Linux CLI Tools Every Security Practitioner Should Actually Know

Last updated: June 2026

The gap between knowing Linux commands and being able to use them fluidly under pressure is where a lot of practitioners sit. You know netstat exists. You know grep can filter output. You know curl can fetch things. But putting them together in the moment, on an unfamiliar machine, against a deadline — that’s a different skill.

This is a practical collection of CLI patterns that show up in actual security work, with enough context to understand when and why to use each.

Network Reconnaissance and Enumeration

Show all listening ports and what’s listening on them:

ss -tlnp
# or: netstat -tlnp (older systems)

The -t limits to TCP, -l to listening sockets, -n avoids DNS resolution (faster), -p shows the process. ss is faster than netstat on modern systems.

Check active connections:

ss -tnp state established

Test if a specific port is open:

nc -zvw3 192.168.1.1 80
# -z: scan only, -v: verbose, -w3: 3 second timeout

Trace the path packets take:

traceroute -n 8.8.8.8
# -n skips DNS resolution; much faster

Quick banner grab on an open port:

echo "" | nc -v -w3 192.168.1.X 22

Process and System Enumeration

What’s running, with full command lines:

ps aux
ps -ef

Find processes using a specific port:

ss -tlnp | grep :80
fuser 80/tcp

Find files opened by a process:

lsof -p PID
lsof -i :80 # files using port 80

Check what cron jobs exist across the system:

for user in $(cut -d: -f1 /etc/passwd); do crontab -u $user -l 2>/dev/null; done
ls -la /etc/cron*
cat /etc/crontab

Find recently modified files:

find / -mtime -1 -type f 2>/dev/null | head -50
# -mtime -1 = modified in last 24 hours

Find SUID/SGID binaries (privilege escalation vectors):

find / -perm /4000 -type f 2>/dev/null  # SUID
find / -perm /2000 -type f 2>/dev/null # SGID

Log Analysis

Tail a log with live output:

tail -f /var/log/auth.log

Search logs for specific patterns:

grep -i "failed\|invalid" /var/log/auth.log | tail -50
grep -i "sudo" /var/log/auth.log

Count occurrences of IPs in a log:

grep "Failed password" /var/log/auth.log | \
awk '{print $11}' | sort | uniq -c | sort -rn | head -20

Find authentication events for a specific user:

grep "session opened for user root" /var/log/auth.log

File Hashing and Integrity

Hash a file:

sha256sum /path/to/file
md5sum /path/to/file

Hash every file in a directory tree (for baseline comparisons):

find /etc -type f -exec sha256sum {} \; > /tmp/etc-baseline.txt

Compare against a baseline:

sha256sum -c /tmp/etc-baseline.txt 2>&1 | grep -v OK

Network Traffic

Capture traffic on an interface:

tcpdump -i eth0 -w /tmp/capture.pcap
tcpdump -i eth0 host 192.168.1.X -w /tmp/target.pcap

Read a capture file:

tcpdump -r /tmp/capture.pcap
tcpdump -r /tmp/capture.pcap -A | grep -i "password\|user\|login"

One-Liners Worth Having

Check for world-writable files:

find / -perm -002 -type f 2>/dev/null

Show all users with login shells:

grep -v "nologin\|false" /etc/passwd

Check for password hashes (on older systems):

cat /etc/shadow 2>/dev/null | grep -v '!!\|*'

Enumerate environment variables:

env
cat /proc/1/environ | tr '\0' '\n'

The power of these tools is in chaining them. grep filters the output of ss. awk extracts the field you need. sort | uniq -c | sort -rn turns a list into a ranked frequency count. The patterns transfer across contexts once the building blocks are solid.

Scroll to Top