal, from whatever interpreter or program is at hand (a "name:" prefix means the line is typed at that program's own prompt). After spawning a pty, background it with Ctrl-Z, run stty raw -echo on the attacking terminal and foreground it again to get a fully interactive session:
python -c 'import pty;pty.spawn("/bin/bash")'
python: import os; os.system('/bin/bash')
/bin/sh -i
/bin/bash -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
irb: exec "/bin/sh"
vi: :!bash
vi: :set shell=/bin/bash:shell
nmap --interactive: !sh
awk 'BEGIN{system("/bin/bash")}'
For more info, please visit netsec.ws
[#19] Mounting file systems
The file system is best visualized as a tree rooted at /. /dev, /usr and the other directories in the root directory are branches, which may have branches of their own, such as /usr/local, and so on. During boot the file systems listed in /etc/fstab are mounted automatically, except entries marked noauto. Anything else (a second disk, a USB device, an image) can be mounted by hand, which normally requires root; the device is usually a partition such as /dev/sda1 rather than the whole disk, and df shows what is currently mounted and how full it is:
mount /dev/sda /opt
df -h
[#20] Search for unmounted file systems
Unmounting a file system detaches it from its mount point; it does not change /etc/fstab, which lists the file systems the host knows about whether or not they are currently mounted. Compare its contents with the output of mount or df to find what is defined but not mounted (noauto entries and extra disks are the usual candidates), and look for credentials= options on CIFS entries, which point at a file containing a password:
cat /etc/fstab
[#21] Search "Advanced Linux File Permissions" Sticky bit, SUID & SGID
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f \( -perm -g=s -o -perm -u=s \) 2>/dev/null
[#22] Search Writable directories
In general the writable directories are /tmp, /var/tmp and /dev/shm, but to search the whole filesystem the commands are (the third and fourth use find's symbolic mode syntax, -o=w and -o=x):
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null
find / -perm -o=x -type d 2>/dev/null
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
[#23] Search for various unusual files, “nobody” etc
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
find [dir] -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
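The checks from #15, #21, #22 and #23 combined into one audit function, as an added example that is not part of the original page. It runs against a constructed scratch tree (not a real system) so the expected findings can be verified; it assumes GNU find, for -printf and the symbolic -perm forms.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): one audit pass for the checks
# in #15, #21, #22 and #23: SUID and SGID files, world-writable files, and
# world-writable directories that lack the sticky bit. It takes a root
# directory so it can be tried on a scratch tree; on a live host run
# `audit_perms /` (ideally as root, so no directory is skipped).
# Requires GNU find (-printf and symbolic -perm). Output: "<kind> <mode> <path>".

audit_perms() {
    root="${1:-/}"
    # -xdev stays on one filesystem so /proc, /sys and network mounts are skipped.
    find "$root" -xdev -type f -perm -4000 -printf 'suid %m %p\n' 2>/dev/null
    find "$root" -xdev -type f -perm -2000 -printf 'sgid %m %p\n' 2>/dev/null
    find "$root" -xdev -type f -perm -o=w -printf 'wwfile %m %p\n' 2>/dev/null
    # A world-writable directory is only safe with the sticky bit (like /tmp, 1777),
    # which stops users deleting or renaming each other's files.
    find "$root" -xdev -type d -perm -o=w ! -perm -1000 -printf 'wwdir %m %p\n' 2>/dev/null
}

# Builds a constructed scratch tree (not a real system) with one example of
# each finding plus two benign entries; prints its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/tmp" "$t/var/www" "$t/opt/app"
    : > "$t/usr/bin/passwd";     chmod 4755 "$t/usr/bin/passwd"     # suid
    : > "$t/usr/bin/wall";       chmod 2755 "$t/usr/bin/wall"       # sgid
    : > "$t/usr/bin/ls";         chmod 0755 "$t/usr/bin/ls"         # benign
    : > "$t/opt/app/config.ini"; chmod 0666 "$t/opt/app/config.ini" # world-writable file
    chmod 1777 "$t/tmp"                                             # sticky: benign
    chmod 0777 "$t/var/www"                                         # no sticky: finding
    printf '%s' "$t"
}

demo=$(make_demo_tree)
audit_perms "$demo"
rm -rf "$demo"
```

On a real host the SUID list is the one to review first: compare it against the distribution's default set, and anything unexpected (or a known-exploitable version) is a privilege-escalation candidate.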
[#24] Programming languages and compilers
The interpreters and compilers present on a host determine what you can run there and what a payload can be written in. The commands below locate and version-check the common ones (quote the glob so the shell does not expand it before find sees it):
find / -name 'perl*' 2>/dev/null
find / -name 'python*' 2>/dev/null
find / -name 'gcc*' 2>/dev/null
find / -name cc 2>/dev/null
python --version
ruby --version
gcc --version
[#25] Search for tools that can transfer files to or from the server
find / -name wget 2>/dev/null
find / -name 'nc*' 2>/dev/null
find / -name 'netcat*' 2>/dev/null
find / -name 'tftp*' 2>/dev/null
find / -name ftp 2>/dev/null
wget --version
nc -v
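A quicker way to run the #24 and #25 checks, as an added example that is not part of the original page: ask the shell which tools are on PATH instead of sweeping the filesystem. The tool lists are the author's assumptions and can be extended.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check which of the interpreters
# (#24) and transfer tools (#25) are on PATH with `command -v`, which is POSIX,
# needs no root and is instant, instead of sweeping the filesystem with find.
# The find sweep stays useful for binaries installed outside PATH.
# Usage: probe_tools NAME...  -> prints "name path" for each one found;
#        returns 0 if at least one was found, 1 otherwise.

probe_tools() {
    found=0
    for tool in "$@"; do
        p=$(command -v "$tool" 2>/dev/null) || continue
        printf '%s %s\n' "$tool" "$p"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Lists are assumptions; add whatever the engagement calls for.
INTERPRETERS="python3 python perl ruby lua php gcc cc"
TRANSFER_TOOLS="wget curl nc ncat netcat socat tftp ftp scp base64"

probe_tools $INTERPRETERS  || echo "no interpreters on PATH"
probe_tools $TRANSFER_TOOLS || echo "no transfer tools on PATH"
```

base64 is in the transfer list on purpose: when no network client exists, a file can still be moved by pasting its base64 encoding through the shell session.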