
Linux Command Line for Security: The 40 Commands You Must Know

bolt · April 2, 2026 · 6 min read
Tags: linux, command-line, beginners, pentesting, cheat-sheet

Why Linux Matters for Security

Most servers run Linux. Most hacking tools are built for Linux. Most security certifications expect Linux proficiency. If you're serious about cybersecurity, the command line is your primary weapon.

This guide covers the 40 commands you'll use most often in security work — organized by category with practical examples.

File System Navigation

1. ls — List Directory Contents

ls -la          # Long format, including hidden files
ls -la /etc/    # Check system config files
ls -laR /tmp/   # Recursive listing — find temp files left by attackers

2. cd, pwd — Navigate and Show Location

cd /var/log      # Go to log directory
pwd              # Print current directory
cd -             # Go back to previous directory

3. find — Search for Files

# Find SUID binaries (privilege escalation vector)
find / -perm -4000 -type f 2>/dev/null

# Find files modified in the last 24 hours
find / -mtime -1 -type f 2>/dev/null

# Find world-writable files
find / -perm -o+w -type f 2>/dev/null

# Find files owned by root that others can write
find / -user root -perm -o+w -type f 2>/dev/null
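
The find predicates above are easiest to understand against a tree whose permissions you control. The following is an added example, not part of the original cheat sheet: it builds a constructed directory with one SUID file, one world-writable file and one ordinary file, then runs the same -perm tests on it and prints paths relative to the constructed root. It assumes GNU find and coreutils on Linux; the file names are made up.

```shell
#!/bin/sh
# Constructed sample tree (not a real system): permissions are set explicitly
# so the result does not depend on the caller's umask.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/tmp"
  printf '#!/bin/sh\n' > "$root/usr/bin/setuid_helper"
  chmod 4755 "$root/usr/bin/setuid_helper"     # SUID bit set: the -4000 case
  printf 'scratch\n' > "$root/tmp/dropped.txt"
  chmod 666 "$root/tmp/dropped.txt"            # world-writable: the -o+w case
  printf 'normal\n' > "$root/usr/bin/plain"
  chmod 755 "$root/usr/bin/plain"              # ordinary binary, matches neither
  echo "$root"
}

# Files with the SUID bit set, printed relative to the root given as $1.
# -perm -4000 means "at least these bits", so 4755, 4711, ... all match.
find_suid() {
  find "$1" -perm -4000 -type f 2>/dev/null | sed "s|^$1/||" | sort
}

# Files writable by "other" (-o+w is the symbolic form of octal -0002).
find_world_writable() {
  find "$1" -perm -o+w -type f 2>/dev/null | sed "s|^$1/||" | sort
}

# Stand-alone run: build the tree, report, clean up.
demo_root=$(make_sample_tree)
echo "SUID files:";           find_suid "$demo_root"
echo "World-writable files:"; find_world_writable "$demo_root"
rm -rf "$demo_root"
```

On a real host you would run the same two functions with / as the root; the 2>/dev/null hides the "Permission denied" noise from directories your user cannot read, which is also why the audit is usually run as root.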

4. cat, less, head, tail — Read Files

cat /etc/passwd              # View user accounts
less /var/log/auth.log       # Scroll through auth logs
head -20 /etc/shadow         # First 20 lines (needs root)
tail -f /var/log/syslog      # Follow logs in real-time

User and Permission Management

5. whoami, id — Current User Info

whoami           # Current username
id               # UID, GID, and group memberships
id root          # Check root's groups

6. chmod, chown — Change Permissions

chmod 700 script.sh      # Owner-only access
chmod +x exploit.py      # Make executable
chown root:root file.txt # Change ownership

7. sudo — Execute as Root

sudo -l                  # List what you can run as sudo
sudo su -                # Switch to root shell
sudo cat /etc/shadow     # Read shadow file

8. passwd — Change Passwords

passwd                   # Change your password
sudo passwd username     # Change another user's password

Network Analysis

9. ip, ifconfig — Network Interfaces

ip addr show             # All interfaces and IPs
ip route show            # Routing table
ifconfig                 # Legacy but still common

10. netstat, ss — Network Connections

ss -tulnp                # All listening ports with process names (the process column needs root)
netstat -tulnp           # Same, older syntax
ss -s                    # Connection statistics

11. ping, traceroute — Connectivity Testing

ping -c 4 google.com     # Test connectivity
traceroute google.com    # Trace network path

12. curl, wget — HTTP Requests

curl -v https://target.com          # Verbose HTTP request (see headers)
curl -X POST -d '{"key":"val"}' URL # POST JSON data
wget -r -l 2 http://target.com     # Recursive download (2 levels deep)

13. dig, nslookup — DNS Queries

dig cyberbolt.in                    # DNS lookup
dig cyberbolt.in ANY                # All DNS records (many servers refuse ANY since RFC 8482)
dig @8.8.8.8 cyberbolt.in           # Query specific DNS server
nslookup cyberbolt.in               # Simpler DNS lookup

Process Management

14. ps — Process List

ps aux                   # All running processes
ps aux | grep ssh        # Find SSH processes
ps -ef --forest          # Process tree

15. top, htop — System Monitor

top                      # Real-time process monitor
htop                     # Better interactive version

16. kill — Terminate Processes

kill -9 1234             # Force-kill PID 1234
killall python3          # Kill all python3 processes

Text Processing (Essential for Log Analysis)

17. grep — Search in Text

grep "Failed password" /var/log/auth.log     # Failed SSH logins
grep -r "password" /var/www/                 # Search recursively for hardcoded passwords
grep -i "error" /var/log/syslog | tail -20   # Last 20 errors (case-insensitive)

18. awk — Column Processing

# Extract source IPs from auth log and rank them by failure count
# ($11 only works for "Failed password for <user> from <ip>"; lines with
# "invalid user" shift the IP to $13, so match on the word "from" instead)
grep "Failed password" /var/log/auth.log | awk '{for(i=1;i<NF;i++) if($i=="from") print $(i+1)}' | sort | uniq -c | sort -rn

19. sed — Stream Editor

sed 's/password/REDACTED/g' config.txt       # Replace text in files
sed -n '10,20p' /var/log/syslog              # Print lines 10-20

20. sort, uniq, wc — Data Analysis

awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -10
# Top 10 IP addresses by request count
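
The grep / awk / sort / uniq chain is the workhorse of log triage, and the one thing the one-liners above hide is that sshd writes two different line shapes. The following is an added example, not from the original post: it embeds a few constructed sshd lines (the hosts and addresses are documentation ranges, not real) and wraps the pipeline in functions that rank failed logins per source IP, apply a brute-force threshold, and count distinct sources. It assumes standard grep, awk, sort and uniq.

```shell
#!/bin/sh
# Constructed sample of sshd auth.log lines (not real traffic). The "invalid
# user" form has two extra words, which is why the extractor looks for the
# word "from" instead of hard-coding a field number.
sample_auth_log() {
  cat <<'EOF'
Apr  2 10:01:12 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr  2 10:01:15 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr  2 10:01:20 web01 sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Apr  2 10:02:01 web01 sshd[1210]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
Apr  2 10:02:03 web01 sshd[1211]: Failed password for root from 203.0.113.5 port 51250 ssh2
EOF
}

# Read log lines on stdin; print "<count> <ip>" per source, most frequent first.
failed_logins_by_ip() {
  grep 'Failed password' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'     # normalise the leading spaces uniq -c adds
}

# Print only the IPs that reached the threshold (default 3 failures).
brute_force_candidates() {
  threshold=${1:-3}
  failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Number of distinct IPs with at least one failure.
distinct_failed_sources() {
  failed_logins_by_ip | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
echo "Failures per source IP:"
sample_auth_log | failed_logins_by_ip
echo "Brute-force candidates (>= 3 failures):"
sample_auth_log | brute_force_candidates 3
```

Against a live system, replace sample_auth_log with `cat /var/log/auth.log` (or `journalctl -u ssh` on journald hosts); the functions read stdin, so nothing else changes.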

Networking Tools for Security

21. nmap — Port Scanner

nmap -sV target.com              # Service version detection
nmap -sS -p- target.com          # SYN scan all 65535 ports
nmap -sC -sV -oA scan target.com # Default scripts + version + save output
nmap --script vuln target.com    # Vulnerability scanning

22. tcpdump — Packet Capture

sudo tcpdump -i eth0 -n port 80           # HTTP traffic
sudo tcpdump -i eth0 -w capture.pcap      # Save to file for Wireshark
sudo tcpdump -i eth0 host 192.168.1.100   # Traffic to/from specific host

23. nc (netcat) — Network Swiss Army Knife

nc -lvnp 4444                    # Listen for reverse shell
nc target.com 80                 # Connect to port 80
echo "test" | nc -w 3 target 80  # Send data to port

System Information

24-28: Quick Recon Commands

uname -a                 # Kernel version (for kernel exploits)
cat /etc/os-release      # OS version
df -h                    # Disk usage
free -h                  # Memory usage
uptime                   # System uptime

File Integrity and Hashing

29-30: Hash Verification

md5sum file.iso          # MD5 hash
sha256sum file.iso       # SHA-256 hash (preferred)
sha256sum -c checksum.txt # Verify against known hash
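
What sha256sum -c actually catches is worth seeing end to end. The following is an added example, not from the original post: it writes a constructed file, records its digest in the "<hash>  <name>" format that -c expects, verifies it, then appends a byte and verifies again, returning sha256sum's exit status each time. It assumes GNU coreutils (sha256sum).

```shell
#!/bin/sh
# Hex SHA-256 of a file, without the trailing file name.
sha256_hex() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Record <file>'s digest next to it as <file>.sha256, in the format
# sha256sum -c reads ("<hash>  <name>", two spaces). Run from the file's
# directory so the recorded name is relative, as vendors publish it.
record_checksum() {   # record_checksum <dir> <file>
  ( cd "$1" && sha256sum "$2" > "$2.sha256" )
}

# Verify <file> against its recorded digest. Exit status is sha256sum's:
# 0 when every line matches, non-zero on any mismatch or missing file.
verify_checksum() {   # verify_checksum <dir> <file>
  ( cd "$1" && sha256sum -c "$2.sha256" )
}

# Scenario: verify an intact file, tamper with it, verify again.
# Prints "ok bad" when verification behaves as expected.
integrity_demo() {
  work=$(mktemp -d)
  printf 'release-payload-v1\n' > "$work/file.iso"   # constructed stand-in for a download
  record_checksum "$work" file.iso
  if verify_checksum "$work" file.iso >/dev/null 2>&1; then before=ok; else before=bad; fi
  printf 'X' >> "$work/file.iso"                      # one appended byte is enough
  if verify_checksum "$work" file.iso >/dev/null 2>&1; then after=ok; else after=bad; fi
  rm -rf "$work"
  echo "$before $after"
}

# Stand-alone run.
echo "intact/tampered verification: $(integrity_demo)"
```

Two practical notes: the checksum is only as trustworthy as the channel it came over, so fetch it from a different source than the file (or prefer a signed checksum file), and md5sum remains fine for detecting accidental corruption but not for integrity against an adversary, since MD5 collisions are cheap to produce.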

Compression and Archiving

31-32: Archive Commands

tar -czf backup.tar.gz /var/www/    # Create compressed archive
tar -xzf backup.tar.gz              # Extract archive
zip -r backup.zip /var/www/         # Create ZIP archive

Cron Jobs and Scheduled Tasks

33-34: Check for Persistence

crontab -l                          # Current user's cron jobs
sudo crontab -u root -l             # Root's cron jobs
cat /etc/crontab                    # System cron table
ls -la /etc/cron.d/                 # Cron drop-in directory
# Attackers often hide persistence in cron jobs!
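
Listing cron files is step one; deciding which entries deserve a second look is the actual check. The following is an added example, not from the original post: it builds a constructed /etc/crontab and /etc/cron.d under a temporary root (the entries are made up), then flags entries that execute from scratch directories and cron files that any local user could edit. It assumes GNU grep and find; the search paths and patterns are this example's own choices, not a complete persistence ruleset.

```shell
#!/bin/sh
# Constructed cron layout under a temp root (not a real system). Modes are set
# explicitly so the result does not depend on the caller's umask.
make_sample_cron() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/cron.d"
  cat > "$root/etc/crontab" <<'EOF'
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
  cat > "$root/etc/cron.d/logrotate" <<'EOF'
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
  cat > "$root/etc/cron.d/update" <<'EOF'
*/5 * * * * root /tmp/.x/update.sh
EOF
  chmod 644 "$root/etc/crontab" "$root/etc/cron.d/logrotate"
  chmod 666 "$root/etc/cron.d/update"     # anyone could rewrite this job
  echo "$root"
}

# Entries whose command lives in a directory that is writable by everyone
# and routinely used as a staging area. Output is "<file>:<line>" with the
# temp root stripped so it reads like a real path.
suspicious_cron_entries() {   # suspicious_cron_entries <root>
  grep -rEH '(/tmp/|/dev/shm/|/var/tmp/)' "$1/etc/crontab" "$1/etc/cron.d" 2>/dev/null \
    | sed "s|^$1||"
}

# Cron files that "other" can write: a world-writable job file lets any local
# user schedule commands as the user named in the entry (often root).
writable_cron_files() {       # writable_cron_files <root>
  find "$1/etc/crontab" "$1/etc/cron.d" -type f -perm -o+w 2>/dev/null \
    | sed "s|^$1||" | sort
}

# Stand-alone run against the constructed layout.
demo_root=$(make_sample_cron)
echo "Entries running from scratch directories:"; suspicious_cron_entries "$demo_root"
echo "World-writable cron files:";                writable_cron_files "$demo_root"
rm -rf "$demo_root"
```

On a live host pass an empty root ("") so the functions read the real /etc/crontab and /etc/cron.d; per-user crontabs under /var/spool/cron are a separate location that crontab -l covers.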

SSH — Secure Remote Access

35-38: SSH Essentials

ssh user@target.com                      # Remote login
ssh -L 8080:localhost:80 user@target.com # Local port forwarding (tunnel)
ssh -D 9050 user@target.com              # SOCKS proxy through SSH
scp file.txt user@target.com:/tmp/       # Secure file copy
ssh-keygen -t ed25519                    # Generate SSH key (use ed25519)

Privilege Escalation Checks

39-40: Quick PrivEsc Checklist

# SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Sudo permissions
sudo -l

# Writable /etc/passwd?
ls -la /etc/passwd

# Check for credentials in environment
env | grep -i "pass\|key\|token\|secret"

# Readable SSH keys
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null

# Check for services running as root (match the user column only; a plain
# grep root also matches grep itself and any command line containing "root")
ps aux | awk '$1 == "root"'

Key Takeaways

  • Practice these commands daily — muscle memory matters in time-sensitive security incidents
  • Set up a home lab with a Linux VM (Kali, Parrot, or Ubuntu) to practice safely
  • Combine commands with pipes — the real power of Linux is chaining tools together
  • The find, grep, awk trio handles 80% of security analysis tasks
  • Always run man followed by the command name for the full manual when you need more options
