Last updated: June 2026
The gap between knowing Linux commands and being able to use them fluidly under pressure is where a lot of practitioners sit. You know netstat exists. You know grep can filter output. You know curl can fetch things. But putting them together in the moment, on an unfamiliar machine, against a deadline — that’s a different skill.
This is a practical collection of CLI patterns that show up in actual security work, with enough context to understand when and why to use each.
Network Reconnaissance and Enumeration
Show all listening ports and what’s listening on them:
ss -tlnp
# or: netstat -tlnp (older systems)
The -t limits to TCP, -l to listening sockets, -n avoids DNS resolution (faster), -p shows the process. ss is faster than netstat on modern systems.
Check active connections:
ss -tnp state established
Test if a specific port is open:
nc -zvw3 192.168.1.1 80
# -z: scan only, -v: verbose, -w3: 3 second timeout
Trace the path packets take:
traceroute -n 8.8.8.8
# -n skips DNS resolution; much faster
Quick banner grab on an open port:
echo "" | nc -v -w3 192.168.1.X 22
Process and System Enumeration
What’s running, with full command lines:
ps aux
ps -ef
Find processes using a specific port:
ss -tlnp | grep :80
fuser 80/tcp
Find files opened by a process:
lsof -p PID
lsof -i :80 # files using port 80
Check what cron jobs exist across the system:
for user in $(cut -d: -f1 /etc/passwd); do crontab -u $user -l 2>/dev/null; done
ls -la /etc/cron*
cat /etc/crontab
Find recently modified files:
find / -mtime -1 -type f 2>/dev/null | head -50
# -mtime -1 = modified in last 24 hours
Find SUID/SGID binaries (privilege escalation vectors):
find / -perm /4000 -type f 2>/dev/null # SUID
find / -perm /2000 -type f 2>/dev/null # SGID
Log Analysis
Tail a log with live output:
tail -f /var/log/auth.log
Search logs for specific patterns:
grep -i "failed\|invalid" /var/log/auth.log | tail -50
grep -i "sudo" /var/log/auth.log
Count occurrences of IPs in a log:
grep "Failed password" /var/log/auth.log | \
awk '{print $11}' | sort | uniq -c | sort -rn | head -20
Find authentication events for a specific user:
grep "session opened for user root" /var/log/auth.log
File Hashing and Integrity
Hash a file:
sha256sum /path/to/file
md5sum /path/to/file
Hash every file in a directory tree (for baseline comparisons):
find /etc -type f -exec sha256sum {} \; > /tmp/etc-baseline.txt
Compare against a baseline:
sha256sum -c /tmp/etc-baseline.txt 2>&1 | grep -v OK
Network Traffic
Capture traffic on an interface:
tcpdump -i eth0 -w /tmp/capture.pcap
tcpdump -i eth0 host 192.168.1.X -w /tmp/target.pcap
Read a capture file:
tcpdump -r /tmp/capture.pcap
tcpdump -r /tmp/capture.pcap -A | grep -i "password\|user\|login"
One-Liners Worth Having
Check for world-writable files:
find / -perm -002 -type f 2>/dev/null
Show all users with login shells:
grep -v "nologin\|false" /etc/passwd
Check for password hashes (on older systems):
cat /etc/shadow 2>/dev/null | grep -v '!!\|*'
Enumerate environment variables:
env
cat /proc/1/environ | tr '\0' '\n'
The power of these tools is in chaining them. grep filters the output of ss. awk extracts the field you need. sort | uniq -c | sort -rn turns a list into a ranked frequency count. The patterns transfer across contexts once the building blocks are solid.