85 commandes · 13 catégories
echo
Displays text or the value of a variable in the terminal.
echo Hello echo "Hello world" echo $HOME
whoami
Displays the username of the currently logged-in user.
ls
Lists files and directories in the current (or specified) directory.
ls ls -l # long format (permissions, owner, size, date) ls -a # show hidden files (dot files)
cat
Displays the content of a file directly in the terminal. Best suited for small files. For large files, use `less` or `head`/`tail`:
cat file.txt cat ./- # file whose name is a dash cat "./file with spaces" # file whose name contains spaces
cd
Changes the current working directory.
cd folder cd .. cd /absolute/path
pwd
Prints the absolute path of the current working directory.
mkdir
Creates a new directory.
mkdir new_folder mkdir -p parent/child/grandchild # create nested directories in one shot
touch
Creates a new empty file or updates its timestamp if it already exists.
touch file.txt
cp
Copies files or directories.
cp file.txt backup.txt cp -r folder/ backup_folder/
mv
Moves or renames files and directories.
mv file.txt /home/user/ mv old.txt new.txt
rm
Removes files or directories.
rm file.txt rm -r folder/
file
Determines the type of a file (text, binary, gzip, bzip2, tar…).
file document.txt file ./* # check all files in current directory
man
Opens the manual page for a command.
man ls man find man chmod
clear
Clears the terminal screen.
id
Displays the current user's UID, GID, and group memberships.
id id username
uname
Displays system information (kernel, architecture, hostname).
uname -a # all info: kernel, hostname, architecture, OS uname -r # kernel version only uname -m # architecture (x86_64, etc.)
history
Displays the shell command history for the current user.
history history | grep "ssh" cat ~/.*history | less # read all history files
date
Displays the current system date and time. Supports custom output formatting. The `+` prefix defines a custom format using strftime-style specifiers.
date # full date and time date +"%Y-%m-%d" # formatted: 2026-02-26 date +"%H:%M:%S" # time only: 14:35:00
basename
Returns the last component of a path — the filename or directory name without the leading path. Useful in scripts to extract a clean name from a full path.
basename /home/user/docs/report.txt # → report.txt basename /home/user/docs/ # → docs
nano
Terminal-based text editor — simple and beginner-friendly. Keyboard shortcuts:
nano file.txt
vim
Powerful modal text editor — steep learning curve but extremely versatile. Essential commands:
vim file.txt
find
Searches for files and directories recursively.
find / -name "*.txt" find / -type f -name "secret" find / -type f -user bob -group dev -size 33c 2>/dev/null
grep
Searches for a specific pattern inside files.
grep "admin" file.txt grep -r "admin" /path grep -i "admin" file.txt
awk
Pattern-based text processing tool — splits input into fields and applies actions.
awk '{print $1}' file.txt # print first field of each line awk -F: '{print $1}' /etc/passwd # use : as delimiter, print usernames awk '/error/ {print $0}' log.txt # print lines matching "error"
cut
Extracts specific fields from lines based on a delimiter.
cut -d ' ' -f 1 file.txt # extract first field, space-delimited echo "a b c" | cut -d ' ' -f 2 # → b md5sum file | cut -d ' ' -f 1 # extract only the hash
sort
Sorts lines in a file alphabetically (or numerically).
sort file.txt sort -u file.txt # sort and remove duplicates sort -n file.txt # sort numerically
uniq
Filters or counts duplicate lines. Usually combined with `sort`.
sort file.txt | uniq # remove duplicates sort file.txt | uniq -u # keep only unique lines sort file.txt | uniq -c # count occurrences of each line
wc
Counts lines, words, or characters in a file.
wc file.txt # lines, words, characters wc -l file.txt # count lines only wc -w file.txt # count words only
strings
Extracts human-readable strings from a binary file.
strings binary_file strings data.txt | grep "=" # extract and filter
md5sum
Computes the MD5 hash of a file or input string.
md5sum file.txt echo "I am user bandit23" | md5sum echo "I am user bandit23" | md5sum | cut -d ' ' -f 1 # hash only
base64
Encodes or decodes base64 data.
base64 file.txt # encode base64 -d file.txt # decode
tr
Translates or replaces characters in a stream.
tr 'A-Za-z' 'N-ZA-Mn-za-m' # ROT13 tr 'a-z' 'A-Z' # lowercase to uppercase cat file.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m' # ROT13 via pipe
xxd
Creates a hex dump of a file, or reverses one back to binary.
xxd file # display hex dump xxd -r hexdump > binary # rebuild binary from hex dump
gzip` / `gunzip
Compresses or decompresses `.gz` files.
gzip file.txt # compress → file.txt.gz gunzip file.gz # decompress gzip -d file.gz # decompress (alternative)
bzip2` / `bunzip2
Compresses or decompresses `.bz2` files.
