Linux Penetration Testing Fundamentals
Purpose
Master essential Linux skills for penetration testing including navigation, file manipulation, text processing, networking, process management, permissions, and bash scripting. Linux is the preferred platform for security professionals due to its flexibility, transparency, and extensive tool support.
Prerequisites
Required Environment
- Linux-based system (Kali Linux recommended)
- Terminal access
- Basic understanding of operating systems
Required Knowledge
- Basic command-line concepts
- File system understanding
- Networking fundamentals
Outputs and Deliverables
- System Navigation - Efficient directory and file operations
- Text Processing - Data extraction and manipulation
- Network Configuration - Interface and DNS management
- Automation Scripts - Custom bash tools
Core Workflow
Phase 1: Basic Navigation Commands
Essential commands for system navigation:
Identify current location and user
pwd       # Print working directory
whoami    # Current user
id        # User ID, group ID, groups
Change directories
cd /path/to/directory   # Absolute path
cd ..                   # Parent directory
cd ~                    # Home directory
cd -                    # Previous directory
List contents
ls        # Basic listing
ls -l     # Detailed listing
ls -la    # Include hidden files
ls -lah   # Human-readable sizes
Get help
man <command>       # Manual page
<command> --help    # Help text
<command> -h        # Short help
Phase 2: File Operations
Create, copy, move, and delete files:
Create files and directories
touch newfile.txt       # Create empty file
mkdir new_directory     # Create directory
mkdir -p path/to/dir    # Create nested directories
Copy files
cp file.txt copy.txt    # Copy file
cp -r dir1 dir2         # Copy directory recursively
cp file.txt /dest/      # Copy to destination
Move/rename files
mv file.txt newname.txt   # Rename file
mv file.txt /dest/        # Move to destination
mv dir1 dir2              # Rename directory
Remove files
rm file.txt               # Remove file
rm -r directory/          # Remove directory recursively
rm -rf directory/         # Force remove, no prompts (dangerous!)
rmdir empty_directory/    # Remove empty directory
View file contents
cat file.txt          # Display entire file
less file.txt         # Scrollable view
more file.txt         # Page-by-page view
head -n 20 file.txt   # First 20 lines
tail -n 20 file.txt   # Last 20 lines
tail -f logfile.log   # Follow log file as it grows
Phase 3: Searching and Finding
Locate files and search content:
Find files
find / -name "filename" 2>/dev/null              # Find by name
find / -type f -name "*.txt" 2>/dev/null         # Find text files
find / -type d -name "logs" 2>/dev/null          # Find directories
find / -size +100M 2>/dev/null                   # Files over 100MB
find / -mtime -7 2>/dev/null                     # Modified in the last 7 days
find / -perm -4000 2>/dev/null                   # SUID files (privesc)
find / -user root -perm -4000 2>/dev/null        # Root-owned SUID files
Locate (uses database)
locate filename   # Fast search (database-based)
updatedb          # Update locate database
Find binaries
which nmap     # Binary location in PATH
whereis nmap   # Binary, source, man page
Search file contents
grep "pattern" file.txt            # Search in file
grep -r "pattern" /path/           # Recursive search
grep -i "pattern" file.txt         # Case insensitive
grep -v "pattern" file.txt         # Invert match
grep -n "pattern" file.txt         # Show line numbers
grep -E "regex|pattern" file.txt   # Extended regex
Phase 4: Text Manipulation
Process and transform text:
Display with line numbers
nl file.txt       # Number non-empty lines
cat -n file.txt   # Number all lines
Extract and cut
cut -d':' -f1 /etc/passwd          # First field, colon delimiter
cut -d',' -f1,3 file.csv           # Fields 1 and 3
awk '{print $1}' file.txt          # Print first column
awk -F: '{print $1}' /etc/passwd   # Custom delimiter
Sort and unique
sort file.txt              # Sort lines
sort -r file.txt           # Reverse sort
sort -n file.txt           # Numeric sort
uniq file.txt              # Remove adjacent duplicates (sort first)
sort file.txt | uniq       # Sort then unique
sort file.txt | uniq -c    # Count occurrences
Search and replace
sed 's/old/new/g' file.txt      # Replace all occurrences
sed -i 's/old/new/g' file.txt   # In-place replacement
sed -n '5,10p' file.txt         # Print lines 5-10
sed '1,5d' file.txt             # Delete lines 1-5
Word count
wc file.txt      # Lines, words, bytes
wc -l file.txt   # Count lines
wc -w file.txt   # Count words
Piping and redirection
command1 | command2     # Pipe output
command > file.txt      # Redirect to file (overwrite)
command >> file.txt     # Append to file
command 2>/dev/null     # Discard errors
command 2>&1            # Redirect stderr to stdout
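The text-processing commands above are most useful chained together. The following is an added example, not part of the original cheat sheet: it feeds a handful of constructed sshd log lines (made up for this demo, not real logs) through grep, awk, sort, uniq -c and cut to rank failed logins by source address. The function names failed_by_ip, top_offender and over_threshold are this example's own.

```shell
#!/bin/bash
# Added example: rank failed SSH logins per source IP.
# SAMPLE_LOG is constructed sample data, not output from a real system.

SAMPLE_LOG='Mar 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:07 host sshd[103]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 12:00:09 host sshd[104]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 10 12:00:11 host sshd[105]: Failed password for root from 203.0.113.5 port 51250 ssh2'

# Print "count ip" pairs for failed logins, most frequent first.
# grep keeps the failed lines, awk prints the field after "from" (the field
# number varies, so it is located rather than hard-coded), sort groups equal
# addresses so uniq -c can count them, and sort -rn orders by the count.
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# The single address with the most failures.
top_offender() {
    failed_by_ip | head -n 1 | cut -d' ' -f2
}

# Addresses with at least N failures (default 3), one per line.
over_threshold() {
    local n="${1:-3}"
    failed_by_ip | awk -v n="$n" '$1 >= n { print $2 }'
}

failed_by_ip
echo "Top offender: $(top_offender)"
```

Swap `printf '%s\n' "$SAMPLE_LOG"` for `cat /var/log/auth.log` to run the same pipeline on a real host; the rest of the pipeline does not change.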
Phase 5: Permissions and Ownership
Manage file access control:
View permissions
ls -l file.txt   # Show permissions
Format: -rwxrwxrwx (type, owner, group, others)
Change permissions (numeric)
chmod 755 file.txt   # rwxr-xr-x
chmod 644 file.txt   # rw-r--r--
chmod 777 file.txt   # rwxrwxrwx (dangerous!)
chmod 600 file.txt   # rw------- (secure)
Change permissions (symbolic)
chmod +x file.txt        # Add execute for all
chmod u+x file.txt       # Add execute for owner
chmod g+w file.txt       # Add write for group
chmod o-r file.txt       # Remove read for others
chmod u=rw,g=r file.txt  # Explicit assignment
Change ownership
chown user file.txt         # Change owner
chown user:group file.txt   # Change owner and group
chown -R user directory/    # Recursive ownership
chgrp group file.txt        # Change group only
Special permissions
chmod 4755 file.txt    # SUID (setuid)
chmod 2755 directory   # SGID (setgid)
chmod 1755 directory   # Sticky bit
Permission values:
- 4 = Read (r)
- 2 = Write (w)
- 1 = Execute (x)
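To see the Phase 5 chmod modes and the Phase 3 find -perm searches working together, here is an added example that is not part of the original cheat sheet. It builds a throwaway tree under mktemp, applies several of the modes listed above, and then audits the tree for world-writable and SUID files. The functions make_lab, mode_of, world_writable_files, suid_files and audit are this example's own names; only the temporary directory is touched.

```shell
#!/bin/bash
# Added example: apply permission modes to a constructed directory tree and
# audit it with find -perm.  Everything lives under a mktemp directory.

# Create the lab tree and print its path.
make_lab() {
    local lab
    lab=$(mktemp -d)
    touch "$lab/report.txt" "$lab/backup.sh" "$lab/shared.txt" "$lab/helper"
    mkdir "$lab/drop"
    chmod 600  "$lab/report.txt"   # rw-------  owner only
    chmod 755  "$lab/backup.sh"    # rwxr-xr-x  typical script
    chmod 777  "$lab/shared.txt"   # rwxrwxrwx  world-writable (the dangerous one)
    chmod 4755 "$lab/helper"       # SUID bit set, as with chmod 4755 above
    chmod 1777 "$lab/drop"         # sticky bit on a shared directory, like /tmp
    printf '%s' "$lab"
}

# Octal mode of a path, e.g. 4755 (stat -c is GNU/busybox syntax).
mode_of() {
    stat -c '%a' "$1"
}

# Regular files anyone can write to: -perm -0002 means "others have w".
# Paths are printed relative to the tree root, sorted for stable output.
world_writable_files() {
    ( cd "$1" && find . -type f -perm -0002 ) | sed 's|^\./||' | sort
}

# Regular files with the SUID bit: the find / -perm -4000 check, scoped to the lab.
suid_files() {
    ( cd "$1" && find . -type f -perm -4000 ) | sed 's|^\./||' | sort
}

# Print the audit for one tree.
audit() {
    echo "world-writable files:"; world_writable_files "$1"
    echo "suid files:";           suid_files "$1"
}

lab=$(make_lab)
audit "$lab"
rm -rf "$lab"
```

Note that the sticky directory (1777) is world-writable but is not reported, because the audit restricts itself to regular files with -type f; that is the same reason /tmp does not show up when the real find / -perm -0002 search is run with that filter.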
Phase 6: Network Management
Configure and analyze network settings:
View network interfaces
ifconfig   # All interfaces (legacy)
ip addr    # Modern alternative
ip link    # Interface status
Change IP address
ifconfig eth0 192.168.1.100 netmask 255.255.255.0   # Legacy
ip addr add 192.168.1.100/24 dev eth0               # Modern
Spoof MAC address
ifconfig eth0 down
ifconfig eth0 hw ether 00:11:22:33:44:55
ifconfig eth0 up
Or: macchanger -r eth0   # Random MAC
DHCP client
dhclient eth0   # Request IP from DHCP
DNS resolution
dig example.com        # DNS lookup
dig example.com mx     # Mail servers
dig example.com ns     # Name servers
nslookup example.com   # Alternative lookup
Change DNS server
echo "nameserver 8.8.8.8" > /etc/resolv.conf   # Overwrites the file; NetworkManager or resolvconf may rewrite it
Host file mapping
nano /etc/hosts
Add a line: 192.168.1.100 fake.domain.com
Test connectivity
ping -c 4 target.com    # 4 ping packets
traceroute target.com   # Trace route
netstat -tuln           # Listening TCP/UDP ports, numeric
ss -tuln                # Modern alternative
Phase 7: Process Management
Control running processes:
View processes
ps                # Current session
ps aux            # All processes, all users
ps aux | grep nmap   # Filter by name
top               # Interactive process view
htop              # Enhanced interactive view
Process control
kill <PID>            # Terminate process (SIGTERM)
kill -9 <PID>         # Force kill (SIGKILL)
killall processname   # Kill by name
pkill -f pattern      # Kill by command-line pattern
Background processes
command &   # Run in background
jobs        # List background jobs
fg %1       # Bring job 1 to foreground
bg %1       # Resume job 1 in background
Ctrl+Z      # Suspend current process
Priority management
nice -n 10 command    # Start with lower priority
nice -n -10 command   # Start with higher priority (root)
renice 10 -p <PID>    # Change running process priority
Phase 8: Software Management
Install and manage packages:
Debian/Ubuntu (apt)
apt update                 # Update package lists
apt upgrade                # Upgrade packages
apt install <package>      # Install package
apt remove <package>       # Remove package
apt purge <package>        # Remove with config files
apt search <keyword>       # Search packages
apt-cache show <package>   # Package info
RHEL/CentOS (yum/dnf)
yum update              # Update packages
yum install <package>   # Install package
yum remove <package>    # Remove package
dnf install <package>   # Modern alternative
From source/GitHub
git clone https://github.com/user/repo.git
cd repo
pip install -r requirements.txt
python setup.py install   # Legacy; newer projects use pip install .
Phase 9: Bash Scripting Basics
Create automation scripts:
#!/bin/bash
# Basic script structure

# The shebang on the first line tells the system to use bash

# Comments start with #
# This is a comment

# Variables
name="World"
echo "Hello, $name"

# User input
echo "Enter target IP:"
read target
echo "Scanning $target"

# Command substitution
current_date=$(date)
ip_address=$(hostname -I)

# Conditional statements
if [ -f /etc/passwd ]; then
    echo "File exists"
else
    echo "File not found"
fi

# Loops
for i in 1 2 3 4 5; do
    echo "Number: $i"
done

for file in *.txt; do
    echo "Processing: $file"
done

# While loop (the counter must be initialised first)
count=0
while [ $count -lt 10 ]; do
    echo $count
    count=$((count + 1))
done
Example scanner script:
#!/bin/bash
# Simple network scanner

echo "Enter target network (e.g., 192.168.1):"
read network

echo "Scanning $network.0/24..."

for ip in {1..254}; do
    ping -c 1 -W 1 "$network.$ip" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "[+] Host alive: $network.$ip"
    fi
done &

echo "Scan running in background"
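The scanner above runs whatever the user types straight into ping. The following added example, not part of the original page, rebuilds the same sweep with the scripting building blocks from this phase: one function per step, input validation with a regex, a return code for bad input, and a loop that prints only the reachable addresses. PING_CMD, valid_prefix, probe, sweep and count_alive are this example's own names; PING_CMD is an assumption made so the loop can be exercised against a stub command instead of a live network.

```shell
#!/bin/bash
# Added example: the cheat sheet's ping sweep with validation and functions.
# PING_CMD defaults to a real ping but can be overridden for testing.

PING_CMD="${PING_CMD:-ping -c 1 -W 1}"

# Accept only a three-octet prefix such as 192.168.1 (each octet 0-255).
valid_prefix() {
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s' "$1" | grep -Eq "^$octet\.$octet\.$octet$"
}

# Probe one host; the command's exit status is the result (0 = reachable).
probe() {
    $PING_CMD "$1" > /dev/null 2>&1
}

# Print the reachable addresses prefix.1 .. prefix.254, one per line.
# Returns 2 without probing anything if the prefix is malformed.
sweep() {
    local prefix="$1" last
    if ! valid_prefix "$prefix"; then
        echo "invalid prefix: $prefix" >&2
        return 2
    fi
    for last in $(seq 1 254); do
        if probe "$prefix.$last"; then
            echo "$prefix.$last"
        fi
    done
}

# Number of reachable hosts, for a one-line summary.
count_alive() {
    sweep "$1" | grep -c .
}

# Run a real sweep only when a prefix is given on the command line.
if [ -n "${1:-}" ]; then
    sweep "$1"
    echo "alive: $(count_alive "$1")"
fi
```

Running `./sweep.sh 192.168.1` performs the sweep in the foreground; to background it as the original script does, append `&` to the call. Validating the prefix before the loop avoids 254 failed pings (and 254 error lines) when the input was mistyped.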
Phase 10: Environment Variables
Manage system environment:
View variables
env          # All environment variables
echo $PATH   # Specific variable
set | more   # All variables
Set variables (session)
export MYVAR="value"    # Set and export
PATH=$PATH:/new/path    # Append to PATH
Permanent variables
echo 'export MYVAR="value"' >> ~/.bashrc
source ~/.bashrc   # Reload
Important variables
$HOME       # Home directory
$PATH       # Executable search path
$USER       # Current username
$SHELL      # Current shell
$PWD        # Current directory
$HISTSIZE   # History size
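Because $PATH decides which binary a bare command name resolves to, it is worth checking what has been appended to it. This added example is not part of the original page: check_path splits a PATH string on ':' and reports entries that let a stray binary be picked up by mistake (empty entries and ".", which both mean the current directory; relative directories; directories anyone can write to; directories that do not exist). check_path and path_findings are this example's own function names; the PATH string is passed as an argument so a constructed value can be checked as easily as the live one.

```shell
#!/bin/bash
# Added example: audit a PATH value for risky entries.
# The function takes the PATH string as its argument.

check_path() {
    # Split on ':'. An empty entry becomes an empty line, which read still
    # delivers, so "a::b" and a trailing ':' are caught.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            "")
                echo "EMPTY entry (resolves to the current directory)" ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "MISSING directory: $entry"
                elif [ -n "$(find "$entry" -maxdepth 0 -perm -0002)" ]; then
                    # -perm -0002: others have write permission on the directory
                    echo "WORLD-WRITABLE directory: $entry"
                fi ;;
            *)
                # "." or any other relative path: resolved from wherever you cd to
                echo "RELATIVE entry: $entry" ;;
        esac
    done
}

# Number of findings; useful as an exit code in a hardening script.
path_findings() {
    check_path "$1" | grep -c .
}

echo "Checking current PATH:"
check_path "$PATH"
echo "findings: $(path_findings "$PATH")"
```

A clean PATH produces no output from check_path and a count of 0 from path_findings; anything else is an entry to remove from ~/.bashrc or /etc/profile.d before relying on that shell.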
Quick Reference
Essential Commands
Command      Purpose
pwd          Print working directory
ls -la       List all files, detailed
cd           Change directory
cat          Display file contents
grep         Search text
find         Find files
chmod        Change permissions
ps aux       List processes
kill         Terminate process
File Permissions
Value   Permission
7       rwx
6       rw-
5       r-x
4       r--
0       ---
Network Commands
Command         Purpose
ifconfig        Interface config
ip addr         Show IP addresses
netstat -tuln   Listening ports
dig             DNS lookup
ping            Test connectivity
Constraints and Limitations
Permission Requirements
- Many commands require root/sudo
- File access depends on permissions
- Network operations may need elevated privileges
Best Practices
- Always back up before modifying system files
- Use test environments for learning
- Document changes made to systems
- Understand commands before executing them
Troubleshooting
Permission Denied
Solutions:
- Use sudo for elevated privileges
- Check file permissions: ls -la
- Verify user group membership
- Check for immutable attributes
Command Not Found
Solutions:
- Check if the package is installed
- Verify PATH includes the command's location
- Use the full path to the binary
- Install the missing package