
Essential Linux Commands

The terminal is your primary weapon.
Master navigation so you can move through filesystems rapidly during enumeration, incident response, or system administration.

Navigation

pwd                              # Where am I?
cd /var/log                      # Absolute path
cd ../..                         # Relative path (up two)
cd ~                             # Home directory
cd -                             # Previous directory (gold)

Listing Files

ls -l                            # Long format
ls -la                           # Include hidden files
ls -latr                         # All files, sorted by modification time, oldest first
ls -lS                           # Sort by size

The -latr combination is critical: when investigating a compromised system it lists files by modification time in chronological order, so the most recently changed files appear at the bottom of the output, right above your prompt.

File Operations

touch file.txt                   # Create empty file
touch -t 202301011200 ev.txt     # Set specific timestamp
mkdir -p path/to/deep/dir        # Create with parents
cp -a source/ dest/              # Archive mode (preserves everything)
mv old new                       # Rename (atomic on same filesystem)
rm -rf directory/                # Nuclear option (DANGEROUS)
shred -u -z file                 # Overwrite, zero, then delete (unreliable on journaled/CoW filesystems and SSDs)

Timestamp manipulation matters.
Attackers use touch -t to backdate file timestamps and hide evidence of recent modification.
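One defender's check that follows from the two points above (ls -latr trusts mtime; touch -t can forge it), as an added example rather than a command from the original page: touch can set atime and mtime, but the kernel updates ctime to "now" on every inode change, so a file whose mtime is far older than its ctime has had its clock rolled back. The function names, the threshold and the fixture files are constructed here, and the script assumes GNU stat and awk.

```shell
#!/usr/bin/env bash
# Added example, not from the original page.
# Print "<gap_seconds> <path>" for every regular file under $1 whose
# ctime is more than $2 seconds (default 60) newer than its mtime.
# touch -t rewrites mtime but cannot touch ctime, so a large gap is
# a candidate for closer inspection. Requires GNU stat (%Y = mtime,
# %Z = ctime, both in seconds since the epoch).
find_backdated() {
    local dir="$1" threshold="${2:-60}"
    find "$dir" -type f -exec stat -c '%Y %Z %n' {} + |
    awk -v t="$threshold" '{
        gap = $2 - $1
        if (gap > t) {
            name = $0
            sub(/^[0-9]+ [0-9]+ /, "", name)   # strip the two timestamps
            print gap, name
        }
    }'
}

# Constructed fixture (hypothetical data): one untouched log and one
# file whose mtime was backdated to 2023-01-01 12:00 with touch -t.
make_fixture() {
    local d
    d="$(mktemp -d)"
    echo "legit" > "$d/normal.log"
    echo "planted" > "$d/ev.txt"
    touch -t 202301011200 "$d/ev.txt"
    printf '%s\n' "$d"
}

# Build a fresh fixture, run the check and return how many files it
# flags (expected: 1, the backdated ev.txt).
count_backdated_in_fixture() {
    local d n
    d="$(make_fixture)"
    n="$(find_backdated "$d" 60 | wc -l)"
    rm -rf "$d"
    echo "$n"
}
```

Run find_backdated against a directory such as /var/log or a web root during triage; legitimate gaps also appear after restores and package upgrades, so treat hits as leads rather than verdicts.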

Viewing Files

cat /etc/passwd                  # Display file (small files only)
less /var/log/syslog             # Navigate large files
less +F /var/log/auth.log        # Follow mode (like tail -f)
head -n 20 file                  # First 20 lines
tail -f /var/log/auth.log        # Watch in real-time

Text Processing

grep "Failed" auth.log           # Pattern matching
grep -v "INFO" log               # Inverse match
grep -r "TODO" src/              # Recursive search
cut -d: -f1 /etc/passwd          # Column extraction
sort -u file                     # Sort and unique
wc -l file                       # Count lines

Pipes and Redirection

command > file.txt               # stdout to file
command 2> error.log             # stderr to file
command &> combined.log          # Both streams (bash shorthand, not POSIX sh)
command1 | command2              # Pipe stdout to stdin
command | tee output.txt         # Save and display

Essential One-Liners

# Count failed login attempts
grep "Failed password" /var/log/auth.log | wc -l

# Find all SUID binaries (privilege escalation)
find / -perm -4000 -type f 2>/dev/null

# Monitor auth attempts in real-time
tail -f /var/log/auth.log | grep "Failed"

# Extract IPs from log
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" access.log | sort -u