bzip2 file.txt # compress → file.txt.bz2 bunzip2 file.bz2 # decompress bzip2 -d file.bz2 # decompress (alternative)
tar
Archives multiple files into a single `.tar` file.
tar tf archive.tar # list contents tar xf archive.tar # extract tar czf archive.tar.gz folder/ # create compressed archive
su
Switches to another user account. `-l` provides a full login shell environment.
su username su -l username
ssh
Connects to a remote machine over a network.
ssh user@hostname ssh user@192.168.1.10 ssh user@host -p 2220 # specify port
scp
Securely copies files between machines over SSH.
scp file.txt user@192.168.1.10:/path/ # send scp user@192.168.1.10:/path/file.txt . # receive scp -P 2220 user@host:file.txt . # specify port
wget
Downloads files from a URL.
wget http://example.com/file.txt
curl
Transfers data from or to a server. Supports HTTP, HTTPS, FTP, and more.
curl http://example.com # GET request, output to stdout curl -o file.html http://example.com # save output to file curl -I http://example.com # fetch headers only
nc` (Netcat)
Opens raw TCP/UDP connections. Useful for interacting with services directly.
nc host port # connect to a host on a port nc localhost 30000 # connect to a local service nc -l -p 1234 # listen on port 1234 (TCP server mode)
openssl s_client
Connects to a host using SSL/TLS. Required when the service does not accept plaintext. `-ign_eof` prevents the connection from closing when stdin reaches EOF — necessary when piping input.
openssl s_client -connect localhost:30001 openssl s_client -connect localhost:30001 -ign_eof
nmap
Scans hosts and port ranges to identify open services and their versions. #### Scan types #### Detection & output flags #### NSE (Nmap Scripting Engine) Script categories: `safe`, `intrusive`, `vuln`, `exploit`, `auth`, `brute`, `discovery` #### Firewall evasion
nmap host # default scan nmap -p 31000-32000 localhost # scan a specific port range nmap -p- localhost # scan all 65535 ports
telnet
Opens a raw TCP connection to any port. Must manually speak the target protocol after connecting. After connecting, send the appropriate protocol command: The server response headers reveal the service name and version (`Server: nginx/1.6.2`). This technique is called **banner grabbing**.
telnet <IP> 80 # connect to port 80 (HTTP) telnet <IP> 25 # connect to port 25 (SMTP) telnet <IP> 110 # connect to port 110 (POP3)
nslookup
Queries DNS servers to resolve domain names and retrieve DNS records. DNS record types:
nslookup domain.com # standard A record lookup nslookup -type=A domain.com # IPv4 address nslookup -type=AAAA domain.com # IPv6 address
diff
Compares two files line by line and shows differences. Output convention: `<` = line from the first file, `>` = line from the second file.
diff file1.txt file2.txt
ping
Sends ICMP echo requests to test whether a host is reachable.
ping hostname ping 8.8.8.8 ping -4 hostname # force IPv4 only
traceroute
Maps the path packets take to reach a destination by recording each hop. Uses the Internet layer (IP) by default.
traceroute hostname traceroute -i eth0 hostname # specify the network interface traceroute -T hostname # use TCP SYN instead of default UDP
whois
Queries domain registration information and IP address ownership.
whois example.com whois 8.8.8.8
dig
Manually queries DNS servers to resolve domain names. Key sections in the output:
dig example.com # standard DNS lookup dig example.com @8.8.8.8 # query a specific DNS server dig -x 8.8.8.8 # reverse DNS lookup
python3
Runs Python scripts or starts an interactive interpreter. #### `python3 -m http.server` Starts a simple HTTP server in the current directory. Useful for transferring files between machines. Then fetch from another machine:
python3 script.py # run a script python3 scanner.py --host 10.10.1.1 --start 1 --end 1024 # pass CLI arguments (argparse) python3 -c "import hashlib; print(hashlib.md5(b'test').hexdigest())" # one-liner
ps
Displays running processes.
ps ps aux
top
Displays real-time process statistics (CPU, memory, PID).
kill
Sends signals to processes.
kill PID # SIGTERM – graceful stop kill -9 PID # SIGKILL – forced stop
systemctl
Manages system services.
systemctl start apache2 systemctl stop apache2 systemctl enable apache2 # auto-start on boot
Job Control
Suspend a running process: Resume in the background: Resume in the foreground:
CTRL + Z
apt
Package manager for Debian-based systems (Ubuntu, Kali, etc.).
sudo apt update # refresh package list sudo apt upgrade # upgrade installed packages sudo apt install package_name # install a package
pip` / `pip3
Python package manager. Installs third-party libraries from PyPI. Common pentest libraries:
pip install requests # install a package pip install paramiko scapy # install multiple packages pip install -r requirements.txt # install from a requirements file
cron
Schedules recurring tasks. Edit the crontab: Cron format:
crontab -e
chown
Changes the owner (and optionally the group) of a file or directory.
