Linux For Hackers

Hadi AL Halbouni
5 min read · Sep 18, 2023

In this article I tried to collect the most essential Linux commands that a penetration tester needs, to provide a comprehensive reference for controlling Linux systems effectively.

Disable a user account:

  1. The usermod -L username and passwd -l username commands both place an exclamation mark (!) at the beginning of the password hash in /etc/shadow. The same change can be applied to the file by hand. The result is that any password authentication attempt for that user will fail.
  2. Mark the user account as expired. When an account expiration date is set, it is stored in the 8th field of /etc/shadow. The chage command can be used with the -E switch to set an expiration date for a user account. The easiest way to expire an account is to provide a date in the past.
  3. Change the default shell in /etc/passwd either to /bin/false, which exits immediately, or to /sbin/nologin, which is a small program that displays a message saying that the account is currently not available. We can use the usermod command with the -s option to change the default shell of a user:

sudo usermod -s /sbin/nologin hadi
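The three methods leave three different traces, which is what you look for when auditing which accounts are actually disabled. The following script is an added example (not from the article) that classifies accounts from constructed /etc/shadow and /etc/passwd snapshots embedded in the script; the user names, placeholder hashes and the pinned "today" value are all assumptions made for the demonstration rather than data from a real system.

```shell
#!/bin/sh
# Added example (not from the article): report which lock method is in effect
# for an account, using constructed /etc/shadow and /etc/passwd snapshots
# embedded below instead of reading the real files.

# Constructed sample data; the hashes are placeholders, not real password hashes.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$salt$PLACEHOLDERHASH:19600:0:99999:7:::
hadi:!$6$salt$PLACEHOLDERHASH:19600:0:99999:7:::
phoenix:$6$salt$PLACEHOLDERHASH:19600:0:99999:7::18000:
svc:*:19600:0:99999:7:::
alice:$6$salt$PLACEHOLDERHASH:19600:0:99999:7:::'

# Passwd fields: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
hadi:x:1000:1000::/hadihome:/bin/bash
phoenix:x:1001:1001::/home/phoenix:/bin/bash
svc:x:999:999::/var/lib/svc:/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/false'

# "Today" as days since 1970-01-01, pinned so the example is deterministic
# (19618 is 2023-09-18, the article's publication date).
TODAY_DAYS=19618

# password_state NAME -> locked | expired | active | unknown
password_state() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v user="$1" -v today="$TODAY_DAYS" '
    $1 == user {
      found = 1
      if ($2 ~ /^[!*]/)             { print "locked";  exit }  # usermod -L / passwd -l
      if ($8 != "" && $8+0 < today) { print "expired"; exit }  # chage -E with a past date
      print "active"; exit
    }
    END { if (!found) print "unknown" }'
}

# shell_state NAME -> nologin | active | unknown
shell_state() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v user="$1" '
    $1 == user {
      found = 1
      if ($7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin" || $7 == "/bin/false")
        print "nologin"
      else
        print "active"
      exit
    }
    END { if (!found) print "unknown" }'
}

# account_summary NAME -> "NAME password=<state> shell=<state>"
account_summary() {
  printf '%s password=%s shell=%s\n' "$1" "$(password_state "$1")" "$(shell_state "$1")"
}

for u in root hadi phoenix svc alice; do account_summary "$u"; done
```

Note that a locked password hash only blocks password authentication; an account with an authorized SSH key or a valid sudo rule can still be used unless the shell is also changed or the account expired, which is why the summary reports both fields.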

Create a user with a specific home folder name, and a specific shell environment:

sudo useradd -m -d <home_directory> -s <login_shell> <username>

sudo useradd -m -d /hadihome -s /bin/bash hadi
  • -m: This option creates the user's home directory if it doesn't exist.
  • -d <home_directory>: Specifies the home directory for the user.
  • -s <login_shell>: Specifies the login shell for the user.
  • <username>: Replace this with the desired username.

The above command will create a user named hadi with a home folder called hadihome and bash as a shell environment.

Execute a specific command as a specific user with su:

We can use su to execute a single command as the target user by combining the -l and -c options as follows.

su -l hadi -c "whoami"

Listing processes with ps:

ps -ef

The first switch (-e) selects all processes. The second (-f) displays the full-format listing (UID, PID, PPID, etc.).

Finding our Mousepad application in that massive listing is definitely not easy, but since we know the application name we are looking for, we can replace the -e switch with -C (select by command name)

ps -fC command
ps -fC mousepad

Foreground and background processes in Linux:

To view the processes in the background we use the command jobs

In the example above I ran the mousepad and I backgrounded it immediately after running it using the &

Then I used the command jobs to view the running processes in the background

Now if we want to bring it to the foreground we use the % symbol followed by the job number (its number in the jobs list, not the PID); in this example it would be %1.

Forcefully killing a process:

SIGKILL (9): The kill -9 command sends the SIGKILL signal to a process, which forcefully terminates it. This signal cannot be caught, blocked, or ignored by the process. It's the most aggressive way to stop a process.

sudo kill -9 <PID>
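The difference between a plain kill (SIGTERM) and kill -9 (SIGKILL) is easy to see with a process that ignores SIGTERM. The script below is an added example, not from the article: it starts a constructed child shell that traps SIGTERM, sends it SIGTERM and then SIGKILL, and reports whether the child survived each signal.

```shell
#!/bin/sh
# Added example (not from the article): show why kill -9 works when a plain
# kill does not. The child below ignores SIGTERM, so only SIGKILL stops it.

# child_alive PID -> exit status 0 if the process still exists, 1 otherwise
child_alive() { kill -0 "$1" 2>/dev/null; }

# signal_demo -> prints "<state after SIGTERM> <state after SIGKILL>"
signal_demo() {
  # Constructed test process: a shell that ignores SIGTERM and loops forever.
  sh -c 'trap "" TERM; while :; do sleep 1; done' &
  pid=$!
  sleep 1                     # give the child time to install its trap

  kill -TERM "$pid"           # the default kill signal; this child ignores it
  sleep 1
  if child_alive "$pid"; then after_term=alive; else after_term=dead; fi

  kill -9 "$pid"              # SIGKILL: cannot be caught, blocked or ignored
  wait "$pid" 2>/dev/null || true   # reap the child so it is not left as a zombie
  if child_alive "$pid"; then after_kill=alive; else after_kill=dead; fi

  echo "$after_term $after_kill"
}

signal_demo   # prints: alive dead
```

Because SIGKILL gives the process no chance to run cleanup handlers, prefer a plain kill first and fall back to -9 only when the process does not exit; a daemon killed with -9 may leave stale lock or PID files behind.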

tail and watch for monitoring:

It is extremely useful to know how to monitor files and commands in real time during a penetration test. Two commands help with such tasks: tail and watch.

The most common use of tail is to monitor log file entries as they are being written. For example, we may want to monitor the Apache logs to determine if a web server is being contacted by a given client that we are attempting to attack via a client-side exploit. Let’s examine this practical example to understand how we might use tail.

We can use tail with the flag -f to monitor a file in real time.

In the following example, I created a log file with six entries and monitored the file with the tail -f command; then, using another terminal, I entered some text and it appeared immediately.

We can use the -n X flag as well, which outputs the last X lines instead of the default of 10.
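The two-terminal experiment described above can be reproduced in a single script, which is useful when you want to check that a log is actually being appended to (for example, before relying on it as an evidence source). This is an added example, not the article's own commands: tail -f runs in the background in place of the first terminal, the script appends a line in place of the second terminal, and the number of lines tail delivered is counted. The log contents and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): run the tail -f experiment
# non-interactively and count how many lines tail delivered.

# tail_follow_demo -> number of lines tail -f delivered (expected 4:
# the last three of the initial six entries plus the one appended later)
tail_follow_demo() {
  log=$(mktemp); out=$(mktemp)

  # Constructed log with six entries, standing in for a real log file.
  i=1
  while [ "$i" -le 6 ]; do
    echo "entry $i" >> "$log"; i=$((i + 1))
  done

  tail -n 3 -f "$log" > "$out" &    # -n 3: print the last three lines, then keep following
  tpid=$!
  sleep 1                            # let tail emit the initial lines and start following
  echo "entry 7 written from another terminal" >> "$log"
  sleep 1                            # give tail time to notice the append
  kill "$tpid"; wait "$tpid" 2>/dev/null || true

  wc -l < "$out" | tr -d ' '
  rm -f "$log" "$out"
}

tail_follow_demo   # prints: 4
```

On a real engagement the same pattern works against a web server's access log: if the appended line never shows up, the service is writing somewhere else or not at all, and monitoring that file tells you nothing.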

The watch command runs a command of our choice at regular intervals. By default it runs every two seconds, but we can specify a different interval with the -n X option to have it run every X seconds. For example, this command will list logged-in users (via the w command) once every 5 seconds:

watch -n 5 command
watch -n 5 w

Using Job Schedulers, Cron:

To view the crontab of a specific user, e.g. the user phoenix, we can use the following command:

crontab -u username -l
crontab -u phoenix -l

Add cronjob for a system-wide or for the current user:

To add a system-wide cron job, we can add it directly to /etc/crontab. A system-wide cron job is not tied to a specific user's crontab; each line in /etc/crontab instead names, in its sixth field, the account the command runs as.

To add a cron job for the current user we can use crontab -e.
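Because /etc/crontab carries a user field that per-user crontabs lack, reviewing it means parsing seven columns (five schedule fields, the user, then the command) while skipping comments and environment assignments. The script below is an added example, not from the article: it parses a constructed /etc/crontab-style snapshot embedded in the script and lists which account each job runs as, the kind of check a defender runs when looking for unexpected scheduled jobs. The sample entries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): list the jobs in a constructed
# /etc/crontab snapshot with the account each one runs as.

# Constructed /etc/crontab-style content: variable assignments, a comment,
# and three job lines in the format "m h dom mon dow user command".
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   phoenix /home/phoenix/backup.sh'

# list_system_cron -> one "user<TAB>schedule<TAB>command" line per job
list_system_cron() {
  printf '%s\n' "$SAMPLE_CRONTAB" | awk '
    /^[ \t]*(#|$)/            { next }   # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment assignments such as PATH=
    {
      user = $6
      schedule = $1 " " $2 " " $3 " " $4 " " $5
      cmd = $0
      # strip the five schedule fields and the user field to leave the command
      for (i = 1; i <= 6; i++) sub(/^[^ \t]+[ \t]+/, "", cmd)
      print user "\t" schedule "\t" cmd
    }'
}

# cron_jobs_for USER -> number of /etc/crontab jobs that run as USER
cron_jobs_for() {
  list_system_cron | awk -F'\t' -v u="$1" '$1 == u' | wc -l | tr -d ' '
}

# cron_command_for USER -> the command of the first job that runs as USER
cron_command_for() {
  list_system_cron | awk -F'\t' -v u="$1" '$1 == u { print $3; exit }'
}

list_system_cron
```

Per-user crontabs (crontab -u name -l) have no user column, so the same parser would need to drop the user field and take the account name from the crontab being read; the system-wide file is the one that deserves the most attention, since any entry there that names root runs with full privileges.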


Written by Hadi AL Halbouni

Cybersecurity Analyst with a B.Sc in Software Engineering and 2 M.Sc degrees in Cybersecurity. Skilled in detection, response and passionate about red teaming