chown user file.txt chown user:group file.txt chown -R user folder/ # recursive
chmod
Changes the permissions of a file or directory. Permissions are structured across three levels: Numeric values: Example — `chmod 750 file.txt`:
chmod 750 file.txt chmod 400 keyfile # read-only for owner (SSH private keys) chmod +x script.sh # add execute permission
On files
On directories
seq
Generates a sequence of numbers. Commonly used in loops for brute force or iteration:
seq 5 # 1 2 3 4 5 seq 0 9999 # 0 to 9999 seq 1 2 10 # 1 3 5 7 9 (step of 2)
printf
Formats and prints data — more powerful than `echo` for precise formatting.
printf '%04d\n' 7 # → 0007 printf '%s %04d\n' "abc" 42
export
Sets an environment variable and makes it available to child processes. Used in PATH Hijacking — prepending a custom directory to `$PATH` forces the shell to find fake binaries before real ones.
export VAR=value export PATH=/tmp/mydir:$PATH # prepend a directory to PATH
Shebang
The shebang must be alone on the first line and tells the OS which interpreter to run the script with. `/usr/bin/env bash` is more portable than `#!/bin/bash` — it resolves `bash` via `PATH` instead of assuming a fixed location.
#!/usr/bin/env bash
Variables
Declare a variable without spaces around `=`. Reference it with `$VAR` (case-sensitive). Always quote variables to handle paths with spaces: Concatenate variables using `${}`:
SOURCE="/path/to/dir" echo "$SOURCE"
Command Substitution
Store the output of a command in a variable:
DATE=$(date +"%Y-%m-%d") DIR_NAME=$(basename "$SOURCE")
Conditionals
Common condition flags: Example — check that a directory exists before proceeding:
if [ condition ]; then # commands fi
Exit Codes
Every command returns an exit code when it finishes. Use `exit` to terminate a script explicitly: If a script finishes without an explicit `exit`, it returns the exit code of the last command.
exit 0 # success exit 1 # error
Copying Directories
cp -r "$SOURCE" "$DESTINATION" # copies the directory itself cp -r "$SOURCE"/* "$DESTINATION" # copies only the contents
sudo
Executes a command as another user (default: root). Requires the target user to be specified with `-u`. The allowed commands per user are configured in `/etc/sudoers`.
sudo command sudo -u username command sudo -u app-admin /bin/cat /path/to/file
SUID Binaries
A binary with the SUID bit set runs with the **file owner's** privileges, regardless of who executes it. Identifying SUID binaries:
ls -la ./binary # look for 's' in owner permissions: -rwsr-xr-x ./binary command # runs as the file owner
PATH Hijacking
If a SUID binary calls a command without an absolute path (e.g., `ls` instead of `/bin/ls`), the shell resolves it via `$PATH`. Prepending a custom directory allows substituting the real binary with a fake one.
mkdir /tmp/fake echo -e '#!/bin/bash\ncat /path/to/secret' > /tmp/fake/ls chmod +x /tmp/fake/ls
PrivEsc Enumeration Checklist
Key files and commands to check during Linux privilege escalation:
uname -a # kernel version, architecture id && whoami # current user and groups sudo -l # sudo permissions
john` (John the Ripper)
Password cracking tool. Runs on the attacker's machine, not on the target. Extract a hash from `/etc/shadow`:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt # crack with wordlist john --show hash.txt # display cracked passwords
mkpasswd
Generates a password hash suitable for `/etc/shadow`.
mkpasswd -m sha-512 newpassword
openssl passwd
Generates a password hash suitable for `/etc/passwd`. Inject a new root user into a world-writable `/etc/passwd`:
openssl passwd newpassword
gcc
Compiles C source code. Used in PrivEsc to build shared libraries or custom binaries.
gcc -o output source.c # basic compilation gcc -fPIC -shared -nostartfiles -o /tmp/preload.so lib.c # compile shared library
ldd
Lists the shared libraries required by a binary. Used in LD_LIBRARY_PATH exploitation to identify which library to replace.
ldd /usr/sbin/apache2 ldd /usr/bin/passwd
mount
Mounts a filesystem or network share. Used in NFS `no_root_squash` exploitation — mount the share on the attacker machine as root.
mount # list all mounted filesystems mount /dev/sda1 /mnt # mount a local partition mount -t nfs target:/share /mnt # mount an NFS share
LD_PRELOAD / LD_LIBRARY_PATH
If `env_keep+=LD_PRELOAD` appears in `sudo -l` output, a shared library can be injected: If `env_keep+=LD_LIBRARY_PATH` is set, replace a library used by an allowed sudo binary:
sudo LD_PRELOAD=/tmp/preload.so find
GTFOBins — Sudo Exploitation
When `sudo -l` allows running a binary, check [GTFOBins](https://gtfobins.github.io) for shell escapes:
sudo find . -exec /bin/sh \; -quit sudo vim -c ':!/bin/sh' sudo awk 'BEGIN {system("/bin/sh")}'